Shield advanced for Route53 delegated subdomains

Question

A customer has (all using Route 53):

- a parent AWS account where the domain myapplication.com is hosted
 - multiple child AWS accounts that operate hosted zones for subdomains, such as app1.myapplication.com, app2.myapplication.com, etc. 
 - the parent account delegates to the child accounts using NS records

They were wondering: if they are using Shield advanced for Route 53, do they only need to sign up the myapplication.com hosted zone in the parent account or do they also need to go to all child accounts and sign up the subdomain hosted zones for Shield advanced as well?

I was thinking the latter one, as the DNS servers for the parent domain may be different to the ones for the subdomains, but wanted to confirm here.

Thanks a lot for your input!

Accepted Answer

It is as you suspected.  For Shield Advanced you specify the hosted zone that you wish to protect in the account that the zone is defined in, so unfortunately your customer will need to add in protection for each hosted zone across each of their sub-accounts.  Shield Advanced is subscribed to and configured on a per account basis - of course, if these accounts are all in the same consolidated billing family then the customer is only charged once, but there is no automatic protection of sub-domains in sub-accounts across that billing family.

Shield advanced for Route53 delegated subdomains

関連するコンテンツ