Skip to main content

More Info:

AWS Route 53 hosted zones should have a TXT DNS record that contains a corresponding Sender Policy Framework (SPF) value set for each MX record available.

Risk Level

Low

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Route 53 Hosted Zones Should Have Sender Policy Framework Record Present” in AWS using the AWS console, follow these steps:
  1. Log in to the AWS Management Console and navigate to the Route 53 dashboard.
  2. Click on the Hosted Zones option in the left-hand navigation menu.
  3. Select the hosted zone for which you want to add a Sender Policy Framework (SPF) record.
  4. Click on the Create Record Set button at the top of the page.
  5. In the Create Record Set dialog box, enter the following details:
  • Name: Enter the name of the domain or subdomain for which you want to create an SPF record (e.g., example.com or mail.example.com).
  • Type: Select TXT from the drop-down list.
  • Value: Enter the SPF record value. The value should be in the following format: “v=spf1 include:_spf.example.com ~all”. Replace “_spf.example.com” with the domain name of your email service provider.
  1. Click on the Create button to save the record set.
  2. Verify that the new record set appears in the hosted zone record list.
  3. Repeat the above steps for any other hosted zones that require an SPF record.
By following these steps, you have successfully remediated the misconfiguration “Route 53 Hosted Zones Should Have Sender Policy Framework Record Present” in AWS using the AWS console.

To remediate this misconfiguration for AWS using AWS CLI, follow these steps:
  1. Open your terminal or command prompt and ensure that you have the AWS CLI installed.
  2. Run the following command to list all the hosted zones in your AWS account: 
    aws route53 list-hosted-zones
  3. Identify the hosted zone that needs to have the Sender Policy Framework (SPF) record present.
  4. Create a JSON file with the following information: 
    {
    "Comment": "Add SPF record",
    "Changes": [
        {
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": "example.com.",
                "Type": "TXT",
                "TTL": 300,
                "ResourceRecords": [
                    {
                        "Value": "\"v=spf1 include:_spf.google.com ~all\""
                    }
                ]
            }
        }
    ]
}
    Replace example.com with the name of your hosted zone, and "v=spf1 include:_spf.google.com ~all" with the SPF record you want to add.
  5. Run the following command to add the SPF record to the hosted zone: 
    aws route53 change-resource-record-sets --hosted-zone-id HOSTED_ZONE_ID --change-batch file://path/to/file.json
    Replace HOSTED_ZONE_ID with the ID of your hosted zone, and path/to/file.json with the path to the JSON file you created in step 4.
  6. Verify that the SPF record has been added to the hosted zone by running the following command: 
    aws route53 list-resource-record-sets --hosted-zone-id HOSTED_ZONE_ID
    Replace HOSTED_ZONE_ID with the ID of your hosted zone.
That’s it! You have now remediated the misconfiguration by adding an SPF record to the Route 53 hosted zone using AWS CLI.
To remediate the misconfiguration in AWS Route 53 hosted zones, we need to create a Sender Policy Framework (SPF) record. Here are the step-by-step instructions to do so using Python:
  1. First, we need to install the AWS SDK for Python (Boto3) using pip. Run the following command in your terminal: 
    pip install boto3
  2. Next, we need to authenticate our AWS account using AWS access keys. You can set up access keys by going to the AWS IAM console and creating a new user with programmatic access. Once you have the access keys, you can set them up in your Python code using the following snippet: 
    import boto3

access_key = 'YOUR_ACCESS_KEY'
secret_key = 'YOUR_SECRET_KEY'
region = 'YOUR_REGION'

client = boto3.client(
    'route53',
    aws_access_key_id=access_key,
    aws_secret_access_key=secret_key,
    region_name=region
)
    Replace YOUR_ACCESS_KEY, YOUR_SECRET_KEY, and YOUR_REGION with your own AWS access keys and region.
  3. Now, we can create the SPF record using the change_resource_record_sets method of the route53 client. Here’s an example code snippet to create an SPF record: 
    hosted_zone_id = 'YOUR_HOSTED_ZONE_ID'
domain_name = 'YOUR_DOMAIN_NAME'
spf_value = '"v=spf1 include:_spf.google.com ~all"'

response = client.change_resource_record_sets(
    HostedZoneId=hosted_zone_id,
    ChangeBatch={
        'Changes': [
            {
                'Action': 'UPSERT',
                'ResourceRecordSet': {
                    'Name': domain_name,
                    'Type': 'TXT',
                    'TTL': 300,
                    'ResourceRecords': [
                        {
                            'Value': spf_value
                        }
                    ]
                }
            }
        ]
    }
)
    Replace YOUR_HOSTED_ZONE_ID, YOUR_DOMAIN_NAME, and spf_value with your own values. spf_value should be set to the SPF record value you want to create.
  4. Finally, you can run the Python script to create the SPF record in your AWS Route 53 hosted zone. Once the script has run successfully, you should see the new SPF record in your hosted zone in the AWS console. Note: Make sure to test your SPF record to ensure that it is working as expected and not causing any email delivery issues.

Additional Reading: