Logo of Trend Micro

Route 53 Domain Transfer Lock

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (not acceptable risk)
Rule ID: Route53-003

Ensure that your AWS Route 53 registered domains are locked to prevent any unauthorized transfers to another domain name registrar. Your domain names must have the Transfer Lock feature enabled. This feature sets the clientTransferProhibited flag which is a registry setting enabled by the registrar to force all transfer requests to be rejected automatically.

This rule can help you with the following compliance standards:

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Enabling transfer locking for your domain names registered with AWS Route 53 or transferred to AWS Route 53 will provide an extra protection against domain hijacking.

Audit

To determine if your domain names have the Transfer Lock feature enabled, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Route 53 dashboard at https://console.aws.amazon.com/route53/.

03 In the left navigation panel, under Domains, click Registered Domains.

04 Select the domain name that you want to examine.

05 On the Your Domains > <domain name> page, check the Transfer Lock setting status. If the current status is set to Disabled, the transfer locking is not enabled for the selected domain name and the risk of being transferred to another registrar without your knowledge is high.

06 Repeat step no. 4 and 5 for each registered domain name available in your AWS account.

Using AWS CLI

01 Run list-domains command (OSX/Linux/UNIX) to list all the domain names registered with AWS Route 53 or transferred to AWS Route 53: 

aws route53domains list-domains
	--query 'Domains[*].DomainName'

02 The command output should return each domain name currently available: 

[
    "myawsdomain.com"
]

03 Run get-domain-detail command (OSX/Linux/UNIX) using the domain name returned at the previous step, to determine if the Transfer Lock feature is enabled for the selected domain: 

aws route53domains get-domain-detail
	--domain-name myawsdomain.com
	--query 'StatusList'

04 The command output should return an array of EPP status codes (Extensible Provisioning Protocol status codes) which indicate the current status of the domain name registration: 

[
    clientDeleteProhibited,
    clientUpdateProhibited
]

If the returned array does not include the clientTransferProhibited status code, the transfer locking setting (Route 53 Transfer Lock feature) is not enabled, which means that the selected domain name is not protected against domain hijacking.

05 Repeat step no. 3 and 4 for each registered domain name available in your AWS account.

Remediation / Resolution

To update your AWS Route 53 domain names configuration and enable transfer locking, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Route 53 dashboard at https://console.aws.amazon.com/route53/.

03 In the left navigation panel, under Domains, click Registered Domains.

04 Select the domain name that you want to update.

05 On the Your Domains > <domain name> page, click Enable next to Transfer Lock to enable the feature. The AWS Route 53 Transfer Lock feature status should now change to Enabled.

06 Repeat steps no. 4 and 5 for each registered domain name available in your AWS account.

Using AWS CLI

01 Run list-domains command (OSX/Linux/UNIX) to list all the domain names registered with AWS Route 53 or transferred to AWS Route 53: 

aws route53domains list-domains
	--query 'Domains[*].DomainName'

02 The command output should return each domain name currently available: 

[
    "myawsdomain.com"
]

03 Run enable-domain-transfer-lock command (OSX/Linux/UNIX) using the domain name returned at the previous step, to enable the Route 53 Transfer Lock feature and set the clientTransferProhibited EPP status for the selected domain: 

aws route53domains enable-domain-transfer-lock
	--domain-name myawsdomain.com

04 The command output should return an operation ID that can be used to track the domain name transfer lock request progress: 

{
   "OperationId":"5f970c95-a5ba-40ca-53c8-0c79cf0a9db76b"
}

05 Repeat step no. 3 and 4 for each domain name registered with AWS or transferred to AWS.

References

Publication date May 6, 2016

Related Route53 rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Route 53 Domain Transfer Lock

Risk level: Medium