Ensure that DNS query logging with Amazon Route 53 Resolver is enabled within the AWS regions designed to host sensitive data, where regulated workloads must address the most stringent security and compliance requirements.
When working with security-sensitive cloud applications, you may need the ability to monitor, debug, search, and archive DNS lookups originating from inside your Virtual Private Clouds (VPCs). Amazon Route 53 Resolver now supports the logging of DNS queries and responses for DNS queries originating from within your VPCs, whether these queries are answered locally by Route 53 Resolver, resolved over the public Internet, or are forwarded to on-premises DNS servers via Route 53 Resolver endpoints. DNS queries forwarded by on-premises DNS servers to your VPCs via inbound endpoints are also logged. Even the DNS queries made by your Amazon Lambda functions, Amazon EKS clusters, and Amazon WorkSpaces instances can be logged using this feature. With DNS query logging enabled, you no longer need to manage your own cloud infrastructure in order to log the DNS activity within your VPC network.
Audit
To determine if logging of DNS queries using Amazon Route 53 Resolver is enabled within your AWS account, perform the following actions:
Remediation / Resolution
To enable and configure DNS query logging using Amazon Route 53 Resolver for your AWS cloud account, perform the following actions:
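The audit and remediation just described can both be carried out programmatically. The block below is an added example (not this page's own steps and not Conformity's tooling): the audit half evaluates the response shapes returned by the Route 53 Resolver `ListResolverQueryLogConfigs` and `ListResolverQueryLogConfigAssociations` API calls and reports every VPC that lacks a working query log config, treating a FAILED config or an ACTION_NEEDED association as a finding rather than as coverage; the remediation half creates one query log config and associates it with each affected VPC through the boto3 `create_resolver_query_log_config` and `associate_resolver_query_log_config` calls. The sample API responses, VPC IDs, ARNs and the `RecordingClient` stand-in for the boto3 client are constructed so the example runs offline; for real use pass `boto3.client("route53resolver")` instead.

```python
"""Audit and remediation helpers for Route 53 Resolver DNS query logging (added example)."""
import uuid


def vpcs_without_query_logging(configs, associations, vpc_ids):
    """Return the VPC IDs (from vpc_ids) that have no working query log config.

    `configs` is the ResolverQueryLogConfigs list from ListResolverQueryLogConfigs,
    `associations` the ResolverQueryLogConfigAssociations list from
    ListResolverQueryLogConfigAssociations. A VPC counts as covered only when its
    association is ACTIVE and the referenced config is itself in the CREATED state.
    """
    healthy_configs = {c["Id"] for c in configs if c.get("Status") == "CREATED"}
    covered = {
        a["ResourceId"]
        for a in associations
        if a.get("Status") == "ACTIVE"
        and a.get("ResolverQueryLogConfigId") in healthy_configs
    }
    return sorted(v for v in vpc_ids if v not in covered)


def enable_query_logging(client, vpc_ids, destination_arn, name):
    """Create one query log config and associate it with every VPC in vpc_ids.

    `client` is assumed to be a boto3 route53resolver client. destination_arn may
    point at a CloudWatch Logs group, an S3 bucket or a Kinesis Data Firehose
    stream. Returns the list of association dicts the API handed back.
    """
    cfg = client.create_resolver_query_log_config(
        Name=name,
        DestinationArn=destination_arn,
        CreatorRequestId=str(uuid.uuid4()),  # idempotency token required by the API
    )["ResolverQueryLogConfig"]
    return [
        client.associate_resolver_query_log_config(
            ResolverQueryLogConfigId=cfg["Id"], ResourceId=vpc
        )["ResolverQueryLogConfigAssociation"]
        for vpc in vpc_ids
    ]


# --- constructed sample data standing in for the two list API responses ---
SAMPLE_CONFIGS = [
    {"Id": "rqlc-sample-a", "Status": "CREATED",
     "DestinationArn": "arn:aws:logs:us-east-1:111122223333:log-group:/route53/queries"},
    {"Id": "rqlc-sample-b", "Status": "FAILED",
     "DestinationArn": "arn:aws:s3:::example-dns-query-logs"},
]
SAMPLE_ASSOCIATIONS = [
    {"Id": "rqlca-1", "ResolverQueryLogConfigId": "rqlc-sample-a",
     "ResourceId": "vpc-0a1b2c3d4e5f60001", "Status": "ACTIVE"},
    {"Id": "rqlca-2", "ResolverQueryLogConfigId": "rqlc-sample-b",
     "ResourceId": "vpc-0a1b2c3d4e5f60002", "Status": "ACTIVE"},        # config is FAILED
    {"Id": "rqlca-3", "ResolverQueryLogConfigId": "rqlc-sample-a",
     "ResourceId": "vpc-0a1b2c3d4e5f60003", "Status": "ACTION_NEEDED"},  # not delivering
]
SAMPLE_VPCS = ["vpc-0a1b2c3d4e5f60001", "vpc-0a1b2c3d4e5f60002",
               "vpc-0a1b2c3d4e5f60003", "vpc-0a1b2c3d4e5f60004"]  # 60004 has no association


class RecordingClient:
    """Offline stand-in for the boto3 client: records calls, returns API-shaped dicts."""

    def __init__(self):
        self.calls = []

    def create_resolver_query_log_config(self, **kw):
        self.calls.append(("create", kw))
        return {"ResolverQueryLogConfig": {"Id": "rqlc-new", "Status": "CREATING", **kw}}

    def associate_resolver_query_log_config(self, **kw):
        self.calls.append(("associate", kw))
        return {"ResolverQueryLogConfigAssociation": {"Id": "rqlca-new", "Status": "CREATING", **kw}}


if __name__ == "__main__":
    findings = vpcs_without_query_logging(SAMPLE_CONFIGS, SAMPLE_ASSOCIATIONS, SAMPLE_VPCS)
    print("VPCs without working DNS query logging:", findings)
    client = RecordingClient()  # replace with boto3.client("route53resolver") for real use
    for assoc in enable_query_logging(client, findings,
                                      SAMPLE_CONFIGS[0]["DestinationArn"], "dns-query-logs"):
        print("associated", assoc["ResolverQueryLogConfigId"], "with", assoc["ResourceId"])
```

The audit deliberately requires both a CREATED config and an ACTIVE association: the console shows an association row for vpc-...60002 and vpc-...60003, but neither VPC is actually delivering query logs, so a check that only counts associations would miss them.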
References
- AWS Documentation
  - Resolver query logging
  - AWS resources that you can send Resolver query logs to
- AWS Command Line Interface (CLI) Documentation
  - route53resolver
    - list-resolver-query-log-configs
    - create-resolver-query-log-config
  - logs
    - create-log-group
    - describe-log-groups
  - firehose
    - create-delivery-stream
  - s3api
    - create-bucket
    - put-public-access-block
Enable Logging of DNS Queries Using Route 53 Resolver
Risk Level: Medium