Amazon Route 53 Configuration Changes

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable risk)
Rule ID: Route53-009

This rule can help you with the following compliance standards:

  • APRA
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Real-Time Threat Monitoring.

Security

Monitor AWS Route 53 configuration changes. Route 53 is a highly available and scalable Domain Name System (DNS) web service that is designed to give developers and businesses an extremely reliable and cost-effective way to route end users to websites and web applications by translating domain names such as www.cloudconformity.com into the numeric IP addresses such as 192.10.0.5 that computers use to connect to each other on the Internet. You can use Amazon Route 53 to register domain names, route Internet traffic to the resources provisioned for your domain and check the health of your cloud resources such as web servers and email servers. You can use any combination of the functions provided by Route 53. For example, you can use the AWS Route 53 service both to register your domain name and to route Internet traffic for the domain, or you can use Route 53 to route Internet traffic for a domain that you registered with another domain registrar. Route 53 is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or another AWS service within Route 53. CloudTrail captures all API calls for Route 53 as events, including calls from the Route 53 console and calls made by application code to the Route 53 API. Cloud Conformity RTMA uses the information collected by AWS CloudTrail to send notifications about configuration changes made at the Route 53 DNS service level. The activity detected by Cloud Conformity RTMA, based on CloudTrail logging data, can be any user request initiated through the AWS Management Console or any AWS API request initiated programmatically using the AWS CLI or SDKs that calls any of the actions listed below:
"CreateHostedZone" - Creates a public or private DNS hosted zone.

"CreateHealthCheck" - Creates a Route 53 health check.

"CreateQueryLoggingConfig" - Creates a configuration for DNS query logging. After you create a query logging configuration, Route 53 begins to publish log data to an AWS CloudWatch Logs log group.

"CreateReusableDelegationSet" - Creates a delegation set (a group of four name servers) that can be reused by multiple hosted zones.

"CreateTrafficPolicy" - Creates a traffic policy that can be used to create multiple DNS resource record sets for one domain name or one subdomain name.

"CreateTrafficPolicyInstance" - Creates resource record sets in a specified Route 53 hosted zone based on the settings within a specified traffic policy version.

"CreateTrafficPolicyVersion" - Creates a new version of an existing traffic policy.

"CreateVPCAssociationAuthorization" - Authorizes the AWS account that created a specified VPC to submit an AssociateVPCWithHostedZone request to associate the VPC with a specified hosted zone that was created by a different account.

"ChangeResourceRecordSets" - Creates, changes or deletes a resource record set, which contains authoritative DNS information for a specified domain name or subdomain name.

"ChangeTagsForResource" - Adds, edits or deletes tags for a health check or a hosted zone.

"UpdateHealthCheck" - Updates an existing Route 53 health check.

"UpdateHostedZoneComment" - Updates the comment for a specified Route 53 hosted zone.

"UpdateTrafficPolicyComment" - Updates the comment for a specified traffic policy version.

"UpdateTrafficPolicyInstance" - Updates the resource record sets in a specified hosted zone that were created based on the settings within a selected traffic policy version.

"DeleteHealthCheck" - Deletes a Route 53 health check.

"DeleteHostedZone" - Deletes a Route 53 DNS hosted zone.

"DeleteQueryLoggingConfig" - Deletes a configuration for DNS query logging. After you delete a configuration, Amazon Route 53 stops sending query logs to AWS CloudWatch Logs.

"DeleteReusableDelegationSet" - Deletes a reusable delegation set.

"DeleteTrafficPolicy" - Deletes a traffic policy.

"DeleteTrafficPolicyInstance" - Deletes a traffic policy instance and all of the resource record sets that AWS Route 53 created when you launched the instance.

"DeleteVPCAssociationAuthorization" - Removes authorization to submit an AssociateVPCWithHostedZone request to associate a specified VPC with a hosted zone that was created by a different AWS account.

"AssociateVPCWithHostedZone" - Associates a Virtual Private Cloud (VPC) with a private hosted zone.

"DisassociateVPCFromHostedZone" - Disassociates a VPC from an AWS Route 53 private hosted zone.

To adhere to AWS security best practices and implement the principle of least privilege (i.e. the practice of providing every user, process or system the minimal amount of access required to perform its tasks), Cloud Conformity strongly recommends that you avoid, as much as possible, granting your IAM users (except the admin user) permission to change the Route 53 service configuration within your AWS account. The communication channels used to send Cloud Conformity RTMA notifications can be easily configured in your Cloud Conformity account settings. The supported communication channels for AWS Route 53 configuration change alerts are Email, SMS, Slack, PagerDuty, Zendesk and ServiceNow.
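The following added example (not Conformity's own code, nor part of the RTMA product) shows both halves of the rule in working form: it classifies CloudTrail records against the list of Route 53 configuration-change actions above, producing one alert per matching call, and it derives from that same action list an explicit IAM Deny statement that implements the least-privilege recommendation for non-admin principals. The CloudTrail records are constructed sample data in the documented record layout (eventSource, eventName, userIdentity, userAgent, requestParameters); the account ID, hosted zone ID and user names are placeholders. That CloudTrail reports console-initiated requests with a userAgent of console.amazonaws.com, and that DeleteHostedZone carries the zone under requestParameters.id rather than hostedZoneId, are assumptions drawn from CloudTrail's general documentation rather than from this page.

```python
"""Added example: detect Route 53 configuration changes in CloudTrail records
and build a matching least-privilege IAM deny policy. Not Conformity code.
"""
import json

# The mutating Route 53 actions listed on the page. Their IAM action names are
# the same API names under the "route53:" prefix.
ROUTE53_CHANGE_ACTIONS = frozenset({
    "CreateHostedZone", "CreateHealthCheck", "CreateQueryLoggingConfig",
    "CreateReusableDelegationSet", "CreateTrafficPolicy",
    "CreateTrafficPolicyInstance", "CreateTrafficPolicyVersion",
    "CreateVPCAssociationAuthorization", "ChangeResourceRecordSets",
    "ChangeTagsForResource", "UpdateHealthCheck", "UpdateHostedZoneComment",
    "UpdateTrafficPolicyComment", "UpdateTrafficPolicyInstance",
    "DeleteHealthCheck", "DeleteHostedZone", "DeleteQueryLoggingConfig",
    "DeleteReusableDelegationSet", "DeleteTrafficPolicy",
    "DeleteTrafficPolicyInstance", "DeleteVPCAssociationAuthorization",
    "AssociateVPCWithHostedZone", "DisassociateVPCFromHostedZone",
})


def is_route53_change(record: dict) -> bool:
    """True if a CloudTrail record is one of the monitored Route 53 changes.
    Both the service and the action must match: the same eventName on another
    eventSource is a different API entirely."""
    return (record.get("eventSource") == "route53.amazonaws.com"
            and record.get("eventName") in ROUTE53_CHANGE_ACTIONS)


def actor(record: dict) -> str:
    """Best-effort identity string: ARN if present, else userName, else type."""
    ident = record.get("userIdentity") or {}
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")


def alerts_from_trail(records: list) -> list:
    """Return one alert dict per monitored change, ready to hand to a notifier."""
    alerts = []
    for r in records:
        if not is_route53_change(r):
            continue
        params = r.get("requestParameters") or {}
        alerts.append({
            "time": r.get("eventTime"),
            "action": r["eventName"],
            "actor": actor(r),
            "source_ip": r.get("sourceIPAddress"),
            # Assumption: zone is under hostedZoneId for record-set changes and
            # under id for zone-level calls such as DeleteHostedZone.
            "hosted_zone": params.get("hostedZoneId") or params.get("id"),
            # Assumption: CloudTrail marks console requests with this userAgent.
            "via_console": "console.amazonaws.com" in (r.get("userAgent") or ""),
        })
    return alerts


def least_privilege_deny_policy() -> dict:
    """IAM policy document that explicitly denies every monitored change.
    Attach it to non-admin principals; an explicit Deny overrides any Allow."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyRoute53ConfigurationChanges",
            "Effect": "Deny",
            "Action": sorted(f"route53:{a}" for a in ROUTE53_CHANGE_ACTIONS),
            "Resource": "*",
        }],
    }


# Constructed CloudTrail records (not real log data); IDs are placeholders.
SAMPLE_TRAIL = [
    {"eventTime": "2018-09-07T10:15:00Z", "eventSource": "route53.amazonaws.com",
     "eventName": "ChangeResourceRecordSets",
     "userIdentity": {"type": "IAMUser", "userName": "dev-user",
                      "arn": "arn:aws:iam::123456789012:user/dev-user"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/1.16.0",
     "requestParameters": {"hostedZoneId": "ZEXAMPLE123"}},
    {"eventTime": "2018-09-07T10:16:00Z", "eventSource": "route53.amazonaws.com",
     "eventName": "ListHostedZones",  # read-only: not a configuration change
     "userIdentity": {"type": "IAMUser", "userName": "dev-user"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/1.16.0"},
    {"eventTime": "2018-09-07T10:17:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteHostedZone",  # same name, different service: ignore
     "userIdentity": {"type": "Root"}, "userAgent": "console.amazonaws.com"},
    {"eventTime": "2018-09-07T10:18:00Z", "eventSource": "route53.amazonaws.com",
     "eventName": "DeleteHostedZone",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "sourceIPAddress": "203.0.113.11", "userAgent": "console.amazonaws.com",
     "requestParameters": {"id": "ZEXAMPLE123"}},
]

if __name__ == "__main__":
    for alert in alerts_from_trail(SAMPLE_TRAIL):
        print(json.dumps(alert))
    print(json.dumps(least_privilege_deny_policy(), indent=2))
```

Run as-is, the script emits two alerts (the record-set change and the zone deletion) and drops the read-only call and the event from a different service; in a real deployment the records would come from a CloudTrail-to-S3 or CloudWatch Logs delivery rather than the inline list, and the alert dicts would be handed to whichever notification channel you use.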

Rationale

As a security best practice, you need to be aware of all the configuration changes made at the Amazon Route 53 DNS service level. AWS Route 53 effectively connects end-user requests to your infrastructure (EC2 instances, Elastic Load Balancers, S3 buckets, etc.) running within the AWS cloud; therefore, monitoring any Route 53 configuration change is essential for keeping your AWS cloud DNS infrastructure secure. Cloud Conformity RTMA can detect any configuration change request (API call) made by IAM users within your AWS account and notify you in real time via predefined communication channels.

Publication date Sep 7, 2018