Description:
Transfer lock is a feature in Amazon Route 53 that prevents unauthorized transfers of your domain to another registrar. This helps to protect your domain from being hijacked or transferred to a malicious actor.

Rationale:
Enabling transfer lock is a best practice for security and domain ownership. It helps to protect your domain from being transferred to someone else without your permission.

Impact:
Enabling transfer lock will prevent your domain from being transferred to another registrar without your permission. This will make it more difficult for someone to hijack your domain or use it for malicious purposes.

Default Value:
By default, transfer lock is disabled for Route 53 domains.

Pre-requisites:

  • You must have access to the Route 53 console.
  • You must know the domain name that you want to enable transfer lock for.
Remediation Steps:

  1. Sign in to the Route 53 console.
  2. In the left navigation pane, click Domains.
  3. Click the name of the domain that you want to enable transfer lock for.
  4. In the Domain Settings section, click Transfer Lock.
  5. Select Enable Transfer Lock.
  6. Click Save.

Test Plan:

  1. After you have enabled transfer lock, verify that it is in effect by performing a WHOIS lookup on the domain name.
  2. The WHOIS output should list clientTransferProhibited among the domain's status codes.

Implementation Plan:

AWS CLI:

# The Route 53 Domains API is served only from us-east-1, so the region must be set
aws route53domains enable-domain-transfer-lock --domain-name example.com --region us-east-1

AWS GUI:

  1. Sign in to the Route 53 console.
  2. In the left navigation pane, click Domains.
  3. Click the name of the domain that you want to enable transfer lock for.
  4. In the Domain Settings section, click Transfer Lock.
  5. Select Enable Transfer Lock.
  6. Click Save.

Backout Plan:
To back out of enabling transfer lock, you can follow the same steps as the remediation steps, but select Disable Transfer Lock instead of Enable Transfer Lock.

Note:

  • You can enable transfer lock for all of your Route 53 domains at once by using the AWS CLI or the AWS GUI.
  • You can also disable transfer lock for a domain if you need to.
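The test-plan check and the CLI step, carried across every domain in the account as the note above suggests, as an added example that is not AWS documentation code. It assumes the three Route 53 Domains API calls that boto3 exposes on a `route53domains` client created with `region_name="us-east-1"` (ListDomains, GetDomainDetail, EnableDomainTransferLock); `client` is any object with those methods, and `FakeRoute53Domains` is a constructed offline stand-in so the audit runs without AWS credentials.

```python
LOCK_STATUS = "clientTransferProhibited"  # EPP status WHOIS shows once the lock is on


def list_all_domains(client):
    """Follow ListDomains pagination (NextPageMarker -> Marker); return every record."""
    domains, marker = [], None
    while True:
        page = client.list_domains(**{"MaxItems": 100, **({"Marker": marker} if marker else {})})
        domains.extend(page.get("Domains", []))
        marker = page.get("NextPageMarker")
        if not marker:
            return domains


def is_locked(client, domain_name):
    """Test-plan check via the API: StatusList must contain clientTransferProhibited."""
    return LOCK_STATUS in client.get_domain_detail(DomainName=domain_name).get("StatusList", [])


def enforce_transfer_lock(client, remediate=False):
    """Map each domain to 'locked', 'unlocked' or 'lock-requested' (remediate=True)."""
    result = {}
    for record in list_all_domains(client):
        name = record["DomainName"]
        if is_locked(client, name):
            result[name] = "locked"
        elif remediate:
            client.enable_domain_transfer_lock(DomainName=name)  # async; returns OperationId
            result[name] = "lock-requested"  # re-run the audit once the operation completes
        else:
            result[name] = "unlocked"
    return result


class FakeRoute53Domains:
    """Constructed offline stand-in for boto3.client('route53domains', region_name='us-east-1')."""
    def __init__(self):
        # constructed data: two domains over two pages, example.net not yet locked
        self.status = {"example.com": ["ok", LOCK_STATUS], "example.net": ["ok"]}
        self.requested = []

    def list_domains(self, MaxItems=100, Marker=None):
        names = sorted(self.status)
        if Marker is None:
            return {"Domains": [{"DomainName": names[0]}], "NextPageMarker": names[1]}
        return {"Domains": [{"DomainName": n} for n in names if n >= Marker]}

    def get_domain_detail(self, DomainName):
        return {"DomainName": DomainName, "StatusList": list(self.status[DomainName])}

    def enable_domain_transfer_lock(self, DomainName):
        self.requested.append(DomainName)
        return {"OperationId": "constructed-operation-id"}
```

Against a real account, pass `boto3.client("route53domains", region_name="us-east-1")` as `client`; EnableDomainTransferLock completes asynchronously, so re-run the audit until StatusList shows the lock.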

Reference:
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-lock.html