Domain Name System (DNS) query logging is not enabled for Amazon Route 53 hosted zones
Description
This policy detects if DNS query logging is not enabled for Amazon Route 53 hosted zones.
Code Example

```hcl
# Route 53 delivers query logs only to CloudWatch Logs in us-east-1, so the
# log group must be created in that region. Route 53 also needs a CloudWatch
# Logs resource policy that allows route53.amazonaws.com to write to it.
resource "aws_cloudwatch_log_group" "example" {
  name = "example-logs"
}

resource "aws_route53_zone" "example" {
  name = "example.com."
}

# Query logging is attached to the hosted zone through a separate resource
# that references the zone by zone_id.
resource "aws_route53_query_logging_config" "example" {
  zone_id                  = aws_route53_zone.example.zone_id
  cloudwatch_log_group_arn = aws_cloudwatch_log_group.example.arn
}
```

Remediation
Terraform
- Resource: aws_route53_query_logging_config, aws_route53_zone
- Arguments: zone_id and cloudwatch_log_group_arn
To fix this issue, enable DNS query logging for each Route 53 hosted zone in your Terraform code. Add an `aws_route53_query_logging_config` resource whose `zone_id` argument references the `aws_route53_zone` resource and whose `cloudwatch_log_group_arn` argument points at a CloudWatch log group in us-east-1, as shown in the code example above.
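The following is an added example, not part of the policy page or of Checkov's own CKV2_AWS_39 implementation: it applies the same detection idea to a Terraform plan JSON, flagging every `aws_route53_zone` that no `aws_route53_query_logging_config` references through `zone_id`. The plan fragment, resource addresses and log group ARN are constructed for illustration.

```python
"""Flag Route 53 hosted zones without a query logging config in a plan JSON."""
import json

# Constructed sample of the `configuration` section of `terraform show -json`:
# one zone that a logging config references, one that nothing references.
SAMPLE_PLAN = json.dumps({
    "configuration": {"root_module": {"resources": [
        {"address": "aws_route53_zone.logged", "type": "aws_route53_zone",
         "expressions": {"name": {"constant_value": "logged.example."}}},
        {"address": "aws_route53_zone.silent", "type": "aws_route53_zone",
         "expressions": {"name": {"constant_value": "silent.example."}}},
        {"address": "aws_route53_query_logging_config.logged",
         "type": "aws_route53_query_logging_config",
         "expressions": {
             # Terraform lists both the attribute and the resource it belongs to.
             "zone_id": {"references": ["aws_route53_zone.logged.zone_id",
                                        "aws_route53_zone.logged"]},
             "cloudwatch_log_group_arn": {"constant_value":
                 "arn:aws:logs:us-east-1:111122223333:log-group:example-logs"},
         }},
    ]}}
})


def hosted_zones_without_query_logging(plan_json: str) -> list[str]:
    """Return addresses of aws_route53_zone resources that no
    aws_route53_query_logging_config references via zone_id."""
    plan = json.loads(plan_json)
    resources = plan["configuration"]["root_module"].get("resources", [])
    zones = {r["address"] for r in resources if r["type"] == "aws_route53_zone"}
    covered = set()
    for r in resources:
        if r["type"] != "aws_route53_query_logging_config":
            continue
        zone_expr = r.get("expressions", {}).get("zone_id", {})
        for ref in zone_expr.get("references", []):
            # "aws_route53_zone.x.zone_id" and "aws_route53_zone.x" both
            # resolve to the resource address "aws_route53_zone.x".
            parts = ref.split(".")
            if len(parts) >= 2 and parts[0] == "aws_route53_zone":
                covered.add(".".join(parts[:2]))
    return sorted(zones - covered)


if __name__ == "__main__":
    for address in hosted_zones_without_query_logging(SAMPLE_PLAN):
        print(f"FAILED CKV2_AWS_39: {address} has no query logging config")
```

A logging config whose `zone_id` is a hard-coded string rather than a reference is not matched here, so child modules and literal IDs need the `planned_values` section as well.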
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0473 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV2_AWS_39 |