By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Shield advanced for Route53 delegated subdomains

0

A customer has (all using Route 53):

  • a parent AWS account where the domain myapplication.com is hosted
  • multiple child AWS accounts that operate hosted zones for subdomains, such as app1.myapplication.com, app2.myapplication.com, etc.
  • the parent account delegates to the child accounts using NS records

They were wondering: if they are using Shield advanced for Route 53, do they only need to sign up the myapplication.com hosted zone in the parent account or do they also need to go to all child accounts and sign up the subdomain hosted zones for Shield advanced as well?

I was thinking the latter one, as the DNS servers for the parent domain may be different to the ones for the subdomains, but wanted to confirm here.

Thanks a lot for your input!

Topics
Security, Identity, & ComplianceNetworking & Content Delivery
Tags
AWS ShieldAmazon Route 53
Language
English
AWS-User-2749457
asked 6 years ago435 views
1 Answer
0
Accepted Answer

It is as you suspected. For Shield Advanced you specify the hosted zone that you wish to protect in the account that the zone is defined in, so unfortunately your customer will need to add in protection for each hosted zone across each of their sub-accounts. Shield Advanced is subscribed to and configured on a per account basis - of course, if these accounts are all in the same consolidated billing family then the customer is only charged once, but there is no automatic protection of sub-domains in sub-accounts across that billing family.

AWS
EXPERT
Dr Andrew Kane
answered 6 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content