

# Monitoring Amazon Route 53
<a name="monitoring-overview"></a>

Monitoring is an important part of maintaining the reliability, availability, and performance of your AWS solutions. You should collect monitoring data from all of the parts of your AWS solution so that you can more easily debug a multi-point failure if one occurs. However, before you start monitoring, you should create a monitoring plan that includes answers to the following questions:
+ What are your monitoring goals?
+ What resources will you monitor?
+ How often will you monitor these resources?
+ What monitoring tools will you use?
+ Who will perform the monitoring tasks?
+ Who should be notified when something goes wrong?

**Topics**
+ [Public DNS query logging](query-logs.md)
+ [Resolver query logging](resolver-query-logs.md)
+ [Monitoring domain registrations](monitoring-domain-registrations.md)
+ [Monitoring your resources with Amazon Route 53 health checks and Amazon CloudWatch](monitoring-cloudwatch.md)
+ [Monitoring hosted zones using Amazon CloudWatch](monitoring-hosted-zones-with-cloudwatch.md)
+ [Monitoring Route 53 VPC Resolver endpoints with Amazon CloudWatch](monitoring-resolver-with-cloudwatch.md)
+ [Monitoring Resolver DNS Firewall rule groups with Amazon CloudWatch](monitoring-resolver-dns-firewall-with-cloudwatch.md)
+ [Managing Resolver DNS Firewall events using Amazon EventBridge](dns-firewall-eventbridge-integration.md)
+ [Logging Amazon Route 53 API calls with AWS CloudTrail](logging-using-cloudtrail.md)

# Public DNS query logging
<a name="query-logs"></a>

You can configure Amazon Route 53 to log information about the public DNS queries that Route 53 receives, such as the following:
+ Domain or subdomain that was requested
+ Date and time of the request
+ DNS record type (such as A or AAAA)
+ Route 53 edge location that responded to the DNS query
+ DNS response code, such as `NoError` or `ServFail`

Once you configure query logging, Route 53 will send logs to CloudWatch Logs. You use CloudWatch Logs tools to access the query logs.

Query logs contain only the queries that DNS resolvers send to Route 53. If a DNS resolver has already cached the response to a query (such as the IP address for a load balancer for example.com), the resolver will continue to return the cached response without sending the query to Route 53 until the TTL for the corresponding record expires. 

Depending on how many DNS queries are submitted for a domain name (example.com) or subdomain name (www.example.com), which resolvers your users are using, and the TTL for the record, query logs might contain information about only one query out of every several thousand queries that are submitted to DNS resolvers. For more information about how DNS works, see [How internet traffic is routed to your website or web application](welcome-dns-service.md).

If you don't need detailed logging information, you can use Amazon CloudWatch metrics to see the total number of DNS queries that Route 53 responds to for a hosted zone. For more information, see [Viewing DNS query metrics for a public hosted zone](hosted-zone-public-viewing-query-metrics.md).

**Topics**
+ [Configuring logging for DNS queries](#query-logs-configuring)
+ [Using Amazon CloudWatch to access DNS query logs](#query-logs-viewing)
+ [Changing the retention period for logs and exporting logs to Amazon S3](#query-logs-changing-retention-period)
+ [Stopping query logging](#query-logs-deleting-configuration)
+ [Values that appear in DNS query logs](#query-logs-format)
+ [Query log example](#query-logs-example)

## Configuring logging for DNS queries
<a name="query-logs-configuring"></a>

To start logging DNS queries for a specified hosted zone, you perform the following tasks in the Amazon Route 53 console:
+ Choose the CloudWatch Logs log group that you want Route 53 to publish logs to, or create a new log group.
**Note**  
The log group must be in the US East (N. Virginia) Region.
+ Choose **Create** to finish.

**Note**  
If users are submitting DNS queries for your domain, you should start to see queries in the logs within several minutes after you create the query logging configuration. <a name="query-logs-configuring-procedure"></a>

**To configure logging for DNS queries**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. In the navigation pane, choose **Hosted zones**.

1. Choose the hosted zone that you want to configure query logging for.

1. In the **Hosted zone details** pane, choose **Configure query logging**.

1. Choose an existing log group or create a new log group.

1. If you receive an alert about permissions (this happens if you haven't configured query logging with the new console before), do one of the following:
   + If you have 10 resource policies already, you can't create any more. Select any of your resource policies, and select **Edit**. Editing gives Route 53 permission to write logs to your log groups. Choose **Save**. The alert goes away and you can continue to the next step.
   + If you have never configured query logging before (or if you haven't created 10 resource policies already), you need to grant permissions to Route 53 to write logs to your CloudWatch Logs groups. Choose **Grant permissions**. The alert goes away and you can continue to the next step. 

1. Choose **Permissions - optional** to see a table that shows whether the resource policy matches the CloudWatch log group, and whether Route 53 has permission to publish logs to CloudWatch.

1. Choose **Create**.

## Using Amazon CloudWatch to access DNS query logs
<a name="query-logs-viewing"></a>

Amazon Route 53 sends query logs directly to CloudWatch Logs; the logs are never accessible through Route 53. Instead, you use CloudWatch Logs to view logs in near real-time, search and filter data, and export logs to Amazon S3. 

Route 53 creates one CloudWatch Logs log stream for each Route 53 edge location that responds to DNS queries for the specified hosted zone and sends query logs to the applicable log stream. The format for the name of each log stream is *hosted-zone-id*/*edge-location-ID*, for example, `Z1D633PJN98FT9/DFW3`.

Each edge location is identified by a three-letter code and an arbitrarily assigned number, for example, DFW3. The three-letter code typically corresponds with the International Air Transport Association airport code for an airport near the edge location. (These abbreviations might change in the future.) For a list of edge locations, see "The Route 53 Global Network" on the [Route 53 Product Details](https://aws.amazon.com/route53/details/) page. 

**Note**  
You might see some prefixes or suffixes that don’t follow the above convention. Those encode attributes that are for internal use only.

For more information, see the applicable documentation:
+ [Amazon CloudWatch Logs User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/)
+ [Amazon CloudWatch Logs API Reference](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/)
+ [CloudWatch Logs section of the AWS CLI Command Reference](https://docs.aws.amazon.com/cli/latest/reference/logs/index.html)
+ [Values that appear in DNS query logs](#query-logs-format)

## Changing the retention period for logs and exporting logs to Amazon S3
<a name="query-logs-changing-retention-period"></a>

By default, CloudWatch Logs stores query logs indefinitely. You can optionally specify a retention period so that CloudWatch Logs deletes logs that are older than the retention period. For more information, see [Change log data retention in CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/SettingLogRetention.html) in the *Amazon CloudWatch User Guide*.

If you want to retain log data but you don't need CloudWatch Logs tools to view and analyze the data, you can export logs to Amazon S3, which can reduce your storage costs. For more information, see [Exporting log data to Amazon S3](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/S3Export.html).

For information about pricing, see the applicable pricing page:
+ "Amazon CloudWatch Logs" on the [CloudWatch Pricing](https://aws.amazon.com/cloudwatch/pricing) page
+ [Amazon S3 Pricing](https://aws.amazon.com/s3/pricing)

**Note**  
When you configure Route 53 to log DNS queries, you don't incur any Route 53 charges.

## Stopping query logging
<a name="query-logs-deleting-configuration"></a>

If you want Amazon Route 53 to stop sending query logs to CloudWatch Logs, perform the following procedure to delete the query logging configuration. <a name="query-logs-deleting-configuration-procedure"></a>

**To delete a query logging configuration**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. In the navigation pane, choose **Hosted zones**.

1. Choose the name for the hosted zone that you want to delete the query logging configuration for.

1. In the **Hosted zone details** pane, choose **Delete query logging configuration**.

1. Choose **Delete** to confirm.

## Values that appear in DNS query logs
<a name="query-logs-format"></a>

Each log file contains one log entry for each DNS query that Amazon Route 53 received from DNS resolvers in the corresponding edge location. Each log entry includes the following values:

**Log format version**  
The version number of this query log. If we add fields to the log or change the format of existing fields, we'll increment this value.

**Query timestamp**  
The date and time that Route 53 responded to the request, in ISO 8601 format and Coordinated Universal Time (UTC), for example, `2017-03-16T19:20:25.177Z`.   
For information about ISO 8601 format, see the Wikipedia article [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601). For information about UTC, see the Wikipedia article [Coordinated Universal Time](https://en.wikipedia.org/wiki/Coordinated_Universal_Time).

**Hosted zone ID**  
The ID of the hosted zone that is associated with all the DNS queries in this log.

**Query name**  
The domain or subdomain that was specified in the request.

**Query type**  
Either the DNS record type that was specified in the request, or `ANY`. For information about the types that Route 53 supports, see [Supported DNS record types](ResourceRecordTypes.md).

**Response code**  
The DNS response code that Route 53 returned in response to the DNS query. 

**Layer 4 protocol**  
The protocol that was used to submit the query, either `TCP` or `UDP`.

**Route 53 edge location**  
The Route 53 edge location that responded to the query. Each edge location is identified by a three-letter code and an arbitrary number, for example, DFW3. The three-letter code typically corresponds with the International Air Transport Association airport code for an airport near the edge location. (These abbreviations might change in the future.)  
For a list of edge locations, see "The Route 53 Global Network" on the [Route 53 Product Details](https://aws.amazon.com/route53/details/) page.

**Resolver IP address**  
The IP address of the DNS resolver that submitted the request to Route 53.

**EDNS client subnet**  
A partial IP address for the client that the request originated from, if available from the DNS resolver.  
For more information, see the IETF draft [Client Subnet in DNS Requests](https://tools.ietf.org/html/draft-ietf-dnsop-edns-client-subnet-08).

## Query log example
<a name="query-logs-example"></a>

Here's an example query log (Region is a placeholder):

```
1.0 2017-12-13T08:16:02.130Z Z123412341234 example.com A NOERROR UDP Region 192.168.1.1 -
1.0 2017-12-13T08:15:50.235Z Z123412341234 example.com AAAA NOERROR TCP Region 192.168.3.1 192.168.222.0/24
1.0 2017-12-13T08:16:03.983Z Z123412341234 example.com ANY NOERROR UDP Region 2001:db8::1234 2001:db8:abcd::/48
1.0 2017-12-13T08:15:50.342Z Z123412341234 bad.example.com A NXDOMAIN UDP Region 192.168.3.1 192.168.111.0/24
1.0 2017-12-13T08:16:05.744Z Z123412341234 txt.example.com TXT NOERROR UDP Region 192.168.1.2 -
```
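To work with this format programmatically, here is an added parser for the space-separated fields described above, followed by two defender-side checks that run over the parsed entries (NXDOMAIN counts per resolver and `ANY` queries). This is example code, not part of the Route 53 documentation; the sample lines are constructed from the example above, and `Region` stands in for the edge-location code.

```python
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample lines modelled on the query log example above.
SAMPLE_LOG = """\
1.0 2017-12-13T08:16:02.130Z Z123412341234 example.com A NOERROR UDP Region 192.168.1.1 -
1.0 2017-12-13T08:15:50.235Z Z123412341234 example.com AAAA NOERROR TCP Region 192.168.3.1 192.168.222.0/24
1.0 2017-12-13T08:16:03.983Z Z123412341234 example.com ANY NOERROR UDP Region 2001:db8::1234 2001:db8:abcd::/48
1.0 2017-12-13T08:15:50.342Z Z123412341234 bad.example.com A NXDOMAIN UDP Region 192.168.3.1 192.168.111.0/24
1.0 2017-12-13T08:16:05.744Z Z123412341234 txt.example.com TXT NOERROR UDP Region 192.168.1.2 -
"""


@dataclass(frozen=True)
class QueryLogEntry:
    version: str
    timestamp: datetime
    hosted_zone_id: str
    query_name: str
    query_type: str
    rcode: str
    transport: str
    edge_location: str
    resolver_ip: ipaddress.IPv4Address | ipaddress.IPv6Address
    client_subnet: ipaddress.IPv4Network | ipaddress.IPv6Network | None  # None when the field is "-"


def parse_line(line: str) -> QueryLogEntry:
    """Parse one log line in the 1.0 format: ten whitespace-separated fields in the order
    version, timestamp, hosted zone ID, query name, query type, response code,
    layer 4 protocol, edge location, resolver IP, EDNS client subnet."""
    fields = line.split()
    if len(fields) != 10:
        raise ValueError(f"expected 10 fields, got {len(fields)}: {line!r}")
    version, ts, zone, name, qtype, rcode, proto, edge, resolver, ecs = fields
    if version != "1.0":
        # The page says the version is incremented when fields are added or changed.
        raise ValueError(f"unsupported log format version {version}")
    # ISO 8601 with a trailing Z; fromisoformat() accepts an explicit +00:00 offset.
    timestamp = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    subnet = None if ecs == "-" else ipaddress.ip_network(ecs, strict=False)
    return QueryLogEntry(version, timestamp, zone, name, qtype, rcode, proto, edge,
                         ipaddress.ip_address(resolver), subnet)


def parse_log(text: str) -> list[QueryLogEntry]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def nxdomain_by_resolver(entries: list[QueryLogEntry]) -> dict[str, int]:
    """Count NXDOMAIN responses per resolver IP. A resolver that suddenly produces
    many NXDOMAINs for your zone is worth a look (misconfigured client or name probing)."""
    return dict(Counter(str(e.resolver_ip) for e in entries if e.rcode == "NXDOMAIN"))


def any_queries(entries: list[QueryLogEntry]) -> list[QueryLogEntry]:
    """ANY queries are rarely needed by real clients and produce large responses,
    so they are useful to track separately."""
    return [e for e in entries if e.query_type == "ANY"]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("NXDOMAIN per resolver:", nxdomain_by_resolver(parsed))
    print("ANY queries:", [e.query_name for e in any_queries(parsed)])
```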

# Resolver query logging
<a name="resolver-query-logs"></a>

You can log the following DNS queries: 
+ Queries that originate in Amazon Virtual Private Cloud VPCs that you specify, as well as the responses to those DNS queries.
+ Queries from on-premises resources that use an inbound Resolver endpoint.
+ Queries that use an outbound Resolver endpoint for recursive DNS resolution.
+ Queries that use Resolver DNS Firewall rules to block, allow, or monitor domain lists.

VPC Resolver query logs include values such as the following:
+ The AWS Region where the VPC was created
+ The ID of the VPC that the query originated from
+ The IP address of the instance that the query originated from
+ The instance ID of the resource that the query originated from
+ The date and time that the query was first made
+ The DNS name requested (such as prod.example.com)
+ The DNS record type (such as A or AAAA)
+ The DNS response code, such as `NoError` or `ServFail`
+ The DNS response data, such as the IP address that is returned in response to the DNS query
+ A response to a DNS Firewall rule action

For a detailed list of all of the values logged and an example, see [Values that appear in VPC Resolver query logs](resolver-query-logs-format.md).

**Note**  
As is standard for DNS resolvers, resolvers cache DNS queries for a length of time determined by the time-to-live (TTL) for the resolver. The Route 53 VPC Resolver caches queries that originate in your VPCs, and responds from the cache whenever possible to speed up responses. VPC Resolver query logging logs only unique queries, not queries that VPC Resolver is able to respond to from the cache.  
For example, suppose that an EC2 instance in one of the VPCs that a query logging configuration is logging queries for, submits a request for accounting.example.com. VPC Resolver caches the response to that query, and logs the query. If the same instance’s elastic network interface makes a query for accounting.example.com within the TTL of the VPC Resolver’s cache, VPC Resolver responds to the query from the cache. The second query is not logged.

You can send the logs to one of the following AWS resources: 
+ Amazon CloudWatch Logs (CloudWatch Logs) log group
+ Amazon S3 (S3) bucket
+ Firehose delivery stream

For more information, see [AWS resources that you can send VPC Resolver query logs to](resolver-query-logs-choosing-target-resource.md).

**Topics**
+ [AWS resources that you can send VPC Resolver query logs to](resolver-query-logs-choosing-target-resource.md)
+ [Managing Resolver query logging configurations](resolver-query-logging-configurations-managing.md)

# AWS resources that you can send VPC Resolver query logs to
<a name="resolver-query-logs-choosing-target-resource"></a>

**Note**  
If you expect to log queries for workloads with high queries per second (QPS), you should use Amazon S3 to ensure your query logs are not throttled when written to your destination. If you use Amazon CloudWatch, you can increase your requests per second limit for the `PutLogEvents` operation. To learn more about increasing your CloudWatch limits, see [CloudWatch Logs quotas](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/cloudwatch_limits_cwl.html) in the *Amazon CloudWatch User Guide*.

You can send VPC Resolver query logs to the following AWS resources:

**Amazon CloudWatch Logs (CloudWatch Logs) log group**  
You can analyze logs with Logs Insights and create metrics and alarms.  
For more information, see the [Amazon CloudWatch Logs User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/).

**Amazon S3 (S3) bucket**  
An S3 bucket is economical for long-term log archiving. Latency is typically higher.  
All S3 server-side encryption options are supported. For more information, see [Protecting data with server-side encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html) in the *Amazon S3 User Guide*.  
If you choose Server-Side Encryption with AWS KMS Keys (SSE-KMS), you must update the key policy for your customer managed key so that the log delivery account can write to your Amazon S3 bucket. For more information about the required key policy for use with SSE-KMS, see [Amazon S3 bucket server-side encryption](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-infrastructure-V2-S3.html#AWS-logs-SSE-KMS-S3-V2) in the *Amazon CloudWatch User Guide*.  
If the S3 bucket is in an account that you own, the required permissions are automatically added to your bucket policy. If you want to send logs to an S3 bucket in an account that you don't own, the owner of the S3 bucket must add permissions for your account in their bucket policy. For example:  

```
{
    "Version": "2012-10-17",
    "Id": "CrossAccountAccess",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::your_bucket_name/AWSLogs/your_caller_account/*"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::your_bucket_name"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "iam_user_arn_or_account_number_for_root"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::your_bucket_name"
        }
    ]
}
```
If you want to store logs in a central S3 bucket for your organization, we recommend that you set up your query logging configuration from a centralized account (with the necessary permissions to write to a central bucket) and use [RAM](query-logging-configurations-managing-sharing.md) to share the configuration across accounts.
For more information, see the [Amazon Simple Storage Service User Guide](https://docs.aws.amazon.com/AmazonS3/latest/userguide/).
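The point of the bucket policy above is that the log delivery service may write only under `AWSLogs/<your account>/` in the bucket owner's bucket. The following added check (example code, not from the Route 53 documentation) verifies that property on a policy document, and contrasts the scoped policy with one whose `s3:PutObject` grant covers the whole bucket. The bucket name `example-central-logs` and the account IDs are placeholders.

```python
from __future__ import annotations

import json

LOG_DELIVERY_SERVICE = "delivery.logs.amazonaws.com"

# Constructed policy in the shape of the cross-account example above.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "CrossAccountAccess",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": LOG_DELIVERY_SERVICE},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-central-logs/AWSLogs/111122223333/*"},
        {"Effect": "Allow", "Principal": {"Service": LOG_DELIVERY_SERVICE},
         "Action": "s3:GetBucketAcl",
         "Resource": "arn:aws:s3:::example-central-logs"},
    ],
})

# Same policy, but the PutObject grant covers the whole bucket rather than the
# caller account's AWSLogs/<account>/ prefix.
OVERBROAD_POLICY = SCOPED_POLICY.replace(
    "arn:aws:s3:::example-central-logs/AWSLogs/111122223333/*",
    "arn:aws:s3:::example-central-logs/*",
)


def _as_list(value) -> list:
    """IAM policy grammar allows a string or a list for Action, Resource and Principal members."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_log_delivery_policy(policy_json: str, bucket: str, caller_account: str) -> list[str]:
    """Return findings about the log-delivery grants in a bucket policy.

    An empty list means the delivery service is allowed s3:PutObject only on
    arn:aws:s3:::<bucket>/AWSLogs/<caller_account>/* and s3:GetBucketAcl on the
    bucket, which is what the cross-account example above grants.
    """
    policy = json.loads(policy_json)
    bucket_arn = f"arn:aws:s3:::{bucket}"
    expected_put = f"{bucket_arn}/AWSLogs/{caller_account}/*"
    findings: list[str] = []
    put_resources: set[str] = set()
    acl_granted = False

    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            findings.append("statement allows a wildcard principal")
            continue
        if not isinstance(principal, dict) or LOG_DELIVERY_SERVICE not in _as_list(principal.get("Service")):
            continue  # not a log-delivery statement; out of scope for this check
        resources = _as_list(stmt.get("Resource"))
        for action in _as_list(stmt.get("Action")):
            if action == "s3:PutObject":
                put_resources.update(resources)
            elif action == "s3:GetBucketAcl":
                acl_granted = acl_granted or bucket_arn in resources
            else:
                findings.append(f"{LOG_DELIVERY_SERVICE} is granted unexpected action {action}")

    if expected_put not in put_resources:
        findings.append(f"no s3:PutObject grant for {LOG_DELIVERY_SERVICE} scoped to {expected_put}")
    for res in sorted(put_resources - {expected_put}):
        findings.append(f"s3:PutObject for {LOG_DELIVERY_SERVICE} is broader than the caller's prefix: {res}")
    if not acl_granted:
        findings.append(f"no s3:GetBucketAcl grant for {LOG_DELIVERY_SERVICE} on {bucket_arn}")
    return findings


if __name__ == "__main__":
    for label, doc in (("scoped", SCOPED_POLICY), ("overbroad", OVERBROAD_POLICY)):
        print(label, check_log_delivery_policy(doc, "example-central-logs", "111122223333"))
```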

**Firehose delivery stream**  
You can stream logs in real time to Amazon OpenSearch Service, Amazon Redshift, or other applications.  
For more information, see the [Amazon Data Firehose Developer Guide](https://docs.aws.amazon.com/firehose/latest/dev/).

For information about the pricing for Resolver query logging, see [Amazon CloudWatch pricing](https://aws.amazon.com/cloudwatch/pricing/).

CloudWatch Vended Logs charges apply when using VPC Resolver logs, even when logs are published directly to Amazon S3. For more information, see [*Logs pricing* at Amazon CloudWatch pricing](https://aws.amazon.com//cloudwatch/pricing/#Vended_Logs).

# Managing Resolver query logging configurations
<a name="resolver-query-logging-configurations-managing"></a>

## Configuring (VPC Resolver query logging)
<a name="resolver-query-logs-configuring"></a>

You can configure VPC Resolver query logging in two ways:
+ **Direct VPC association** - Associate VPCs directly to a query logging configuration.
+ **Profile association** - Associate a query logging configuration to a Route 53 Profile, which applies the logging to all VPCs associated with that Profile. For more information, see [Associate VPC Resolver query logging configurations to a Route 53 Profile](profile-associate-query-logging.md).

To start logging DNS queries that originate in your VPCs, you perform the following tasks in the Amazon Route 53 console:<a name="resolver-query-logs-configuring-procedure"></a>

**To configure Resolver query logging**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. Expand the Route 53 console menu. In the upper left corner of the console, choose the three horizontal bars (![Menu icon](http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/images/menu-icon.png)) icon.

1. Within the Resolver menu, choose **Query logging**.

1. In the Region selector, choose the AWS Region where you want to create the query logging configuration. This must be the same Region where you created the VPCs that you want to log DNS queries for. If you have VPCs in multiple Regions, you must create at least one query logging configuration for each Region.

1. Choose **Configure query logging**.

1. Specify the following values:  
**Query logging configuration name**  
Enter a name for your query logging configuration. The name appears in the console in the list of query logging configurations. Enter a name that will help you find this configuration later.  
**Query logs destination**  
Choose the type of AWS resource that you want VPC Resolver to send query logs to. For information about how to choose among the options (CloudWatch Logs log group, S3 bucket, and Firehose delivery stream), see [AWS resources that you can send VPC Resolver query logs to](resolver-query-logs-choosing-target-resource.md).  
After you choose the type of resource, you can either create another resource of that type or choose an existing resource that was created by the current AWS account.  
You can choose only resources that were created in the AWS Region that you chose in step 4, the Region where you're creating the query logging configuration. If you choose to create a new resource, that resource will be created in the same Region.  
**VPCs to log queries for**  
This query logging configuration will log DNS queries that originate in the VPCs that you choose. Check the check box for each VPC in the current Region that you want VPC Resolver to log queries for, then choose **Choose**.  
**Alternative**: Instead of associating VPCs directly, you can associate this query logging configuration to a Route 53 Profile, which will apply logging to all VPCs associated with that Profile. For more information, see [Associate VPC Resolver query logging configurations to a Route 53 Profile](profile-associate-query-logging.md).  
VPC log delivery can be enabled only once for a specific destination type. The logs can't be delivered to multiple destinations of the same type; for example, VPC logs can't be delivered to two Amazon S3 destinations.

1. Choose **Configure query logging**.

**Note**  
You should start to see DNS queries made by resources in your VPC in the logs within a few minutes of successfully creating the query logging configuration.

# Values that appear in VPC Resolver query logs
<a name="resolver-query-logs-format"></a>

Each log file contains one log entry for each DNS query that Amazon Route 53 received from DNS resolvers in the corresponding edge location. Each log entry includes the following values:

**version**  
The version number of the query log format. The current version is `1.1`.  
The version value is a major and minor version in the form **major_version.minor_version**. For example, you can have a `version` value of `1.7`, where `1` is the major version, and `7` is the minor version.  
Route 53 increments the major version if a change is made to the log structure that is not backward-compatible. This includes removing a JSON field that already exists, or changing how the contents of a field are represented (for example, a date format).  
Route 53 increments the minor version if a change adds new fields to the log file. This can occur if new information is available for some or all existing DNS queries within a VPC.

**account_id**  
The ID of the AWS account that created the VPC.

**region**  
The AWS Region that you created the VPC in.

**vpc_id**  
The ID of the VPC that the query originated in.

**query_timestamp**  
The date and time that the query was submitted, in ISO 8601 format and Coordinated Universal Time (UTC), for example, `2017-03-16T19:20:25.177Z`.  
For information about ISO 8601 format, see the Wikipedia article [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601). For information about UTC, see the Wikipedia article [Coordinated Universal Time](https://en.wikipedia.org/wiki/Coordinated_Universal_Time).

**query_name**  
The domain name (example.com) or subdomain name (www.example.com) that was specified in the query.

**query_type**  
Either the DNS record type that was specified in the request, or `ANY`. For information about the types that Route 53 supports, see [Supported DNS record types](ResourceRecordTypes.md).

**query_class**  
The class of the query.

**rcode**  
The DNS response code that VPC Resolver returned in response to the DNS query. The response code indicates whether the query was valid or not. The most common response code is `NOERROR`, meaning that the query was valid. If the response is not valid, Resolver returns a response code that explains why not. For a list of possible response codes, see [DNS RCODEs](https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6) on the IANA website.

**answer_type**  
The DNS record type (such as A, MX, or CNAME) of the value that VPC Resolver is returning in response to the query. For information about the types that Route 53 supports, see [Supported DNS record types](ResourceRecordTypes.md).

**rdata**  
The value that VPC Resolver returned in response to the query. For example, for an A record, this is an IP address in IPv4 format. For a CNAME record, this is the domain name in the CNAME record. 

**answer_class**  
The class of the VPC Resolver response to the query.

**srcaddr**  
IP address of the host that originated the query. 

**srcport**  
The port on the instance that the query originated from.

**transport**  
The protocol used to submit the DNS query.

**srcids**  
IDs of the `instance`, `resolver_endpoint`, and the `resolver_network_interface` that the DNS query originated from or passed through.

**instance**  
The ID of the instance that the query originated from.  
If you see an instance ID in Route 53 VPC Resolver query logs that is not visible in your account, the DNS query might have originated from a service that you used, such as AWS CloudShell, AWS Lambda, Amazon EKS, or Fargate.

**resolver_endpoint**  
The ID of the resolver endpoint that passes the DNS query to on-premises DNS servers.  
If you have CNAME records that chain across different forwarding rules using different resolver endpoints, query logs show only the ID of the last resolver endpoint used in the chain. To trace the complete resolution path through multiple endpoints, you can correlate logs across different query logging configurations.

**firewall_rule_group_id**  
The ID of the DNS Firewall rule group that matched the domain name in the query. This is populated only if DNS Firewall found a match for a rule with action set to alert or block.  
For more information about the firewall rule groups, see [DNS Firewall rule groups and rules](resolver-dns-firewall-rule-groups.md).

**firewall_rule_action**  
The action specified by the rule that matched the domain name in the query. This is populated only if DNS Firewall found a match for a rule with action set to alert or block.

**firewall_domain_list_id**  
The domain list used by the rule that matched the domain name in the query. This is populated only if DNS Firewall found a match for a rule with action set to alert or block.

**additional_properties**  
Additional information about the log delivery event. **is_delayed**: whether there was a delay in delivering the logs.

# Route 53 VPC Resolver query log example
<a name="resolver-query-logs-example-json"></a>

Here's a resolver query log example:

```
{
    "srcaddr": "4.5.64.102",
    "vpc_id": "vpc-7example",
    "answers": [
        {
            "Rdata": "203.0.113.9",
            "Type": "PTR",
            "Class": "IN"
        }
    ],
    "firewall_rule_group_id": "rslvr-frg-01234567890abcdef",
    "firewall_rule_action": "BLOCK",
    "query_name": "15.3.4.32.in-addr.arpa.",
    "firewall_domain_list_id": "rslvr-fdl-01234567890abcdef",
    "query_class": "IN",
    "srcids": {
        "instance": "i-0d15cd0d3example"
    },
    "rcode": "NOERROR",
    "query_type": "PTR",
    "transport": "UDP",
    "version": "1.100000",
    "account_id": "111122223333",
    "srcport": "56067",
    "query_timestamp": "2021-02-04T17:51:55Z",
    "region": "us-east-1"
}
```
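Here is an added reader for these JSON records (example code, not from the Route 53 documentation) that applies the versioning rule from the field list above, refusing records whose major version it was not written for while accepting any minor version, and then groups DNS Firewall `BLOCK` events by originating instance. The records are constructed in the shape of the example above; the resolver endpoint ID `rslvr-out-0example` and the nesting of `is_delayed` under `additional_properties` are assumptions, and the `2.0` record is a hypothetical future version used only to exercise the check.

```python
from __future__ import annotations

import json
from collections import defaultdict

SUPPORTED_MAJOR = 1  # major version this reader was written against (the page says the current format is 1.1)

# Constructed records; IDs and addresses are placeholders.
SAMPLE_LOG_LINES = [
    json.dumps({
        "version": "1.100000", "account_id": "111122223333", "region": "us-east-1",
        "vpc_id": "vpc-7example", "query_timestamp": "2021-02-04T17:51:55Z",
        "query_name": "15.3.4.32.in-addr.arpa.", "query_type": "PTR", "query_class": "IN",
        "rcode": "NOERROR", "answers": [{"Rdata": "203.0.113.9", "Type": "PTR", "Class": "IN"}],
        "srcaddr": "4.5.64.102", "srcport": "56067", "transport": "UDP",
        "srcids": {"instance": "i-0d15cd0d3example"},
        "firewall_rule_group_id": "rslvr-frg-01234567890abcdef",
        "firewall_rule_action": "BLOCK",
        "firewall_domain_list_id": "rslvr-fdl-01234567890abcdef",
    }),
    json.dumps({
        "version": "1.1", "account_id": "111122223333", "region": "us-east-1",
        "vpc_id": "vpc-7example", "query_timestamp": "2021-02-04T17:52:10Z",
        "query_name": "accounting.example.com.", "query_type": "A", "query_class": "IN",
        "rcode": "NOERROR", "answers": [{"Rdata": "10.0.5.20", "Type": "A", "Class": "IN"}],
        "srcaddr": "10.0.1.15", "srcport": "41523", "transport": "UDP",
        "srcids": {"instance": "i-0abc123example", "resolver_endpoint": "rslvr-out-0example"},
        "additional_properties": {"is_delayed": True},  # assumed nesting of is_delayed
    }),
    # Hypothetical future major version: must be refused, not misread.
    json.dumps({"version": "2.0", "query_name": "future.example.com.", "srcaddr": "10.0.1.16"}),
]


def parse_version(version: str) -> tuple[int, int]:
    major, _, minor = version.partition(".")
    return int(major), int(minor or 0)


def is_compatible(version: str) -> bool:
    """Minor bumps only add fields, so any record with our major version is readable;
    a major bump may remove or re-encode fields, so those records are refused."""
    return parse_version(version)[0] == SUPPORTED_MAJOR


def parse_record(line: str) -> dict:
    raw = json.loads(line)
    if not is_compatible(raw.get("version", "0.0")):
        raise ValueError(f"unsupported log format version {raw.get('version')!r}")
    srcids = raw.get("srcids", {})
    return {
        "timestamp": raw["query_timestamp"],
        "vpc_id": raw["vpc_id"],
        "srcaddr": raw["srcaddr"],
        "instance": srcids.get("instance"),
        "resolver_endpoint": srcids.get("resolver_endpoint"),
        # Normalise the name: drop the trailing dot and lower-case it for matching.
        "query_name": raw["query_name"].rstrip(".").lower(),
        "query_type": raw["query_type"],
        "rcode": raw["rcode"],
        "answers": [(a.get("Type"), a.get("Rdata")) for a in raw.get("answers", [])],
        # Firewall fields are present only when a rule with action alert or block matched.
        "firewall_action": raw.get("firewall_rule_action"),
        "firewall_rule_group_id": raw.get("firewall_rule_group_id"),
        "is_delayed": bool(raw.get("additional_properties", {}).get("is_delayed", False)),
    }


def load_records(lines) -> tuple[list[dict], int]:
    """Parse every line it can; return the records plus the count skipped for version."""
    records, skipped = [], 0
    for line in lines:
        try:
            records.append(parse_record(line))
        except ValueError:
            skipped += 1
    return records, skipped


def blocked_names_by_source(records: list[dict]) -> dict[str, list[str]]:
    """Map each source (instance ID, or srcaddr when no instance ID is present)
    to the query names that DNS Firewall blocked."""
    blocked: dict[str, list[str]] = defaultdict(list)
    for r in records:
        if r["firewall_action"] == "BLOCK":
            blocked[r["instance"] or r["srcaddr"]].append(r["query_name"])
    return dict(blocked)


if __name__ == "__main__":
    recs, skipped_count = load_records(SAMPLE_LOG_LINES)
    print(f"parsed {len(recs)} records, skipped {skipped_count}")
    print("blocked by source:", blocked_names_by_source(recs))
```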

# Sharing Resolver query logging configurations with other AWS accounts
<a name="query-logging-configurations-managing-sharing"></a>

You can share the query logging configurations that you created using one AWS account with other AWS accounts. To share configurations, the Route 53 VPC Resolver console integrates with AWS Resource Access Manager. For more information about Resource Access Manager, see the [Resource Access Manager User Guide](https://docs.aws.amazon.com/ram/latest/userguide/what-is.html).

Note the following:

**Associating VPCs with shared query logging configurations**  
If another AWS account has shared one or more configurations with your account, you can associate VPCs with the configuration the same way that you associate VPCs with configurations that you created.

**Deleting or unsharing a configuration**  
If you share a configuration with other accounts and then either delete the configuration or stop sharing it, and if one or more VPCs were associated with the configuration, Route 53 VPC Resolver stops logging DNS queries that originate in those VPCs.

**Maximum number of query logging configurations and VPCs that can be associated with a config**  
When an account creates a configuration and shares it with one or more other accounts, the maximum number of VPCs that can be associated with the configuration applies per account. For example, if you have 10,000 accounts in your organization, you can create the query logging configuration in the central account and share it via AWS RAM with the organization accounts. The organization accounts then associate the configuration with their VPCs, and those associations count against each account's per-Region limit of 100 query log configuration VPC associations. However, if all the VPCs are in a single account, then that account's service limits might need to be increased.  
For current VPC Resolver quotas, see [Quotas on Route 53 VPC Resolver](DNSLimitations.md#limits-api-entities-resolver).

**Permissions**  
To share a query logging configuration with another AWS account, you must have permission to use the [PutResolverQueryLogConfigPolicy](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_PutResolverQueryLogConfigPolicy.html) action.

**Restrictions on the AWS account that a configuration is shared with**  
The account that a configuration is shared with can't change or delete the configuration.

**Tagging**  
Only the account that created a configuration can add, delete, or see tags on it.

To view the current sharing status of a query logging configuration (including the account that shared it or the account that it is shared with), and to share configurations with another account, perform the following procedure.<a name="resolver-rules-managing-sharing-procedure"></a>

**To view sharing status and share query logging configurations with another AWS account**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. In the navigation pane, choose **Query Logging**.

1. On the navigation bar, choose the Region where you created the configuration.

   The **Sharing status** column shows the current sharing status of configurations that were created by the current account or that are shared with the current account:
   + **Not shared**: The current AWS account created the configuration, and it is not shared with any other accounts.
   + **Shared by me**: The current account created the configuration and shared it with one or more accounts.
   + **Shared with me**: Another account created the configuration and shared it with the current account.

1. Choose the name of the configuration that you want to display sharing information for or that you want to share with another account.

   On the **Rule: *rule name*** page, the value under **Owner** displays the ID of the account that created the rule. That's the current account unless the value of **Sharing status** is **Shared with me**. In that case, **Owner** is the account that created the rule and shared it with the current account.

   The sharing status is also displayed.

1. Choose **Share configuration** to open the AWS RAM console.

1. To create a resource share, follow the steps in [Creating a resource share in AWS RAM](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing-create.html) in the *AWS RAM user guide*.
**Note**  
You can't update sharing settings. If you want to change any of the following settings, you must reshare a rule with the new settings and then remove the old sharing settings.

# Monitoring domain registrations
<a name="monitoring-domain-registrations"></a>

The Amazon Route 53 dashboard provides detailed information about the status of your domain registrations, including the following:
+ Status of new domain registrations
+ Status of domain transfers to Route 53
+ List of domains that are approaching the expiration date

We recommend that you periodically check the dashboard in the Route 53 console, especially after you register a new domain or transfer a domain to Route 53, to confirm that there are no issues for you to address. 

We also recommend that you confirm that the contact information for your domains is up to date. As the expiration date for a domain approaches, we email the registrant contact for the domain with information about when the domain expires and how to renew.

# Monitoring your resources with Amazon Route 53 health checks and Amazon CloudWatch
<a name="monitoring-cloudwatch"></a>

You can monitor your resources by creating Amazon Route 53 health checks, which use CloudWatch to collect and process raw data into readable, near real-time metrics. These statistics are recorded for a period of two weeks, so that you can access historical information and gain a better perspective on how your resources are performing. By default, metric data for Route 53 health checks is automatically sent to CloudWatch at one-minute intervals.

For more information about Route 53 health checks, see [Monitoring health checks using CloudWatch](monitoring-health-checks.md). For more information about CloudWatch, see [What is Amazon CloudWatch?](https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/WhatIsCloudWatch.html) in the *Amazon CloudWatch User Guide*.

## Metrics and dimensions for Route 53 health checks
<a name="metrics_dimensions_health_checks"></a>

When you create a health check, Amazon Route 53 starts to send metrics and dimensions once a minute to CloudWatch about the resource that you specify. The Route 53 console lets you view the status of your health checks. You can also use the following procedures to view the metrics in the CloudWatch console or view them by using the AWS Command Line Interface (AWS CLI).

**To view metrics using the CloudWatch console**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the navigation pane, choose **Metrics**.

1. On the **All Metrics** tab, choose **Route 53**.

1. Choose **Health Check Metrics**.

**To view metrics using the AWS CLI**
+ At a command prompt, use the following command:

  ```
  aws cloudwatch list-metrics --namespace "AWS/Route53"
  ```

**Topics**
+ [CloudWatch metrics for Route 53 health checks](#cloudwatch-metrics)
+ [Dimensions for Route 53 health check metrics](#cloudwatch-dimensions-route-53-metrics)

### CloudWatch metrics for Route 53 health checks
<a name="cloudwatch-metrics"></a>

The `AWS/Route53` namespace includes the following metrics for Route 53 health checks.

**ChildHealthCheckHealthyCount**  
For a calculated health check, the number of health checks that are healthy.  
Valid statistics: Average (recommended), Minimum, Maximum  
Units: Count

**ConnectionTime**  
The average time, in milliseconds, that it took Route 53 health checkers to establish a TCP connection with the endpoint. You can view `ConnectionTime` for a health check either across all regions or for a selected geographic region.  
Valid statistics: Average (recommended), Minimum, Maximum  
Units: Milliseconds

**HealthCheckPercentageHealthy**  
The percentage of Route 53 health checkers that consider the selected endpoint to be healthy.  
Valid statistics: Average, Minimum, Maximum  
Units: Percent

**HealthCheckStatus**  
The status of the health check endpoint that CloudWatch is checking. **1** indicates healthy, and **0** indicates unhealthy.   
Valid statistics: Minimum, Average, and Maximum  
Units: none

**SSLHandshakeTime**  
The average time, in milliseconds, that it took Route 53 health checkers to complete the SSL handshake. You can view `SSLHandshakeTime` for a health check either across all regions or for a selected geographic region.  
Valid statistics: Average (recommended), Minimum, Maximum  
Units: Milliseconds

**TimeToFirstByte**  
The average time, in milliseconds, that it took Route 53 health checkers to receive the first byte of the response to an HTTP or HTTPS request. You can view `TimeToFirstByte` for a health check either across all regions or for a selected geographic region.  
Valid statistics: Average (recommended), Minimum, Maximum  
Units: Milliseconds

### Dimensions for Route 53 health check metrics
<a name="cloudwatch-dimensions-route-53-metrics"></a>

Route 53 metrics for health checks use the `AWS/Route53` namespace and provide metrics for `HealthCheckId`. When retrieving metrics, you must supply the `HealthCheckId` dimension.

In addition, for `ConnectionTime`, `SSLHandshakeTime`, and `TimeToFirstByte`, you can optionally specify `Region`. If you omit `Region`, CloudWatch returns metrics across all regions. If you include `Region`, CloudWatch returns metrics only for the specified region.

For more information, see [Monitoring health checks using CloudWatch](monitoring-health-checks.md).

# Monitoring hosted zones using Amazon CloudWatch
<a name="monitoring-hosted-zones-with-cloudwatch"></a>

You can monitor your public hosted zones by using Amazon CloudWatch to collect and process raw data into readable, near real-time metrics. Metrics are available shortly after Route 53 receives the DNS queries that the metrics are based on. CloudWatch metric data for Route 53 hosted zones has a granularity of one minute.

For more information, see the following documentation:
+ For an overview and information about how to view metrics in the Amazon CloudWatch console and how to retrieve metrics using the AWS Command Line Interface (AWS CLI), see [Viewing DNS query metrics for a public hosted zone](hosted-zone-public-viewing-query-metrics.md).
+ For information about the retention period for metrics, see [GetMetricStatistics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_GetMetricStatistics.html) in the *Amazon CloudWatch API Reference*.
+ For more information about CloudWatch, see [What is Amazon CloudWatch?](https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/WhatIsCloudWatch.html) in the *Amazon CloudWatch User Guide*.
+ For more information about CloudWatch metrics, see [Using Amazon CloudWatch metrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/working_with_metrics.html) in the *Amazon CloudWatch User Guide*.

**Topics**
+ [CloudWatch metrics for Route 53 public hosted zones](#cloudwatch-metrics-route-53-hosted-zones)
+ [CloudWatch dimension for Route 53 public hosted zone metrics](#cloudwatch-dimensions-route-53-hosted-zones)

## CloudWatch metrics for Route 53 public hosted zones
<a name="cloudwatch-metrics-route-53-hosted-zones"></a>

The `AWS/Route53` namespace includes the following metrics for Route 53 hosted zones:

**DNSQueries**  
For a hosted zone, the number of DNS queries that Route 53 responds to in a specified time period.  
Valid statistics: Sum, SampleCount  
Units: Count  
Region: Route 53 is a global service. To get hosted zone metrics, you must specify US East (N. Virginia) for the Region. 

**DNSSECInternalFailure**  
Value is 1 if any object in the hosted zone is in an `INTERNAL_FAILURE` state. Otherwise, value is 0.  
Valid statistics: Sum  
Units: Count  
Volume: 1 per 4 hours per hosted zone  
Region: Route 53 is a global service. To get hosted zone metrics, you must specify US East (N. Virginia) for the Region.

**DNSSECKeySigningKeysNeedingAction**  
Number of key signing keys (KSKs) that have an `ACTION_NEEDED` state (due to KMS failure).  
Valid statistics: Sum, SampleCount  
Units: Count  
Volume: 1 per 4 hours per hosted zone  
Region: Route 53 is a global service. To get hosted zone metrics, you must specify US East (N. Virginia) for the Region. 

**DNSSECKeySigningKeyMaxNeedingActionAge**  
Time elapsed since the key signing key (KSK) was set to the `ACTION_NEEDED` state.  
Valid statistics: Maximum  
Units: Seconds  
Volume: 1 per 4 hours per hosted zone  
Region: Route 53 is a global service. To get hosted zone metrics, you must specify US East (N. Virginia) for the Region. 

**DNSSECKeySigningKeyAge**  
The time elapsed since the key signing key (KSK) was created (not since it was activated).  
Valid statistics: Maximum  
Units: Seconds  
Volume: 1 per 4 hours per hosted zone  
Region: Route 53 is a global service. To get hosted zone metrics, you must specify US East (N. Virginia) for the Region. 

## CloudWatch dimension for Route 53 public hosted zone metrics
<a name="cloudwatch-dimensions-route-53-hosted-zones"></a>

Route 53 metrics for hosted zones use the `AWS/Route53` namespace and provide metrics for `HostedZoneId`. To get the number of DNS queries, you must specify the ID of the hosted zone in the `HostedZoneId` dimension.

# Monitoring Route 53 VPC Resolver endpoints with Amazon CloudWatch
<a name="monitoring-resolver-with-cloudwatch"></a>

You can use Amazon CloudWatch to monitor the number of DNS queries that are forwarded by Route 53 VPC Resolver endpoints. Amazon CloudWatch collects and processes raw data into readable, near real-time metrics. These statistics are recorded for a period of two weeks, so that you can access historical information and gain a better perspective on how your resources are performing. By default, metric data for Resolver endpoints is automatically sent to CloudWatch at five-minute intervals. The five-minute interval is also the smallest interval at which the metric data can be sent.

For more information about VPC Resolver, see [What is Route 53 VPC Resolver?](resolver.md). For more information about CloudWatch, see [What is Amazon CloudWatch?](https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/WhatIsCloudWatch.html) in the *Amazon CloudWatch User Guide*.

## Metrics and dimensions for Route 53 VPC Resolver
<a name="metrics-dimensions-resolver"></a>

When you configure VPC Resolver to forward DNS queries to your network or vice versa, VPC Resolver starts to send [metrics](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/monitoring-resolver-with-cloudwatch.html#cloudwatch-metrics-resolver) and [dimensions](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/monitoring-resolver-with-cloudwatch.html#cloudwatch-dimensions-resolver) once every five minutes to CloudWatch about the number of queries that are forwarded. You can use the following procedures to view the metrics in the CloudWatch console or view them by using the AWS Command Line Interface (AWS CLI).

**To view VPC Resolver metrics using the CloudWatch console**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. On the navigation bar, choose the Region where you created the endpoint.

1. In the navigation pane, choose **Metrics**.

1. On the **All metrics** tab, choose **Route 53 Resolver**.

1. Choose **By Endpoint** to view query counts for a specified endpoint. Then choose the endpoints that you want to view the number of queries for. 

   Choose **Across All Endpoints** to view query counts for all inbound endpoints or for all outbound endpoints that were created by the current AWS account. Then choose **InboundQueryVolume** or **OutboundQueryVolume** to view the desired counts.

**To view metrics using the AWS CLI**
+ At a command prompt, use the following command:

  ```
  aws cloudwatch list-metrics --namespace "AWS/Route53Resolver"
  ```

**Topics**
+ [CloudWatch Basic Metrics for Route 53 VPC Resolver](#cloudwatch-metrics-resolver)
+ [CloudWatch Detailed Metrics for Route 53 VPC Resolver](#cloudwatch-detailed-metrics-resolver)
+ [Dimensions for Route 53 VPC Resolver metrics](#cloudwatch-dimensions-resolver)

### CloudWatch Basic Metrics for Route 53 VPC Resolver
<a name="cloudwatch-metrics-resolver"></a>

The `AWS/Route53Resolver` namespace includes basic metrics for Route 53 VPC Resolver endpoints and for their IP addresses at no cost.

**Topics**
+ [Metrics for Route 53 VPC Resolver endpoints](#cloudwatch-metrics-resolver-endpoint)
+ [Metrics for Route 53 VPC Resolver IP addresses](#cloudwatch-metrics-resolver-ip-address)

#### Metrics for Route 53 VPC Resolver endpoints
<a name="cloudwatch-metrics-resolver-endpoint"></a>

The `AWS/Route53Resolver` namespace includes the following metrics for Route 53 VPC Resolver endpoints.

**EndpointHealthyENICount**  
The number of elastic network interfaces in the `OPERATIONAL` status. This means that the Amazon VPC network interfaces for the endpoint (specified by `EndpointId`) are correctly configured and able to pass inbound or outbound DNS queries between your network and Resolver.  
Valid Statistics: Minimum, Maximum, Average  
Units: Count

**EndpointUnhealthyENICount**  
The number of elastic network interfaces in the `AUTO_RECOVERING` status.  
This means that the resolver is trying to recover one or more of the Amazon VPC network interfaces that are associated with the endpoint (specified by `EndpointId`). During the recovery process, the endpoint functions with limited capacity and is unable to process DNS queries until it's fully recovered.  
Valid Statistics: Minimum, Maximum, Average  
Units: Count

**InboundQueryVolume**  
For inbound endpoints, the number of DNS queries forwarded from your network to your VPCs through the endpoint specified by `EndpointId`.  
Valid Statistics: Sum  
Units: Count

**OutboundQueryVolume**  
For outbound endpoints, the number of DNS queries forwarded from your VPCs to your network through the endpoint specified by `EndpointId`.  
Valid Statistics: Sum  
Units: Count

**OutboundQueryAggregateVolume**  
For outbound endpoints, the total number of DNS queries forwarded from Amazon VPCs to your network, including the following:  
+ The number of DNS queries forwarded from your VPCs to your network through the endpoint that is specified by `EndpointId`.
+ When the current account shares Resolver rules with other accounts, queries from VPCs that are created by other accounts that are forwarded to your network through the endpoint that is specified by `EndpointId`. 
Valid Statistics: Sum  
Units: Count

**ResolverEndpointCapacityStatus**  
The capacity status of the Resolver endpoint. The metric indicates the current capacity utilization state where: 0 = OK (Normal operating capacity), 1 = Warning (At least one elastic network interface exceeds 50% capacity utilization), and 2 = Critical (At least one elastic network interface exceeds 75% capacity utilization).  
The capacity status is determined by multiple factors including query volume, query latency, DNS protocols, DNS packet size, and connection tracking status.  
Valid Statistics: Maximum  
Units: None

**Best practices for VPC Resolver Endpoints Capacity Management**  
To address capacity issues, we generally recommend increasing the number of elastic network interfaces for your Resolver endpoint. However, there are important considerations for specific endpoint types:

For **inbound endpoints**, traffic load balancing is customer-dependent. Therefore, capacity warnings or critical alerts may indicate a "hot spot" where a subset of elastic network interfaces is disproportionately utilized.
+ To identify potential load balancing issues, examine the [InboundQueryVolume](#cloudwatch-metrics-resolver-ip-address) metrics for each elastic network interface individually.

For **outbound endpoints**, traffic is automatically balanced across elastic network interfaces. Capacity issues may be due to problems with the target name server, or because high-latency queries or timeouts overwhelm the Resolver network interfaces.
+ In these cases, simply increasing the number of elastic network interfaces might not be effective, and we recommend fixing the target name server.

#### Metrics for Route 53 VPC Resolver IP addresses
<a name="cloudwatch-metrics-resolver-ip-address"></a>

The `AWS/Route53Resolver` namespace includes the following metrics for each IP address that's associated with a Resolver inbound or outbound endpoint. (When you specify an endpoint, VPC Resolver creates an Amazon VPC [elastic network interface](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html).)

**InboundQueryVolume**  
For each IP address for your inbound endpoints, the number of DNS queries forwarded from your network to the specified IP address. Each IP address is identified by the IP address ID. You can get this value using the Route 53 console. On the page for the applicable endpoint, in the IP addresses section, see the **IP address ID** column. You can also get the value programmatically using [ListResolverEndpointIpAddresses](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_ListResolverEndpointIpAddresses.html).   
Valid Statistics: Sum  
Units: Count

**OutboundQueryAggregateVolume**  
For each IP address for your outbound endpoints, the total number of DNS queries forwarded from Amazon VPCs to your network, including the following:  
+ The number of DNS queries forwarded from your VPCs to your network using the specified IP address.
+ When the current account shares Resolver rules with other accounts, queries from VPCs that are created by other accounts that are forwarded to your network through the specified IP address. 
Each IP address is identified by the IP address ID. You can get this value using the Route 53 console. On the page for the applicable endpoint, in the IP addresses section, see the **IP address ID** column. You can also get the value programmatically using [ListResolverEndpointIpAddresses](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_ListResolverEndpointIpAddresses.html).   
Valid Statistics: Sum  
Units: Count

### CloudWatch Detailed Metrics for Route 53 VPC Resolver
<a name="cloudwatch-detailed-metrics-resolver"></a>

Route 53 VPC Resolver provides RNI Enhanced and Target Name Server Metrics as opt-in features for endpoints. These metrics are sent to CloudWatch at 1-minute intervals.

**Note**  
Detailed metrics are not enabled by default, but can be enabled at the endpoint level. These metrics can be enabled programmatically while creating or updating endpoints using the RniEnhancedMetricsEnabled and TargetNameServerMetricsEnabled flags. For more information, see [CreateResolverEndpoint](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_CreateResolverEndpoint.html) and [UpdateResolverEndpoint](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_UpdateResolverEndpoint.html).
Standard CloudWatch pricing and charges are applied for using the Route 53 Resolver endpoint detailed metrics. For more information, see [Amazon CloudWatch Pricing](https://aws.amazon.com/cloudwatch/pricing/).

**Topics**
+ [RNI Enhanced Metrics](#cloudwatch-detailed-metrics-resolver-endpoints-ip-addresses)
+ [Target Name Server Metrics](#cloudwatch-detailed-metrics-resolver-endpoints-target-nameservers)

#### RNI Enhanced Metrics
<a name="cloudwatch-detailed-metrics-resolver-endpoints-ip-addresses"></a>

Route 53 Resolver publishes RNI enhanced metrics to Amazon CloudWatch for monitoring the performance and health of Resolver endpoints and Resolver IP addresses. The `AWS/Route53Resolver` namespace includes the following RNI enhanced metrics for Route 53 Resolver inbound and outbound endpoints in `EndpointId`, `RniId` dimension:

**P90ResponseTime**  
The 90th percentile response latency of DNS queries received by the Resolver IP (`RniId`) associated with the Resolver endpoint (`EndpointId`)  
Valid Statistics: Maximum  
Units: Microseconds

**ServFailQueries**  
Number of SERVFAIL responses for DNS queries sent to the Resolver IP (`RniId`) associated with the Resolver endpoint (`EndpointId`)  
Valid Statistics: Sum  
Units: Count

**NxDomainQueries**  
Number of NXDOMAIN responses for DNS queries sent to the Resolver IP (`RniId`) associated with the Resolver endpoint (`EndpointId`)  
Valid Statistics: Sum  
Units: Count

**RefusedQueries**  
Number of REFUSED responses for DNS queries sent to the Resolver IP (`RniId`) associated with the Resolver endpoint (`EndpointId`)  
Valid Statistics: Sum  
Units: Count

**FormErrorQueries**  
Number of FORMERR responses for DNS queries sent to the Resolver IP (`RniId`) associated with the Resolver endpoint (`EndpointId`)  
Valid Statistics: Sum  
Units: Count

**TimeoutQueries**  
Number of timeouts for DNS queries sent to the Resolver IP (`RniId`) associated with the Resolver endpoint (`EndpointId`)  
Valid Statistics: Sum  
Units: Count

#### Target Name Server Metrics
<a name="cloudwatch-detailed-metrics-resolver-endpoints-target-nameservers"></a>

Route 53 Resolver publishes target name server metrics to Amazon CloudWatch for monitoring the performance and availability of target name servers associated with Resolver endpoints. The `AWS/Route53Resolver` namespace includes the following detailed metrics for Route 53 Resolver outbound endpoints in `EndpointID`, `TargetNameServerIP` dimensions:

**P90ResponseTime**  
The 90th percentile response latency of the Target Name Server IP (`TargetNameServerIP`) for DNS queries sent via the Resolver endpoint (`EndpointID`)  
Valid Statistics: Maximum  
Units: Microseconds

**RequestQueries**  
Number of DNS queries sent to the Target Name Server IP (`TargetNameServerIP`) via the Resolver endpoint (`EndpointID`).  
Valid Statistics: Sum  
Units: Count

**TimeoutQueries**  
Number of DNS queries sent via the Resolver endpoint (`EndpointID`) that timed out at the Target Name Server IP (`TargetNameServerIP`).  
Valid Statistics: Sum  
Units: Count

**Note**  
In some cases, gaps might be observed in VPC Resolver metrics (`ResolverEndpointCapacityStatus`) and RNI enhanced metrics. These gaps can occur when your network interfaces undergo consecutive scheduled maintenance or updates. After we return a network interface to service, it takes at least 1 minute for our service to collect operational data and publish these metrics. These gaps do not indicate that your VPC Resolver endpoint is experiencing an outage. If you're configuring a CloudWatch alarm for these metrics, we recommend the following:  
+ Set the alarm to "Treat missing data as ignore", or
+ Configure an evaluation period of more than five minutes for the alarm threshold.

These settings will help reduce false alarms during normal maintenance activities.
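As an added example (not code from the Route 53 documentation or from AWS), the following Python builds the alarm parameters that the note above recommends for `ResolverEndpointCapacityStatus`, and for the `HealthCheckStatus` metric from the health check section earlier on this page, then runs a simplified model of CloudWatch's missing-data handling over a constructed metric series that contains a maintenance gap. The endpoint ID and health check ID are placeholders, and the evaluator is an approximation of CloudWatch alarm semantics, not the service's own algorithm.

```python
"""Alarm parameters for Route 53 metrics and a model of CloudWatch missing-data handling.

Added example, not AWS code.  The evaluator is a simplified model of CloudWatch
alarm semantics (an assumption), not the service's exact algorithm; it exists to
show why the note above recommends ignoring missing data and evaluating over
more than five minutes.
"""
from typing import List, Optional

# Namespace, metric name and statistic as documented on this page.
CAPACITY_METRIC = ("AWS/Route53Resolver", "ResolverEndpointCapacityStatus", "Maximum")
HEALTH_METRIC = ("AWS/Route53", "HealthCheckStatus", "Minimum")


def _alarm(name: str, metric: tuple, dimension: dict, period: int, periods: int,
           threshold: float, operator: str, missing: str) -> dict:
    """Keyword arguments for CloudWatch put_metric_alarm (N-of-N datapoints)."""
    namespace, metric_name, stat = metric
    return {"AlarmName": name, "Namespace": namespace, "MetricName": metric_name,
            "Dimensions": [dimension], "Statistic": stat, "Period": period,
            "EvaluationPeriods": periods, "DatapointsToAlarm": periods,
            "Threshold": threshold, "ComparisonOperator": operator,
            "TreatMissingData": missing}


def resolver_capacity_alarm(endpoint_id: str, alarm_name: str) -> dict:
    """Alarm on ResolverEndpointCapacityStatus reaching 2 (Critical, >75% utilization).

    Two 5-minute periods give a 10-minute window, more than the five minutes the
    note recommends, and missing data is ignored so a maintenance gap cannot alarm.
    """
    return _alarm(alarm_name, CAPACITY_METRIC, {"Name": "EndpointId", "Value": endpoint_id},
                  300, 2, 2, "GreaterThanOrEqualToThreshold", "ignore")


def health_check_alarm(health_check_id: str, alarm_name: str) -> dict:
    """Alarm when HealthCheckStatus (1 healthy, 0 unhealthy) is 0 for three minutes.

    HealthCheckId is the mandatory dimension; Minimum over 60 s catches any
    unhealthy sample.  TreatMissingData keeps CloudWatch's default, "missing".
    """
    return _alarm(alarm_name, HEALTH_METRIC, {"Name": "HealthCheckId", "Value": health_check_id},
                  60, 3, 1, "LessThanThreshold", "missing")


def breaches(value: float, threshold: float, operator: str) -> bool:
    """Apply a CloudWatch comparison operator to one datapoint."""
    return {"GreaterThanOrEqualToThreshold": value >= threshold,
            "GreaterThanThreshold": value > threshold,
            "LessThanThreshold": value < threshold,
            "LessThanOrEqualToThreshold": value <= threshold}[operator]


def evaluate_alarm(alarm: dict, window: List[Optional[float]], previous_state: str = "OK") -> str:
    """Evaluate one window of per-period datapoints (None = nothing published).

    Simplified model: the window holds EvaluationPeriods values and the alarm
    fires when at least DatapointsToAlarm of the considered values breach.
    Missing values follow TreatMissingData:
      breaching    - counted as breaching
      notBreaching - counted as not breaching
      ignore       - skipped; if nothing is left to judge, the previous state stays
      missing      - skipped; if nothing is left, the state is INSUFFICIENT_DATA
    """
    if len(window) != alarm["EvaluationPeriods"]:
        raise ValueError("window must hold exactly EvaluationPeriods datapoints")
    mode = alarm["TreatMissingData"]
    results = []
    for value in window:
        if value is None:
            if mode == "breaching":
                results.append(True)
            elif mode == "notBreaching":
                results.append(False)
            # "ignore" and "missing": the datapoint is skipped
        else:
            results.append(breaches(value, alarm["Threshold"], alarm["ComparisonOperator"]))
    if not results:
        return previous_state if mode == "ignore" else "INSUFFICIENT_DATA"
    return "ALARM" if sum(results) >= alarm["DatapointsToAlarm"] else "OK"


def maintenance_gap_demo() -> dict:
    """Constructed ResolverEndpointCapacityStatus windows (two 5-minute periods).

    [None, None] is a 10-minute gap like the maintenance described in the note;
    [2, 2] is a genuine Critical condition.  The endpoint ID is a placeholder.
    """
    lenient = resolver_capacity_alarm("rslvr-in-PLACEHOLDER", "capacity-ignore-missing")
    strict = dict(lenient, TreatMissingData="breaching")  # what the note warns against
    return {"gap_ignore": evaluate_alarm(lenient, [None, None], previous_state="OK"),
            "gap_breaching": evaluate_alarm(strict, [None, None], previous_state="OK"),
            "critical": evaluate_alarm(lenient, [2, 2])}


if __name__ == "__main__":
    print(maintenance_gap_demo())  # {'gap_ignore': 'OK', 'gap_breaching': 'ALARM', 'critical': 'ALARM'}
```

Each returned dict can be passed unchanged as keyword arguments to `boto3.client("cloudwatch").put_metric_alarm`.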

### Dimensions for Route 53 VPC Resolver metrics
<a name="cloudwatch-dimensions-resolver"></a>

Route 53 VPC Resolver metrics for inbound and outbound endpoints use the `AWS/Route53Resolver` namespace and provide metrics for the following dimensions:
+ `EndpointId`: If you specify a value for the `EndpointId` dimension, CloudWatch returns the number of DNS queries for the specified endpoint. If you don't specify `EndpointId`, CloudWatch returns the number of DNS queries for all endpoints that were created by the current AWS account.
+ `RniId` dimension is supported for `OutboundQueryAggregateVolume` and `InboundQueryVolume` metrics.
+ `EndpointId`, `RniId` dimension is supported for `P90ResponseTime`, `ServFailQueries`, `NxDomainQueries`, `RefusedQueries`, `FormErrorQueries`, and `TimeoutQueries` for the Resolver IP Address associated with the resolver endpoint.
+ `EndpointID`, `TargetNameServerIP` dimension is supported for `P90ResponseTime`, `RequestQueries`, and `TimeoutQueries` for the target name server associated with the resolver endpoint.

# Monitoring Resolver DNS Firewall rule groups with Amazon CloudWatch
<a name="monitoring-resolver-dns-firewall-with-cloudwatch"></a>

You can use Amazon CloudWatch to monitor the number of DNS queries that are filtered by Resolver DNS Firewall rule groups. Amazon CloudWatch collects and processes raw data into readable, near real-time metrics. These statistics are recorded for a period of two weeks, so that you can access historical information and gain a better perspective on how your resources are performing. By default, metric data for DNS Firewall rule groups is automatically sent to CloudWatch at five-minute intervals.

For more information about DNS Firewall, see [Using DNS Firewall to filter outbound DNS traffic](resolver-dns-firewall.md). For more information about CloudWatch, see [What is Amazon CloudWatch?](https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/WhatIsCloudWatch.html) in the *Amazon CloudWatch User Guide*.

## Metrics and dimensions for Resolver DNS Firewall
<a name="metrics-dimensions-resolver-dns-firewall"></a>

When you associate a Resolver DNS Firewall rule group with a VPC to filter DNS queries, DNS Firewall starts to send metrics and dimensions once every 5 minutes to CloudWatch about the queries that it filters. For information about the metrics and dimensions for DNS Firewall, see [CloudWatch metrics for Resolver DNS Firewall](#cloudwatch-metrics-resolver-dns-firewall). 

You can use the following procedures to view the metrics in the CloudWatch console or view them by using the AWS Command Line Interface (AWS CLI).

**To view DNS Firewall metrics using the CloudWatch console**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. On the navigation bar, choose the Region that you want to view.

1. In the navigation pane, choose **Metrics**.

1. On the **All metrics** tab, choose **Route 53 VPC Resolver**.

1. Choose a metric that you're interested in. 

**To view metrics using the AWS CLI**
+ At a command prompt, use the following command:

  ```
  aws cloudwatch list-metrics --namespace "AWS/Route53Resolver"
  ```

**Topics**
+ [CloudWatch metrics for Resolver DNS Firewall](#cloudwatch-metrics-resolver-dns-firewall)

### CloudWatch metrics for Resolver DNS Firewall
<a name="cloudwatch-metrics-resolver-dns-firewall"></a>

The `AWS/Route53Resolver` namespace includes metrics for Resolver DNS Firewall rule groups.

**Topics**
+ [Metrics for Resolver DNS Firewall rule groups](#cloudwatch-metrics-resolver-dns-firewall-rule-group)
+ [Metrics for VPCs](#cloudwatch-metrics-resolver-vpc)
+ [Metrics for firewall rule group and VPC association](#cloudwatch-metrics-resolver-firewall-vpc)
+ [Metrics for a domain list in a firewall rule group](#cloudwatch-metrics-domain-list-firewall)

#### Metrics for Resolver DNS Firewall rule groups
<a name="cloudwatch-metrics-resolver-dns-firewall-rule-group"></a>

**FirewallRuleGroupQueryVolume**  
The number of DNS Firewall queries that match a firewall rule group (specified by `FirewallRuleGroupId`).  
Dimensions: `FirewallRuleGroupId`  
Valid statistics: Sum  
Units: Count

#### Metrics for VPCs
<a name="cloudwatch-metrics-resolver-vpc"></a>

**VpcFirewallQueryVolume**  
The number of DNS Firewall queries from a VPC (specified by `VpcId`).  
Dimensions: `VpcId`  
Valid statistics: Sum  
Units: Count

#### Metrics for firewall rule group and VPC association
<a name="cloudwatch-metrics-resolver-firewall-vpc"></a>

**FirewallRuleGroupVpcQueryVolume**  
The number of DNS Firewall queries from a VPC (specified by `VpcId`) that match a firewall rule group (specified by `FirewallRuleGroupId`).  
Dimensions: `FirewallRuleGroupId, VpcId`  
Valid statistics: Sum  
Units: Count

#### Metrics for a domain list in a firewall rule group
<a name="cloudwatch-metrics-domain-list-firewall"></a>

**FirewallRuleQueryVolume**  
The number of DNS firewall queries that match a firewall domain list (specified by `FirewallDomainListId`) within a firewall rule group (specified by `FirewallRuleGroupId`).  
Dimensions: `FirewallRuleGroupId, FirewallDomainListId`  
Valid statistics: Sum  
Units: Count

# Managing Resolver DNS Firewall events using Amazon EventBridge
<a name="dns-firewall-eventbridge-integration"></a>

Amazon EventBridge is a serverless service that uses events to connect application components together, making it easier for you to build scalable event-driven applications. Event-driven architecture is a style of building loosely-coupled software systems that work together by emitting and responding to events. Events represent a change in a resource or environment. 

As with many AWS services, DNS Firewall generates and sends events to the EventBridge default event bus. (The default event bus is automatically provisioned in every AWS account.) An event bus is a router that receives events and delivers them to zero or more destinations, or *targets*. Rules you specify for the event bus evaluate events as they arrive. Each rule checks whether an event matches the rule's *event pattern*. If the event does match, the event bus sends the event to the specified target(s).

![\[AWS services send events to the EventBridge default event bus. If the event matches a rule's event pattern, EventBridge sends the event to the targets specified for that rule.\]](http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/images/eventbridge-integration-how-it-works.png)


**Topics**
+ [Resolver DNS Firewall events](#supported-events)
+ [Sending Resolver DNS Firewall events using EventBridge rules](#eventbridge-using-events-rules)
+ [Amazon EventBridge permissions](#eventbridge-permissions)
+ [Additional EventBridge resources](#eventbridge-additonal-resources)
+ [Resolver DNS Firewall events detail reference](events-detail-reference.md)

## Resolver DNS Firewall events
<a name="supported-events"></a>

VPC Resolver sends DNS Firewall events to the default EventBridge event bus automatically. You can create rules on the event bus; each rule includes an event pattern and one or more targets. Events that match a rule's event pattern are delivered to the specified targets on a [best-effort basis](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-service-event.html#eb-service-event-delivery-level). Events might be delivered out of order.

The following events are generated by DNS Firewall. For more information, see [EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-events.html) in the *Amazon EventBridge User Guide*.


| Event detail type | Description | 
| --- | --- | 
|  [DNS Firewall Block](events-detail-reference.md#dns-firewall-block)  |  Any block action performed on a domain. | 
|  [DNS Firewall Alert](events-detail-reference.md#dns-firewall-alert)  |  Any alert action performed on a domain. | 

## Sending Resolver DNS Firewall events using EventBridge rules
<a name="eventbridge-using-events-rules"></a>

To have the EventBridge default event bus send DNS Firewall events to a target, you must create a rule that contains an event pattern that matches the data in the desired DNS Firewall events. 

Creating a rule consists of the following general steps:

1. Creating an event pattern for the rule that specifies: 
   + VPC Resolver is the source of events being evaluated by the rule.
   + (Optional): Any other event data to match against.

   For more information, see [Creating event patterns for Resolver DNS Firewall events](#eventbridge-using-events-rules-patterns)

1. (Optional): Creating an *input transformer* that customizes the data from the event before EventBridge passes the information to the target of the rule.

   For more information, see [Input transformation](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-transform-target-input.html) in the *EventBridge User Guide*.

1. Specifying the target(s) to which you want EventBridge to deliver events that match the event pattern.

   Targets can be other AWS services, software-as-a-service (SaaS) applications, API destinations, or other custom endpoints. For more information, see [Targets](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-targets.html) in the *EventBridge User Guide*.

For comprehensive instructions on creating event bus rules, see [Creating rules that react to events](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-create-rule.html) in the *EventBridge User Guide*.

### Creating event patterns for Resolver DNS Firewall events
<a name="eventbridge-using-events-rules-patterns"></a>

When DNS Firewall delivers an event to the default event bus, EventBridge uses the event pattern defined for each rule to determine if the event should be delivered to the rule's target(s). An event pattern matches the data in the desired DNS Firewall events. Each event pattern is a JSON object that contains:
+ A `source` attribute that identifies the service sending the event. For DNS Firewall events, the source is `aws.route53resolver`.
+ (Optional): A `detail-type` attribute that contains an array of the event types to match.
+ (Optional): A `detail` attribute containing any other event data on which to match.

For example, the following event pattern matches against both alert and block events from DNS Firewall:

```
{
  "source": ["aws.route53resolver"],
  "detail-type": ["DNS Firewall Block", "DNS Firewall Alert"]
}
```

While the following event pattern matches against a BLOCK action:

```
{
  "source": ["aws.route53resolver"],
  "detail-type": ["DNS Firewall Block"]
}
```

DNS Firewall sends the same event for the same domain only once within a 6-hour window. An EventBridge event therefore tells you that a domain was seen, not how many times it was queried; use Resolver query logging when you need a record of every query. For example: 

1. Instance i-123 sends a DNS query for exampledomain.com at time T1. DNS Firewall sends an alert or block event because this is the first occurrence.

1. Instance i-123 sends a DNS query for exampledomain.com at T1 + 30 minutes. DNS Firewall doesn't send an alert or block event because this is a repeat occurrence within the 6-hour window.

1. Instance i-123 sends a DNS query for exampledomain.com at T1 + 7 hours. DNS Firewall sends an alert or block event because this occurrence is outside the 6-hour window.

For more information on writing event patterns, see [Event patterns](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-event-patterns.html) in the *EventBridge User Guide*.
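To show what the patterns above do and don't match, here is an added example (it is not from this guide) that implements, in Python, the subset of EventBridge matching that these patterns rely on: pattern keys are ANDed, each listed value is an alternative, nested objects recurse, and a field absent from the event never matches. It runs the two patterns from the text plus a third that also filters on the event's `detail` over constructed sample events. The field names and `firewall-protection` values follow the event reference later on this page; the assumption that `firewall-protection` is absent for a plain domain-list match is the example's own, as is the omission of EventBridge's `prefix`, `numeric` and `anything-but` operators.

```python
from typing import Any, Optional


def matches(pattern: dict[str, Any], event: dict[str, Any]) -> bool:
    """True when `event` satisfies every key in `pattern` (keys are ANDed)."""
    for key, expected in pattern.items():
        if key not in event:
            return False                      # a field absent from the event never matches
        actual = event[key]
        if isinstance(expected, dict):        # nested object: recurse into the sub-document
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(expected, list):      # leaf: event value must equal one listed value
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(value in expected for value in candidates):
                return False
        else:
            raise ValueError(f"pattern values must be lists or objects: {key}={expected!r}")
    return True


# The two patterns from the text, plus one that also filters on the event's detail.
RULES: dict[str, dict[str, Any]] = {
    "any-dns-firewall": {
        "source": ["aws.route53resolver"],
        "detail-type": ["DNS Firewall Block", "DNS Firewall Alert"],
    },
    "block-only": {
        "source": ["aws.route53resolver"],
        "detail-type": ["DNS Firewall Block"],
    },
    # Added refinement: only blocks attributed to a DNS Firewall Advanced protection.
    "advanced-block": {
        "source": ["aws.route53resolver"],
        "detail-type": ["DNS Firewall Block"],
        "detail": {"firewall-protection": ["DGA", "DICTIONARY_DGA", "DNS_TUNNELING"]},
    },
}


def matching_rules(event: dict[str, Any]) -> list[str]:
    """Names of the rules whose pattern the event satisfies, in RULES order."""
    return [name for name, pattern in RULES.items() if matches(pattern, event)]


def dns_firewall_event(detail_type: str, action: str, protection: Optional[str]) -> dict[str, Any]:
    """Constructed sample event, trimmed to the fields the patterns inspect."""
    detail: dict[str, Any] = {
        "account-id": "123456789012",
        "query-name": "15.3.4.32.in-addr.arpa.",
        "query-type": "A",
        "firewall-rule-action": action,
        "firewall-rule-group-id": "rslvr-frg-01234567890abcdef",
        "vpc-id": "vpc-7example",
    }
    if protection is not None:
        # Assumption for this example: the field is absent when the match came from a
        # domain-list rule rather than from a DNS Firewall Advanced protection.
        detail["firewall-protection"] = protection
    return {
        "version": "1.0",
        "detail-type": detail_type,
        "source": "aws.route53resolver",
        "account": "123456789012",
        "region": "us-west-2",
        "resources": [],
        "detail": detail,
    }


if __name__ == "__main__":
    for label, ev in (
        ("alert/DGA", dns_firewall_event("DNS Firewall Alert", "ALERT", "DGA")),
        ("block/tunneling", dns_firewall_event("DNS Firewall Block", "BLOCK", "DNS_TUNNELING")),
        ("block/domain-list", dns_firewall_event("DNS Firewall Block", "BLOCK", None)),
    ):
        print(f"{label:18} -> {matching_rules(ev)}")
```

The third pattern is the one to reach for when the Lambda or SIEM behind the rule should only see DNS Firewall Advanced detections; it is evaluated by EventBridge before delivery, so the target never pays for the events it does not want.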

### Testing event patterns for DNS Firewall events in EventBridge
<a name="eventbridge-using-events-testing"></a>

You can use the EventBridge Sandbox to quickly define and test an event pattern without completing the larger process of creating or editing a rule. In the Sandbox, you define an event pattern and use a sample event to confirm that the pattern matches the events you want. EventBridge gives you the option of creating a new rule from that event pattern directly from the Sandbox.

For more information, see [Testing an event pattern using the EventBridge Sandbox](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-event-pattern-sandbox.html) in the *EventBridge User Guide*.

### Creating an EventBridge rule and target for DNS Firewall
<a name="dns-firewall-rule-to-lambda-example"></a>

The following procedure shows you how to create a rule that enables EventBridge to send events for all the DNS Firewall alert and block actions, and add an AWS Lambda function as a target for the rule.

1. Use the AWS CLI to create an EventBridge rule whose event pattern matches both event types:

   ```
   aws events put-rule \
     --name dns-firewall-rule \
     --event-pattern '{"source":["aws.route53resolver"],"detail-type":["DNS Firewall Block","DNS Firewall Alert"]}'
   ```

1. Attach a Lambda function as a target for the rule:

   `aws events put-targets --rule dns-firewall-rule --targets Id=1,Arn=arn:aws:lambda:us-east-1:111122223333:function:<your_function>`

1. Grant EventBridge permission to invoke the function. Restrict the grant to this rule with `--source-arn`, so that only this rule, rather than any EventBridge rule acting under the `events.amazonaws.com` service principal, can invoke the function:

   `aws lambda add-permission --function-name <your_function> --statement-id 1 --action 'lambda:InvokeFunction' --principal events.amazonaws.com --source-arn arn:aws:events:us-east-1:111122223333:rule/dns-firewall-rule`
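As a target for the rule above, here is an added Lambda handler (example code, not from this guide or from AWS) that checks the event envelope, flattens the `detail` fields documented in the event reference into a single finding, and assigns a severity. The severity scheme, the output field names and the treatment of a missing `firewall-protection` as a plain domain-list match are choices made for this example; the sample event is constructed from the block example in the event reference. Nothing is sent anywhere, so it runs offline.

```python
import json
from typing import Any

EXPECTED_SOURCE = "aws.route53resolver"
EXPECTED_DETAIL_TYPES = {"DNS Firewall Block", "DNS Firewall Alert"}

# Local severity scheme for this example (the guide defines none): a block outranks an
# alert, and a match raised by a DNS Firewall Advanced protection outranks a domain-list
# match. The guide's examples always carry firewall-protection; treating its absence as
# a domain-list match is this example's assumption.
SEVERITY = {("BLOCK", True): "high", ("BLOCK", False): "medium",
            ("ALERT", True): "medium", ("ALERT", False): "low"}


def resource_ids(resources: list[dict[str, Any]]) -> dict[str, str]:
    """Map resource type -> id; each entry keeps its id under "<resource-type>-details"."""
    ids: dict[str, str] = {}
    for entry in resources:
        rtype = entry.get("resource-type")
        details = entry.get(f"{rtype}-details", {}) if rtype else {}
        if "id" in details:
            ids[rtype.replace("-", "_")] = details["id"]   # instance / resolver_endpoint
    return ids


def normalize(event: dict[str, Any]) -> dict[str, Any]:
    """Check the envelope and flatten the DNS Firewall detail into one finding."""
    if (event.get("source") != EXPECTED_SOURCE
            or event.get("detail-type") not in EXPECTED_DETAIL_TYPES):
        # Refuse anything the rule should not have delivered, e.g. after its pattern is widened.
        raise ValueError(f"unexpected event {event.get('source')!r} / {event.get('detail-type')!r}")
    d = event["detail"]
    action = d["firewall-rule-action"]
    protection = d.get("firewall-protection")
    finding = {
        "account": d.get("account-id", event.get("account")),
        "region": event.get("region"),
        "vpc_id": d.get("vpc-id"),
        "observed_at": d.get("last-observed-at", event.get("time")),
        "query_name": d["query-name"].rstrip("."),        # drop the trailing root label
        "query_type": d.get("query-type"),
        "transport": d.get("transport"),
        "source_ip": d.get("src-addr"),
        "action": action,
        "protection": protection,
        "rule_group_id": d.get("firewall-rule-group-id"),
        "domain_list_id": d.get("firewall-domain-list-id"),
        "severity": SEVERITY[(action, protection is not None)],
    }
    for rtype, rid in resource_ids(d.get("resources", [])).items():
        finding[f"{rtype}_id"] = rid                       # instance_id / resolver_endpoint_id
    return finding


def lambda_handler(event: dict[str, Any], context: Any = None) -> dict[str, Any]:
    finding = normalize(event)
    print(json.dumps(finding))   # one JSON line per event in the function's CloudWatch Logs stream
    return finding


# Constructed sample event modelled on the block example in the event reference.
SAMPLE_BLOCK_EVENT: dict[str, Any] = {
    "version": "1.0",
    "id": "8e5622f9-d81c-4d81-612a-9319e7ee2506",
    "detail-type": "DNS Firewall Block",
    "source": "aws.route53resolver",
    "account": "123456789012",
    "time": "2023-05-30T21:52:17Z",
    "region": "us-west-2",
    "resources": [],
    "detail": {
        "account-id": "123456789012",
        "last-observed-at": "2023-05-30T20:15:15.900Z",
        "query-name": "15.3.4.32.in-addr.arpa.",
        "query-type": "A",
        "query-class": "IN",
        "transport": "UDP",
        "firewall-rule-action": "BLOCK",
        "firewall-rule-group-id": "rslvr-frg-01234567890abcdef",
        "firewall-domain-list-id": "rslvr-fdl-01234567890abcdef",
        "firewall-protection": "DNS_TUNNELING",
        "resources": [{"resource-type": "instance",
                       "instance-details": {"id": "i-05746eb48123455e0"}}],
        "src-addr": "4.5.64.102",
        "src-port": "56067",
        "vpc-id": "vpc-7example",
    },
}

if __name__ == "__main__":
    lambda_handler(SAMPLE_BLOCK_EVENT)
```

Because DNS Firewall suppresses repeat events for the same domain for 6 hours, treat each finding as one observation of a domain, not as query volume, and keep the envelope check in place even though the rule's pattern already filters: the Lambda resource policy, not the pattern, is what stops other callers.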

## Amazon EventBridge permissions
<a name="eventbridge-permissions"></a>

DNS Firewall doesn't require any additional permissions to deliver events to Amazon EventBridge.

The targets you specify may need specific permissions or configuration. For more details on using specific services for targets, see [Amazon EventBridge targets](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-targets.html) in the *Amazon EventBridge User Guide*.

## Additional EventBridge resources
<a name="eventbridge-additonal-resources"></a>

Refer to the following topics in the [*Amazon EventBridge User Guide*](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-what-is.html) for more information on how to use EventBridge to process and manage events.
+ For detailed information on how event buses work, see [Amazon EventBridge event bus](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-event-bus.html).
+ For information on event structure, see [Events](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-events.html).
+ For information on constructing event patterns for EventBridge to use when matching events against rules, see [Event patterns](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-event-patterns.html).
+ For information on creating rules to specify which events EventBridge processes, see [Rules](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-rules.html).
+ For information on how to specify which services or other destinations EventBridge sends matched events to, see [Targets](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-targets.html).

# Resolver DNS Firewall events detail reference
<a name="events-detail-reference"></a>

All events from AWS services have a common set of fields containing metadata about the event, such as the AWS service that is the source of the event, the time the event was generated, the account and region in which the event took place, and others. For definitions of these general fields, see [Event structure reference](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-events-structure.html) in the *Amazon EventBridge User Guide*. 

In addition, each event has a `detail` field that contains data specific to that particular event. The reference below defines the detail fields for the various DNS Firewall events.

When using EventBridge to select and manage DNS Firewall events, it's useful to keep the following in mind:
+ The `source` field for all events from DNS Firewall is set to `aws.route53resolver`.
+ The `detail-type` field specifies the event type. 

  For example, `DNS Firewall Block` or `DNS Firewall Alert`.
+ The `detail` field contains the data that is specific to that particular event. 

For information on constructing event patterns that enable rules to match DNS Firewall events, see [Event patterns](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-event-patterns.html) in the *Amazon EventBridge User Guide*.

For more information on events and how EventBridge processes them, see [Amazon EventBridge events](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-events.html) in the *Amazon EventBridge User Guide*.

**Topics**
+ [DNS Firewall alert event detail](#dns-firewall-alert)
+ [DNS Firewall block event detail](#dns-firewall-block)

## DNS Firewall alert event detail
<a name="dns-firewall-alert"></a>

Below are the detail fields for the DNS Firewall Alert event.

The `source` and `detail-type` fields are included because they contain specific values for Route 53 events.

```
{...,
 "detail-type": "DNS Firewall Alert",
 "source": "aws.route53resolver",
 ...,
 "detail": {
   "account-id": "string",
   "last-observed-at": "string",
   "query-name": "string",
   "query-type": "string",
   "query-class": "string",
   "transport": "string",
   "firewall-rule-action": "string",
   "firewall-rule-group-id": "string",
   "firewall-domain-list-id": "string",
   "firewall-protection": "string",
   "resources": [
     {
       "resource-type": "string",
       "instance-details": {
         "id": "string"
       }
     },
     {
       "resource-type": "string",
       "resolver-endpoint-details": {
         "id": "string"
       }
     }
   ],
   "src-addr": "string",
   "src-port": "string",
   "vpc-id": "string"
 }
}
```

`detail-type`  
Identifies the type of event.  
For this event, this value is `DNS Firewall Alert`.

`source`  
Identifies the service that generated the event. For DNS Firewall events, this value is `aws.route53resolver`.

`detail`  
A JSON object that contains information about the event. The service generating the event determines the content of this field.  
For this event, this data includes:    
`account-id`  
The ID of the AWS account that created the VPC.  
`last-observed-at`  
The timestamp of when the Alert/Block query was made in the VPC.  
`query-name`  
The domain name (example.com) or subdomain name (www.example.com) that was specified in the query.  
`query-type`  
Either the DNS record type that was specified in the request, or ANY. For information about the types that Route 53 supports, see [Supported DNS record types](ResourceRecordTypes.md).  
`query-class`  
The class of the query.  
`transport`  
The protocol used to submit the DNS query.  
`firewall-rule-action`  
The action specified by the rule that matched the domain name in the query. Either `ALERT` or `BLOCK`.  
`firewall-rule-group-id`  
The ID of the DNS Firewall rule group that matched the domain name in the query. For more information about rule groups, see [DNS Firewall rule groups and rules](resolver-dns-firewall-rule-groups.md).  
`firewall-domain-list-id`  
The ID of the domain list used by the rule that matched the domain name in the query.  
`firewall-protection`  
The DNS Firewall Advanced protection that detected the query: `DGA`, `DICTIONARY_DGA`, or `DNS_TUNNELING`. For more information, see [Resolver DNS Firewall Advanced](firewall-advanced.md).  
`resources`  
A list of the resources involved in the query. Each entry has a `resource-type` and a details object for that type.  
`resource-type`  
The type of resource, such as `instance` for an EC2 instance in the VPC or `resolver-endpoint` for a Resolver endpoint.  
`instance-details`, `resolver-endpoint-details`  
The details object for the resource type; it contains the `id` of the instance or Resolver endpoint.  
`src-addr`  
The IP address from which the DNS query was sent.  
`src-port`  
The source port of the DNS query.  
`vpc-id`  
The ID of the VPC in which the query originated.

**Example DNS Firewall alert event**  <a name="dns-firewall-alert.example"></a>
The following is an example alert event.  

```
{
  "version": "1.0",
  "id": "8e5622f9-d81c-4d81-612a-9319e7ee2506",
  "detail-type": "DNS Firewall Alert",
  "source": "aws.route53resolver",
  "account": "123456789012",
  "time": "2023-05-30T21:52:17Z",
  "region": "us-west-2",
  "resources": [],
  "detail": {
    "account-id": "123456789012",
    "last-observed-at": "2023-05-30T20:15:15.900Z",
    "query-name": "15.3.4.32.in-addr.arpa.",
    "query-type": "A",
    "query-class": "IN",
    "transport": "UDP",
    "firewall-rule-action": "ALERT",
    "firewall-rule-group-id": "rslvr-frg-01234567890abcdef",
    "firewall-domain-list-id": "rslvr-fdl-01234567890abcdef",
    "firewall-protection": "DGA",
    "resources": [
      {
        "resource-type": "instance",
        "instance-details": {
          "id": "i-05746eb48123455e0"
        }
      },
      {
        "resource-type": "resolver-endpoint",
        "resolver-endpoint-details": {
          "id": "i-05746eb48123455e0"
        }
      }
    ],
    "src-addr": "4.5.64.102",
    "src-port": "56067",
    "vpc-id": "vpc-7example"
  }
}
```

## DNS Firewall block event detail
<a name="dns-firewall-block"></a>

Below are the detail fields for the DNS Firewall Block event.

The `source` and `detail-type` fields are included because they contain specific values for Route 53 events.

```
{...,
 "detail-type": "DNS Firewall Block",
 "source": "aws.route53resolver",
 ...,
 "detail": {
   "account-id": "string",
   "last-observed-at": "string",
   "query-name": "string",
   "query-type": "string",
   "query-class": "string",
   "transport": "string",
   "firewall-rule-action": "string",
   "firewall-rule-group-id": "string",
   "firewall-domain-list-id": "string",
   "firewall-protection": "string",
   "resources": [
     {
       "resource-type": "string",
       "instance-details": {
         "id": "string"
       }
     },
     {
       "resource-type": "string",
       "resolver-endpoint-details": {
         "id": "string"
       }
     }
   ],
   "src-addr": "string",
   "src-port": "string",
   "vpc-id": "string"
 }
}
```

`detail-type`  
Identifies the type of event.  
For this event, this value is `DNS Firewall Block`.

`source`  
Identifies the service that generated the event. For DNS Firewall events, this value is `aws.route53resolver`.

`detail`  
A JSON object that contains information about the event. The service generating the event determines the content of this field.  
For this event, this data includes:    
`account-id`  
The ID of the AWS account that created the VPC.  
`last-observed-at`  
The timestamp of when the Alert/Block query was made in the VPC.  
`query-name`  
The domain name (example.com) or subdomain name (www.example.com) that was specified in the query.  
`query-type`  
Either the DNS record type that was specified in the request, or ANY. For information about the types that Route 53 supports, see [Supported DNS record types](ResourceRecordTypes.md).  
`query-class`  
The class of the query.  
`transport`  
The protocol used to submit the DNS query.  
`firewall-rule-action`  
The action specified by the rule that matched the domain name in the query. Either `ALERT` or `BLOCK`.  
`firewall-rule-group-id`  
The ID of the DNS Firewall rule group that matched the domain name in the query. For more information about rule groups, see [DNS Firewall rule groups and rules](resolver-dns-firewall-rule-groups.md).  
`firewall-domain-list-id`  
The ID of the domain list used by the rule that matched the domain name in the query.  
`firewall-protection`  
The DNS Firewall Advanced protection that detected the query: `DGA`, `DICTIONARY_DGA`, or `DNS_TUNNELING`. For more information, see [Resolver DNS Firewall Advanced](firewall-advanced.md).  
`resources`  
A list of the resources involved in the query. Each entry has a `resource-type` and a details object for that type.  
`resource-type`  
The type of resource, such as `instance` for an EC2 instance in the VPC or `resolver-endpoint` for a Resolver endpoint.  
`instance-details`, `resolver-endpoint-details`  
The details object for the resource type; it contains the `id` of the instance or Resolver endpoint.  
`src-addr`  
The IP address from which the DNS query was sent.  
`src-port`  
The source port of the DNS query.  
`vpc-id`  
The ID of the VPC in which the query originated.

**Example DNS Firewall block event**  <a name="dns-firewall-block.example"></a>
The following is an example block event.  

```
{
  "version": "1.0",
  "id": "8e5622f9-d81c-4d81-612a-9319e7ee2506",
  "detail-type": "DNS Firewall Block",
  "source": "aws.route53resolver",
  "account": "123456789012",
  "time": "2023-05-30T21:52:17Z",
  "region": "us-west-2",
  "resources": [],
  "detail": {
    "account-id": "123456789012",
    "last-observed-at": "2023-05-30T20:15:15.900Z",
    "query-name": "15.3.4.32.in-addr.arpa.",
    "query-type": "A",
    "query-class": "IN",
    "transport": "UDP",
    "firewall-rule-action": "BLOCK",
    "firewall-rule-group-id": "rslvr-frg-01234567890abcdef",
    "firewall-domain-list-id": "rslvr-fdl-01234567890abcdef",
    "firewall-protection": "DNS_TUNNELING",
    "resources": [
      {
        "resource-type": "instance",
        "instance-details": {
          "id": "i-05746eb48123455e0"
        }
      },
      {
        "resource-type": "resolver-endpoint",
        "resolver-endpoint-details": {
          "id": "i-05746eb48123455e0"
        }
      }
    ],
    "src-addr": "4.5.64.102",
    "src-port": "56067",
    "vpc-id": "vpc-7example"
  }
}
```

# Logging Amazon Route 53 API calls with AWS CloudTrail
<a name="logging-using-cloudtrail"></a>

Route 53 is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in Route 53. CloudTrail captures all API calls for Route 53 as events, including calls from the Route 53 console and from code calls to the Route 53 APIs. If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for Route 53. If you don't configure a trail, you can still view the most recent events in the CloudTrail console in **Event history**. Using the information collected by CloudTrail, you can determine the request that was made to Route 53, the IP address that the request was made from, who made the request, when it was made, and additional details. 

**Topics**
+ [Route 53 information in CloudTrail](#route-53-info-in-cloudtrail)
+ [Viewing Route 53 events in event history](#route-53-events-in-cloudtrail-event-history)
+ [Understanding Route 53 log file entries](#understanding-route-53-entries-in-cloudtrail)

## Route 53 information in CloudTrail
<a name="route-53-info-in-cloudtrail"></a>

CloudTrail is enabled on your AWS account when you create the account. When activity occurs in Route 53, that activity is recorded in a CloudTrail event along with other AWS service events in **Event history**. You can view, search, and download recent events in your AWS account. For more information, see [Viewing events with CloudTrail event history](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html). 

For an ongoing record of events in your AWS account, including events for Route 53, create a trail. A trail enables CloudTrail to deliver log files to an Amazon S3 bucket. By default, when you create a trail in the console, the trail applies to all regions. The trail logs events from all regions in the AWS partition and delivers the log files to the Amazon S3 bucket that you specify. Additionally, you can configure other AWS services to further analyze and act upon the event data collected in CloudTrail logs. For more information, see: 
+ [Overview for creating a trail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html)
+ [CloudTrail supported services and integrations](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html#cloudtrail-aws-service-specific-topics-integrations)
+ [Configuring Amazon SNS notifications for CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/getting_notifications_top_level.html)
+ [Receiving CloudTrail log files from multiple Regions](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html) and [Receiving CloudTrail log files from multiple accounts](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html)

All Route 53 actions are logged by CloudTrail and are documented in the [Amazon Route 53 API Reference](https://docs.aws.amazon.com/Route53/latest/APIReference/). For example, calls to the `CreateHostedZone`, `CreateHealthCheck`, and `RegisterDomain` actions generate entries in the CloudTrail log files. 

Every event or log entry contains information about who generated the request. The identity information helps you determine the following: 
+ Whether the request was made with root or IAM user credentials.
+ Whether the request was made with temporary security credentials for a role or federated user.
+ Whether the request was made by another AWS service.

For more information, see the [CloudTrail userIdentity element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html).
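A detection pass over CloudTrail records, as an added example that is not part of this guide: it keeps only Route 53, Route 53 Domains and Resolver events, compares `eventName` case-insensitively because domain-registration actions are logged with a lowercase first letter, and reads the `userIdentity` fields described above to note root credentials, sessions without MFA, long-term access keys (key IDs beginning `AKIA`; temporary credentials begin `ASIA`) and callers whose account differs from `recipientAccountId`. The list of sensitive actions is a local choice for the example, and the sample records are constructed in the shape of the log entries shown below.

```python
from typing import Any, Iterable

ROUTE53_SOURCES = {
    "route53.amazonaws.com",
    "route53domains.amazonaws.com",
    "route53resolver.amazonaws.com",
}

# Local choice of control-plane actions worth reviewing. Compared case-insensitively
# because CloudTrail lowercases the first letter of domain-registration actions.
SENSITIVE_ACTIONS = {name.lower() for name in (
    "ChangeResourceRecordSets",
    "DeleteHostedZone",
    "UpdateDomainContact",
    "UpdateDomainNameservers",
    "DisableDomainTransferLock",
    "CreateResolverEndpoint",
)}


def risk_reasons(record: dict[str, Any]) -> list[str]:
    """Reasons a Route 53 CloudTrail record deserves attention; empty if none apply."""
    if record.get("eventSource") not in ROUTE53_SOURCES:
        return []
    identity = record.get("userIdentity", {})
    reasons: list[str] = []
    if record.get("eventName", "").lower() in SENSITIVE_ACTIONS:
        reasons.append("sensitive-action")
    if identity.get("type") == "Root":
        reasons.append("root-credentials")
    attrs = identity.get("sessionContext", {}).get("attributes", {})
    if attrs.get("mfaAuthenticated") == "false":
        reasons.append("session-without-mfa")
    if identity.get("accessKeyId", "").startswith("AKIA"):
        reasons.append("long-term-access-key")      # AKIA = IAM user key, ASIA = temporary credential
    caller = identity.get("accountId")
    if caller and caller != record.get("recipientAccountId"):
        reasons.append("caller-account-differs")    # resource owner is not the caller's account
    return reasons


def review(records: Iterable[dict[str, Any]]) -> list[dict[str, Any]]:
    """Findings for records that are sensitive actions or any use of the root user."""
    findings = []
    for record in records:
        reasons = risk_reasons(record)
        if "sensitive-action" in reasons or "root-credentials" in reasons:
            findings.append({
                "eventID": record.get("eventID"),
                "eventTime": record.get("eventTime"),
                "eventName": record.get("eventName"),
                "actor": record.get("userIdentity", {}).get("arn"),
                "sourceIPAddress": record.get("sourceIPAddress"),
                "reasons": reasons,
            })
    return findings


def _record(**fields: Any) -> dict[str, Any]:
    """Constructed record with the envelope fields every sample shares."""
    base = {"eventVersion": "1.05", "eventType": "AwsApiCall", "awsRegion": "us-east-1",
            "sourceIPAddress": "192.0.2.92", "recipientAccountId": "111122223333"}
    return {**base, **fields}


# Constructed sample records (no real accounts, keys or IDs).
SAMPLE_RECORDS = [
    _record(eventID="e1", eventTime="2018-01-16T00:41:48Z", eventSource="route53.amazonaws.com",
            eventName="ListHostedZones",
            userIdentity={"type": "IAMUser", "accountId": "111122223333", "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                          "arn": "arn:aws:iam::111122223333:user/smithj"}),
    _record(eventID="e2", eventTime="2018-01-16T00:41:37Z", eventSource="route53.amazonaws.com",
            eventName="DeleteHostedZone", recipientAccountId="444455556666",
            userIdentity={"type": "IAMUser", "accountId": "111122223333", "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                          "arn": "arn:aws:iam::111122223333:user/smithj"}),
    _record(eventID="e3", eventTime="2018-11-01T19:49:36Z", eventSource="route53domains.amazonaws.com",
            eventName="updateDomainContact",     # lowercase first letter, as logged
            userIdentity={"type": "AssumedRole", "accountId": "111122223333", "accessKeyId": "ASIAIOSFODNN7EXAMPLE",
                          "arn": "arn:aws:sts::111122223333:assumed-role/Admin/smithj",
                          "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}),
    _record(eventID="e4", eventTime="2018-11-01T20:02:11Z", eventSource="route53.amazonaws.com",
            eventName="GetHostedZone",
            userIdentity={"type": "Root", "accountId": "111122223333", "accessKeyId": "ASIAIOSFODNN7EXAMPLE",
                          "arn": "arn:aws:iam::111122223333:root",
                          "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}),
]

if __name__ == "__main__":
    for finding in review(SAMPLE_RECORDS):
        print(finding["eventTime"], finding["eventName"], finding["actor"], ",".join(finding["reasons"]))
```

The same function can run over the `Records` array of a delivered CloudTrail log file; remember that Route 53 and Route 53 Domains events are recorded in US East (N. Virginia), so a trail that covers only other Regions will not contain them.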

## Viewing Route 53 events in event history
<a name="route-53-events-in-cloudtrail-event-history"></a>

CloudTrail lets you view recent events in **Event history**. To view events for Route 53 API requests, you must choose **US East (N. Virginia)** in the region selector at the top of the console. For more information, see [Viewing events with CloudTrail event history](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html) in the *AWS CloudTrail User Guide*.

## Understanding Route 53 log file entries
<a name="understanding-route-53-entries-in-cloudtrail"></a>

A trail is a configuration that enables delivery of events as log files to an Amazon S3 bucket that you specify. CloudTrail log files contain one or more log entries. An event represents a single request from any source and includes information about the requested action, the date and time of the action, request parameters, and so on. CloudTrail log files are not an ordered stack trace of the public API calls, so they do not appear in any specific order. 

The `eventName` element identifies the action that occurred. (In CloudTrail logs, the first letter is lowercase for domain registration actions even though it's uppercase in the names of the actions. For example, `UpdateDomainContact` appears as `updateDomainContact` in the logs). CloudTrail supports all Route 53 API actions. The following example shows a CloudTrail log entry that demonstrates the following actions:
+ List the hosted zones that are associated with an AWS account
+ Create a health check
+ Create two records
+ Delete a hosted zone
+ Update information for a registered domain
+ Create a Route 53 VPC Resolver outbound endpoint

```
{
    "Records": [
        {
            "apiVersion": "2013-04-01",
            "awsRegion": "us-east-1",
            "eventID": "1cdbea14-e162-43bb-8853-f9f86d4739ca",
            "eventName": "ListHostedZones",
            "eventSource": "route53.amazonaws.com",
            "eventTime": "2015-01-16T00:41:48Z",
            "eventType": "AwsApiCall",
            "eventVersion": "1.02",
            "recipientAccountId": "444455556666",
            "requestID": "741e0df7-9d18-11e4-b752-f9c6311f3510",
            "requestParameters": null,
            "responseElements": null,
            "sourceIPAddress": "192.0.2.92",
            "userAgent": "Apache-HttpClient/4.3 (java 1.5)",
            "userIdentity": {
                "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                "accountId": "111122223333",
                "arn": "arn:aws:iam::111122223333:user/smithj",
                "principalId": "A1B2C3D4E5F6G7EXAMPLE",
                "type": "IAMUser",
                "userName": "smithj"
            }
        },
        {
            "apiVersion": "2013-04-01",
            "awsRegion": "us-east-1",
            "eventID": "45ec906a-1325-4f61-b133-3ef1012b0cbc",
            "eventName": "CreateHealthCheck",
            "eventSource": "route53.amazonaws.com",
            "eventTime": "2018-01-16T00:41:57Z",
            "eventType": "AwsApiCall",
            "eventVersion": "1.02",
            "recipientAccountId": "444455556666",
            "requestID": "79915168-9d18-11e4-b752-f9c6311f3510",
            "requestParameters": {
                "callerReference": "2014-05-06 64832",
                "healthCheckConfig": {
                    "iPAddress": "192.0.2.249",
                    "port": 80,
                    "type": "TCP"
                }
            },
            "responseElements": {
                "healthCheck": {
                    "callerReference": "2014-05-06 64847",
                    "healthCheckConfig": {
                        "failureThreshold": 3,
                        "iPAddress": "192.0.2.249",
                        "port": 80,
                        "requestInterval": 30,
                        "type": "TCP"
                    },
                    "healthCheckVersion": 1,
                    "id": "b3c9cbc6-cd18-43bc-93f8-9e557example"
                },
                "location": "https://route53.amazonaws.com/2013-04-01/healthcheck/b3c9cbc6-cd18-43bc-93f8-9e557example"
            },
            "sourceIPAddress": "192.0.2.92",
            "userAgent": "Apache-HttpClient/4.3 (java 1.5)",
            "userIdentity": {
                "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                "accountId": "111122223333",
                "arn": "arn:aws:iam::111122223333:user/smithj",
                "principalId": "A1B2C3D4E5F6G7EXAMPLE",
                "type": "IAMUser",
                "userName": "smithj"
            }
        },
        {
            "additionalEventData": {
                "Note": "Do not use to reconstruct hosted zone"
            },
            "apiVersion": "2013-04-01",
            "awsRegion": "us-east-1",
            "eventID": "883b14d9-2f84-4005-8bc5-c7bf0cebc116",
            "eventName": "ChangeResourceRecordSets",
            "eventSource": "route53.amazonaws.com",
            "eventTime": "2018-01-16T00:41:43Z",
            "eventType": "AwsApiCall",
            "eventVersion": "1.02",
            "recipientAccountId": "444455556666",
            "requestID": "7081d4c6-9d18-11e4-b752-f9c6311f3510",
            "requestParameters": {
                "changeBatch": {
                    "changes": [
                        {
                            "action": "CREATE",
                            "resourceRecordSet": {
                                "name": "prod.example.com.",
                                "resourceRecords": [
                                    {
                                        "value": "192.0.1.1"
                                    },
                                    {
                                        "value": "192.0.1.2"
                                    },
                                    {
                                        "value": "192.0.1.3"
                                    },
                                    {
                                        "value": "192.0.1.4"
                                    }
                                ],
                                "tTL": 300,
                                "type": "A"
                            }
                        },
                        {
                            "action": "CREATE",
                            "resourceRecordSet": {
                                "name": "test.example.com.",
                                "resourceRecords": [
                                    {
                                        "value": "192.0.1.1"
                                    },
                                    {
                                        "value": "192.0.1.2"
                                    },
                                    {
                                        "value": "192.0.1.3"
                                    },
                                    {
                                        "value": "192.0.1.4"
                                    }
                                ],
                                "tTL": 300,
                                "type": "A"
                            }
                        }
                    ],
                    "comment": "Adding subdomains"
                },
                "hostedZoneId": "Z1PA6795UKMFR9"
            },
            "responseElements": {
                "changeInfo": {
                    "comment": "Adding subdomains",
                    "id": "/change/C156SRE0X2ZB10",
                    "status": "PENDING",
                    "submittedAt": "Jan 16, 2018 12:41:43 AM"
                }
            },
            "sourceIPAddress": "192.0.2.92",
            "userAgent": "Apache-HttpClient/4.3 (java 1.5)",
            "userIdentity": {
                "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                "accountId": "111122223333",
                "arn": "arn:aws:iam::111122223333:user/smithj",
                "principalId": "A1B2C3D4E5F6G7EXAMPLE",
                "type": "IAMUser",
                "userName": "smithj"
            }
        },
        {
            "apiVersion": "2013-04-01",
            "awsRegion": "us-east-1",
            "eventID": "0cb87544-ebee-40a9-9812-e9dda1962cb2",
            "eventName": "DeleteHostedZone",
            "eventSource": "route53.amazonaws.com",
            "eventTime": "2018-01-16T00:41:37Z",
            "eventType": "AwsApiCall",
            "eventVersion": "1.02",
            "recipientAccountId": "444455556666",
            "requestID": "6d5d149f-9d18-11e4-b752-f9c6311f3510",
            "requestParameters": {
                "id": "Z1PA6795UKMFR9"
            },
            "responseElements": {
                "changeInfo": {
                    "id": "/change/C1SIJYUYIKVJWP",
                    "status": "PENDING",
                    "submittedAt": "Jan 16, 2018 12:41:36 AM"
                }
            },
            "sourceIPAddress": "192.0.2.92",
            "userAgent": "Apache-HttpClient/4.3 (java 1.5)",
            "userIdentity": {
                "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                "accountId": "111122223333",
                "arn": "arn:aws:iam::111122223333:user/smithj",
                "principalId": "A1B2C3D4E5F6G7EXAMPLE",
                "type": "IAMUser",
                "userName": "smithj"
            }
        },
        {
            "eventVersion": "1.05",
            "userIdentity": {
                "type": "IAMUser",
                "principalId": "A1B2C3D4E5F6G7EXAMPLE",
                "arn": "arn:aws:iam::111122223333:user/smithj",
                "accountId": "111122223333",
                "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                "userName": "smithj",
                "sessionContext": {
                    "attributes": {
                        "mfaAuthenticated": "false",
                        "creationDate": "2018-11-01T19:43:59Z"
                    }
                },
                "invokedBy": "test"
            },
            "eventTime": "2018-11-01T19:49:36Z",
            "eventSource": "route53domains.amazonaws.com",
            "eventName": "updateDomainContact",
            "awsRegion": "us-west-2",
            "sourceIPAddress": "192.0.2.92",
            "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Firefox/52.0",
            "requestParameters": {
                "domainName": {
                    "name": "example.com"
                }
            },
            "responseElements": {
                "requestId": "034e222b-a3d5-4bec-8ff9-35877ff02187"
            },
            "additionalEventData": "Personally-identifying contact information is not logged in the request",
            "requestID": "015b7313-bf3d-11e7-af12-cf75409087f6",
            "eventID": "f34f3338-aaf4-446f-bf0e-f72323bac94d",
            "eventType": "AwsApiCall",
            "recipientAccountId": "444455556666"
        },
        {
            "eventVersion": "1.05",
            "userIdentity": {
                "type": "IAMUser",
                "principalId": "A1B2C3D4E5F6G7EXAMPLE",
                "arn": "arn:aws:iam::111122223333:user/smithj",
                "accountId": "111122223333",
                "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                "sessionContext": {
                    "attributes": {
                        "mfaAuthenticated": "false",
                        "creationDate": "2018-11-01T14:33:09Z"
                    },
                    "sessionIssuer": {
                        "type": "Role",
                        "principalId": "AROAIUZEZLWWZOEXAMPLE",
                        "arn": "arn:aws:iam::123456789012:role/Admin",
                        "accountId": "123456789012",
                        "userName": "Admin"
                    }
                }
            },
            "eventTime": "2018-11-01T14:37:19Z",
            "eventSource": "route53resolver.amazonaws.com",
            "eventName": "CreateResolverEndpoint",
            "awsRegion": "us-west-2",
            "sourceIPAddress": "192.0.2.176",
            "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Firefox/52.0",
            "requestParameters": {
                "creatorRequestId": "123456789012",
                "name": "OutboundEndpointDemo",
                "securityGroupIds": [
                    "sg-05618b249example"
                ],
                "direction": "OUTBOUND",
                "ipAddresses": [
                    {
                        "subnetId": "subnet-01cb0c4676example"
                    },
                    {
                        "subnetId": "subnet-0534819b32example"
                    }
                ],
                "tags": []
            },
            "responseElements": {
                "resolverEndpoint": {
                    "id": "rslvr-out-1f4031f1f5example",
                    "creatorRequestId": "123456789012",
                    "arn": "arn:aws:route53resolver:us-west-2:123456789012:resolver-endpoint/rslvr-out-1f4031f1f5example",
                    "name": "OutboundEndpointDemo",
                    "securityGroupIds": [
                        "sg-05618b249example"
                    ],
                    "direction": "OUTBOUND",
                    "ipAddressCount": 2,
                    "hostVPCId": "vpc-0de29124example",
                    "status": "CREATING",
                    "statusMessage": "[Trace id: 1-5bd1d51e-f2f3032eb75649f71example] Creating the Resolver Endpoint",
                    "creationTime": "2018-11-01T14:37:19.045Z",
                    "modificationTime": "2018-11-01T14:37:19.045Z"
                }
            },
            "requestID": "3f066d98-773f-4628-9cba-4ba6eexample",
            "eventID": "cb05b4f9-9411-4507-813b-33cb0example",
            "eventType": "AwsApiCall",
            "recipientAccountId": "123456789012"
        }
    ]
}
```
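The records above show the fields a responder has to work with: `eventSource` and `eventName` identify the Route 53 API that was called, `userIdentity.sessionContext.attributes.mfaAuthenticated` says whether the session was MFA-backed, `sessionIssuer` names the role that was assumed, and `recipientAccountId` versus `userIdentity.accountId` reveals a cross-account call. Note also that the `updateDomainContact` record carries no contact values (`additionalEventData` states that personally identifying contact information is not logged), so detection has to key on who made the change, not on what was submitted. The following script, an added example that is not part of this guide or of any AWS tooling, reads a CloudTrail log file of the shape shown above and reports sensitive Route 53 changes, flagging those made without MFA or through a cross-account role. The set of "sensitive" event names is an assumption chosen for illustration, and the sample records embedded in it are constructed to mirror the example log, not copied from real trails.

```python
"""Added example (not part of the Route 53 guide): triage CloudTrail records
for sensitive Route 53 changes made without MFA or across accounts.

All sample records below are constructed to mirror the field layout of the
CloudTrail example in this guide; they are not real log data.
"""
import json

# Assumption for illustration: API calls that change DNS trust boundaries.
# Matching is case-insensitive because CloudTrail examples show mixed case
# (e.g. "updateDomainContact" next to "CreateResolverEndpoint").
SENSITIVE_EVENTS = {
    "route53domains.amazonaws.com": {
        "UpdateDomainContact", "UpdateDomainNameservers",
        "TransferDomain", "DisableDomainTransferLock",
    },
    "route53.amazonaws.com": {
        "ChangeResourceRecordSets", "DeleteHostedZone",
        "AssociateVPCWithHostedZone",
    },
    "route53resolver.amazonaws.com": {
        "CreateResolverEndpoint", "CreateResolverRule", "AssociateResolverRule",
    },
}


def load_records(text: str) -> list:
    """Parse a CloudTrail log file body ({"Records": [...]}) into a list."""
    return json.loads(text).get("Records", [])


def mfa_authenticated(record: dict) -> bool:
    """True only if the session attributes explicitly say MFA was used."""
    attrs = (record.get("userIdentity", {})
                   .get("sessionContext", {})
                   .get("attributes", {}))
    return str(attrs.get("mfaAuthenticated", "false")).lower() == "true"


def is_sensitive(record: dict) -> bool:
    names = SENSITIVE_EVENTS.get(record.get("eventSource", ""), set())
    return record.get("eventName", "").lower() in {n.lower() for n in names}


def triage(records: list) -> list:
    """Return one finding per sensitive record, with the risk indicators set."""
    findings = []
    for r in records:
        if not is_sensitive(r):
            continue
        identity = r.get("userIdentity", {})
        issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
        findings.append({
            "eventTime": r.get("eventTime"),
            "eventName": r.get("eventName"),
            "actor": identity.get("arn"),
            "assumedRole": issuer.get("arn"),
            "sourceIPAddress": r.get("sourceIPAddress"),
            "mfa": mfa_authenticated(r),
            # The caller's home account differs from the account that owns
            # the resource: a cross-account role was used.
            "crossAccount": identity.get("accountId") != r.get("recipientAccountId"),
        })
    return findings


def _session(mfa: str, issuer_arn: str = None) -> dict:
    ctx = {"attributes": {"mfaAuthenticated": mfa}}
    if issuer_arn:
        ctx["sessionIssuer"] = {"type": "Role", "arn": issuer_arn}
    return ctx


# Constructed sample log, same layout as the guide's example.
SAMPLE_LOG = json.dumps({"Records": [
    {   # contact update, same account, no MFA
        "eventTime": "2018-11-01T19:49:36Z",
        "eventSource": "route53domains.amazonaws.com",
        "eventName": "updateDomainContact",
        "sourceIPAddress": "192.0.2.92",
        "userIdentity": {"type": "IAMUser", "accountId": "444455556666",
                         "arn": "arn:aws:iam::444455556666:user/alice",
                         "sessionContext": _session("false")},
        "recipientAccountId": "444455556666",
    },
    {   # resolver endpoint created through a cross-account Admin role, no MFA
        "eventTime": "2018-11-01T14:37:19Z",
        "eventSource": "route53resolver.amazonaws.com",
        "eventName": "CreateResolverEndpoint",
        "sourceIPAddress": "192.0.2.176",
        "userIdentity": {"type": "IAMUser", "accountId": "111122223333",
                         "arn": "arn:aws:iam::111122223333:user/smithj",
                         "sessionContext": _session(
                             "false", "arn:aws:iam::123456789012:role/Admin")},
        "recipientAccountId": "123456789012",
    },
    {   # read-only call, must be ignored
        "eventSource": "route53.amazonaws.com", "eventName": "ListHostedZones",
        "userIdentity": {"accountId": "123456789012"},
        "recipientAccountId": "123456789012",
    },
]})


def sample_findings() -> list:
    return triage(load_records(SAMPLE_LOG))


if __name__ == "__main__":
    for f in sample_findings():
        tag = "OK " if f["mfa"] and not f["crossAccount"] else "REVIEW"
        print(f"{tag} {f['eventTime']} {f['eventName']} by {f['actor']} "
              f"via {f['assumedRole']} mfa={f['mfa']} cross={f['crossAccount']}")
```

In practice the same logic runs as a CloudWatch Logs filter or EventBridge rule on the trail rather than over a downloaded file, but the indicators are the ones worth alerting on: a domain-registration or resolver change with `mfaAuthenticated` false, or one where the calling principal's account is not the account that owns the hosted zone or endpoint.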