
Privacy Protection

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: Route53-010

Ensure that your Amazon Route 53 domains have Privacy Protection feature enabled in order to hide all their contact information from WHOIS queries and reduce the amount of spam received. The feature allows you to conceal your personal phone number, email, and physical address for the domain names registered and/or transferred to Amazon Route 53 service.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When Route 53 Privacy Protection is disabled, anyone can look up your personal information with a simple WHOIS query. Enabling the Privacy Protection feature reduces spam and prevents anyone who sends a WHOIS query from retrieving the contact information you provided when you registered the domain, including name, physical address, phone number, and email address.

Note: Some Top-Level Domain (TLD) registries conceal all your contact information automatically, some allow you to choose to hide all contact information, some allow you to hide only some information, and some do not allow you to hide any information at all. Your first and last name will be hidden if the TLD registry and the registrar allow it.


Audit

To determine if your Amazon Route 53 domains have privacy protection for contact information enabled, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Route 53 console at https://console.aws.amazon.com/route53/.

03 In the main navigation panel, under Domains, choose Registered domains.

04 Choose the registered domain name that you want to examine, and check the value available in the Privacy Protection column for the selected domain. If the value listed in this column is different from All contacts, the registrant contact information is not fully protected, therefore the Privacy Protection feature is not enabled for the selected Amazon Route 53 domain name.

05 Repeat steps no. 4 and 5 for each domain name registered with Amazon Route 53 or transferred to Route 53.

Using AWS CLI

01 Run list-domains command (OSX/Linux/UNIX) to list all the domain names registered with Amazon Route 53 or transferred to Route 53:

aws route53domains list-domains \
  --query 'Domains[*].DomainName'

02 The command output should return an array with the registered/transferred domain names:

[
	"trendmicro.com",
	"cloudconformity.com"
]

03 Run get-domain-detail command (OSX/Linux/UNIX) using the domain name that you want to examine as the identifier parameter and custom query filters to determine if the contact information available for the selected domain name is concealed from WHOIS queries:

aws route53domains get-domain-detail \
  --domain-name trendmicro.com \
  --query '{RegistrantPrivacy:RegistrantPrivacy, AdminPrivacy:AdminPrivacy, TechPrivacy:TechPrivacy}'

04 The command output should return the requested information as a JSON object (true for enabled, false for disabled):

{
	"RegistrantPrivacy": false,
	"AdminPrivacy": false,
	"TechPrivacy": false
}

If the get-domain-detail command output returns false for each type of contact information available, as shown in the example above, any WHOIS query made for your domain name should return the contact information that you entered for the registrant contact (i.e. domain owner), therefore the Privacy Protection feature is not enabled for the selected Amazon Route 53 domain name.

05 Repeat steps no. 3 and 4 for each domain name registered with Amazon Route 53 or transferred to Route 53.

Remediation / Resolution

To enable the Privacy Protection feature for your Amazon Route 53 domain names in order to hide all contact information from WHOIS queries and reduce spam, perform the following operations:

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_route53domains_registered_domain" "route53-registered-domain" {
	domain_name = "domain.com"

	name_server {
		name = "ns-500.domain-dns.com"
	}

	name_server {
		name = "ns-905.domain-dns.net"
	}

	tags = {
		Owner = "IT"
	}

	registrant_privacy = true
	admin_privacy      = true
	tech_privacy       = true
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Route 53 console at https://console.aws.amazon.com/route53/.

03 In the main navigation panel, under Domains, choose Registered domains.

04 Click on the registered domain name for which you want to enable privacy protection.

05 Select Edit contacts from the console top menu, and choose to hide contact information for each type of contact available. Choose Save to apply the changes.

06 Repeat steps no. 4 and 5 for each registered Route 53 domain name for which you want to hide registrant contact information.

Using AWS CLI

01 Run update-domain-contact-privacy command (OSX/Linux/UNIX) to enable registrant privacy protection for the selected Amazon Route 53 domain name in order to conceal contact information from WHOIS queries:

aws route53domains update-domain-contact-privacy \
  --domain-name trendmicro.com \
  --registrant-privacy \
  --admin-privacy \
  --tech-privacy

02 The command output should return an operation ID that can be used to track the progress and completion of the command request:

{
	"OperationId": "abcd1234-abcd-1234-abcd-1234abcd1234"
}

03 Repeat steps no. 1 and 2 for each registered Amazon Route 53 domain name for which you want to hide registrant contact information.
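The audit loop (list-domains, then get-domain-detail per domain) and the update-domain-contact-privacy remediation above can be automated in one script. The following is an added example, not part of the Conformity page or the AWS tooling: the check itself is a pure function over the dict shape that get-domain-detail returns, exercised here on constructed sample responses, while run_account() (assumes boto3 and credentials for the account) applies it to every registered domain and, only when apply=True, enables privacy for the failing ones.

```python
"""Audit and optionally remediate Route 53 contact privacy (rule Route53-010)."""
from typing import Dict, List

# Privacy flags returned by get-domain-detail; true means the contact is concealed.
PRIVACY_FLAGS = ("RegistrantPrivacy", "AdminPrivacy", "TechPrivacy")

# Constructed sample responses (not real account data) in get-domain-detail shape.
SAMPLE_DETAILS = {
    "example-fail.com": {"RegistrantPrivacy": False, "AdminPrivacy": False, "TechPrivacy": False},
    "example-partial.net": {"RegistrantPrivacy": True, "AdminPrivacy": True, "TechPrivacy": False},
    "example-pass.org": {"RegistrantPrivacy": True, "AdminPrivacy": True, "TechPrivacy": True},
}


def unprotected_contacts(detail: Dict) -> List[str]:
    """Return the contact types not hidden; a missing flag counts as unprotected."""
    return [flag for flag in PRIVACY_FLAGS if detail.get(flag) is not True]


def audit(details: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Map each non-compliant domain to the contact flags that are still exposed."""
    findings = {}
    for domain, detail in details.items():
        exposed = unprotected_contacts(detail)
        if exposed:  # passes only when all three contacts are hidden ("All contacts")
            findings[domain] = exposed
    return findings


def remediation_request(domain: str) -> Dict:
    """Build the update_domain_contact_privacy request that hides every contact."""
    return {"DomainName": domain, "RegistrantPrivacy": True,
            "AdminPrivacy": True, "TechPrivacy": True}


def run_account(apply: bool = False) -> Dict[str, List[str]]:
    """Audit all registered domains in the account; remediate failures if apply=True."""
    import boto3  # assumed available; the Route 53 Domains API is served from us-east-1
    client = boto3.client("route53domains", region_name="us-east-1")
    details = {}
    for page in client.get_paginator("list_domains").paginate():
        for item in page["Domains"]:
            details[item["DomainName"]] = client.get_domain_detail(DomainName=item["DomainName"])
    findings = audit(details)
    if apply:
        for domain in findings:
            op = client.update_domain_contact_privacy(**remediation_request(domain))
            print(f"{domain}: OperationId {op['OperationId']}")  # track with get-operation-detail
    return findings


if __name__ == "__main__":
    for domain, flags in run_account().items():
        print(f"FAIL {domain}: exposed contacts {', '.join(flags)}")
```

Run it without arguments for a read-only audit; remediation only happens when run_account(apply=True) is called explicitly, and for TLDs that do not support hiding a contact the update call will fail rather than silently pass.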

Publication date Oct 20, 2018