Domain Name System Security Extensions (DNSSEC) signing is not enabled for Amazon Route 53 public hosted zones

Description

This policy detects when Domain Name System Security Extensions (DNSSEC) signing is not enabled for Amazon Route 53 public hosted zones.

Code Example

# Define a Route 53 public hosted zone
resource "aws_route53_zone" "example" {
  name = "example.com"
}

# Enable DNSSEC for the hosted zone
resource "aws_route53_hosted_zone_dnssec" "example" {
  hosted_zone_id = aws_route53_zone.example.zone_id
}

# Optionally, define a key signing key (KSK) for DNSSEC
resource "aws_route53_key_signing_key" "example" {
  hosted_zone_id         = aws_route53_zone.example.zone_id
  name                   = "example-key"
  key_management_service_arn = "arn:aws:kms:us-west-2:123456789012:key/your-kms-key-id" # Replace with your KMS key ARN
  status                 = "ACTIVE"
}

Remediation

Terraform

Resource: aws_route53_zone, aws_route53_hosted_zone_dnssec, aws_route53_key_signing_key, aws_route53_zone_association

Rule Details

Field	Value
ID	IAC-0472
Severity	HIGH
IaC Type	Terraform
Frameworks	Terraform, TerraformPlan
Checkov ID	CKV2_AWS_38

References

Checkov Rule

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

Domain Name System Security Extensions (DNSSEC) signing is not enabled for Amazon Route 53 public hosted zones

Description

Code Example

Remediation

Rule Details

References

SAST Rules

IaC Rules

License Rules

Domain Name System Security Extensions (DNSSEC) signing is not enabled for Amazon Route 53 public hosted zones ​

Description ​

Code Example ​

Remediation ​

Rule Details ​

References ​

Domain Name System Security Extensions (DNSSEC) signing is not enabled for Amazon Route 53 public hosted zones

Description

Code Example

Remediation

Rule Details

References