
Route 53 Domain Transfer Lock

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: Route53-003

Ensure that your Amazon Route 53 registered domains are locked to prevent unauthorized transfers to another domain name registrar. To protect a domain against transfer, every domain registered with or transferred to Route 53 must have the Transfer Lock feature enabled. Enabling the feature sets the "clientTransferProhibited" EPP status on the domain, a registry-side setting applied by the registrar that causes the registry to reject any transfer request automatically until the lock is removed.

This rule can help you with the following compliance standards:

  • NIST4

For further details on the compliance standards supported by Conformity, see the Conformity compliance standards documentation.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Enabling the Transfer Lock feature for domain names registered with Amazon Route 53, or transferred to Route 53, adds an extra layer of protection against domain hijacking: even an attacker who obtains the authorization (EPP) code cannot move the domain to another registrar while the lock is in place.


Audit

To determine if the Transfer Lock feature is enabled for all your registered domains, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Route 53 console at https://console.aws.amazon.com/route53/.

03 In the main navigation panel, under Domains, choose Registered domains.

04 Click on the Route 53 registered domain name that you want to examine.

05 On the selected domain name page, in the details section, check the Transfer lock feature status. If the Transfer lock status is set to Disabled, transfer locking is not enabled for the selected Amazon Route 53 domain name, and the domain can be transferred to another registrar without your knowledge.

06 Repeat steps no. 4 and 5 for each domain name registered with Amazon Route 53 or transferred to Route 53.

Using AWS CLI

01 Run list-domains command (OSX/Linux/UNIX) to list all the domain names registered with Amazon Route 53 or transferred to Route 53:

aws route53domains list-domains \
  --query 'Domains[*].DomainName'

02 The command output should return an array with the registered/transferred domain names:

[
	"cloudconformity.com",
	"trendmicro.com"
]

03 Run get-domain-detail command (OSX/Linux/UNIX) using the domain name that you want to examine as the identifier parameter and custom query filters to determine if the Transfer Lock feature is enabled for the selected domain:

aws route53domains get-domain-detail \
  --domain-name cloudconformity.com \
  --query 'StatusList'

04 The command output should return an array of EPP status codes (Extensible Provisioning Protocol status codes) which indicate the current status of the domain name registration:

[
	"clientDeleteProhibited",
	"clientUpdateProhibited"
]

If the list returned by the get-domain-detail command does not include the "clientTransferProhibited" status code, as in the example above, the Transfer Lock feature is not enabled for the selected Amazon Route 53 domain, and the domain name is therefore not protected against hijacking by registrar transfer.

05 Repeat steps no. 3 and 4 for each domain name registered with Amazon Route 53 or transferred to Route 53.

Remediation / Resolution

To reconfigure the domain names registered with Amazon Route 53 in order to enable the Transfer Lock feature, perform the following actions:

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_route53domains_registered_domain" "route53-registered-domain" {

	domain_name = "domain.com"

	name_server {
		name = "ns-500.domain-dns.com"
	}

	name_server {
		name = "ns-905.domain-dns.net"
	}

	tags = {
		Owner = "IT"
	}

	# Sets the clientTransferProhibited EPP status on the domain
	transfer_lock = true

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Route 53 console at https://console.aws.amazon.com/route53/.

03 In the main navigation panel, under Domains, choose Registered domains.

04 Click on the Route 53 registered domain name that you want to reconfigure.

05 On the selected domain name page, in the details section, choose Enable next to Transfer lock to enable the Transfer Lock feature for the registered domain name. The Transfer lock feature status should now change to Enabled.

06 Repeat steps no. 4 and 5 for each domain name registered with Amazon Route 53 or transferred to Route 53.

Using AWS CLI

01 Run enable-domain-transfer-lock command (OSX/Linux/UNIX) using the domain name that you want to reconfigure as the identifier parameter, to enable the Transfer Lock feature and lock the specified domain so that it can't be transferred to another registrar:

aws route53domains enable-domain-transfer-lock \
  --region us-east-1 \
  --domain-name cloudconformity.com

02 The command output should return an operation ID that can be used to track the progress and completion of the enable-domain-transfer-lock command request:

{
	"OperationId": "abcd1234-abcd-1234-abcd-1234abcd1234"
}

03 Repeat steps no. 1 and 2 for each domain name registered with Amazon Route 53 or transferred to Route 53.
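The audit steps above (list-domains, then get-domain-detail per domain) and the remediation step (enable-domain-transfer-lock per unlocked domain) are the same loop, so a single script can do both. The following is an added example, not code from the Conformity page or from AWS: it walks every domain registered with or transferred to Route 53, reports the ones whose StatusList lacks "clientTransferProhibited", and, only when ENABLE_LOCK=1 is set, locks them. It assumes the AWS CLI is installed with credentials that allow route53domains:ListDomains, GetDomainDetail and EnableDomainTransferLock; the sample StatusList JSON used for the offline demonstration is constructed, and the ROUTE53_LIVE and ENABLE_LOCK environment variables are names chosen for this example.

```shell
#!/usr/bin/env bash
# Added example (not part of the Conformity rule page): audit Route 53 domains
# for the clientTransferProhibited EPP status and optionally enable the lock.
set -eu

# Route 53 Domains is served only from us-east-1.
REGION=us-east-1

# Constructed sample StatusList outputs, mirroring the shape returned by
# `aws route53domains get-domain-detail --query StatusList`.
SAMPLE_LOCKED='[ "clientDeleteProhibited", "clientTransferProhibited", "clientUpdateProhibited" ]'
SAMPLE_UNLOCKED='[ "clientDeleteProhibited", "clientUpdateProhibited" ]'

# has_transfer_lock STATUS_JSON
# Exit 0 when the StatusList JSON contains the clientTransferProhibited status
# code, 1 otherwise. Works on the JSON text so it can be tested without AWS.
# The surrounding quotes keep the match to the exact status token.
has_transfer_lock() {
    printf '%s' "$1" | grep -Fq '"clientTransferProhibited"'
}

# classify_domain DOMAIN STATUS_JSON
# Print one tab-separated line: "<domain>\tLOCKED" or "<domain>\tUNLOCKED".
classify_domain() {
    if has_transfer_lock "$2"; then
        printf '%s\tLOCKED\n' "$1"
    else
        printf '%s\tUNLOCKED\n' "$1"
    fi
}

# audit_all_domains
# Live audit over every registered/transferred domain. Prints one line per
# domain and exits non-zero if any domain is unlocked (useful in CI). With
# ENABLE_LOCK=1 it also enables the lock on each unlocked domain and prints
# the OperationId, which can be polled with get-operation-detail.
audit_all_domains() {
    unlocked=0
    for domain in $(aws route53domains list-domains --region "$REGION" \
                      --query 'Domains[*].DomainName' --output text); do
        status_json=$(aws route53domains get-domain-detail --region "$REGION" \
                        --domain-name "$domain" --query 'StatusList' --output json)
        classify_domain "$domain" "$status_json"
        if ! has_transfer_lock "$status_json"; then
            unlocked=$((unlocked + 1))
            if [ "${ENABLE_LOCK:-0}" = "1" ]; then
                aws route53domains enable-domain-transfer-lock --region "$REGION" \
                    --domain-name "$domain" --query 'OperationId' --output text
            fi
        fi
    done
    [ "$unlocked" -eq 0 ]
}

# ROUTE53_LIVE=1 runs the real audit; otherwise demonstrate the classification
# logic on the constructed samples so the script runs offline.
if [ "${ROUTE53_LIVE:-0}" = "1" ]; then
    audit_all_domains
else
    classify_domain "locked.example" "$SAMPLE_LOCKED"
    classify_domain "unlocked.example" "$SAMPLE_UNLOCKED"
fi
```

Run `ROUTE53_LIVE=1 ./route53-transfer-lock.sh` to audit only, and `ROUTE53_LIVE=1 ENABLE_LOCK=1 ./route53-transfer-lock.sh` to remediate; the non-zero exit when an unlocked domain is found lets the script double as a scheduled check. Note that enable-domain-transfer-lock is asynchronous, so a domain reported UNLOCKED may still show no "clientTransferProhibited" status until the returned operation completes.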

Publication date May 6, 2016