Logo of Trend Micro

Root Domain Alias Records that Point to ELB

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)

Ensure that the root domain alias record points to the Elastic Load Balancer (ELB) associated with your web-server layer. To route your root domain traffic to an ELB, use Amazon Route 53 service to create an alias record that points to your load balancer. An alias record provides a Route 53–specific extension to DNS functionality. Instead of an IP address or a domain name, an alias record must contain a pointer to your Elastic Load Balancer. Prior to running this rule by the Cloud Conformity engine, your root domain needs to be configured in the rule settings, on your Cloud Conformity account dashboard.

Reliability

The Amazon Route 53 hosted zone can hold a special record type called "alias" that allows you to create an A record for the root domain and point it to the fully qualified domain (FQDN) of the AWS ELB associated with your web application layer. In the same way records for all other layers should be created in order to allow flexibility in the application design and avoid hardcoding the FQDN of a resource.

Note: Ensure that you replace all <root_domain_name> placeholders found in the conformity rule content with your own root domain name.

Audit

To determine if there is a Route 53 hosted zone that contains a root domain alias record that points to your ELB, available within your AWS account, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Check for Root Domain Alias Records that Point to ELB conformity rule settings and copy the root domain name configured for your web application (e.g. <root_domain_name>).

02 Sign in to the AWS Management Console.

03 Navigate to Route 53 dashboard at https://console.aws.amazon.com/route53/.

04 In the left navigation panel, under Dashboard, click Hosted Zones.

05 Select All Types from the dropdown list available under the dashboard top menu to list all your Route 53 hosted zones.

06 Paste the name of your root domain copied at step no. 1 inside the Search all fields box and press Enter. If the search process does not return any results and the following message is displayed: "You have no hosted zones with a keyword '<root_domain_name>'", there is no AWS Route 53 hosted zone created for the domain name used by your web application, therefore there isn't a root domain alias record that points to your Elastic Load Balancer (ELB).

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Check for Root Domain Alias Records that Point to ELB conformity rule settings and copy the root domain name configured for your web application (e.g. <root_domain_name>).

02 Run list-hosted-zones command (OSX/Linux/UNIX) using the name of the domain copied at the previous step as identifier and custom query filters to list the metadata of the AWS Route 53 hosted zone created for the root domain used by your web application. Replace <root_domain_name> with your own root domain name: 

aws route53 list-hosted-zones
	--query "HostedZones[?Name == '<root_domain_name>.']"

03 The command output should return an array with the requested hosted zone metadata or an empty array if there is no hosted zone created for the specified domain name: 

[]

If the list-hosted-zones command output returns an empty array, i.e. [], as shown in the example above, there is no Amazon Route 53 hosted zone created for your root domain name, therefore there is no root domain alias record that points to your web application load balancer.

Remediation / Resolution

To update your AWS Route 53 domains configuration and enable the Auto Renew feature, perform the following:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Check for Root Domain Alias Records that Point to ELB conformity rule settings and copy your root domain name (e.g. <root_domain_name>).

02 Sign in to the AWS Management Console.

03 Navigate to Route 53 dashboard at https://console.aws.amazon.com/route53/.

04 In the left navigation panel, under Dashboard, click Hosted Zones.

05 Click Create Hosted Zones button from the AWS dashboard top menu.

06 In the Create Hosted Zone right panel, enter the following information:

  1. In the Domain Name field, paste the domain name copied at step no. 1 (e.g. <root_domain_name>).
  2. (Optional) In the Comment field, enter a description for the DNS zone.
  3. Select Public Hosted Zone from the Type dropdown list.
  4. Click Create to create the Route 53 hosted zone for the specified root domain name.

07 On your newly created hosted zone page, follow the steps outlined in this conformity rule to create and configure the root domain alias record that needs to point to your web application load balancer.

Using AWS CLI

01 Sign in to your Cloud Conformity console, access Check for Root Domain Alias Records that Point to ELB conformity rule settings and copy your root domain name (e.g. <root_domain_name>).

02 Run create-hosted-zone command (OSX/Linux/UNIX) using the name of the domain copied at the previous step for the --name parameter to create a new Amazon Route 53 hosted zone. The following command example creates a DNS hosted zone for a root domain name called <root_domain_name> and associate it with an AWS VPC identified by the ID "vpc-abcdabcd", available within the US East region. Replace <root_domain_name> with your own root domain name: 

aws route53 create-hosted-zone
	--name <root_domain_name>
	--caller-reference 2018-04-14-17:33
	--hosted-zone-config Comment="DNS hosted zone for <root_domain_name>."
	--vpc VPCRegion="us-east-1",VPCId="vpc-abcdabcd"

03 The command output should return the new hosted zone metadata: 

{
    "ChangeInfo": {
        "Status": "PENDING",
        "SubmittedAt": "2018-04-14T14:17:40.159Z",
        "Id": "/change/AAABBBCCCDDDE"
    },
    "HostedZone": {
        "ResourceRecordSetCount": 2,
        "CallerReference": "2018-04-14-17:33",
        "Config": {
            "Comment": "DNS hosted zone for .",
            "PrivateZone": false
        },
        "Id": "/hostedzone/AABBCC1234567",
        "Name": "."
    },
    "VPC": {
        "VPCId": "vpc-abcdabcd",
        "VPCRegion": "us-east-1"
    }
}

04 Follow the CLI steps outlined within this conformity rule to create and configure the root domain alias record that needs to point to your web application ELB.

References

Publication date Apr 18, 2018

Related Route53 rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Root Domain Alias Records that Point to ELB

Risk level: Medium