
Support for Route 53 Resolver Query Logging #14875

Closed
reedloden opened this issue Aug 27, 2020 · 2 comments
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/route53resolver Issues and PRs that pertain to the route53resolver service.

Comments

@reedloden
Contributor

reedloden commented Aug 27, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Today, we are announcing the availability of Route 53 Resolver Query Logging, which lets you log the DNS queries that originate in your Amazon Virtual Private Clouds (VPCs). With query logging enabled, you can see which domain names have been queried, the AWS resources from which the queries originated—including source IP and instance ID—and the responses that were received.

Route 53 Resolver is the Amazon DNS server (also sometimes referred to as “AmazonProvidedDNS” or the “.2 resolver”) that is available by default in all Amazon VPCs. Route 53 Resolver responds to DNS queries from AWS resources within a VPC for public DNS records, Amazon VPC-specific DNS names, and Amazon Route 53 private hosted zones. Customers concerned about security, or those under compliance mandates, may need the ability to monitor, debug, search, and archive a record of the DNS lookups originating from inside of their Amazon VPCs. With today’s release, Route 53 Resolver now supports the logging of DNS queries and responses for DNS queries originating from within customer VPCs, whether those queries are answered locally by Route 53 Resolver, resolved over the public internet, or are forwarded to on-premises DNS servers via Resolver Endpoints. The DNS queries forwarded by on-premises DNS servers to VPCs via inbound endpoints are also logged. Even the DNS queries made by your AWS Lambda functions, Amazon EKS clusters, and Amazon WorkSpaces instances can be logged. With today’s release, you no longer need to manage your own infrastructure in order to log the DNS activity within your VPC.

You can enable and configure query logging for specific VPCs, by using the Route 53 Resolver API or the Route 53 Resolver Console. If you need to log queries across multiple accounts, you can share your query logging configurations by using AWS Resource Access Manager (RAM). You can choose to send your query logs to Amazon S3, Amazon CloudWatch Logs, or Amazon Kinesis Data Firehose. If you send logs to CloudWatch, you can configure CloudWatch to process the logs automatically to distill log data into more actionable information. For example, with CloudWatch Contributor Insights you can create rules to generate high cardinality data, such as instances making the most DNS queries over time (“top talkers”) or the most frequently queried domain names.

New or Affected Resource(s)

  • aws_route53_resolver_query_log
  • aws_route53_resolver_query_log_association

Potential Terraform Configuration

Didn't put a ton of thought into this, so treat this as very much an example / WIP

resource "aws_route53_resolver_query_log" "example" {
  name = "example"

  s3_destination {
    bucket_arn = aws_s3_bucket.example.arn
    role_arn   = aws_iam_role.example.arn
  }

  cloudwatch_destination {
    log_group_name  = aws_cloudwatch_log_group.example.name
    log_stream_name = aws_cloudwatch_log_stream.example.name
  }

  kinesis_destination {
    stream_arn = aws_kinesis_firehose_delivery_stream.example.arn
    role_arn   = aws_iam_role.example.arn
  }

  tags = {
    Environment = "Prod"
  }
}

resource "aws_route53_resolver_query_log_association" "example" {
  resolver_query_log_arn = aws_route53_resolver_query_log.example.arn
  vpc_id                 = aws_vpc.example.id
}

References
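
As an added example (not part of this issue or of the Terraform provider), a small Python summariser for the query log records the feature produces: it computes the "top talkers" and most-queried names the description mentions, plus a per-source NXDOMAIN ratio a defender would watch. The sample log lines are constructed, and the field names used (query_name, rcode, srcaddr, srcids.instance) are assumed to follow the Route 53 Resolver query log JSON format as documented by AWS, which the issue itself does not spell out.

```python
import json
from collections import Counter

# Constructed sample log lines (not real traffic). Field names are assumed to
# follow the Route 53 Resolver query log JSON format; values are made up.
SAMPLE_LOG_LINES = [
    '{"query_name":"api.example.com.","query_type":"A","rcode":"NOERROR","srcaddr":"10.0.1.10","srcids":{"instance":"i-0a1"}}',
    '{"query_name":"api.example.com.","query_type":"A","rcode":"NOERROR","srcaddr":"10.0.1.11","srcids":{"instance":"i-0b2"}}',
    '{"query_name":"s3.amazonaws.com.","query_type":"A","rcode":"NOERROR","srcaddr":"10.0.1.10","srcids":{"instance":"i-0a1"}}',
    '{"query_name":"xk3j9.example.net.","query_type":"A","rcode":"NXDOMAIN","srcaddr":"10.0.2.5","srcids":{"instance":"i-0c3"}}',
    '{"query_name":"q7zp1.example.net.","query_type":"A","rcode":"NXDOMAIN","srcaddr":"10.0.2.5","srcids":{"instance":"i-0c3"}}',
    '{"query_name":"m2vv8.example.net.","query_type":"A","rcode":"NXDOMAIN","srcaddr":"10.0.2.5","srcids":{"instance":"i-0c3"}}',
    '{"query_name":"api.example.com.","query_type":"AAAA","rcode":"NOERROR","srcaddr":"10.0.2.5","srcids":{"instance":"i-0c3"}}',
    'not json at all',  # a corrupt line, to show that parsing skips it
]


def parse_records(lines):
    """Parse one JSON record per line; skip lines that are not valid query records."""
    records = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and "query_name" in rec:
            records.append(rec)
    return records


def source_key(rec):
    """Identify the querying resource by instance ID when present, else by source IP."""
    return rec.get("srcids", {}).get("instance") or rec.get("srcaddr", "unknown")


def top_talkers(records, n=3):
    """Sources issuing the most queries, like a Contributor Insights 'top talkers' rule."""
    return Counter(source_key(r) for r in records).most_common(n)


def top_domains(records, n=3):
    """Most frequently queried names, normalised to lower case without the trailing dot."""
    return Counter(r["query_name"].lower().rstrip(".") for r in records).most_common(n)


def nxdomain_ratio(records):
    """Per-source share of NXDOMAIN answers; a high ratio is worth a closer look."""
    totals, nx = Counter(), Counter()
    for r in records:
        key = source_key(r)
        totals[key] += 1
        if r.get("rcode") == "NXDOMAIN":
            nx[key] += 1
    return {k: nx[k] / totals[k] for k in totals}
```

Feed it the lines of a query log delivered to S3 or CloudWatch Logs in place of SAMPLE_LOG_LINES.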

@reedloden reedloden added the enhancement Requests to existing resources that expand the functionality or scope. label Aug 27, 2020
@ghost ghost added service/route53 Issues and PRs that pertain to the route53 service. service/route53resolver Issues and PRs that pertain to the route53resolver service. labels Aug 27, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Aug 27, 2020
@ewbankkit
Contributor

@reedloden Thanks for raising this issue.
It has already been noticed in #14877. I'm going to close this one as a duplicate so that we can concentrate discussion in the linked issue.
Please add any additional comments there.

@ewbankkit ewbankkit removed needs-triage Waiting for first response or review from a maintainer. service/route53 Issues and PRs that pertain to the route53 service. labels Aug 27, 2020
@ghost

ghost commented Sep 27, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Sep 27, 2020