More Info:

All the domain names registered with AWS Route 53 or transferred to AWS Route 53 should be renewed 7 days before their validity period ends.

Risk Level

High

Address

Reliability, Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the Route 53 Domain Expiry in 7 Days issue in AWS using AWS console, follow the below steps:
  1. Log in to the AWS Management Console.
  2. Navigate to the Route 53 service.
  3. Click on the Registered Domains option in the left-hand menu.
  4. Select the domain that has an expiry date in 7 days.
  5. Click on the Renew button.
  6. Follow the on-screen instructions to complete the renewal process.
  7. Once the renewal is complete, verify that the expiry date has been extended to a later date.
Note: It is recommended to set up auto-renewal for your domain to avoid such issues in the future.

To remediate the Route 53 Domain Expiry in 7 days issue in AWS using AWS CLI, follow these steps:
  1. Open the AWS CLI on your local machine.
  2. Check the expiration date of the domain by running the following command: 
aws route53domains get-domain-detail --domain-name <your-domain-name>
  1. If the domain is set to expire in 7 days or less, you need to renew it. Run the following command to renew the domain:
aws route53domains renew-domain --domain-name <your-domain-name> --duration-in-years <number-of-years-to-renew>
Note: You can specify the number of years you want to renew the domain for by replacing <number-of-years-to-renew> with the desired value.
  1. After running the renew command, you will receive a confirmation message with the details of the renewal. Verify the details and confirm the renewal.
  2. Once the renewal is confirmed, the domain will be renewed for the specified number of years and the expiration date will be updated.
  3. Verify that the domain has been successfully renewed by running the get-domain-detail command again.
  4. You have successfully remediated the Route 53 Domain Expiry in 7 Days issue.
To remediate the Route 53 Domain Expiry in 7 days issue in AWS using Python, you can follow the below steps:
  1. Install the boto3 library using the following command:
pip install boto3
  1. Create an AWS IAM user with Route53 read-only access and generate the access key and secret key.
  2. Create a Python script with the following code: 
import boto3
from datetime import datetime, timedelta

# Set the AWS access key and secret key
access_key = 'YOUR_ACCESS_KEY'
secret_key = 'YOUR_SECRET_KEY'

# Create a Route53 client
client = boto3.client('route53', aws_access_key_id=access_key, aws_secret_access_key=secret_key)

# Get all the hosted zones
response = client.list_hosted_zones()

# Loop through each hosted zone
for zone in response['HostedZones']:
    zone_id = zone['Id']
    zone_name = zone['Name']

    # Get the details of the hosted zone
    zone_details = client.get_hosted_zone(Id=zone_id)

    # Get the expiration date of the domain
    domain_expiration_date = zone_details['DelegationSet']['NameServers'][0].split('.')[0]

    # Calculate the number of days left for the domain to expire
    days_left = (datetime.strptime(domain_expiration_date, '%Y%m%d') - datetime.now()).days

    # If the domain is expiring in 7 days or less, update the domain
    if days_left <= 7:
        # Update the domain registration
        response = client.update_domain_registration(
            DomainName=zone_name
        )

        # Print the status of the update
        print(f"Domain registration for {zone_name} has been updated. Status: {response['OperationStatus']}")
  1. Replace the YOUR_ACCESS_KEY and YOUR_SECRET_KEY placeholders with the actual access key and secret key.
  2. Run the script using the following command: 
python remediate_route53_expiry.py
This script will update the domain registration for all the hosted zones that are expiring in 7 days or less and print the status of the update.

Additional Reading: