Route 53 Domain Privacy Protection
Overview
This check verifies that your Route 53 registered domains have privacy protection enabled. When activated, WHOIS queries return redacted or proxy contact information (e.g., "REDACTED FOR PRIVACY" or "On behalf of example.com owner") instead of your actual personal details.
Privacy protection is a simple but effective way to keep your registration details out of public databases.
Risk
When privacy protection is disabled, anyone can look up the registrant's contact details through a WHOIS query. This exposes your name, address, phone number, and email to the public internet and enables:
- Social engineering attacks - attackers can use your contact details to impersonate you to registrar support, or to impersonate registrar support to you
- Domain hijacking - exposed information makes it easier to trick registrars into transferring your domain
- Spam and harassment - your email and phone number become easy targets
- SIM-swap attacks - your phone number is the starting point for porting your number and taking over accounts that rely on SMS codes
Enabling privacy protection removes this low-hanging fruit for attackers.
Remediation Steps
Prerequisites
You need access to the AWS Console or AWS CLI with permissions to manage Route 53 domains. The relevant IAM permission for remediation is route53domains:UpdateDomainContactPrivacy; the verification step below additionally needs route53domains:GetDomainDetail (and route53domains:ListDomains if you enumerate domains rather than naming them).
Note: Some top-level domains (TLDs) do not support privacy protection, or only support partial privacy. If your domain's TLD does not allow privacy, you will not see the privacy option in the console.
AWS Console Method
- Open the Route 53 console
- In the left navigation, click Registered domains
- Click the domain name you want to protect
- In the Contact information section, click Edit
- Enable privacy protection for all contact types (Admin, Registrant, Technical, Billing)
- Click Save changes
AWS recommends enabling privacy protection for all contact types at once.
AWS CLI (optional)
Enable privacy protection for all contact types on your domain:
aws route53domains update-domain-contact-privacy \
--region us-east-1 \
--domain-name example.com \
--admin-privacy \
--registrant-privacy \
--tech-privacy \
--billing-privacy
Replace example.com with your actual domain name.
Output:
The command returns an operation ID you can use to track progress:
{
  "OperationId": "b3a219e9-d801-4244-b533-b7256example"
}
To check operation status:
aws route53domains get-operation-detail \
--region us-east-1 \
--operation-id b3a219e9-d801-4244-b533-b7256example
Important: Route 53 Domains operations are only available in us-east-1.
CloudFormation (optional)
AWS CloudFormation does not currently provide a dedicated resource type for managing Route 53 domain registration settings including privacy protection.
To enable privacy protection via infrastructure-as-code, use one of these alternatives:
- AWS CLI in a Custom Resource - Create a Lambda-backed custom resource that calls the Route 53 Domains API
- Terraform - Use the aws_route53domains_registered_domain resource (see Terraform section)
- AWS CDK with Custom Resources - Similar to the CloudFormation approach
Example Custom Resource (Lambda-backed):
AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Route53 domain privacy via custom resource
Resources:
  DomainPrivacyFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: EnableDomainPrivacy
      Runtime: python3.11
      Handler: index.handler
      Timeout: 60
      Role: !GetAtt LambdaExecutionRole.Arn
      Code:
        ZipFile: |
          import boto3
          import cfnresponse

          def handler(event, context):
              try:
                  # Route 53 Domains is served only from us-east-1
                  client = boto3.client('route53domains', region_name='us-east-1')
                  domain = event['ResourceProperties']['DomainName']
                  if event['RequestType'] in ['Create', 'Update']:
                      client.update_domain_contact_privacy(
                          DomainName=domain,
                          AdminPrivacy=True,
                          RegistrantPrivacy=True,
                          TechPrivacy=True,
                          BillingPrivacy=True
                      )
                  # On Delete the privacy settings are deliberately left as they are,
                  # but a response must still be sent or stack deletion hangs until
                  # CloudFormation times out. The domain name is used as the stable
                  # PhysicalResourceId so an Update does not trigger a replacement.
                  cfnresponse.send(event, context, cfnresponse.SUCCESS, {}, domain)
              except Exception as e:
                  cfnresponse.send(event, context, cfnresponse.FAILED, {'Error': str(e)})
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: Route53DomainsAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - route53domains:UpdateDomainContactPrivacy
                Resource: '*'
  EnablePrivacy:
    Type: Custom::DomainPrivacy
    Properties:
      ServiceToken: !GetAtt DomainPrivacyFunction.Arn
      DomainName: example.com # Replace with your domain
Note: This is a simplified example. It answers Delete requests without changing the domain so the stack can be removed cleanly, but production use should add retries for the asynchronous Route 53 Domains operation and skip the update when privacy is already enabled.
Terraform (optional)
Use the aws_route53domains_registered_domain resource to manage privacy settings:
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1" # Route 53 Domains is served only from us-east-1
}

resource "aws_route53domains_registered_domain" "example" {
  domain_name        = "example.com"
  admin_privacy      = true
  registrant_privacy = true
  tech_privacy       = true
}
Replace example.com with your actual domain name.
Important notes:
- This resource "adopts" an existing domain into Terraform management; it does not register new domains
- Running terraform destroy removes the domain from Terraform state but does not delete the domain registration
- Route 53 Domains operations are only available in us-east-1
- Some TLDs may require consent for contact changes; check the Terraform provider documentation for details
Verification
After enabling privacy protection, verify it is active:
- Go to the Route 53 console > Registered domains
- Click your domain name
- Confirm that Privacy protection shows as Enabled for all contact types
CLI verification
Check the current privacy settings for your domain:
aws route53domains get-domain-detail \
--region us-east-1 \
--domain-name example.com \
--query '{AdminPrivacy: AdminPrivacy, RegistrantPrivacy: RegistrantPrivacy, TechPrivacy: TechPrivacy, BillingPrivacy: BillingPrivacy}'
Expected output when privacy is enabled:
{
  "AdminPrivacy": true,
  "RegistrantPrivacy": true,
  "TechPrivacy": true,
  "BillingPrivacy": true
}
A null in any field means the API did not return that field for your domain (JMESPath renders a missing key as null); only false indicates a contact type that is still exposed.
You can also verify using a public WHOIS lookup service to confirm your personal details are no longer visible.
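The CLI remediation and verification steps above work on one named domain at a time. The following is an added example (not code from the page or from AWS) that generalises both to every domain in the account: it pages through ListDomains, reads the four privacy flags from GetDomainDetail, reports which contact types are exposed, and optionally calls UpdateDomainContactPrivacy for any domain that is not fully protected. It assumes a boto3-compatible route53domains client; FakeRoute53Domains and SAMPLE_DOMAINS are constructed stand-ins so it runs offline, and the example.org entry deliberately lacks a BillingPrivacy field to show how a flag the API does not return is handled.

```python
"""Audit Route 53 registered domains for privacy protection and optionally fix them.
Added example (not from the page or AWS); assumes a boto3-compatible route53domains
client. FakeRoute53Domains and SAMPLE_DOMAINS are constructed so it runs offline."""
from __future__ import annotations
from dataclasses import dataclass

# Contact types carrying a privacy flag; BillingPrivacy is the newest and may be absent.
PRIVACY_FLAGS = ("AdminPrivacy", "RegistrantPrivacy", "TechPrivacy", "BillingPrivacy")

@dataclass
class DomainPrivacyStatus:
    domain_name: str
    flags: dict[str, bool | None]  # None: field not returned by GetDomainDetail

    @property
    def fully_protected(self) -> bool:
        """True only if every flag the API returned is True (and it returned at least one)."""
        present = [v for v in self.flags.values() if v is not None]
        return bool(present) and all(present)

    @property
    def unprotected(self) -> list[str]:
        return [name for name, value in self.flags.items() if value is False]

def list_all_domains(client) -> list[str]:
    """Walk ListDomains page by page using Marker / NextPageMarker."""
    names, kwargs = [], {}
    while True:
        page = client.list_domains(**kwargs)
        names.extend(d["DomainName"] for d in page.get("Domains", []))
        if not page.get("NextPageMarker"):
            return names
        kwargs = {"Marker": page["NextPageMarker"]}

def audit_domains(client) -> list[DomainPrivacyStatus]:
    """Read the privacy flags of every domain in the account."""
    results = []
    for name in list_all_domains(client):
        detail = client.get_domain_detail(DomainName=name)
        results.append(DomainPrivacyStatus(name, {f: detail.get(f) for f in PRIVACY_FLAGS}))
    return results

def remediate(client, statuses, dry_run: bool = True) -> list[str]:
    """Enable privacy on domains that are not fully protected; returns their names."""
    updated = []
    for status in statuses:
        if status.fully_protected:
            continue
        updated.append(status.domain_name)
        if not dry_run:
            # Only set flags the API reported, so a missing BillingPrivacy is left alone.
            client.update_domain_contact_privacy(
                DomainName=status.domain_name,
                **{f: True for f, v in status.flags.items() if v is not None})
    return updated

class FakeRoute53Domains:
    """Constructed stand-in for boto3's route53domains client (offline demo only)."""
    def __init__(self, details: dict[str, dict], page_size: int = 2):
        self._details, self._page_size, self.updates = details, page_size, []

    def list_domains(self, Marker: str | None = None, **_):
        names = sorted(self._details)
        start = names.index(Marker) if Marker else 0
        resp = {"Domains": [{"DomainName": n} for n in names[start:start + self._page_size]]}
        if start + self._page_size < len(names):
            resp["NextPageMarker"] = names[start + self._page_size]
        return resp

    def get_domain_detail(self, DomainName: str):
        return dict(self._details[DomainName])

    def update_domain_contact_privacy(self, **kwargs):
        self.updates.append(kwargs)
        self._details[kwargs["DomainName"]].update({f: kwargs[f] for f in PRIVACY_FLAGS if f in kwargs})
        return {"OperationId": f"op-{len(self.updates)}"}

# Constructed sample account: compliant, one gap, and fully exposed with no BillingPrivacy field.
SAMPLE_DOMAINS = {
    "example.com": {"AdminPrivacy": True, "RegistrantPrivacy": True, "TechPrivacy": True, "BillingPrivacy": True},
    "example.net": {"AdminPrivacy": True, "RegistrantPrivacy": False, "TechPrivacy": True, "BillingPrivacy": True},
    "example.org": {"AdminPrivacy": False, "RegistrantPrivacy": False, "TechPrivacy": False},
}

def run_demo() -> dict:
    """Audit, plan, fix and re-audit the sample account; returns the findings."""
    client = FakeRoute53Domains({name: dict(flags) for name, flags in SAMPLE_DOMAINS.items()})
    before = audit_domains(client)
    planned = remediate(client, before, dry_run=True)
    fixed = remediate(client, before, dry_run=False)
    return {
        "findings": {s.domain_name: s.unprotected for s in before if not s.fully_protected},
        "planned": planned,
        "fixed": fixed,
        "all_protected_after": all(s.fully_protected for s in audit_domains(client)),
        "api_calls": client.updates,
    }
```

Against a real account, pass boto3.client("route53domains", region_name="us-east-1") to audit_domains and remediate instead of the fake; run remediate with dry_run=True first and review the list, since each update is an asynchronous operation you can then track with get-operation-detail as shown above.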
Additional Resources
- Enabling or disabling privacy protection for contact information for a domain - AWS Documentation
- UpdateDomainContactPrivacy API Reference - AWS API Documentation
- Terraform aws_route53domains_registered_domain - Terraform Registry
- Privacy Protection - Trend Micro Cloud One Conformity
Notes
- TLD limitations: Not all top-level domains support privacy protection. Some TLDs (especially country-code TLDs like .us) may have restrictions or may not support privacy at all. If you do not see the privacy option, your TLD may not support it.
- Region requirement: Route 53 Domains API calls must be made to the us-east-1 region, regardless of where your other AWS resources are located.
- Consistency: AWS recommends setting the same privacy value for all contact types (admin, registrant, technical, and billing).
- Processing time: Privacy changes typically take effect within minutes, but WHOIS caches may take longer to reflect the change.
- Cost: Privacy protection for Route 53 domains is included at no additional cost for most TLDs.