Route 53 public hosted zones have DNS query logging enabled to CloudWatch Logs, recording the DNS queries that Route 53 receives for the zone from recursive resolvers and writing them to an associated log group in us-east-1.
Risk
Missing DNS query logs removes visibility into how the zone is being used, weakening detection of:
- Data exfiltration via DNS (tunnelling through long or high-volume subdomain queries)
- Malware C2 and DGA activity (bursts of NXDOMAIN answers for names that were never registered)
- Hijacking or misconfigurations (unexpected query names, record types or resolver populations)
This degrades incident response, threatens data confidentiality and integrity, and slows availability troubleshooting.
prowler aws --checks route53_public_hosted_zones_cloudwatch_logging_enabled
Recommendation
Enable Route 53 query logging for every public hosted zone, delivering to a centralized CloudWatch Logs log group (Route 53 only delivers these logs to a log group in us-east-1). Scope the log group's resource policy to the Route 53 service principal only, set a retention period, add metric filters and alarms (for example on NXDOMAIN rates or on TXT query volume), and stream the group to your SIEM. For defense in depth, correlate DNS query logs with network and endpoint telemetry and review baselines regularly. Keep in mind what the logs can and cannot show: the source IP is the recursive resolver, not the end client, and answers served from resolver caches never reach Route 53, so repeated lookups of the same name are under-counted.
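The detection logic the recommendation describes, as an added example that is not part of the page or of Prowler: offline triage of Route 53 query log lines with awk, the same heuristics a metric filter or SIEM rule would encode. The log lines are constructed for the example; the field layout (version, timestamp, hosted zone ID, query name, query type, response code, protocol, edge location, resolver IP, EDNS client subnet) is the documented Route 53 query log format. The label-length threshold and the sample resolver IPs are illustrative choices.

```shell
# Added example (not the page's or Prowler's code): triage Route 53 query log
# lines for DNS tunnelling and DGA indicators. SAMPLE is constructed data.
set -eu

SAMPLE='1.0 2024-05-01T10:00:01Z Z0123456789ABCDEFGHIJ www.example.com A NOERROR UDP IAD12 203.0.113.10 -
1.0 2024-05-01T10:00:02Z Z0123456789ABCDEFGHIJ 4d6a7a8b9c0d1e2f3a4b5c6d7e8f90a1b2c3d4e5f6a7b8c9d0.t.example.com TXT NOERROR UDP IAD12 198.51.100.7 -
1.0 2024-05-01T10:00:03Z Z0123456789ABCDEFGHIJ xk3q9fz.example.com A NXDOMAIN UDP IAD12 198.51.100.7 -
1.0 2024-05-01T10:00:03Z Z0123456789ABCDEFGHIJ qpw8vbn.example.com A NXDOMAIN UDP IAD12 198.51.100.7 -
1.0 2024-05-01T10:00:04Z Z0123456789ABCDEFGHIJ MFRGGZDFMZTWQ2LKNNWG23TPOBYXE43UOV3HO6DZAAAA.t.example.com TXT NOERROR UDP FRA6 198.51.100.7 -
1.0 2024-05-01T10:00:05Z Z0123456789ABCDEFGHIJ zzt4lmr.example.com A NXDOMAIN TCP FRA6 198.51.100.7 203.0.113.0/24
1.0 2024-05-01T10:00:06Z Z0123456789ABCDEFGHIJ _acme-challenge.example.com TXT NOERROR UDP IAD12 203.0.113.10 -
1.0 2024-05-01T10:00:07Z Z0123456789ABCDEFGHIJ mail.example.com MX NOERROR UDP IAD12 203.0.113.10 -
1.0 2024-05-01T10:00:08Z Z0123456789ABCDEFGHIJ nosuch.example.com A NXDOMAIN UDP IAD12 203.0.113.10 -'

# Field positions in a Route 53 query log line:
#   $4 query name   $5 query type   $6 response code   $9 resolver IP

# Tunnelling heuristic: print lines whose query name ($4) contains a label
# longer than $1 characters. Encoded payloads are chunked into long labels;
# legitimate labels are rarely longer than ~32 characters.
long_label_queries() {
  awk -v max="$1" '{
    n = split($4, lab, ".")
    for (i = 1; i <= n; i++) if (length(lab[i]) > max) { print; break }
  }'
}

# DGA/C2 heuristic: NXDOMAIN answers per resolver IP, busiest first. Each IP
# is a recursive resolver fronting many clients, so compare the count with
# that resolver's own baseline rather than reading it as one infected host.
nxdomain_per_resolver() {
  awk '$6 == "NXDOMAIN" { c[$9]++ } END { for (r in c) print r, c[r] }' | sort -k2,2nr
}

# Query types by volume; a TXT- or NULL-heavy mix is another tunnelling signal.
query_type_counts() {
  awk '{ c[$5]++ } END { for (t in c) print t, c[t] }' | sort -k2,2nr
}

report() {
  echo "== labels longer than $1 chars (possible exfil)"
  printf '%s\n' "$2" | long_label_queries "$1"
  echo "== NXDOMAIN answers per resolver (possible DGA)"
  printf '%s\n' "$2" | nxdomain_per_resolver
  echo "== query types"
  printf '%s\n' "$2" | query_type_counts
}

report 32 "$SAMPLE"
```

To run the same logic over real logs, replace `$SAMPLE` with the output of `aws logs filter-log-events` or a SIEM export; the per-resolver NXDOMAIN count is what the CloudWatch metric filter in the remediation section turns into an alarm.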
Remediation
aws route53 create-query-logging-config --hosted-zone-id <HOSTED_ZONE_ID> --cloud-watch-logs-log-group-arn <LOG_GROUP_ARN>
The log group must exist in us-east-1 and must already carry a CloudWatch Logs resource policy that allows route53.amazonaws.com to call logs:CreateLogStream and logs:PutLogEvents on it; otherwise the call fails with InsufficientCloudWatchLogsResourcePolicy.
- Open the AWS Console and go to Route 53 > Hosted zones
- Select the public hosted zone
- Choose Configure query logging
- Select an existing CloudWatch Logs log group (it must be in US East (N. Virginia)) or create a new one, then save
- If prompted, allow Route 53 to write to the log group (the console creates the required CloudWatch Logs resource policy for you)
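The whole remediation as one script, added here as an example that is not part of the page or of Prowler: it creates the log group in us-east-1 with retention, attaches a least-privilege resource policy for the Route 53 service principal, enables query logging for one public hosted zone (or all of them), and adds the NXDOMAIN metric filter and alarm the recommendation calls for. Assumptions: AWS CLI v2 with credentials that may manage Route 53, CloudWatch Logs and CloudWatch alarms; the log group name, retention period, metric namespace and alarm threshold are illustrative choices, not values from the page.

```shell
# Added example (not the page's or Prowler's code): enable Route 53 public
# hosted zone query logging end to end with the AWS CLI.
# Usage: sh enable-route53-query-logging.sh <HOSTED_ZONE_ID> | all
set -eu

LOG_REGION="us-east-1"   # Route 53 delivers public zone query logs only to us-east-1
LOG_GROUP="${LOG_GROUP:-/aws/route53/public-zones}"   # assumed log group name
RETENTION_DAYS="${RETENTION_DAYS:-365}"                # assumed retention
NXDOMAIN_THRESHOLD="${NXDOMAIN_THRESHOLD:-500}"        # assumed: NXDOMAINs per 5 min

# Resource policy granting only the Route 53 service principal write access to
# this log group's streams. The aws:Source* conditions stop a hosted zone in
# another account from being pointed at our log group (confused deputy).
resource_policy_json() {
  account_id="$1"; log_group="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Route53QueryLogging",
    "Effect": "Allow",
    "Principal": {"Service": "route53.amazonaws.com"},
    "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
    "Resource": "arn:aws:logs:${LOG_REGION}:${account_id}:log-group:${log_group}:*",
    "Condition": {
      "StringEquals": {"aws:SourceAccount": "${account_id}"},
      "ArnLike": {"aws:SourceArn": "arn:aws:route53:::hostedzone/*"}
    }
  }]
}
EOF
}

# Space-delimited CloudWatch Logs filter pattern over the 10 fields of a
# Route 53 query log line, matching NXDOMAIN answers (a DGA indicator).
nxdomain_filter_pattern() {
  echo '[version, ts, zone, qname, qtype, rcode = NXDOMAIN, proto, edge, resolver, ecs]'
}

# ARN of the log group, empty if it does not exist yet.
log_group_arn() {
  aws logs describe-log-groups --region "$LOG_REGION" --log-group-name-prefix "$LOG_GROUP" \
      --query "logGroups[?logGroupName=='${LOG_GROUP}'].arn" --output text
}

# Idempotent: create the group if missing, then (re)apply retention, the
# resource policy, the metric filter and the alarm.
ensure_log_group() {
  account_id="$1"
  [ -n "$(log_group_arn)" ] \
    || aws logs create-log-group --region "$LOG_REGION" --log-group-name "$LOG_GROUP"
  aws logs put-retention-policy --region "$LOG_REGION" \
      --log-group-name "$LOG_GROUP" --retention-in-days "$RETENTION_DAYS"
  aws logs put-resource-policy --region "$LOG_REGION" --policy-name Route53QueryLogging \
      --policy-document "$(resource_policy_json "$account_id" "$LOG_GROUP")"
  aws logs put-metric-filter --region "$LOG_REGION" --log-group-name "$LOG_GROUP" \
      --filter-name Route53NXDOMAIN --filter-pattern "$(nxdomain_filter_pattern)" \
      --metric-transformations metricName=Route53NXDOMAIN,metricNamespace=DNS,metricValue=1
  aws cloudwatch put-metric-alarm --region "$LOG_REGION" --alarm-name Route53NXDOMAINSpike \
      --namespace DNS --metric-name Route53NXDOMAIN --statistic Sum --period 300 \
      --evaluation-periods 1 --threshold "$NXDOMAIN_THRESHOLD" \
      --comparison-operator GreaterThanThreshold --treat-missing-data notBreaching
}

# Enable query logging for one zone unless it already has a logging config.
enable_zone() {
  zone_id="${1#/hostedzone/}"   # list-hosted-zones returns /hostedzone/Z... IDs
  existing="$(aws route53 list-query-logging-configs --hosted-zone-id "$zone_id" \
      --query 'QueryLoggingConfigs[].Id' --output text)"
  if [ -n "$existing" ] && [ "$existing" != "None" ]; then
    echo "zone $zone_id: query logging already enabled (config $existing)"; return 0
  fi
  aws route53 create-query-logging-config --hosted-zone-id "$zone_id" \
      --cloud-watch-logs-log-group-arn "$(log_group_arn)"
  echo "zone $zone_id: query logging enabled -> $LOG_GROUP"
}

main() {
  account_id="$(aws sts get-caller-identity --query Account --output text)"
  ensure_log_group "$account_id"
  if [ "$1" = "all" ]; then
    zones="$(aws route53 list-hosted-zones \
        --query 'HostedZones[?Config.PrivateZone==`false`].Id' --output text)"
  else
    zones="$1"
  fi
  for z in $zones; do enable_zone "$z"; done
}

# Only act when a hosted zone ID or "all" is supplied, so sourcing the file
# for its functions has no side effects.
[ "$#" -eq 0 ] || main "$@"
```

Re-run the Prowler check afterwards to confirm the finding clears; because `list-query-logging-configs` is consulted first, running the script twice does not create duplicate configs.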
Source Code
Resource Type
AwsRoute53HostedZone