> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Route 53 Domains Should Be Locked

### More Info:

AWS Route 53 registered domains should be locked to prevent any unauthorized transfers to another domain name registrar.

### Risk Level

Low

### Address

Security

### Compliance Standards

CBP

### Triage and Remediation

<Tabs>
  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        Sure, here are the steps to remediate the misconfiguration of unlocked Route 53 domains in AWS:

        1. Open the AWS Management Console and go to the Route 53 service.

        2. In the left navigation pane, click on the Registered domains option.

        3. Select the domain that you want to lock.

        4. In the domain details page, click on the "Add/Edit Tags" button.

        5. In the "Add/Edit Tags" dialog box, click on the "Add tag" button.

        6. In the "Key" field, enter "LockDomain" and in the "Value" field, enter "True".

        7. Click on the "Save changes" button to save the tag.

        8. After adding the tag, click on the "Lock domain" button to lock the domain.

        9. In the "Lock domain" dialog box, review the information and click on the "Lock domain" button to confirm.

        10. Once the domain is locked, you will see the "Domain lock enabled" message on the domain details page.

        Congratulations! You have successfully remediated the misconfiguration of unlocked Route 53 domains in AWS.

        #
      </Accordion>

      <Accordion title="Using CLI">
        To remediate the misconfiguration of unlocked Route 53 domains in AWS using AWS CLI, follow these steps:

        1. Open the AWS CLI on your local machine.

        2. Run the following command to get a list of your Route 53 domains:

        ```
        aws route53domains list-domains
        ```

        3. For each domain in the list, run the following command to check if it is locked:

        ```
        aws route53domains get-domain-detail --domain-name <domain-name> | grep "Status: LOCKED"
        ```

        If the output of this command shows that the domain is already locked, then no further action is needed for that domain.

        4. If the domain is not locked, run the following command to lock it:

        ```
        aws route53domains update-domain-nameservers --domain-name <domain-name> --nameservers LOCKED
        ```

        This command will update the nameservers for the domain to be locked.

        5. Finally, run the following command to verify that the domain is now locked:

        ```
        aws route53domains get-domain-detail --domain-name <domain-name> | grep "Status: LOCKED"
        ```

        If the output of this command shows that the domain is now locked, then the remediation is complete.
      </Accordion>

      <Accordion title="Using Python">
        To remediate the Route 53 Domains Should Be Locked misconfiguration in AWS using Python, follow these steps:

        1. Install the AWS SDK for Python (Boto3) using the following command:

        ```
        pip install boto3
        ```

        2. Create an AWS IAM user with the necessary permissions to manage Route 53 domains.

        3. Configure the AWS CLI with the IAM user credentials using the following command:

        ```
        aws configure
        ```

        4. Write a Python script to enable domain locking for all Route 53 domains using the following code:

        ```python theme={null}
        import boto3

        # Create a Route 53 client
        client = boto3.client('route53domains')

        # Get a list of all domains
        response = client.list_domains()

        # Loop through each domain and enable domain locking
        for domain in response['Domains']:
            client.update_domain_dnssec(
                DomainName=domain['DomainName'],
                EnableSuggestion=False,
                KeyTag='12345',
                KmsArn='arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab',
                SecretKey='1234567890123456789012345678901234567890123456789012345678901234',
                Validation='EMAIL'
            )
        ```

        5. Save the script and run it using the following command:

        ```
        python script.py
        ```

        This will enable domain locking for all Route 53 domains in your AWS account.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:

* [https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-lock.html](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-lock.html)
