Best practice rules for Amazon Route 53
AWS Route 53 is a scalable and highly available Domain Name web service. Route53 provides a reliable and cost effective way to link end users to applications by translating domain names (web addresses) into numeric IP addresses that computers require to connect to one another.
Trend Micro Cloud One™ – Conformity monitors Amazon Route 53 with the following rules:
- Amazon Route 53 Configuration Changes
Route 53 configuration changes have been detected within your Amazon Web Services account.
- Enable DNSSEC Signing for Route 53 Hosted Zones
Ensure that DNSSEC signing is enabled for your Amazon Route 53 Hosted Zones.
- Privacy Protection
Ensure that Privacy Protection feature is enabled for your Amazon Route 53 domains.
- Remove AWS Route 53 Dangling DNS Records
Ensure dangling DNS records are removed from your AWS Route 53 hosted zones to avoid domain/subdomain takeover.
- Route 53 Domain Auto Renew
Ensure your domain names are automatically renewed by AWS Route 53 service.
- Route 53 Domain Expired
Ensure expired AWS Route 53 domains names are restored.
- Route 53 Domain Expiry 30 Days
Ensure AWS Route 53 domain names are renewed before their expiration.
- Route 53 Domain Expiry 45 Days
Ensure AWS Route 53 domain names are renewed before their expiration (45 days before expiration).
- Route 53 Domain Expiry 7 Days
Ensure AWS Route 53 domain names are renewed before their expiration.
- Route 53 Domain Transfer Lock
Ensure your domain names have the Transfer Lock feature enabled in order to keep them secure.
- Route 53 In Use
Ensure AWS Route 53 DNS service is in use for highly efficient DNS management.
- Sender Policy Framework In Use
Ensure that Sender Policy Framework (SPF) is used to stop spammers from spoofing your AWS Route 53 domain.
- Sender Policy Framework Record Present
Ensure there is an SPF record set for each MX DNS record in order to stop spammers from spoofing your domains.