AWS-AWS-Route53-Zones-are-not-logging-to-Cloudwatch
Severity: Medium
Description: This control ensures that AWS Route 53 hosted zones are configured to log DNS queries to CloudWatch for monitoring purposes. Monitoring the queries is an important part of maintaining the reliability, availability, and performance of the hosted zone.
Remediation Steps:
Perform the following to enable query logging for the hosted zone:
Login to the AWS Management Console at https://console.aws.amazon.com.
Navigate to the Route 53 console.
In the navigation pane, choose Hosted zones.
Choose the hosted zone reported in the alert.
In the Hosted zone details pane, choose Configure query logging.
Choose an existing log group or create a new log group.
If an alert about permissions is shown, do one of the following:
If there are already 10 resource policies, select any of your resource policies and choose Edit. Editing gives Route 53 permission to write logs to your log groups. Choose Save.
If query logging has never been configured before, grant Route 53 permission to write logs to CloudWatch Logs log groups. Choose Grant permissions.
Choose Permissions.
Choose Create.
Important:
There is a delay of up to several hours before the hosted zone appears in CloudWatch. In addition, a DNS query for a record in the hosted zone must be submitted before any data is displayed.
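The following is an added example, not part of the original control text: it detects public hosted zones lacking a query logging configuration from data shaped like the Route 53 ListHostedZones and ListQueryLoggingConfigs API responses, and builds the CloudWatch Logs resource policy that the console's "Grant permissions" step creates for you. The zone names, IDs and account number are constructed sample values.

```python
import json

# Constructed sample shaped like Route53.list_hosted_zones()["HostedZones"].
# Private hosted zones do not support query logging, so the check skips them.
SAMPLE_ZONES = [
    {"Id": "/hostedzone/Z0EXAMPLE1", "Name": "example.com.",
     "Config": {"PrivateZone": False}},
    {"Id": "/hostedzone/Z0EXAMPLE2", "Name": "corp.example.net.",
     "Config": {"PrivateZone": False}},
    {"Id": "/hostedzone/Z0EXAMPLE3", "Name": "internal.example.",
     "Config": {"PrivateZone": True}},
]

# Constructed sample shaped like list_query_logging_configs()["QueryLoggingConfigs"].
# The API returns HostedZoneId without the "/hostedzone/" prefix.
SAMPLE_CONFIGS = [
    {"Id": "11111111-2222-3333-4444-555555555555",
     "HostedZoneId": "Z0EXAMPLE1",
     "CloudWatchLogsLogGroupArn":
         "arn:aws:logs:us-east-1:123456789012:log-group:/aws/route53/example.com"},
]

def zone_id(zone):
    """Strip the '/hostedzone/' prefix so IDs compare with the configs' IDs."""
    return zone["Id"].rsplit("/", 1)[-1]

def zones_without_query_logging(zones, configs):
    """Return the names of public hosted zones with no query logging config."""
    logged = {c["HostedZoneId"] for c in configs}
    return sorted(z["Name"] for z in zones
                  if not z["Config"].get("PrivateZone", False)
                  and zone_id(z) not in logged)

def route53_log_resource_policy(account_id, region="us-east-1"):
    """CloudWatch Logs resource policy letting Route 53 write query logs.
    Route 53 query logging requires the log group to be in us-east-1 with a
    name under /aws/route53/; the policy grants only the two write actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Route53QueryLogging",
            "Effect": "Allow",
            "Principal": {"Service": "route53.amazonaws.com"},
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": f"arn:aws:logs:{region}:{account_id}:log-group:/aws/route53/*",
        }],
    }

if __name__ == "__main__":
    for name in zones_without_query_logging(SAMPLE_ZONES, SAMPLE_CONFIGS):
        print(f"FINDING (Medium): query logging not enabled for {name}")
    print(json.dumps(route53_log_resource_policy("123456789012"), indent=2))
```

With live data, the two sample lists would be replaced by the paginated output of the corresponding Route 53 API calls.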
Reference:
Blue Hexagon Proprietary