Route 53 domains auto renew should be enabled

Losing a domain because renewal was missed can take your entire application offline and expose your organization to domain hijacking. Attackers actively monitor expiring domains to register them and intercept traffic, harvest credentials, or impersonate your brand.

Auto-renew costs nothing extra beyond the standard renewal fee and eliminates a class of outage that is entirely preventable. Manual renewal processes depend on someone remembering, receiving the reminder email, and acting on it in time. Any break in that chain means downtime.

Implementation

Choose the approach that matches how you manage Terraform.

Use the AWS provider resource directly. See the provider docs for the resource involved: aws_route53domains_registered_domain.

resource "aws_route53domains_registered_domain" "this" {
  domain_name = "pofix.click"

  auto_renew = true
}

What this control checks

Checks that aws_route53domains_registered_domain has auto_renew set to true. Route 53 enables auto-renew by default on newly registered domains, but Terraform can explicitly disable it. A domain passes when auto_renew = true or is left unset (the AWS default is enabled). It fails when auto_renew is explicitly set to false. For domains managed outside Terraform, verify auto-renew status in the Route 53 console or with aws route53domains get-domain-detail --domain-name <domain> and confirm AutoRenew is true.
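The two checks described above, plan-time and account-level, as an added example that is not part of this control page or of Compliance.tf. It walks `terraform show -json` planned values (including child modules) with the same pass/fail semantics as the control, and scans constructed `aws route53domains list-domains` output for domains never imported into Terraform; all sample data is constructed.

```python
import json

DOMAIN_TYPE = "aws_route53domains_registered_domain"

# Constructed excerpt of `terraform show -json tfplan`, reduced to the fields the
# check reads. ".unset" omits auto_renew and passes (AWS default is enabled).
PLAN_JSON = json.dumps({"planned_values": {"root_module": {"resources": [
    {"address": f"{DOMAIN_TYPE}.this", "type": DOMAIN_TYPE,
     "values": {"domain_name": "pofix.click", "auto_renew": True}},
    {"address": f"{DOMAIN_TYPE}.unset", "type": DOMAIN_TYPE,
     "values": {"domain_name": "unset.example"}},
    {"address": "aws_route53_zone.main", "type": "aws_route53_zone",
     "values": {"name": "pofix.click"}},
], "child_modules": [{"address": "module.dns", "resources": [
    {"address": f"module.dns.{DOMAIN_TYPE}.legacy", "type": DOMAIN_TYPE,
     "values": {"domain_name": "legacy.example", "auto_renew": False}},
]}]}}})

# Constructed excerpt of `aws route53domains list-domains` output.
LIST_DOMAINS_JSON = json.dumps({"Domains": [
    {"DomainName": "pofix.click", "AutoRenew": True, "TransferLock": True},
    {"DomainName": "legacy.example", "AutoRenew": False, "TransferLock": False},
]})


def _walk(module):
    """Yield every planned resource in a module and its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk(child)


def plan_failures(plan_json):
    """Addresses of registered domains with auto_renew explicitly false.
    Unset or true passes, matching the control's semantics."""
    root = json.loads(plan_json)["planned_values"]["root_module"]
    return [r["address"] for r in _walk(root)
            if r.get("type") == DOMAIN_TYPE
            and r.get("values", {}).get("auto_renew") is False]


def account_failures(list_domains_json):
    """Domains in the live account where AutoRenew is not true. This catches
    registrations that were never imported into Terraform state."""
    domains = json.loads(list_domains_json).get("Domains", [])
    return [d["DomainName"] for d in domains if d.get("AutoRenew") is not True]


if __name__ == "__main__":
    print("plan failures:", plan_failures(PLAN_JSON))
    print("account failures:", account_failures(LIST_DOMAINS_JSON))
```

Feed `account_failures` the real `aws route53domains list-domains --region us-east-1` output to cover domains outside Terraform; a non-empty list from either function is a finding.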

Common pitfalls

  • Domains registered outside Terraform are invisible to plan-time checks

    Domains registered via the console or CLI and not imported into Terraform state are completely invisible to plan-time enforcement. To bring them under Terraform management, run terraform import aws_route53domains_registered_domain.<name> <domain>, then explicitly set auto_renew = true. Until that's done, auto-renew status on those domains is unverified by any IaC tooling.

  • Auto-renew does not guarantee renewal if payment fails

    Route 53 charges the payment method on file at renewal time. An expired card or billing issue on the account will cause renewal to fail even with auto-renew enabled. Monitor for RenewDomain CloudTrail events and keep billing alerts active.

  • Some TLDs have non-standard renewal windows

    Some TLDs, particularly country-code domains like .co.za, require renewal well before expiration, and Route 53 doesn't support auto-renew for all of them. Check the Route 53 domain registration documentation for your specific TLD before relying on auto-renew.

  • Terraform default is provider-dependent

    Get this wrong and Terraform will silently preserve a disabled auto-renew state. The auto_renew argument defaults to whatever is currently set in AWS, not true. If someone turned off auto-renew in the console before you imported the resource, Terraform will lock in that disabled state unless you explicitly add auto_renew = true.

Audit evidence

Auditors look for Route 53 Domains console screenshots or aws route53domains list-domains CLI output showing AutoRenew: true for each registered domain. If a custom Config rule covers this check, Config evaluation results are acceptable, as are CSPM scan exports. For organizations with many domains, a consolidated CSPM report listing every Route 53 registered domain with its auto-renew status is the cleanest artifact to hand to an auditor.

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: route53_domain_auto_renew_enabled

  • Powerpipe Control: aws_compliance.control.route53_domain_auto_renew_enabled

Last reviewed: 2026-03-09