Profile Applicability:
- Level 1
Description:
Amazon Route 53 is a scalable Domain Name System (DNS) web service designed to route end users to infrastructure running in AWS. When you register a domain with Route 53, WHOIS information, including contact details such as your name, address, and phone number, is publicly available by default.
Privacy Protection (also known as WHOIS privacy) helps safeguard your personal contact information by replacing it with generic information, thus preventing it from being publicly visible. Enabling Privacy Protection for a Route 53 domain helps prevent potential spam, phishing, and identity theft, while ensuring that your registration details are kept private.
This SOP ensures that Privacy Protection is enabled for the Route 53 domain, thereby improving privacy and security.
Rationale:
Enabling Privacy Protection for a Route 53 domain is essential for:
- Privacy: Prevents unauthorized individuals from accessing your personal contact information via WHOIS queries.
- Security: Protects against identity theft, phishing attacks, and spam.
- Compliance: Meets privacy requirements for businesses or individuals who need to keep their information confidential.
Impact:
Pros:
- Increased Privacy: Protects sensitive registration details, such as personal email, phone number, and address.
- Reduced Spam: Minimizes exposure to unsolicited emails or calls, protecting your domain from spam and phishing.
- Enhanced Security: Adds a layer of security by obscuring ownership details from the public.
Cons:
- Limited Contact Information: Some services, such as certain domain verification requests, may require access to the registrant's contact details.
- Additional Cost: While many registrars offer privacy protection for free, some may charge a fee for this service.
Default Value:
By default, Amazon Route 53 domains are registered without Privacy Protection enabled. You must explicitly enable this feature for each domain registered with Route 53.
Pre-requisite:
- AWS IAM Permissions:
  - route53domains:UpdateDomainContactPrivacy
  - route53domains:ListDomains
- AWS CLI installed and configured.
- A domain registered in Amazon Route 53.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Route 53 under Services.
In the Route 53 Dashboard, click on Registered Domains.
Select the domain for which you want to enable Privacy Protection.
Under the Domain Details section, check if Privacy Protection is currently enabled.
If Privacy Protection is not enabled, click on Enable Privacy Protection and confirm the action.
After enabling, confirm that the WHOIS information for the domain no longer shows personal contact details.
Using AWS CLI:
To check if Privacy Protection is enabled for a domain, run (the Route 53 Domains API is served only from the us-east-1 Region):
aws route53domains get-domain-detail --domain-name <domain-name> --region us-east-1
The output reports privacy per contact type in the AdminPrivacy, RegistrantPrivacy, and TechPrivacy attributes. If any of them is set to false, privacy protection is disabled for that contact. To enable it, run:
aws route53domains update-domain-contact-privacy --domain-name <domain-name> --admin-privacy --registrant-privacy --tech-privacy --region us-east-1
Verify that Privacy Protection is enabled:
aws route53domains get-domain-detail --domain-name <domain-name> --region us-east-1
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console and navigate to Route 53.
Go to Registered Domains under Route 53.
Select the domain you want to protect and go to the Domain Details section.
Click on Enable Privacy Protection.
Review the changes and confirm. Once enabled, WHOIS queries will display generic information instead of your personal contact details.
Using AWS CLI:
To enable Privacy Protection for a domain, run the following command:
aws route53domains update-domain-contact-privacy --domain-name <domain-name> --admin-privacy --registrant-privacy --tech-privacy --region us-east-1
Confirm the change by checking the domain details:
aws route53domains get-domain-detail --domain-name <domain-name> --region us-east-1
The output should show that AdminPrivacy, RegistrantPrivacy, and TechPrivacy are now set to true.
Backout Plan:
If enabling Privacy Protection causes issues (e.g., if you need to expose your contact information for verification purposes):
Identify the affected domain.
To disable Privacy Protection, run:
aws route53domains update-domain-contact-privacy --domain-name <domain-name> --no-admin-privacy --no-registrant-privacy --no-tech-privacy --region us-east-1
Verify that Privacy Protection is disabled by running:
aws route53domains get-domain-detail --domain-name <domain-name> --region us-east-1
Note:
WHOIS Privacy Services: WHOIS data is often required by domain registries or for compliance reasons. Ensure that the privacy settings you choose align with your operational needs.
Renewals: Privacy Protection might need to be re-enabled after domain renewals, so verify it periodically.
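The periodic verification mentioned above can be scripted across every registered domain. The following is an added example, not part of the original SOP: the function names and the sample records are constructed for illustration, and the live mode assumes the caller also holds route53domains:GetDomainDetail in addition to the permissions listed under Pre-requisite.

```python
#!/usr/bin/env python3
"""Audit Route 53 registered domains for disabled contact privacy (added example)."""
import json
import subprocess

# Contact types checked; each maps to an <Type>Privacy field in get-domain-detail
# output and to a --<type>-privacy flag on update-domain-contact-privacy.
CONTACTS = ("Admin", "Registrant", "Tech")


def exposed_contacts(detail):
    """Return contact types whose privacy flag is not true (a missing flag counts as exposed)."""
    return [c.lower() for c in CONTACTS if detail.get(c + "Privacy") is not True]


def remediation_command(domain, exposed):
    """Build the CLI command that enables privacy for the exposed contact types only."""
    flags = " ".join("--%s-privacy" % c for c in exposed)
    return ("aws route53domains update-domain-contact-privacy "
            "--domain-name %s %s --region us-east-1" % (domain, flags))


def audit(details):
    """Map each non-compliant domain name to the command that remediates it."""
    findings = {}
    for detail in details:
        exposed = exposed_contacts(detail)
        if exposed:
            findings[detail["DomainName"]] = remediation_command(detail["DomainName"], exposed)
    return findings


def aws_json(*args):
    """Run an 'aws route53domains' subcommand (us-east-1 only) and parse its JSON output."""
    cmd = ["aws", "route53domains", *args, "--region", "us-east-1", "--output", "json"]
    return json.loads(subprocess.check_output(cmd))


def fetch_details():
    """Live mode: fetch get-domain-detail output for every domain in the account."""
    names = [d["DomainName"] for d in aws_json("list-domains")["Domains"]]
    return [aws_json("get-domain-detail", "--domain-name", n) for n in names]


# Constructed sample records, trimmed to the fields this check reads.
SAMPLE = [
    {"DomainName": "example.com", "AdminPrivacy": True, "RegistrantPrivacy": True, "TechPrivacy": True},
    {"DomainName": "example.org", "AdminPrivacy": True, "RegistrantPrivacy": False, "TechPrivacy": False},
]

if __name__ == "__main__":
    for domain, fix in audit(SAMPLE).items():  # use fetch_details() to audit a real account
        print("%s: contact privacy disabled\n  fix: %s" % (domain, fix))
```

A domain whose record lacks a privacy field is reported as exposed rather than skipped, so an unexpected API response cannot pass the check silently.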