By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

How can I use the AWSSupport-ConfigureDNSQueryLogging runbook to configure DNS logging for my infrastructure?

3 minute read
0

I want to use the AWSSupport-ConfigureDNSQueryLogging runbook to set up Domain Name System (DNS) logging for my AWS infrastructure.

Short description

Monitoring maintains reliability, availability, and performance of your AWS solutions. You can use AWSSupport-ConfigureDNSQueryLogging Systems Manager automation runbook to log both public DNS query logging and Resolver query logging. Use these query logs for monitoring and troubleshooting your infrastructure.

The query logs can be published into Amazon CloudWatch, Amazon Simple Storage Service (Amazon S3), or the Amazon Kinesis Data Firehose.
Note: Publish public query logs only to Amazon CloudWatch. You can publish Resolver query logs to any of the above-mentioned Amazon services. If you don't need to log, delete the services using the AWS Management Console, AWS Command Line Interface (AWS CLI), or API.

For information about pricing, see Amazon Route 53 pricing.

Resolution

DNS query logs hold information about the DNS response code (NoError or ServFail), DNS record type, date and time of the request, and so on. For more information on DNS query logs, see Public DNS query logging and Resolver query logging.

Prerequisite

Before you run the automation, make sure your AWS Identity and Access Management (IAM) user or role has the required permissions. For more information, see the section Required IAM permissions in AWSSupport-ConfigureDNSQueryLogging.

Set up the automation workflow

  1. Navigate to the Systems Manager console.
  2. In the navigation pane, choose Documents.
  3. In the search bar, type the following AWSSupport-ConfigureDNSQueryLogging.
  4. Choose AWSSupport-ConfigureDNSQueryLogging.
  5. Choose Execute automation.
  6. For the input parameters enter the following:
    • AutomationAssumeRole (optional): The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses your current IAM user permissions to run the runbook.
    • ResourceId (required): The ID of the resource whose queries you want to log. If you specify Public for the QueryLogType parameter, the resource must be the ID of a Route 53 private hosted zone. If you specify Resolver/Private for the QueryLogType parameter, the resource must be the ID of a VPC.
    • QueryLogType (optional): The types of queries you want to log. Choose Public or Resolver/Private from the drop down list in the console.
    • LogDestinationArn (optional): The ARN of the CloudWatch Logs group, Amazon S3 bucket or Kinesis Data Firehose stream you want to send query logs to.
      Note: Route 53 public DNS query logging only supports CloudWatch Logs groups. If you don't specify a value for this parameter, the automation creates a CloudWatch Logs group. The group has the format AWSSupport-ConfigureDNSQueryLogging-{automation: EXECUTION_ID } and an IAM resource policy to publish the query logs. This CloudWatch Logs group has a retention period of 14 days.
  7. Choose Execute. Note that the automation workflow is now running.
  8. When done, review the Outputs section in the System Manager console for detailed results on the logging session.

Related information

Run an automation

Setting up Automation

Systems Manager Automation runbook reference

Topics
Networking & Content DeliveryEnd User Computing
Tags
Amazon VPCAWS Support Automation Workflows
Language
English
AWS OFFICIAL
AWS OFFICIALUpdated 9 months ago
No comments

Relevant content