Profile Applicability:
- Level 1
Description:
Amazon Route 53 is a scalable Domain Name System (DNS) web service that manages your domain registration, DNS routing, and health checking. A registered domain that carries no transfer lock can be moved to another registrar by anyone who obtains its authorization (EPP) code and approves the transfer request at the gaining registrar. For high-value or sensitive domains it is crucial to block such transfers to protect the domain's ownership and mitigate the risk of domain hijacking.
Transfer Lock is a registrar-level control: when it is enabled, Route 53 sets the clientTransferProhibited status on the domain at the registry, and the registry rejects transfer requests until the lock is explicitly disabled. Enabling Transfer Lock therefore adds a layer of protection that is independent of the authorization code, ensuring that the domain stays with Route 53 unless someone with the right IAM permission unlocks it first.
This SOP ensures that Transfer Lock is enabled for every domain registered in Route 53 whose TLD supports it, thereby enhancing the domain's security.
Rationale:
Enabling Transfer Lock for your domain helps ensure:
Domain Security: Prevents unauthorized parties from transferring your domain to another registrar, even if they have obtained the authorization code.
Protection from Hijacking: Reduces the risk of domain hijacking or accidental transfers, either of which can redirect your brand's web and mail traffic to infrastructure you do not control.
Enhanced Control: Makes a transfer a deliberate two-step action (unlock, then transfer), so the domain stays under your ownership and management unless you decide otherwise.
Impact:
Pros:
Increased Security: Prevents unauthorized transfers, safeguarding your domain from malicious activity or accidental changes.
Protection Against Hijacking: Helps prevent attackers from transferring your domain to a different registrar, thus protecting your brand.
Compliance: Aligns with widely accepted domain security best practices; organizations that are subject to domain-related regulatory or contractual requirements may also need it as evidence of control.
Cons:
Inflexibility: If you need to transfer your domain to another registrar for any reason (e.g., changing providers), you must first disable the transfer lock and wait for the registry to clear the clientTransferProhibited status.
Management Overhead: Requires an additional administrative action to enable and disable the lock, and a periodic audit to confirm that no domain has been unlocked, adding a small management overhead.
Default Value:
Do not rely on a default. Whether a newly registered or transferred-in domain starts with Transfer Lock enabled, and whether the lock is available at all, depends on the TLD: some TLDs (several country-code TLDs in particular) do not support transfer locking, and Route 53 rejects the enable request for those. Audit every domain individually, and treat any domain that reports TransferLock false as non-compliant.
Pre-requisite:
AWS IAM Permissions:
route53domains:ListDomains
route53domains:GetDomainDetail
route53domains:EnableDomainTransferLock
route53domains:DisableDomainTransferLock
route53domains:GetOperationDetail
AWS CLI installed and configured. The Route 53 Domains API is served only from the us-east-1 region, so every route53domains command below must be run with --region us-east-1 (or with us-east-1 configured as the default region), regardless of where your hosted zones live.
Domain registered with Amazon Route 53 (or transferred in), with a TLD that supports transfer locking.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Route 53 under Services.
In the Route 53 Dashboard, click on Registered Domains.
Select the domain for which you want to enable Transfer Lock.
Under the Domain Details section, check whether Transfer Lock is enabled:
If Transfer Lock is not enabled, there will be an option to Enable Transfer Lock.
Enable Transfer Lock by following the on-screen instructions and confirm the action.
After enabling, confirm that the domain is locked: the domain details should show Transfer Lock as enabled, and a WHOIS/RDAP lookup of the domain should list the clientTransferProhibited status. Do not test by attempting a real transfer; that would generate a transfer request at another registrar and, if the lock has not yet propagated, could succeed.
Using AWS CLI:
To check whether Transfer Lock is enabled, list the registered domains in the account; the TransferLock field of each domain summary reports the lock state:
aws route53domains list-domains --region us-east-1
The output shows one entry per domain, for example:
{ "Domains": [ { "DomainName": "<domain-name>", "AutoRenew": true, "TransferLock": true, "Expiry": "<timestamp>" } ] }
To confirm the registry-side status of a single domain, query its details; when the lock is in effect, the StatusList contains clientTransferProhibited (get-domain-detail does not return a TransferLock field):
aws route53domains get-domain-detail --domain-name <domain-name> --region us-east-1
If Transfer Lock is disabled, enable it by running:
aws route53domains enable-domain-transfer-lock --domain-name <domain-name> --region us-east-1
The command returns an OperationId. Wait until the operation reports SUCCESSFUL, then list the domains again and confirm that TransferLock is true.
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console and navigate to Route 53.
In the Route 53 Dashboard, go to Registered Domains and select the domain to which you want to apply Transfer Lock.
In the Domain Details, under the Transfer Lock section, click on Enable Transfer Lock.
Confirm the action to apply Transfer Lock.
After the lock is applied, confirm that the Transfer Lock is enabled by checking the domain details.
Using AWS CLI:
To enable Transfer Lock for a domain, use the following command:
aws route53domains enable-domain-transfer-lock --domain-name <domain-name> --region us-east-1
The command returns an OperationId. The lock is applied asynchronously at the registry; track the operation until its Status is SUCCESSFUL (or investigate if it reports ERROR or FAILED, which is what you will see for a TLD that does not support locking):
aws route53domains get-operation-detail --operation-id <operation-id> --region us-east-1
Verify the status of the Transfer Lock:
aws route53domains list-domains --region us-east-1
Ensure that TransferLock is true for the domain in the output, and that the StatusList returned by get-domain-detail includes clientTransferProhibited.
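The Test Plan and Implementation Steps above amount to one procedure: list every domain, find the ones without a lock, enable the lock, wait for the operation, and verify the registry-side status. The script below carries that procedure out for all domains in an account with boto3 (the same API calls the CLI commands above make). It is an added example written for this SOP, not AWS-provided code; the report structure, the --apply flag, and the generic exception handling around the enable call are this example's own conventions, and the us-east-1 endpoint requirement is the one stated in the Pre-requisite section.

```python
"""Audit Route 53 registered domains for Transfer Lock and optionally enforce it.

Dry run (report only):   python route53_transfer_lock.py
Enable missing locks:    python route53_transfer_lock.py --apply
"""
import time

# EPP status the registry sets when the registrar-side transfer lock is active.
TRANSFER_LOCK_STATUS = "clientTransferProhibited"


def make_client():
    """Route 53 Domains is served only from us-east-1, wherever the hosted zones live."""
    import boto3  # imported here so the pure audit helpers stay importable without boto3
    return boto3.client("route53domains", region_name="us-east-1")


def list_all_domains(client):
    """Page through ListDomains (Marker/NextPageMarker) and return every DomainSummary."""
    summaries, marker = [], None
    while True:
        kwargs = {"MaxItems": 100}
        if marker:
            kwargs["Marker"] = marker
        page = client.list_domains(**kwargs)
        summaries.extend(page.get("Domains", []))
        marker = page.get("NextPageMarker")
        if not marker:
            return summaries


def unlocked_domains(summaries):
    """Names of domains whose ListDomains summary reports TransferLock false (or absent)."""
    return sorted(d["DomainName"] for d in summaries if not d.get("TransferLock", False))


def detail_is_locked(detail):
    """True if a GetDomainDetail response carries clientTransferProhibited in StatusList."""
    return TRANSFER_LOCK_STATUS in detail.get("StatusList", [])


def wait_for_operation(client, operation_id, timeout=300, interval=5, sleep=time.sleep):
    """Poll GetOperationDetail until the operation leaves SUBMITTED/IN_PROGRESS."""
    deadline = time.monotonic() + timeout
    while True:
        status = client.get_operation_detail(OperationId=operation_id)["Status"]
        if status not in ("SUBMITTED", "IN_PROGRESS"):
            return status
        if time.monotonic() > deadline:
            return "TIMEOUT"  # this example's own sentinel, not an API status
        sleep(interval)


def enforce_transfer_lock(client, dry_run=True, sleep=time.sleep):
    """Audit every domain; unless dry_run, enable the lock where missing and verify it.

    Returns a report dict: locked/unlocked as found, enabled (verified at the registry),
    and failed (domain -> reason, e.g. a TLD that does not support locking).
    """
    summaries = list_all_domains(client)
    report = {
        "locked": sorted(d["DomainName"] for d in summaries if d.get("TransferLock")),
        "unlocked": unlocked_domains(summaries),
        "enabled": [],
        "failed": {},
    }
    if dry_run:
        return report
    for name in report["unlocked"]:
        try:
            op_id = client.enable_domain_transfer_lock(DomainName=name)["OperationId"]
            status = wait_for_operation(client, op_id, sleep=sleep)
            if status != "SUCCESSFUL":
                report["failed"][name] = f"operation {op_id} ended with status {status}"
                continue
            # Trust the registry-side status, not the fact that the API call returned.
            if detail_is_locked(client.get_domain_detail(DomainName=name)):
                report["enabled"].append(name)
            else:
                report["failed"][name] = f"{TRANSFER_LOCK_STATUS} not present after enable"
        except Exception as exc:  # botocore raises a service error for unsupported TLDs
            report["failed"][name] = str(exc)
    return report


if __name__ == "__main__":
    import json
    import sys
    print(json.dumps(enforce_transfer_lock(make_client(), dry_run="--apply" not in sys.argv), indent=2))
```

Run it in dry-run mode first and review the "unlocked" list: a domain that appears there repeatedly across audits, with the same failure reason, is usually a TLD that does not support locking and should be documented as an accepted exception rather than retried.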
Backout Plan:
If enabling Transfer Lock causes issues (e.g., you need to transfer the domain to another registrar but the lock is active):
Identify the domain that is locked and record who approved the unlock and why.
To disable Transfer Lock, run:
aws route53domains disable-domain-transfer-lock --domain-name <domain-name> --region us-east-1
The command returns an OperationId; wait until the operation reports SUCCESSFUL. Verify that Transfer Lock is now disabled:
aws route53domains list-domains --region us-east-1
Ensure that TransferLock is false for the domain in the output, and that clientTransferProhibited no longer appears in the StatusList returned by get-domain-detail. Re-enable the lock as soon as the transfer is complete or abandoned.
Note :
Transfer Lock Limitations: Once Transfer Lock is enabled, you will need to manually disable it before you can transfer the domain to another registrar, and some TLDs do not support the lock at all. Ensure that you carefully consider this before applying the lock, and document any domains that cannot be locked as accepted exceptions.
Additional Security: The lock only protects against transfers initiated outside your AWS account; any principal with route53domains:DisableDomainTransferLock can remove it. Grant that permission to as few principals as possible, require MFA for them, and alert on DisableDomainTransferLock calls in CloudTrail. Consider combining Transfer Lock with WHOIS privacy protection (so contact details cannot be used in social-engineering attempts against the registrar) to further safeguard your domain.