Ensure CloudWatch logging is enabled for AWS Route53 hosted zones

MEDIUM

Description

Enabling query logging on a Route53 hosted zone sends a record of the DNS queries it answers to CloudWatch Logs, where the data is retained for analysis. Analyzing these logs in CloudWatch helps with performance troubleshooting and error checking. For more information on Route53 query logging, see the AWS documentation.
Resources:
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/query-logs.html

Remediation

In AWS Console -

  1. Sign in to the AWS Console and open the Route53 Console.
  2. Under Resolver, select Query Logging.
  3. Follow the steps in the wizard to configure query logging as needed.

In Terraform -

  1. For each aws_route53_zone resource, ensure there is a corresponding aws_route53_query_log resource.
  2. In the aws_route53_query_log resource, set the cloudwatch_log_group_arn field to the ARN of the CloudWatch log group to be used for log storage.
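The two Terraform steps above, written out as a complete configuration. This is an added example, not code from the policy page or from the Terraform provider; the domain `example.com`, the region of the default provider, the log group retention and the policy name are placeholders. It also carries the two pieces the steps leave implicit: Route53 only delivers hosted-zone query logs to a CloudWatch log group in us-east-1, and the log group needs a resource policy that lets the Route53 service principal write to it.

```hcl
# Added example (not part of the original policy page). Domain, region,
# retention and policy name are placeholders.

terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}

# Default provider for the hosted zone and the query log config; any region works.
provider "aws" {
  region = "eu-west-1" # placeholder
}

# Route53 publishes hosted-zone query logs only to log groups in us-east-1,
# regardless of where the rest of the stack lives, so the log group gets
# its own aliased provider.
provider "aws" {
  alias  = "us-east-1"
  region = "us-east-1"
}

resource "aws_route53_zone" "example" {
  name = "example.com" # placeholder domain
}

# Log group in us-east-1, using the /aws/route53/<zone name> naming convention
# the Route53 console applies.
resource "aws_cloudwatch_log_group" "route53_queries" {
  provider          = aws.us-east-1
  name              = "/aws/route53/${aws_route53_zone.example.name}"
  retention_in_days = 30 # placeholder retention
}

# Resource policy allowing the Route53 service principal to create streams
# and put events into any log group under the /aws/route53/ prefix.
data "aws_iam_policy_document" "route53_query_logging" {
  statement {
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["arn:aws:logs:*:*:log-group:/aws/route53/*"]

    principals {
      type        = "Service"
      identifiers = ["route53.amazonaws.com"]
    }
  }
}

resource "aws_cloudwatch_log_resource_policy" "route53_query_logging" {
  provider        = aws.us-east-1
  policy_document = data.aws_iam_policy_document.route53_query_logging.json
  policy_name     = "route53-query-logging-policy" # placeholder name
}

# The resource this rule looks for: one aws_route53_query_log per hosted zone,
# with cloudwatch_log_group_arn pointing at the log group above. The explicit
# depends_on makes sure the resource policy exists before Route53 tries to
# validate that it can write to the group.
resource "aws_route53_query_log" "example" {
  depends_on = [aws_cloudwatch_log_resource_policy.route53_query_logging]

  cloudwatch_log_group_arn = aws_cloudwatch_log_group.route53_queries.arn
  zone_id                  = aws_route53_zone.example.zone_id
}
```

When auditing an existing configuration against this rule, every `aws_route53_zone` should be matched by an `aws_route53_query_log` whose `zone_id` references it; a zone with no matching query log resource is the finding.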

References:
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-query-logs.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_query_log

Policy Details

Rule Reference ID: AC_AWS_0204
CSP: AWS
Remediation Available: No
Resource Category: Virtual Network
Resource Type: Route53

Frameworks