
Author: Government Digital Service

Set up Amazon Route 53 zone file transfer

This guide explains the technical steps to allow you to share your organisation’s domains and subdomains with the Government Digital Service (GDS) using the Amazon Route 53 service.

Connecting GDS to Amazon Route 53

GDS will only have read-only access to the DNS zones in your Amazon Route 53 account. They will not have access to any other information in AWS, and you can revoke this access at any time by deleting the IAM role you create below or removing GDS from its trust policy.

You need to configure AWS to grant the GDS team read only access to your DNS zones in Route 53, and share the details with them.

How to set up your Route 53 configuration

Step 1

Sign in to your AWS console and select ‘create role’ to set up a new AWS IAM Role.

Step 2

Select the ‘Custom trust policy’ from the ‘Trusted entity type’ section.

Step 3

Copy and paste the following trust policy into the code box on your screen.

Replace the placeholder on the sts:ExternalId line with a random alphanumeric string that you generate yourself (for example, 32 characters). The condition means the GDS role can only assume your role when it presents that exact value, which protects you against a third party tricking GDS into using your role on their behalf (the ‘confused deputy’ problem). Keep a record of the string: you will send it to GDS when you share your role details.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::175717025496:role/domains.gov.uk-route53-ingest"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "[insert random string here]"
                }
            }
        }
    ]
}

Step 4

Attach a single permissions policy to the role: AmazonRoute53ReadOnlyAccess. This is an AWS managed policy, so it already exists in every AWS account and you do not need to create it. Do not attach any broader policy.

Step 5

Set the role name to ‘domain-management-route53-zone-ingest’ (without quotes). A different name won’t work. GDS have internal access control policies that prevent the zone transfer process from assuming roles by any other name.

Step 6

Add a description of the role that is meaningful to you and documents that the role is used by GDS to ingest zone data from Route 53. For example, ‘Role created to allow GDS to ingest zone information from this AWS account every night.’

Step 7

Check the details and select ‘Create role’.
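The same set-up can be done from the AWS CLI rather than the console. The script below is an added example and is not part of the GDS guidance; it assumes AWS CLI v2 is installed and that the credentials it runs under can create roles and attach policies (the profile name, script name and the 32-character External ID length are assumptions, not GDS requirements). It generates the External ID, builds the trust policy from step 3, creates the role with the fixed name from step 5, attaches only AmazonRoute53ReadOnlyAccess, and prints the two values you need to send to GDS. The AWS calls only run when the script is invoked with --apply, so the pure functions can be checked without touching an account.

```shell
#!/bin/sh
# Added example (not GDS code): create the GDS zone-ingest role with the AWS CLI.
# Assumes: AWS CLI v2 and credentials with iam:CreateRole, iam:AttachRolePolicy,
# iam:GetRole and iam:ListAttachedRolePolicies (assumption: profile "dns-admin").
set -eu
export AWS_PROFILE="${AWS_PROFILE:-dns-admin}"

ROLE_NAME="domain-management-route53-zone-ingest"   # fixed name required by GDS
GDS_PRINCIPAL="arn:aws:iam::175717025496:role/domains.gov.uk-route53-ingest"
ROUTE53_READONLY="arn:aws:iam::aws:policy/AmazonRoute53ReadOnlyAccess"
ROLE_DESCRIPTION="Role created to allow GDS to ingest zone information from this AWS account every night."

# 32 random alphanumeric characters for sts:ExternalId (length is our choice, not a GDS rule).
gen_external_id() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32
}

# Refuse placeholder or weak values before they reach the trust policy.
check_external_id() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]{16,64}$'
}

# Emit the trust policy from the guidance with the External ID filled in:
# only the GDS ingest role may assume this role, and only with the matching ExternalId.
trust_policy() {
    cat <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "$GDS_PRINCIPAL"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "$1"
                }
            }
        }
    ]
}
EOF
}

# Create the role (prints its ARN) and attach the single read-only policy.
create_role() {
    check_external_id "$1"
    aws iam create-role \
        --role-name "$ROLE_NAME" \
        --description "$ROLE_DESCRIPTION" \
        --assume-role-policy-document "$(trust_policy "$1")" \
        --query 'Role.Arn' --output text
    aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$ROUTE53_READONLY"
}

# Show what AWS actually stored: exactly one attached policy (Route 53 read-only)
# and a trust policy naming only the GDS principal.
verify_role() {
    aws iam list-attached-role-policies --role-name "$ROLE_NAME" \
        --query 'AttachedPolicies[].PolicyArn' --output text
    aws iam get-role --role-name "$ROLE_NAME" \
        --query 'Role.AssumeRolePolicyDocument' --output json
}

# Revoke GDS access at any time: detach the policy, then delete the role.
revoke_role() {
    aws iam detach-role-policy --role-name "$ROLE_NAME" --policy-arn "$ROUTE53_READONLY"
    aws iam delete-role --role-name "$ROLE_NAME"
}

# Only `sh setup-gds-ingest.sh --apply` changes the account; `--revoke` removes the role.
case "${1:-}" in
    --apply)
        EXTERNAL_ID="$(gen_external_id)"
        ROLE_ARN="$(create_role "$EXTERNAL_ID")"
        verify_role
        printf 'Send to support@domains.gov.uk:\n  Role ARN:    %s\n  External ID: %s\n' \
            "$ROLE_ARN" "$EXTERNAL_ID"
        ;;
    --revoke)
        revoke_role
        ;;
esac
```

The check_external_id guard exists so the literal placeholder from the guidance can never be submitted as the External ID; create_role fails before calling AWS if the value is not a plain alphanumeric string of sensible length. The trust policy is passed inline to create-role, so no temporary file containing the External ID is left on disk.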

Share your Route 53 details with GDS

When you have configured Amazon Route 53 to share your domains, send an email to support@domains.gov.uk

This must include:

  • confirmation you have configured access and you approve the zone ingest
  • the Amazon Resource Name (ARN) for the IAM role
  • the External ID (the sts:ExternalId value) you added in step 3.

The Cyber and Domains Protection team will then configure the ingest on their side and let you know when it will start.

Contact us

If you need more information email support@domains.gov.uk
