Route 53 Domain Transfer Lock

Overview

This check verifies that your Route 53 registered domains have transfer lock enabled. Transfer lock (the EPP status code clientTransferProhibited, set at the registrar) prevents anyone from moving your domain to another registrar without your explicit permission.

Risk

Without transfer lock, your domain is vulnerable to domain hijacking. An attacker who gains access to your AWS account (or tricks a registrar) could:

  • Transfer your domain away and hold it for ransom
  • Redirect your website visitors to malicious content
  • Intercept emails sent to your domain
  • Damage your brand and customer trust

This is a high-severity risk because losing control of a domain can be difficult and time-consuming to recover from.

Remediation Steps

Prerequisites

  • Access to the AWS Console with permission to manage Route 53 domains
  • The domain must be registered through Route 53 (not just hosted there)

AWS Console Method

  1. Sign in to the AWS Management Console
  2. Navigate to Route 53 (search for it in the top search bar)
  3. In the left sidebar, click Registered domains
  4. Click the domain name you want to protect
  5. In the Actions dropdown menu, select Turn on transfer lock
  6. Confirm when prompted

The transfer lock is now active. You should see the status update to show the lock is enabled.

AWS CLI (optional)

Enable transfer lock for a domain:

aws route53domains enable-domain-transfer-lock \
--domain-name example.com \
--region us-east-1

Replace example.com with your actual domain name.

Note: Route 53 Domains operations must use us-east-1 region regardless of where your other resources are located.

Check the current lock status:

aws route53domains get-domain-detail \
--domain-name example.com \
--region us-east-1 \
--query 'StatusList'

If transfer lock is enabled, you will see clientTransferProhibited in the status list.

List all your registered domains:

aws route53domains list-domains \
--region us-east-1
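The CLI commands above check one domain at a time. The following script, added here as an example rather than taken from the original page, automates the same check across every domain registered in the account: it reads each domain's StatusList the way get-domain-detail does, reports domains missing clientTransferProhibited, and can enable the lock for them (only when run with --apply; the default is report-only). The sample data in the block is constructed; the boto3 client calls (list_domains, get_domain_detail, enable_domain_transfer_lock) are assumed to be available with credentials that carry the matching route53domains permissions, and the client must be created for us-east-1 as the page notes.

```python
"""Audit Route 53 registered domains for the registrar transfer lock."""
from typing import Dict, Iterable, List

# EPP status that Route 53 sets when transfer lock is turned on.
TRANSFER_LOCK_STATUS = "clientTransferProhibited"

# Constructed sample shaped like route53domains get-domain-detail responses
# (only the fields this audit uses). Not real domains or real API output.
SAMPLE_DOMAIN_DETAILS = [
    {"DomainName": "locked-example.com", "StatusList": ["ok", "clientTransferProhibited"]},
    {"DomainName": "unlocked-example.net", "StatusList": ["ok"]},
    {"DomainName": "pending-example.org", "StatusList": ["pendingTransfer"]},
]


def is_transfer_locked(status_list: Iterable[str]) -> bool:
    """True when the registrar-side transfer lock appears in the EPP status list."""
    return TRANSFER_LOCK_STATUS in set(status_list)


def find_unlocked_domains(details: Iterable[Dict]) -> List[str]:
    """Return the names of domains whose StatusList lacks clientTransferProhibited."""
    return sorted(
        d["DomainName"] for d in details if not is_transfer_locked(d.get("StatusList", []))
    )


def fetch_domain_details(client) -> List[Dict]:
    """Collect the StatusList of every domain registered in this account.

    `client` is assumed to be a boto3 route53domains client for us-east-1.
    list_domains is paged with Marker/NextPageMarker; each domain then needs
    a get_domain_detail call, because the status list is not in the listing.
    """
    details: List[Dict] = []
    marker = None
    while True:
        page = client.list_domains(**({"Marker": marker} if marker else {}))
        for domain in page.get("Domains", []):
            name = domain["DomainName"]
            resp = client.get_domain_detail(DomainName=name)
            details.append({"DomainName": name, "StatusList": resp.get("StatusList", [])})
        marker = page.get("NextPageMarker")
        if not marker:
            break
    return details


def enable_locks(client, domain_names: Iterable[str], apply: bool = False) -> List[str]:
    """Enable transfer lock on each domain; with apply=False only report what would change."""
    handled = []
    for name in domain_names:
        if apply:
            # Same operation as `aws route53domains enable-domain-transfer-lock`.
            client.enable_domain_transfer_lock(DomainName=name)
        handled.append(name)
    return handled


if __name__ == "__main__":
    import argparse
    import boto3  # assumption: boto3 installed and AWS credentials configured

    parser = argparse.ArgumentParser(description="Report or fix missing transfer locks")
    parser.add_argument("--apply", action="store_true", help="enable the lock instead of only reporting")
    args = parser.parse_args()

    r53d = boto3.client("route53domains", region_name="us-east-1")
    unlocked = find_unlocked_domains(fetch_domain_details(r53d))
    if not unlocked:
        print("All registered domains have transfer lock enabled.")
    verb = "Enabled" if args.apply else "Would enable"
    for name in enable_locks(r53d, unlocked, apply=args.apply):
        print(f"{verb} transfer lock on {name}")
```

A domain that is mid-transfer (status pendingTransfer) is reported as unlocked, which is expected: the page's planned-transfer note requires the lock to be off during the move, so treat those findings as a reminder to re-enable the lock once the transfer completes or is cancelled rather than running --apply against them. TLDs that do not support transfer lock will make enable_domain_transfer_lock fail, so run in report-only mode first.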

Terraform (optional)

Use the aws_route53domains_registered_domain resource with transfer_lock = true:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_route53domains_registered_domain" "example" {
  domain_name = "example.com"

  transfer_lock = true
}

Important notes:

  • This resource manages an existing registered domain; it does not register new domains
  • Replace example.com with your actual domain name
  • Route 53 Domains operations require the us-east-1 region

Import an existing domain into Terraform:

terraform import aws_route53domains_registered_domain.example example.com

Verification

In the AWS Console:

  1. Go to Route 53 > Registered domains
  2. Click your domain name
  3. Look for Transfer lock status - it should show as Enabled or On

CLI verification

aws route53domains get-domain-detail \
--domain-name example.com \
--region us-east-1 \
--query 'StatusList'

Expected output should include:

[
  "clientTransferProhibited"
]

Additional Resources

Notes

  • Region requirement: Route 53 Domains is a global service, but API calls must be made to us-east-1.
  • Planned transfers: If you need to legitimately transfer a domain, you must disable the transfer lock first. Re-enable it immediately after the transfer completes (or if you cancel the transfer).
  • Not all TLDs support transfer lock: Some top-level domains (TLDs) do not support transfer lock. Check AWS documentation for your specific TLD.
  • Additional protection: Consider enabling MFA on your AWS account and using IAM policies to restrict who can manage domain settings.