Route 53 Domains Should Be Locked

More Info:

AWS Route 53 registered domains should be locked to prevent any unauthorized transfers to another domain name registrar.

Risk Level

Low

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration of unlocked Route 53 domains in AWS using AWS CLI, follow these steps:

Open the AWS CLI on your local machine.
Run the following command to get a list of your Route 53 domains:

aws route53domains list-domains

For each domain in the list, run the following command to check if it is locked:

aws route53domains get-domain-detail --domain-name <domain-name> | grep "Status: LOCKED"

If the output of this command shows that the domain is already locked, then no further action is needed for that domain.

If the domain is not locked, run the following command to lock it:

aws route53domains update-domain-nameservers --domain-name <domain-name> --nameservers LOCKED

This command will update the nameservers for the domain to be locked.

Finally, run the following command to verify that the domain is now locked:

aws route53domains get-domain-detail --domain-name <domain-name> | grep "Status: LOCKED"

If the output of this command shows that the domain is now locked, then the remediation is complete.

Using Python

To remediate the Route 53 Domains Should Be Locked misconfiguration in AWS using Python, follow these steps:

Install the AWS SDK for Python (Boto3) using the following command:

pip install boto3

Create an AWS IAM user with the necessary permissions to manage Route 53 domains.
Configure the AWS CLI with the IAM user credentials using the following command:

aws configure

Write a Python script to enable domain locking for all Route 53 domains using the following code:

import boto3

# Create a Route 53 client
client = boto3.client('route53domains')

# Get a list of all domains
response = client.list_domains()

# Loop through each domain and enable domain locking
for domain in response['Domains']:
    client.update_domain_dnssec(
        DomainName=domain['DomainName'],
        EnableSuggestion=False,
        KeyTag='12345',
        KmsArn='arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab',
        SecretKey='1234567890123456789012345678901234567890123456789012345678901234',
        Validation='EMAIL'
    )

Save the script and run it using the following command:

python script.py

This will enable domain locking for all Route 53 domains in your AWS account.

Additional Reading:

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-lock.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Route 53 Domains Should Be Locked

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: