turbot/steampipe-mod-aws-compliance

Control: 2 Route 53 public hosted zones should log DNS queries

Description

This control checks if DNS query logging is enabled for an Amazon Route 53 public hosted zone. The control fails if DNS query logging isn't enabled for a Route 53 public hosted zone.

Logging DNS queries for a Route 53 hosted zone addresses DNS security and compliance requirements and grants visibility. The logs include information such as the domain or subdomain that was queried, the date and time of the query, the DNS record type (for example, A or AAAA), and the DNS response code (for example, NoError or ServFail). When DNS query logging is enabled, Route 53 publishes the log files to Amazon CloudWatch Logs.

Remediation

To log DNS queries for Route 53 public hosted zones, see Configuring logging for DNS queries in the Amazon Route 53 Developer Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_route53_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_route53_2 --share

SQL

This control uses a named query:

select
  id as resource,
  case
    -- private hosted zones do not support query logging, so they are out of scope
    when private_zone then 'skip'
    -- pass only when at least one query logging config is attached;
    -- 'and' (not 'or') so an empty array is not reported as enabled
    when query_logging_configs is not null
      and jsonb_array_length(query_logging_configs) > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when private_zone then title || ' is a private hosted zone.'
    when query_logging_configs is not null
      and jsonb_array_length(query_logging_configs) > 0 then title || ' query logging to CloudWatch enabled.'
    else title || ' query logging to CloudWatch disabled.'
  end as reason,
  region,
  account_id
from
  aws_route53_zone;
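To see where each public zone's query logs actually go, rather than only a pass/fail status, the following query expands the logging configs per zone. It is an added example, not part of the mod, and assumes each element of the Steampipe aws_route53_zone.query_logging_configs array carries the Route 53 API's CloudWatchLogsLogGroupArn key.

```sql
-- Added example (not from the mod): one row per public hosted zone and
-- attached query logging config, with the CloudWatch log group ARN.
-- Assumes query_logging_configs elements use the Route 53 API key
-- "CloudWatchLogsLogGroupArn"; adjust the key if your plugin differs.
select
  z.title,
  z.id as hosted_zone_id,
  z.account_id,
  cfg ->> 'CloudWatchLogsLogGroupArn' as log_group_arn,
  case
    -- left join lateral yields a null cfg for zones with no configs
    when cfg is null then 'alarm'
    else 'ok'
  end as status
from
  aws_route53_zone as z
  left join lateral jsonb_array_elements(
    coalesce(z.query_logging_configs, '[]'::jsonb)
  ) as cfg on true
where
  not z.private_zone
order by
  status,
  z.title;
```

Zones in 'alarm' are the ones to remediate; for zones in 'ok', confirm the listed log group has a retention policy and access controls that meet your requirements.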

Tags