Profile Applicability:
- Level 1
Description:
This control ensures that Amazon Route 53 public hosted zones have DNS query logging enabled and that these logs are sent to Amazon CloudWatch Logs. Enabling query logging provides visibility into DNS requests received by Route 53, allowing administrators to monitor access patterns, detect anomalies, and investigate security incidents such as DNS-based attacks or data exfiltration attempts.
Rationale:
DNS query logs are essential for troubleshooting, detecting, and responding to security events. Without query logging, organizations lose visibility into domain name resolutions that could indicate compromised hosts, misconfigurations, or malicious activities such as DNS tunneling. Enabling query logging supports compliance with regulatory requirements and enhances forensic capabilities.
Impact:
- Positive Impact:
  - Provides detailed visibility into DNS traffic for security and operational insights.
  - Enables detection of suspicious or unauthorized domain queries.
  - Supports compliance and incident response requirements.
- Negative Impact:
  - May incur additional CloudWatch logging and storage costs depending on query volume.
Default Value:
By default, Route 53 public hosted zones do not have query logging enabled. Logging must be configured manually for each hosted zone.
Pre-Requisite:
A CloudWatch Logs group must be created in the same AWS Region where Route 53 queries are logged.
IAM permissions required:
- route53:CreateQueryLoggingConfig
- route53:ListQueryLoggingConfigs
- logs:CreateLogGroup
- logs:PutResourcePolicy
Remediation
Test Plan
Using AWS Console:
- Sign in to the AWS Management Console.
- Navigate to Route 53 → Hosted zones → Public hosted zones.
- Select a hosted zone.
- In the Query logging section, check whether Query logging is enabled.
- Confirm that the logs are being delivered to a CloudWatch Logs group.
- If logging is not enabled, proceed with the implementation plan below.
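Checking zones one at a time in the console does not scale; the following script is an added example (not part of this control text) that performs the same test across an account by comparing the hosted zones against the existing query logging configurations. It assumes the response shapes of the Route 53 ListHostedZones and ListQueryLoggingConfigs API calls; the sample zones and configuration are constructed, and the live lookup needs boto3 plus the two list permissions.

```python
from typing import Iterable, List


def zone_key(zone_id: str) -> str:
    # ListHostedZones returns Ids as "/hostedzone/Z123", while
    # ListQueryLoggingConfigs returns the bare "Z123"; normalise both.
    return zone_id.rsplit("/", 1)[-1]


def find_unlogged_public_zones(hosted_zones: Iterable[dict],
                               logging_configs: Iterable[dict]) -> List[dict]:
    """Return public hosted zones that have no query logging configuration."""
    logged = {zone_key(c["HostedZoneId"]) for c in logging_configs}
    findings = []
    for zone in hosted_zones:
        if zone.get("Config", {}).get("PrivateZone", False):
            continue  # this control covers public hosted zones only
        if zone_key(zone["Id"]) not in logged:
            findings.append({"Id": zone_key(zone["Id"]), "Name": zone["Name"]})
    return findings


def audit_live_account() -> List[dict]:
    """Fetch real data with boto3 (needs route53:ListHostedZones and
    route53:ListQueryLoggingConfigs); imported lazily so the module loads offline."""
    import boto3
    r53 = boto3.client("route53")
    zones, configs = [], []
    for page in r53.get_paginator("list_hosted_zones").paginate():
        zones.extend(page["HostedZones"])
    for page in r53.get_paginator("list_query_logging_configs").paginate():
        configs.extend(page["QueryLoggingConfigs"])
    return find_unlogged_public_zones(zones, configs)


# Constructed sample data: two public zones (one logged) and one private zone
SAMPLE_ZONES = [
    {"Id": "/hostedzone/Z0EXAMPLEPUBLIC1", "Name": "example.com.", "Config": {"PrivateZone": False}},
    {"Id": "/hostedzone/Z0EXAMPLEPUBLIC2", "Name": "example.net.", "Config": {"PrivateZone": False}},
    {"Id": "/hostedzone/Z0EXAMPLEPRIVATE", "Name": "corp.internal.", "Config": {"PrivateZone": True}},
]
SAMPLE_CONFIGS = [{"Id": "cfg-1", "HostedZoneId": "Z0EXAMPLEPUBLIC1",
                   "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/route53/example.com"}]

if __name__ == "__main__":
    for z in find_unlogged_public_zones(SAMPLE_ZONES, SAMPLE_CONFIGS):
        print(f"NON-COMPLIANT: {z['Name']} ({z['Id']}) has no query logging")
```

Any zone the script reports fails this control; run `audit_live_account()` with credentials for the account under review to check real data.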
Implementation Plan
Using AWS Console:
- Navigate to Route 53 → Hosted zones → Public hosted zones.
- Select the hosted zone you want to enable logging for.
- Under the Query logging section, click Configure query logging.
- Choose an existing CloudWatch Logs group or create a new one.
- Select an IAM role that allows Route 53 to publish logs to CloudWatch Logs (or create one automatically).
- Click Save configuration to enable query logging.
Backout Plan
Using AWS Console:
- Navigate to Route 53 → Hosted zones → Public hosted zones.
- Select the hosted zone.
- Under Query logging, click Delete query logging configuration.
- Confirm the deletion to stop sending logs to CloudWatch Logs.
References: