
How to set clientDeleteProhibited, clientRenewProhibited, and clientUpdateProhibited EPP status codes in AWS Route 53?


An external vulnerability scanner flagged a domain I manage through AWS Route 53 as not having the clientDeleteProhibited, clientRenewProhibited, and clientUpdateProhibited EPP status codes set.

I confirmed this via whois:

Good whois entry for compliant domain

# whois.registrar.amazon.com
# ...
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited

Bad entry for non-compliant domain

# whois.registrar.amazon.com
# ...
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited

How can I configure AWS Route 53 to enable these status codes?


Solution

  • You can't. It is not even defined in AWS CLI/API (https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html).

    However, you are kind of protected because deletion of a domain in Route 53 requires confirmation as AWS states:

    Important: When we receive a request to delete a domain, ICANN requires us to get confirmation from the current registrant contact. We will send an email from [email protected] or [email protected] to the registrant contact

    I would not give much importance to the scan result of that tool, since what would actually keep your domain safe against unwanted deletion, renewal or updates is securing your AWS account, for instance, setting up 2FA (two-factor authentication) for your root user. If your access to AWS is not for your personal account (like your own website or experiments), then it is strongly recommended that you avoid logging in with the root user for common tasks, and instead create IAM Roles based on policies so each (group of) users has a specific task.

    Note that only clientTransferProhibited (Transfer Lock) is enabled in Route 53 because it refers to an operation that can be (maliciously) initiated externally and not only within Route 53.
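As an added example (not code from the question or the answer above), here is a small checker that parses whois output in the "Domain Status:" format shown in the question and reports which of the four client* EPP locks are absent, so a scanner finding can be reproduced and tracked without trusting the tool blindly. The whois text is constructed inline to mirror the two entries in the question.

```python
import re

# The four client-side EPP locks the scanner expects. Of these, only
# clientTransferProhibited is exposed by Route 53 (as Transfer Lock).
EXPECTED_LOCKS = (
    "clientDeleteProhibited",
    "clientRenewProhibited",
    "clientTransferProhibited",
    "clientUpdateProhibited",
)

# Matches lines such as:
#   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
# and captures only the status code itself.
_STATUS_RE = re.compile(r"^\s*Domain Status:\s*(\S+)", re.MULTILINE)


def parse_domain_status(whois_text):
    """Return the set of EPP status codes listed in raw whois output."""
    return set(_STATUS_RE.findall(whois_text))


def missing_locks(whois_text, expected=EXPECTED_LOCKS):
    """Return the expected client* locks that are absent, in a stable order."""
    present = parse_domain_status(whois_text)
    return [lock for lock in expected if lock not in present]


# Constructed samples in the same shape as the whois entries in the question.
COMPLIANT = """\
# whois.registrar.amazon.com
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
"""

NON_COMPLIANT = """\
# whois.registrar.amazon.com
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
"""

if __name__ == "__main__":
    for label, text in (("compliant", COMPLIANT), ("non-compliant", NON_COMPLIANT)):
        gaps = missing_locks(text)
        print(f"{label}: {'all locks set' if not gaps else 'missing ' + ', '.join(gaps)}")
```

Feed it the output of `whois <domain>` to get the same verdict the scanner gave; the three locks it reports as missing on a Route 53 domain are the ones the answer explains cannot be set there.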