
Route 53 Domain Auto Renew

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (act today)
Rule ID: Route53-002

Ensure that the Auto Renew feature is enabled to automatically renew your Amazon Route 53 domain names as the expiration date approaches. The automatic renewal registration fee will be charged to your AWS account and you will get an email with the renewal confirmation once the registration is processed.

This rule can help you with the following compliance standards:

  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Reliability

Enabling automatic renewal for your domains registered with AWS or transferred to AWS will guarantee you full control over domain name registration. When your domains are automatically renewed before their expiration date, the risk of losing them is practically zero.


Audit

To determine if all your domain names have the Auto Renew feature enabled, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Route 53 console at https://console.aws.amazon.com/route53/.

03 In the main navigation panel, under Domains, choose Registered domains.

04 Click on the Route 53 registered domain name that you want to examine.

05 On the selected domain name page, in the details section, check the Auto renew feature status. If the Auto renew status is set to Disabled, automatic renewal is not enabled for the selected Route 53 domain name, and you can lose ownership of the domain once it expires.

06 Repeat steps no. 4 and 5 for each domain name registered with Amazon Route 53 or transferred to Route 53.

Using AWS CLI

01 Run list-domains command (OSX/Linux/UNIX) to list all the domain names registered with Amazon Route 53 or transferred to Route 53:

aws route53domains list-domains \
  --region us-east-1 \
  --query 'Domains[*].DomainName'

02 The command output should return an array with the registered/transferred domain names:

[
	"trendmicro.com",
	"cloudconformity.com"
]

03 Run get-domain-detail command (OSX/Linux/UNIX) using the domain name that you want to examine as the identifier parameter and custom query filters to describe the Auto Renew feature status currently available for the selected domain:

aws route53domains get-domain-detail \
  --region us-east-1 \
  --domain-name trendmicro.com \
  --query 'AutoRenew'

04 The command output should return the requested feature status (true for enabled, false for disabled):

false

If the get-domain-detail command output returns false, as shown in the example above, the Auto Renew feature is disabled: automatic renewal is not enabled for the selected Route 53 domain name, and the risk of losing ownership of the domain increases.

05 Repeat steps no. 3 and 4 for each domain name registered with Amazon Route 53 or transferred to Route 53.

Remediation / Resolution

To reconfigure the domain names registered with Amazon Route 53 in order to enable the Auto Renew feature, perform the following operations:

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_route53domains_registered_domain" "route53-registered-domain" {

	domain_name = "domain.com"

	name_server {
		name = "ns-500.domain-dns.com"
	}

	name_server {
		name = "ns-905.domain-dns.net"
	}

	tags = {
		Owner = "IT"
	}

	auto_renew = true

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Route 53 console at https://console.aws.amazon.com/route53/.

03 In the main navigation panel, under Domains, choose Registered domains.

04 Click on the Route 53 registered domain name that you want to reconfigure.

05 On the selected domain name page, in the details section, choose (enable) next to Auto renew to turn on automatic renewal for the registered domain name. The Auto renew feature status should change now to Enabled.

06 Repeat steps no. 4 and 5 for each domain name registered with Amazon Route 53 or transferred to Route 53.

Using AWS CLI

01 Run enable-domain-auto-renew command (OSX/Linux/UNIX) using the domain name that you want to reconfigure as the identifier parameter, to enable automatic renewal registration for the selected domain name (the command does not produce an output):

aws route53domains enable-domain-auto-renew \
  --region us-east-1 \
  --domain-name trendmicro.com

02 Repeat step no. 1 for each domain name registered with Amazon Route 53 or transferred to Route 53.
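The per-domain "repeat" steps in the CLI audit and remediation procedures above can be collapsed into one pass. The script below is an added example, not part of the original Conformity rule; it relies on list-domains returning the AutoRenew flag for every domain, and the script name, function names and exit codes are this example's own choices.

```bash
#!/usr/bin/env bash
# Added example: fleet-wide Auto Renew audit for Route 53 registered domains.
# Assumptions: AWS CLI configured with route53domains:ListDomains (and
# route53domains:EnableDomainAutoRenew when "fix" is used).

R53D_REGION="us-east-1"   # same region the page's remediation command uses

# Print one domain per line for every domain whose AutoRenew flag is false.
# list-domains returns AutoRenew in each summary, so one call covers all domains.
list_autorenew_disabled() {
  local raw
  raw=$(aws route53domains list-domains \
    --region "$R53D_REGION" \
    --query 'Domains[?AutoRenew==`false`].DomainName' \
    --output text) || return 2   # an API or credential error is not "compliant"
  # Text output is tab-separated (one line per result page); split, drop blanks.
  printf '%s\n' "$raw" | tr '\t' '\n' | grep . || true
}

# Report findings; with "--fix", enable Auto Renew on each one.
# Returns 0 = nothing left to fix, 1 = findings or a failed fix, 2 = API error.
audit_autorenew() {
  local fix="${1:-}" domains domain rc=0
  domains=$(list_autorenew_disabled) || return 2
  if [ -z "$domains" ]; then
    echo "OK: Auto Renew is enabled on every registered domain"
    return 0
  fi
  while IFS= read -r domain; do
    if [ "$fix" != "--fix" ]; then
      echo "NONCOMPLIANT: $domain"; rc=1
    elif aws route53domains enable-domain-auto-renew \
           --region "$R53D_REGION" --domain-name "$domain" </dev/null; then
      echo "FIXED: $domain"
    else
      echo "FAILED: $domain" >&2; rc=1
    fi
  done <<EOF
$domains
EOF
  return "$rc"
}

# Hypothetical usage: "./r53-autorenew.sh audit" or "./r53-autorenew.sh fix".
case "${1:-}" in
  audit) audit_autorenew ;;
  fix)   audit_autorenew --fix ;;
esac
```

The non-zero exit status on findings or API errors lets a scheduled job or CI step alert on the result instead of treating a failed API call as a clean audit.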

References

Publication date May 6, 2016