Route 53 domains should have transfer lock enabled
An unlocked domain can be transferred to a different registrar by anyone who obtains the authorization code. Attackers who compromise email accounts associated with the domain registrant contact can initiate a transfer, effectively hijacking DNS resolution for all services tied to that domain. Recovering a stolen domain through ICANN dispute resolution takes weeks or months, during which your applications, email, and certificates all break.
Transfer lock is a one-click safeguard that blocks the registrar from processing outbound transfers until you explicitly disable it. There is no cost and no operational downside to keeping it enabled at all times.
Implementation
Choose the approach that matches how you manage Terraform.
Use AWS provider resources directly. See docs for the resources involved: aws_route53domains_registered_domain.
resource "aws_route53domains_registered_domain" "this" {
  domain_name   = "pofix.click"
  transfer_lock = true
}
What this control checks
The aws_route53domains_registered_domain resource exposes a transfer_lock argument. Setting it to true passes; false fails. The underlying API call is EnableDomainTransferLock, which sets clientTransferProhibited on the domain. At plan time, the control validates that transfer_lock resolves to true for every managed domain.
Common pitfalls
Domains not managed via Terraform
Domains registered through the AWS Console or CLI but never imported into Terraform as aws_route53domains_registered_domain resources are invisible to plan-time checks. Run aws route53domains list-domains to inventory all registered domains and bring any unmanaged ones in with terraform import.
Some TLDs do not support transfer lock
Certain country-code TLDs (.uk, .co.uk) and some newer gTLDs don't support clientTransferProhibited at the registry level. Setting transfer_lock = true for these will produce an API error. Check the Route 53 documentation for supported TLDs before applying.
Temporary unlock for legitimate transfers
If transfer lock is left disabled after a failed or abandoned registrar transfer, you may not notice until audit time. Set transfer_lock = false when initiating the transfer, then re-enable it once the transfer completes or is cancelled. Monitor CloudTrail for DisableDomainTransferLock events to catch domains left unlocked.
Audit evidence
An auditor expects the output of aws route53domains get-domain-detail --domain-name <domain> showing clientTransferProhibited in the StatusList array for each registered domain. Screenshots from the Route 53 Registered Domains console showing "Transfer lock: Enabled" are also acceptable as point-in-time evidence. CloudTrail logs for DisableDomainTransferLock and EnableDomainTransferLock API calls demonstrate that any temporary unlock was intentional and the lock was promptly re-enabled.
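The inventory check and the CloudTrail review described above, as an added example that is not part of the Compliance.tf control or any AWS tooling: it flags domains whose StatusList lacks clientTransferProhibited, and domains whose most recent lock-related API call was DisableDomainTransferLock with no later EnableDomainTransferLock. The sample responses and CloudTrail records are constructed, and the requestParameters field name (DomainName) is an assumption.

```python
# Added example. Processes GetDomainDetail-shaped responses (as returned by
# `aws route53domains get-domain-detail`) and CloudTrail records; no AWS calls are
# made here. SAMPLE_DETAILS and SAMPLE_EVENTS are constructed test data.
LOCK_STATUS = "clientTransferProhibited"
LOCK_EVENTS = ("DisableDomainTransferLock", "EnableDomainTransferLock")


def unlocked_domains(details):
    """Return domain names whose StatusList does not carry the transfer lock."""
    return sorted(d["DomainName"] for d in details
                  if LOCK_STATUS not in d.get("StatusList", []))


def domains_left_unlocked(events):
    """Return domains whose latest lock-related CloudTrail event is a Disable,
    i.e. a temporary unlock that was never re-enabled."""
    latest = {}
    for ev in sorted(events, key=lambda e: e["eventTime"]):  # ISO 8601 sorts lexically
        if ev["eventName"] in LOCK_EVENTS:
            # Assumption: CloudTrail mirrors the API's DomainName request field.
            latest[ev["requestParameters"]["DomainName"]] = ev["eventName"]
    return sorted(name for name, action in latest.items()
                  if action == "DisableDomainTransferLock")


def fetch_details(client):
    """Live variant, not exercised here: `client` is a boto3 route53domains client.
    list_domains() is paginated; add NextPageMarker handling for large accounts."""
    names = [d["DomainName"] for d in client.list_domains()["Domains"]]
    return [client.get_domain_detail(DomainName=n) for n in names]


# Constructed: get-domain-detail output trimmed to the keys the check uses.
SAMPLE_DETAILS = [
    {"DomainName": "pofix.click", "StatusList": ["ok", "clientTransferProhibited"]},
    {"DomainName": "example-unlocked.test", "StatusList": ["ok"]},
]
# Constructed CloudTrail records: one unlock that was re-locked, one that was not.
SAMPLE_EVENTS = [
    {"eventName": "DisableDomainTransferLock", "eventTime": "2026-03-01T10:00:00Z",
     "requestParameters": {"DomainName": "pofix.click"}},
    {"eventName": "EnableDomainTransferLock", "eventTime": "2026-03-01T12:00:00Z",
     "requestParameters": {"DomainName": "pofix.click"}},
    {"eventName": "DisableDomainTransferLock", "eventTime": "2026-03-02T09:00:00Z",
     "requestParameters": {"DomainName": "example-unlocked.test"}},
]

if __name__ == "__main__":
    print("missing transfer lock:", unlocked_domains(SAMPLE_DETAILS))
    print("unlocked via API, never re-locked:", domains_left_unlocked(SAMPLE_EVENTS))
```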
Framework-specific interpretation
Tool mappings
Use these identifiers to cross-reference this control across tools, reports, and evidence.
Compliance.tf Control: route53_domain_transfer_lock_enabled
Checkov Check: CKV_AWS_377
Powerpipe Control: aws_compliance.control.route53_domain_transfer_lock_enabled
Prowler Check: route53_domains_transferlock_enabled
Last reviewed: 2026-03-09