

# What are Amazon Route 53 Profiles?
<a name="profiles"></a>

With Route 53 Profiles, you can apply and manage DNS-related Route 53 configurations across many VPCs and in different AWS accounts. Profiles make managing the DNS settings for many VPCs as easy as managing them for a single VPC. When you update a Profile, its settings are propagated to all the VPCs associated to the Profile. You can also share a Profile with AWS accounts in the same Regions by using AWS RAM. The Route 53 resources that you can currently associate to a Profile are:
+ Private hosted zones and the settings specified in them. For more information about working with private hosted zones, see [Working with private hosted zones](hosted-zones-private.md).
+ Resolver rules, both forwarding and system. For more information about Resolver rules, see [Managing forwarding rules](resolver-rules-managing.md).
+ DNS Firewall rule groups. For more information about DNS Firewall rule groups, see [DNS Firewall rule groups and rules](resolver-dns-firewall-rule-groups.md).
+ Interface VPC endpoints. For more information about interface VPC endpoints, see [interface VPC endpoints](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html) in the *Amazon VPC User Guide*.
+ VPC Resolver query logging configurations. For more information about VPC Resolver query logging, see [Resolver query logging](resolver-query-logs.md).

Some of the VPC configurations are directly managed on the Profile. The configurations are:
+ Reverse DNS lookup configuration for Resolver Rules.
+ DNS Firewall failure mode configuration.
+ DNSSEC validation configuration.

For example, you can enable the DNS Firewall failure mode configuration for all the VPCs the Profile is associated to, but keep the VPC's existing DNSSEC validation configuration.

**Important**  
Once you enable the Profile settings for the preceding configurations, and associate the Profile to a VPC, the Profile settings take effect immediately.

You can also use CloudFormation to set up consistent DNS settings for newly provisioned VPCs. 

You can associate one Profile per VPC and the number of resources you can associate per Profile varies. For more information, see [Quotas on Route 53 Profiles](DNSLimitations.md#limits-api-entities-route53-profiles).

## How Route 53 Profile settings are prioritized
<a name="profiles-priority"></a>

You can have local DNS settings on a VPC and associations set through a Profile at the same time, for migration or other testing purposes. When a DNS query matches both the Resolver rule for a private hosted zone that is directly associated with the VPC and a Resolver rule for a private hosted zone that is associated to the Profile, the local DNS settings take precedence. When a DNS query is made for a conflicting domain name, the most specific one wins. The following table includes examples of the evaluation order:


| DNS query | Profile rule | VPC rule | Evaluated rule | 
| --- | --- | --- | --- | 
|  example.com  |  example.com  |  example.com  |  Local VPC  | 
|  test.example.com  |  test.example.com  |  example.com  |  Profile  | 
|  marketing.example.com  |  None  |  marketing.example.com  |  Local VPC  | 
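
The evaluation order in the table, modelled as an added example (not AWS code). It applies only the two rules stated above: the most specific domain wins, and the local VPC wins when both sides have a rule for the same domain. The rule lists and function names are assumptions made for illustration.

```python
def labels(name):
    """Lowercase a domain name and split it into labels, ignoring a trailing dot."""
    return [part for part in name.lower().split(".") if part]


def covers(rule_domain, name):
    """True if rule_domain equals name or is a parent domain of it.

    Comparison is per label, so example.com does not cover notexample.com.
    """
    rule, target = labels(rule_domain), labels(name)
    return len(rule) <= len(target) and target[len(target) - len(rule):] == rule


def evaluate(query, profile_rules, vpc_rules):
    """Return (source, domain) for the rule that is evaluated, or (None, None)."""
    candidates = []
    for source, rules in (("Local VPC", vpc_rules), ("Profile", profile_rules)):
        for domain in rules:
            if covers(domain, query):
                # Rank by number of labels (more specific first); on a tie the
                # local VPC rule outranks the Profile rule.
                candidates.append(
                    (len(labels(domain)), source == "Local VPC", source, domain)
                )
    if not candidates:
        return (None, None)
    _, _, source, domain = max(candidates)
    return (source, domain)


def local_overrides(profile_rules, vpc_rules):
    """List (profile_domain, vpc_domain) pairs where a local VPC rule takes
    precedence for some or all names under a Profile rule's domain.

    Useful when reviewing a migration: every pair is a place where the
    centrally managed Profile rule is not the one being evaluated.
    """
    pairs = []
    for profile_domain in profile_rules:
        for vpc_domain in vpc_rules:
            # The VPC rule is for the same domain or for a subdomain of it.
            if covers(profile_domain, vpc_domain):
                pairs.append((profile_domain, vpc_domain))
    return sorted(pairs)


# Rows of the table above: (DNS query, Profile rules, VPC rules).
TABLE = [
    ("example.com", ["example.com"], ["example.com"]),
    ("test.example.com", ["test.example.com"], ["example.com"]),
    ("marketing.example.com", [], ["marketing.example.com"]),
]

if __name__ == "__main__":
    for query, profile_rules, vpc_rules in TABLE:
        print(query, "->", evaluate(query, profile_rules, vpc_rules))
    # Constructed rule sets for the override report.
    print(local_overrides(["example.com", "corp.internal"],
                          ["example.com", "db.corp.internal"]))
```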

## Route 53 Profiles Region availability
<a name="profiles-region-availability"></a>

To view the Region availability and the endpoints, see [Service endpoints for Route 53](https://docs.aws.amazon.com/general/latest/gr/r53.html) in the *AWS General Reference* guide.

# High-level steps for using Route 53 Profiles
<a name="profile-high-level-steps"></a>

To implement Amazon Route 53 Profiles in your Amazon Virtual Private Cloud VPCs, you perform the following high-level steps.

1. **Create an empty Profile** – The first step is to create an empty Profile to which you can associate DNS resources. For more information, see [Creating Route 53 Profiles](profile-create.md).

1. **Associate DNS resources to the Profile** – The resources you can currently associate to a Profile are private hosted zones, Resolver rules, both forwarding and system, DNS Firewall rule groups, VPC Resolver query logging configurations, and interface VPC endpoints. For more information, see [Associate DNS Firewall rule groups to a Route 53 Profile](profile-associate-dns-firewall.md), [Associate private hosted zones to a Route 53 Profile](profile-associate-private-hz.md), [Associate Resolver rules to a Route 53 Profile](profile-associate-resolver-rules.md), [Associate VPC Resolver query logging configurations to a Route 53 Profile](profile-associate-query-logging.md), and [Associate interface VPC endpoints to a Route 53 Profile](profile-associate-vpc-endpoints.md).

1. **Configure some of the VPC settings for the Profile** – Some of the DNS settings, like hosted zones associated to the Profile, are applied to the VPCs immediately. For DNSSEC validation, Resolver reverse DNS lookup, and DNS Firewall failure mode configurations you can choose one of the following options: 
   + For DNSSEC validation, you can choose to use the local VPC configuration (default), enable the validation, or disable the validation for all the VPCs associated to the Profile.
   + For Resolver reverse DNS lookup configuration you can enable it, disable it, or use the auto defined rules defined for the VPC locally (default).
   + For DNS Firewall failure mode configuration you can enable it, disable it, or use the failure mode configuration defined for the VPC locally (default).

   For more information, see [Edit Route 53 Profile configurations](profile-edit-configurations.md).

1. **Associate the Profile to one or more VPCs** – To begin using your Profile, associate it with one or more VPCs. For more information, see [Associate a Route 53 Profile to VPCs](profile-associate-vpcs.md).

# Creating Route 53 Profiles
<a name="profile-create"></a>

To create Route 53 Profiles, follow the guidance in this topic. Choose a tab to create a Route 53 Profile by using the Route 53 console, or AWS CLI. 
+ [Console](#profile_create_console)
+ [CLI](#profile_create_CLI)

------
#### [ Console ]<a name="profile-create-procedure"></a>

**To create a Route 53 Profile**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. In the navigation pane, choose **Profiles**.

1. On the navigation bar, choose the Region where you want to create the Profile.

1. Enter a name for the Profile, optionally add tags, and choose **Create Profile**.

   This creates an empty Profile with default configurations to which you can associate resources. After you associate resources to the Profile, you can associate it to a number of VPCs and edit how some of the Resolver configurations apply to the VPCs.

------
#### [ CLI ]

You can create a Profile by running an AWS CLI command like the following and using your own value for `name`.

`aws route53profiles create-profile --name test`

The following is an example output after you run the command:

```
{
    "Profile": {
        "Arn": "arn:aws:route53profiles:us-east-1:123456789012:profile/rp-6ffe47d5example",
        "ClientToken": "2ca1a304-32b3-4f5f-bc4c-EXAMPLE11111",
        "CreationTime": 1710850903.578,
        "Id": "rp-6ffe47d5example",
        "ModificationTime": 1710850903.578,
        "Name": "test",
        "OwnerId": "123456789012",
        "ShareStatus": "NOT_SHARED",
        "Status": "COMPLETE",
        "StatusMessage": "Created Profile"
    }
}
```

------

To associate your Profiles with different resources and edit the VPC configurations for the Profile, see the following procedures:

**Topics**
+ [Associate DNS Firewall rule groups to a Route 53 Profile](profile-associate-dns-firewall.md)
+ [Associate private hosted zones to a Route 53 Profile](profile-associate-private-hz.md)
+ [Associate Resolver rules to a Route 53 Profile](profile-associate-resolver-rules.md)
+ [Associate interface VPC endpoints to a Route 53 Profile](profile-associate-vpc-endpoints.md)
+ [Associate VPC Resolver query logging configurations to a Route 53 Profile](profile-associate-query-logging.md)
+ [Edit Route 53 Profile configurations](profile-edit-configurations.md)
+ [Associate a Route 53 Profile to VPCs](profile-associate-vpcs.md)

# Associate DNS Firewall rule groups to a Route 53 Profile
<a name="profile-associate-dns-firewall"></a>

For instructions for creating a rule group, see [Creating a rule group and rules](resolver-dns-firewall-rule-group-adding.md), and then choose a tab to associate DNS Firewall rule groups to a Route 53 Profile by using the Route 53 console, or AWS CLI.
+ [Console](#profile-rule-group-console)
+ [CLI](#profile-rule-group-CLI)

------
#### [ Console ]<a name="profile-associate-dns-firewall-procedure"></a>

**To associate DNS Firewall rule groups**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. On the navigation bar, choose the Region where you created the Profile.

1. In the navigation pane, choose **Profiles** and on the **Profiles** table, choose the linked name of the Profile you want to work with.

1. On the **<Profile name>** page, choose the **DNS Firewall rule groups** tab and then **Associate**.

1. In the **DNS Firewall rule groups** section you can select up to 10 rule groups you have previously created. If you want to associate more than 10 rule groups, use the APIs. For more information, see [AssociateResourceToProfile](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_AssociateResourceToProfile.html).

   To create new rule groups, see [Creating a rule group and rules](resolver-dns-firewall-rule-group-adding.md).

1. Choose **Next**.

1. On the **Define priority** page you can set the order in which the rule groups are processed by clicking the pre-assigned priority number and typing in a new one. The allowed values for the priority are between 100 and 9900.

   The rule groups are evaluated starting with the lowest numeric priority setting and going up. You can change a rule group's priority at any time, for example to change the order of processing or make space for other rule groups.

   Choose **Submit**.

1. The association progress is displayed in the **Status** column in the **DNS Firewall** rule groups dialog box. 

------
#### [ CLI ]

You can associate a rule group to a Profile by running an AWS CLI command like the following and using your own values for `name`, `profile-id`, `resource-arn`, and `priority`:

`aws route53profiles associate-resource-to-profile --name test-resource-association --profile-id rp-4987774726example --resource-arn arn:aws:route53resolver:us-east-1:123456789012:firewall-rule-group/rslvr-frg-cfe7f72example --resource-properties "{\"priority\": 102}"`

The following is an example output after you run the command:

```
{
    "ProfileResourceAssociation": {
        "CreationTime": 1710851216.613,
        "Id": "rpr-001913120a7example",
        "ModificationTime": 1710851216.613,
        "Name": "test-resource-association",
        "OwnerId": "123456789012",
        "ProfileId": "rp-4987774726example",
        "ResourceArn": "arn:aws:route53resolver:us-east-1:123456789012:firewall-rule-group/rslvr-frg-cfe7f72example",
        "ResourceProperties": "{\"priority\":102}",
        "ResourceType": "FIREWALL_RULE_GROUP",
        "Status": "UPDATING",
        "StatusMessage": "Updating the Profile to DNS Firewall rule group association"
    }
}
```

------

# Associate private hosted zones to a Route 53 Profile
<a name="profile-associate-private-hz"></a>

For instructions for how to create a private hosted zone, see [Creating a private hosted zone](hosted-zone-private-creating.md), and then follow the steps in this procedure to associate a private hosted zone to a Profile.<a name="profile-associate-private-hz-procedure"></a>

**To associate private hosted zones**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. On the navigation bar, choose the Region where you created the Profile.

1. In the navigation pane, choose **Profiles** and on the **Profiles** table, choose the linked name of the Profile you want to work with.

1. On the **<Profile name>** page, choose the **Private hosted zones** tab, and then **Associate**.

1. On the **Associate private hosted zones** page you can select up to 10 private hosted zones you have previously created. If you want to associate more than 10 private hosted zones, use the APIs. For more information, see [AssociateResourceToProfile](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_AssociateResourceToProfile.html).

   To create private hosted zones, see [Creating a private hosted zone](hosted-zone-private-creating.md).

1. Choose **Associate**.

1. The association progress is displayed in the **Status** column on the **Private hosted zones** tab.

# Associate Resolver rules to a Route 53 Profile
<a name="profile-associate-resolver-rules"></a>

For instructions for how to create a Resolver rule, see [Creating forwarding rules](resolver-rules-managing.md#resolver-rules-managing-creating-rules), and then follow the steps in this procedure to associate Resolver rules to a Profile.<a name="profile-associate-resolver-rules-procedure"></a>

**To associate VPC Resolver rules**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. On the navigation bar, choose the Region where you created the Profile.

1. On the **<Profile name>** page, choose the **Resolver rules** tab, and then **Associate**.

1. On the **Associate Resolver rules** page, in the **Resolver rules** table you can select up to 10 Resolver rules you have previously created. If you want to associate more than 10 resolver rules, use the APIs. For more information, see [AssociateResourceToProfile](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_AssociateResourceToProfile.html).

   To create Resolver rules, see [Creating forwarding rules](resolver-rules-managing.md#resolver-rules-managing-creating-rules).

1. Choose **Associate**.

1. The association progress is displayed in the **Status** column on the **Resolver rules** tab.

# Associate interface VPC endpoints to a Route 53 Profile
<a name="profile-associate-vpc-endpoints"></a>

For instructions on how to create an interface VPC endpoint, see [Create a VPC endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html#create-interface-endpoint-aws) in the *VPC User Guide*, and then follow the steps in this procedure to associate a VPC endpoint to a Profile.<a name="profile-associate-vpc-endpoints-procedure"></a>

**To associate VPC endpoints**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. On the navigation bar, choose the Region where you created the Profile.

1. On the **<Profile name>** page, choose the **VPC endpoints** tab, and then **Associate**.

1. On the **Associate VPC endpoints** page, in the **VPC endpoints** table you can select up to 10 endpoints you have previously created. If you want to associate more than 10 endpoints, use the APIs. For more information, see [AssociateResourceToProfile](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_AssociateResourceToProfile.html).

   To create Resolver rules, see [Creating forwarding rules](resolver-rules-managing.md#resolver-rules-managing-creating-rules).

1. Choose **Associate**.

1. The association progress is displayed in the **Status** column on the **VPC endpoints** tab.

# Associate VPC Resolver query logging configurations to a Route 53 Profile
<a name="profile-associate-query-logging"></a>

For instructions on how to create a VPC Resolver query logging configuration, see [Configuring (VPC Resolver query logging)](resolver-query-logging-configurations-managing.md#resolver-query-logs-configuring), and then choose a tab to associate a VPC Resolver query logging configuration to a Route 53 Profile by using the Route 53 console, or AWS CLI.
+ [Console](#profile-query-log-config-console)
+ [CLI](#profile-query-log-config-CLI)

------
#### [ Console ]<a name="profile-associate-query-logging-procedure"></a>

**To associate query logging configurations**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. On the navigation bar, choose the Region where you created the Profile.

1. On the **Profile name** page, choose the **Resolver query log configurations** tab, and then **Associate**.

1. On the **Associate query logging configurations** page, in the **Resolver query log configurations** table, you can select up to three configurations that you previously created. If you want to associate more than three query logging configurations, use the API. For more information, see [AssociateResourceToProfile](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_AssociateResourceToProfile.html).

1. To create new VPC Resolver query logging configurations, see [Configuring (VPC Resolver query logging)](resolver-query-logging-configurations-managing.md#resolver-query-logs-configuring).

1. Choose **Associate**.

1. The association progress is displayed in the **Status** column on the **Resolver query log configurations** tab.

------
#### [ CLI ]

You can associate a query log configuration to a Profile by running an AWS CLI command like the following and using your own values for `name`, `profile-id`, and `resource-arn`.

`aws route53profiles associate-resource-to-profile --name test-resource-association --profile-id rp-4987774726example --resource-arn arn:aws:route53resolver:us-east-1:123456789012:resolver-query-log-config/rqlc-cfe7f72example`

The following is an example output after you run the command:

```
{
    "ProfileResourceAssociation": {
        "CreationTime": 1710851226.613,
        "Id": "rpr-001913120b8example",
        "ModificationTime": 1710851226.613,
        "Name": "test-resource-association",
        "OwnerId": "123456789012",
        "ProfileId": "rp-4987774726example",
        "ResourceArn": "arn:aws:route53resolver:us-east-1:123456789012:resolver-query-log-config/rqlc-cfe7f72example",
        "ResourceType": "RESOLVER_QUERY_LOG_CONFIG",
        "Status": "CREATING",
        "StatusMessage": "Creating rp-4987774726example to rqlc-cfe7f72example association"
    }
}
```

------

# Edit Route 53 Profile configurations
<a name="profile-edit-configurations"></a>

After you associate resources to a Profile, you can edit the default VPC configurations to decide how they are applied to the VPCs.<a name="profile-edit-configurations-procedure"></a>

**To edit Profile configurations**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. On the navigation bar, choose the Region where you created the Profile.

1. In the navigation pane, choose **Profiles** and on the **Profiles** table, choose the linked name of the Profile you want to work with.

1. On the **<Profile name>** page, choose the **Configuration** tab and then **Edit**.

1. On the **Edit Configuration** page, choose one of the values for the VPC DNSSEC configuration, Resolver reverse DNS lookup configuration, and DNS Firewall failure mode configuration.

   For more information about the values, see [Configuration settings for Route 53 Profile](values-for-profile-configuration.md).

1. Choose **Update**.

# Configuration settings for Route 53 Profile
<a name="values-for-profile-configuration"></a>

When you edit a Route 53 Profile configuration, you specify the following values:

**DNSSEC configuration**  
Choose one of the following values:  
+ **Use local VPC DNSSEC configuration - default**

  Choose this option to have all the VPCs associated to this Profile keep their local DNSSEC validation configuration.
+ **Enable DNSSEC validation**

   Choose this option to enable DNSSEC validation in all the VPCs associated to this Profile.
+ **Disable DNSSEC validation**

  Choose this option to disable DNSSEC validation in all VPCs that are associated to this Profile.

**Resolver reverse DNS lookup configuration**  
Choose one of the following values:  
+ **Enable**

  Choose this option to create auto defined rules for reverse DNS lookup in all the associated VPCs.
+ **Not enabled** 

  Choose this option to not create auto defined rules for reverse DNS lookup in all the associated VPCs.
+ **Use local auto defined rules - default**

  Choose this option to use the local VPC settings for reverse DNS lookup for the associated VPCs.

**DNS Firewall failure mode configuration**  
Choose one of the following values:  
+ **Disable**

  Choose this option to close the DNS Firewall failure mode for the associated VPCs. With this option, DNS Firewall will block all queries it can't properly evaluate.
+ **Enabled**

  Choose this option to keep the DNS Firewall failure mode open for all the associated VPCs. With this option, DNS Firewall will allow queries to proceed if it's unable to properly evaluate them.
+ **Use local failure mode settings - default**

  Choose this option to use the local VPC DNS Firewall failure mode settings. 

For more information about the configurations, see
+ [Enabling DNSSEC validation in Amazon Route 53](resolver-dnssec-validation.md)
+ [Forwarding rules for reverse DNS queries in VPC Resolver](resolver-rules-managing.md#resolver-automatic-forwarding-rules-reverse-dns)
+ [DNS Firewall VPC configuration](resolver-dns-firewall-vpc-configuration.md)

# Associate a Route 53 Profile to VPCs
<a name="profile-associate-vpcs"></a>

To associate a Route 53 Profile to a VPC, follow the guidance in this topic. Choose a tab to associate a Route 53 Profile to a VPC by using the Route 53 console, or AWS CLI. 
+ [Console](#profile-associate-vpcs-console)
+ [CLI](#profile-associate-vpcs-CLI)

------
#### [ Console ]<a name="profile-associate-vpcs-procedure"></a>

**To associate VPCs**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. On the navigation bar, choose the Region where you created the Profile.

1. On the **<Profile name>** page, choose the **VPCs** tab, and then **Associate**.

1. On the **Associate VPCs** page you can select up to 10 VPCs you have previously created. If you want to associate more than 10 VPCs, use the APIs. For more information, see [AssociateProfile](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53profiles_AssociateProfile.html).

1. Choose **Associate**.

1. The association progress is displayed in the **Status** column on the **VPCs** page.

------
#### [ CLI ]

You can associate a Profile to a VPC by running an AWS CLI command like the following and using your own values for `name`, `profile-id`, and `resource-id`:

`aws route53profiles associate-profile --name test-association --profile-id rp-4987774726example --resource-id vpc-0af3b96b3example`

The following is an example output after you run the command:

```
{
    "ProfileResourceAssociation": {
        "CreationTime": 1710851216.613,
        "Id": "rpr-001913120a7example",
        "ModificationTime": 1710851216.613,
        "Name": "test-resource-association",
        "OwnerId": "123456789012",
        "ProfileId": "rp-4987774726example",
        "ResourceArn": "arn:aws:route53resolver:us-east-1:123456789012:firewall-rule-group/rslvr-frg-cfe7f72example",
        "ResourceProperties": "{\"priority\":102}",
        "ResourceType": "FIREWALL_RULE_GROUP",
        "Status": "UPDATING",
        "StatusMessage": "Updating the Profile to DNS Firewall rule group association"
    }
}
```

------

# Viewing and updating Amazon Route 53 Profiles
<a name="profiles-editing"></a>

Choose the console tab to view and edit a Route 53 Profile. Choose the CLI tab to use AWS CLI to list Profiles that you own, that you have shared, or that are shared with you.
+ [Console](#profile-editing-console)
+ [CLI](#profile-editing-CLI)

------
#### [ Console ]<a name="profile-editing-procedure"></a>

**Viewing and updating Route 53 Profiles**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. In the navigation pane, choose **Profiles**.

1. Select the button next to the name of the Profile you want to view or edit.

1. On the **<Profile name>** page you can view the currently associated DNS resources, associate new ones, and edit the tags and VPC configurations.

------
#### [ CLI ]

You can list the Profiles by running an AWS CLI command like the following:

`aws route53profiles list-profiles`

The following is an example output after you run the command:

```
{
    "ProfileSummaries": [
        {
            "Arn": "arn:aws:route53profiles:us-east-1:123456789012:profile/rp-4987774726example",
            "Id": "rp-4987774726example",
            "Name": "test",
            "ShareStatus": "NOT_SHARED"
        }
    ]
}
```

You can get information about a particular VPC the Profile is associated to by running an AWS CLI command like the following and using your own value for `profile-association-id`:

`aws route53profiles get-profile-association --profile-association-id rpassoc-489ce212fexample`

The following is an example output after you run the command:

```
{
    "ProfileAssociation": {
        "CreationTime": 1709338817.148,
        "Id": "rrpassoc-489ce212fexample",
        "ModificationTime": 1709338974.772,
        "Name": "test-association",
        "OwnerId": "123456789012",
        "ProfileId": "rp-4987774726example",
        "ResourceId": "vpc-0af3b96b3example",
        "Status": "COMPLETE",
        "StatusMessage": "Created Profile Association"
    }
}
```

------

## Deleting an Amazon Route 53 Profile
<a name="profiles-deleting"></a>

Choose a tab to delete a Route 53 Profile by using the Route 53 console, or AWS CLI.
+ [Console](#profile-delete-console)
+ [CLI](#profile-delete-CLI)

------
#### [ Console ]<a name="profile-deleting-procedure"></a>

**To delete a Route 53 Profile**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. In the navigation pane, choose **Profiles**.

1. Select the button next to the name of the Profile you want to delete, and then choose **Delete**.

   **Important**  
   You can't delete a Profile if it is associated to VPCs. Additionally, if the Profile is shared to another AWS account, any VPCs that the Profile configurations are associated to will lose those configurations.

1. On the **Delete <Profile name>** dialog, type in **confirm**, and then choose **Delete**.

------
#### [ CLI ]

**Important**  
You can't delete a Profile if it is associated to VPCs. Additionally, if the Profile is shared to another AWS account, any VPCs that the Profile configurations are associated to will lose those configurations.

You can delete a Profile by running an AWS CLI command like the following and using your own value for `profile-id`:

`aws route53profiles delete-profile --profile-id rp-6ffe47d5example`

The following is an example output after you run the command:

```
{
    "Profile": {
        "Arn": "arn:aws:route53profiles:us-east-1:123456789012:profile/rp-6ffe47d5example",
        "ClientToken": "0a15fec0-05d9-4f78-bec0-EXAMPLE11111",
        "CreationTime": 1710850903.578,
        "Id": "rp-6ffe47d5example",
        "ModificationTime": 1710850903.578,
        "Name": "test",
        "OwnerId": "123456789012",
        "ShareStatus": "NOT_SHARED",
        "Status": "DELETED",
        "StatusMessage": "Deleted Profile"
    }
}
```

------

# Viewing and updating Route 53 resources associated to an Amazon Route 53 Profile
<a name="profiles-resources-editing"></a>

Choose the console tab to view the Route 53 Profile resource associations, and optionally edit the DNS Firewall rule group priority. Choose the CLI tab to use AWS CLI to list the resource associations and to see an example update to a priority of a DNS Firewall rule group.
+ [Console](#profile-list-resource-console)
+ [CLI](#profile-list-resource-CLI)

------
#### [ Console ]<a name="profile-resources-editing-procedure"></a>

**To view and update resources associated to a Profile**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. In the navigation pane, choose **Profiles**.

1. On the navigation bar, choose the Region where you created the Profile.

1. Select the button next to the name of the Profile for which you want to view or edit the resource associations.

1. On the **<Profile name>** page choose the tab for the resource you want to view or edit, either **DNS Firewall rule groups**, **Private hosted zones**, **Resolver rules**, or **VPC endpoints**.

1. On the tab page for a resource you can view the names, ARN and status for the associated resources. You can also choose the gear icon to adjust what is displayed in the resource table.

   On the **DNS Firewall rule groups** tab page you can also choose the rule group priority entry, and edit it to a smaller or a bigger number. The rule groups are evaluated in order, from the lowest priority number to the highest priority number.

------
#### [ CLI ]

You can list resources associated to a Profile by running an AWS CLI command like the following and using your own value for `profile-id`:

`aws route53profiles list-profile-resource-associations --profile-id rp-4987774726example`

The following is an example output after you run the command:

```
{
    "ProfileResourceAssociations": [
        {
            "CreationTime": 1710851216.613,
            "Id": "rpr-001913120a7example",
            "ModificationTime": 1710851216.613,
            "Name": "test-resource-association",
            "OwnerId": "123456789012",
            "ProfileId": "rp-4987774726example",
            "ResourceArn": "arn:aws:route53resolver:us-east-1:123456789012:firewall-rule-group/rslvr-frg-cfe7f72example",
            "ResourceProperties": "{\"priority\":102}",
            "ResourceType": "FIREWALL_RULE_GROUP",
            "Status": "COMPLETE",
            "StatusMessage": "Completed creation of Profile to DNS Firewall rule group association"
        }
    ]
}
```

You can update the priority of a DNS Firewall rule group associated to a Profile by running an AWS CLI command like the following and using your own values for `profile-resource-association-id` and `--resource-properties`:

`aws route53profiles update-profile-resource-association --profile-resource-association-id rpr-001913120a7example --resource-properties "{\"priority\": 105}"`

The following is an example output after you run the command:

```
{
    "ProfileResourceAssociation": {
        "CreationTime": 1710851216.613,
        "Id": "rpr-001913120a7example",
        "ModificationTime": 1710852303.798,
        "Name": "test-resource-association",
        "OwnerId": "123456789012",
        "ProfileId": "rp-4987774726example",
        "ResourceArn": "arn:aws:route53resolver:us-east-1:123456789012:firewall-rule-group/rslvr-frg-cfe7f72example",
        "ResourceProperties": "{\"priority\":105}",
        "ResourceType": "FIREWALL_RULE_GROUP",
        "Status": "UPDATING",
        "StatusMessage": "Updating the Profile to DNS Firewall rule group association"
    }
}
```
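The `ResourceProperties` field in these responses is a JSON document carried inside a string, and an update first reports `UPDATING`. The following added example (not part of the original AWS documentation) decodes `list-profile-resource-associations` output, orders the DNS Firewall rule groups by priority, and checks whether a priority change has settled. The second and third sample associations are constructed for illustration.

```python
import json

# Constructed sample: the association from the output above once its priority
# update has settled, plus two made-up associations (placeholder IDs and type).
SAMPLE = json.dumps({"ProfileResourceAssociations": [
    {"Id": "rpr-001913120a7example", "Name": "test-resource-association",
     "ResourceType": "FIREWALL_RULE_GROUP", "Status": "COMPLETE",
     "ResourceProperties": '{"priority":105}'},
    {"Id": "rpr-constructed-sample-2", "Name": "constructed-second-group",
     "ResourceType": "FIREWALL_RULE_GROUP", "Status": "UPDATING",
     "ResourceProperties": '{"priority":101}'},
    {"Id": "rpr-constructed-sample-3", "Name": "constructed-other-resource",
     "ResourceType": "EXAMPLE_OTHER_TYPE", "Status": "COMPLETE"},
]})


def firewall_rule_groups(list_output):
    """Return FIREWALL_RULE_GROUP associations sorted by ascending priority."""
    groups = []
    for assoc in json.loads(list_output).get("ProfileResourceAssociations", []):
        if assoc.get("ResourceType") != "FIREWALL_RULE_GROUP":
            continue
        # ResourceProperties needs a second decode; it can be absent or empty.
        props = json.loads(assoc.get("ResourceProperties") or "{}")
        groups.append({"id": assoc["Id"], "name": assoc.get("Name"),
                       "priority": props.get("priority"),
                       "status": assoc.get("Status")})
    # Associations that report no priority sort last.
    return sorted(groups, key=lambda g: (g["priority"] is None, g["priority"] or 0))


def priority_change_settled(list_output, association_id, expected_priority):
    """True only when the association shows the expected priority and COMPLETE."""
    for group in firewall_rule_groups(list_output):
        if group["id"] == association_id:
            return (group["priority"] == expected_priority
                    and group["status"] == "COMPLETE")
    return False


def pending(list_output):
    """IDs of rule group associations whose status is not COMPLETE."""
    return [g["id"] for g in firewall_rule_groups(list_output)
            if g["status"] != "COMPLETE"]


if __name__ == "__main__":
    for g in firewall_rule_groups(SAMPLE):
        print(g["priority"], g["status"], g["id"], g["name"])
```

To use it against a real Profile, pass the text returned by `aws route53profiles list-profile-resource-associations --profile-id <your profile ID>` instead of `SAMPLE`.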

------

# Disassociating a resource from an Amazon Route 53 Profile
<a name="profiles-disassociate-resources"></a>

Before you delete a Profile, you must dissociate all resources from it.<a name="profiles-disassociate-resources-procedure"></a>

**To disassociate a resource associated to a Route 53 Profile**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. In the navigation pane, choose **Profiles**.

1. On the navigation bar, choose the Region where the Profile from which you want to disassociate a resource was created.

1. Select the button next to the name of the Profile from which you want to disassociate a resource.

1. On the **Profile name** page choose the tab for the resource you want to delete, either **DNS Firewall rule groups**, **Private hosted zones**, **Resolver query logging**, **Resolver rules** or **VPC endpoints**.

1. On the tab page for the resource, choose the resource you want to disassociate and then **Disassociate**.

1. In the **Disassociate resources** dialog, type in **confirm**, and then choose **Disassociate**.

# Viewing VPCs associated to an Amazon Route 53 Profile
<a name="profiles-vpcs-editing"></a>

Choose the console tab to view and edit Route 53 Profile to VPC associations. Choose the CLI tab to use AWS CLI to list Profile to VPC associations, or to get information about a specific association.
+ [Console](#profiles-vpcs-editing-console)
+ [CLI](#profiles-vpcs-editing-CLI)

------
#### [ Console ]<a name="profiles-vpcs-editing-procedure"></a>

**To view VPCs associated to a Profile**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. In the navigation pane, choose **Profiles**.

1. On the navigation bar, choose the Region where you created the Profile.

1. Select the button next to the name of the Profile for which you want to view the associated VPCs.

1. On the **<Profile name>** page choose the **VPCs** tab.

1. On the tab page for VPCs you can view the names, ARN and status for the associated VPCs. 

------
#### [ CLI ]

You can list the VPCs the Profile is associated to by running an AWS CLI command like the following:

`aws route53profiles list-profile-associations`

The following is an example output after you run the command:

```
{
    "ProfileAssociations": [
        {
            "CreationTime": 1709338817.148,
            "Id": "rpassoc-489ce212fexample",
            "ModificationTime": 1709338974.772,
            "Name": "test-association",
            "OwnerId": "123456789012",
            "ProfileId": "rp-4987774726example",
            "ResourceId": "vpc-0af3b96b3example",
            "Status": "COMPLETE",
            "StatusMessage": "Created Profile Association"
        }
    ]
}
```

You can get information about a particular VPC the Profile is associated to by running an AWS CLI command like the following and using your own value for `profile-association-id`:

`aws route53profiles get-profile-association --profile-association-id rpassoc-489ce212fexample`

The following is an example output after you run the command:

```
{
    "ProfileAssociation": {
        "CreationTime": 1709338817.148,
        "Id": "rpassoc-489ce212fexample",
        "ModificationTime": 1709338974.772,
        "Name": "test-association",
        "OwnerId": "123456789012",
        "ProfileId": "rp-4987774726example",
        "ResourceId": "vpc-0af3b96b3example",
        "Status": "COMPLETE",
        "StatusMessage": "Created Profile Association"
    }
}
```

------

## Disassociating a VPC from an Amazon Route 53 Profile
<a name="profiles-disassociate-vpc"></a>

Choose a tab to dissociate a Route 53 Profile from a VPC by using the Route 53 console, or AWS CLI.
+ [Console](#profile-disassociating-vpc-console)
+ [CLI](#profile-disassociating-vpc-CLI)

------
#### [ Console ]<a name="profile-disassociating-vpc-procedure"></a>

**To disassociate a VPC associated to a Route 53 Profile**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. In the navigation pane, choose **Profiles**.

1. On the navigation bar, choose the Region where the Profile from which you want to disassociate a VPC was created.

1. Select the button next to the name of the Profile from which you want to disassociate a VPC.

1. On the **<Profile name>** page choose the **VPCs** tab.

1. On the VPCs tab page for the resource, choose the VPC you want to disassociate and then **Disassociate**.

1. In the **Disassociate resources** dialog, type in **confirm**, and then choose **Disassociate**.

------
#### [ CLI ]

You can dissociate a Profile from a VPC by running an AWS CLI command like the following and using your own values for `profile-id` and `--resource-id`:

`aws route53profiles disassociate-profile --profile-id rp-4987774726example --resource-id vpc-0af3b96b3example`

The following is an example output after you run the command:

```
{
    "ProfileAssociation": {
        "CreationTime": 1710851336.527,
        "Id": "rpassoc-489ce212fexample",
        "ModificationTime": 1710851401.362,
        "Name": "test-association",
        "OwnerId": "123456789012",
        "ProfileId": "rp-4987774726example",
        "ResourceId": "vpc-0af3b96b3example",
        "Status": "DELETING",
        "StatusMessage": "Deleting Profile Association"
    }
}
```

------

# Working with shared Route 53 Profiles
<a name="sharing-profiles"></a>

You can share a Profile with other accounts by:
+ Granting read-only permissions, which means the other account can associate the Profile to their VPCs. In this case all the DNS resources and configurations will be in effect on the associated VPCs.
+ Granting admin permissions. In this case the accounts with the shared Profile can modify the Profile and then associate it with their VPCs. An owner can also create customer managed permissions that can be used to specify which actions can be performed by the consumer account. For more information, see [Customer managed permissions](https://docs.aws.amazon.com//ram/latest/userguide/create-customer-managed-permissions.html) in the *AWS RAM User Guide*.

Amazon Route 53 Profile integrates with AWS Resource Access Manager (AWS RAM) to enable resource sharing. AWS RAM is a service that enables you to share some Route 53 resources with other AWS accounts or through AWS Organizations. With AWS RAM, you share resources that you own by creating a *resource share*. A resource share specifies the resources to share, and the consumers with whom to share them. Consumers can include:
+ Specific AWS accounts 
+ An organizational unit inside its organization in AWS Organizations
+ Its entire organization in AWS Organizations

For more information about AWS RAM, see the *[AWS RAM User Guide](https://docs.aws.amazon.com/ram/latest/userguide/)*.

This topic explains how to share resources that you own, and how to use resources that are shared with you.

**Topics**
+ [Granting permissions for sharing Route 53 Profiles](#sharing-prereqs)
+ [Prerequisites for sharing Route 53 Profiles](#sharing-prereqs)
+ [Sharing a Route 53 Profile](#sharing-share)
+ [Unsharing a shared Route 53 Profile](#sharing-unshare)
+ [Identifying a shared Route 53 Profile](#sharing-identify)
+ [Responsibilities and permissions for shared Route 53 Profiles](#sharing-perms)
+ [Billing and metering](#sharing-billing)
+ [Instance quotas](#sharing-quotas)

## Granting permissions for sharing Route 53 Profiles
<a name="sharing-prereqs"></a>

A minimum set of permissions is required for an IAM principal to share a Profile. We recommend using the `AmazonRoute53ProfilesFullAccess` managed IAM policy to ensure your IAM principals have the required permissions to share and use shared Profiles.

If you use a custom IAM policy, the `route53profiles:GetProfilePolicy` and `route53profiles:PutProfilePolicy` actions are required. These are permission-only IAM actions. If an IAM principal doesn't have these permissions granted, an error will occur when attempting to share the Profile using the AWS RAM service.
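A custom policy can be checked for the two permission-only actions before anyone attempts to share the Profile. The following added example (not AWS code or part of the original documentation) is a simplified lint that reads only `Effect` and `Action` from an identity policy and reports which required actions are not allowed. The sample policies are constructed for illustration.

```python
from fnmatch import fnmatchcase

# The two permission-only actions the text above names as required for sharing.
REQUIRED_ACTIONS = (
    "route53profiles:GetProfilePolicy",
    "route53profiles:PutProfilePolicy",
)


def _as_list(value):
    """IAM accepts a single string or object where a list is also valid."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers(patterns, action):
    # IAM action names are case-insensitive and support * and ? wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def missing_share_actions(policy):
    """Return the required actions this identity policy does not allow.

    Simplified lint: NotAction, Resource and Condition are not evaluated,
    and an explicit Deny always overrides an Allow.
    """
    allowed, denied = [], []
    for stmt in _as_list(policy.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        (allowed if stmt.get("Effect") == "Allow" else denied).extend(actions)
    return [a for a in REQUIRED_ACTIONS
            if not _covers(allowed, a) or _covers(denied, a)]


# Constructed sample policies (not from the page).
READ_MOSTLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["route53profiles:Get*", "route53profiles:List*"]}]}
FULL_WITH_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "route53profiles:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "route53profiles:putprofilepolicy",
     "Resource": "*"}]}
ALLOW_ALL = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "route53profiles:*", "Resource": "*"}}

if __name__ == "__main__":
    for name, doc in (("READ_MOSTLY", READ_MOSTLY),
                      ("FULL_WITH_DENY", FULL_WITH_DENY),
                      ("ALLOW_ALL", ALLOW_ALL)):
        print(name, "missing:", missing_share_actions(doc))
```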

## Prerequisites for sharing Route 53 Profiles
<a name="sharing-prereqs"></a>
+ To share a Route 53 Profile, you must own it in your AWS account. This means that the resource must be allocated or provisioned in your account. You cannot share a Route 53 Profile that has been shared with you.
+ To share a Route 53 Profile with your organization or an organizational unit in AWS Organizations, you must enable sharing with AWS Organizations. For more information, see [Enable Sharing with AWS Organizations](https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html#getting-started-sharing-orgs) in the *AWS RAM User Guide*.

## Sharing a Route 53 Profile
<a name="sharing-share"></a>

When you share a Profile that you own with another AWS account, you enable them to apply the DNS-related settings of the Profile to their VPCs. This makes it easier to apply uniform DNS configurations across thousands of VPCs with minimal management overhead. 

To share a Route 53 Profile, you must add it to a resource share. A resource share is an AWS RAM resource that lets you share your resources across AWS accounts. A resource share specifies the resources to share, and the consumers with whom they are shared. When you share a Route 53 Profile using the Route 53 console, you add it to an existing resource share. To add the Route 53 Profile to a new resource share, you must first create the resource share using the [AWS RAM console](https://console.aws.amazon.com/ram).

If you are part of an organization in AWS Organizations and sharing within your organization is enabled, consumers in your organization are automatically granted access to the shared Route 53 Profile. Otherwise, consumers receive an invitation to join the resource share and are granted access to the shared Route 53 Profile after accepting the invitation.

You can get started sharing a Route 53 Profile that you own on the Route 53 console and continue on the AWS RAM console.

**To share a Route 53 Profile that you own using the Route 53 console**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. In the navigation pane, choose **Profiles**.

1. Select the Profile you want to share, and on the **Profile details** page, choose **Share profile**.

1. You're taken to the AWS RAM console where you can follow these steps: [Creating a Resource Share](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing.html#working-with-sharing-create) in the *AWS RAM User Guide*.

1. If a Profile is shared to you, the **Profiles** table includes the text **Shared with me**.

   When you have shared a Profile, it is listed as **Shared** in the **Profiles** table.

**To share a Route 53 Profile that you own using the AWS RAM console**  
See [Creating a Resource Share](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing.html#working-with-sharing-create) in the *AWS RAM User Guide*.

**To share a Route 53 Profile that you own using the AWS CLI**  
Use the [create-resource-share](https://docs.aws.amazon.com/cli/latest/reference/ram/create-resource-share.html) command.

## Unsharing a shared Route 53 Profile
<a name="sharing-unshare"></a>

When you unshare a Profile, any VPCs that have that Profile's configurations associated to them lose those configurations and default to the VPC-specific configurations.

To unshare a shared Route 53 Profile that you own, you must remove it from the resource share. You can do this using the Route 53 console, AWS RAM console, or the AWS CLI.

**To unshare a shared Route 53 Profile that you own using the Route 53 console**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. In the navigation pane, choose **Profiles**.

1. Select the linked name of the Profile you want to unshare, and on the **<Profile name>** page, choose **Manage sharing**.

1. You're taken to the AWS RAM console where you can follow these steps: [Updating a Resource Share](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing.html#working-with-sharing-update) in the *AWS RAM User Guide*.

**To unshare a shared Route 53 Profile that you own using the AWS RAM console**  
See [Updating a Resource Share](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing.html#working-with-sharing-update) in the *AWS RAM User Guide*.

**To unshare a shared Route 53 Profile that you own using the AWS CLI**  
Use the [disassociate-resource-share](https://docs.aws.amazon.com/cli/latest/reference/ram/disassociate-resource-share.html) command.

## Identifying a shared Route 53 Profile
<a name="sharing-identify"></a>

Owners and consumers can identify shared Route 53 Profiles using the Route 53 console and AWS CLI.

**To identify a shared Route 53 Profile using the Route 53 console**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. In the navigation pane, choose **Profiles**.

1. If a Profile is shared to you, the **Profiles** table includes the text **Shared with me**.

   When you have shared a Profile, it is listed as **Shared** in the **Profiles** table.

**To identify a shared Route 53 Profile using the AWS CLI**  
Use the [get-profile](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/route53profiles/get-profile.html) or the [list-profile](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/_route53profiles/list-profile.html) command. The commands return information about the Route 53 Profiles that you own and the Route 53 Profiles' sharing status.

## Responsibilities and permissions for shared Route 53 Profiles
<a name="sharing-perms"></a>

### Permissions for owners
<a name="perms-owner"></a>

A Profile owner can view, manage, and delete Profile resource associations, including resource associations made by the consumer accounts. The owner is able to view and delete the VPC associations they own. Additionally, only a Profile owner can delete a Profile they own, and this also automatically removes all resource associations of the Profile.

**Note**  
You must create a custom managed permission which includes the `route53profiles:AssociateResourceToProfile` action in addition to the default ones to associate any resources from the accounts the Profile is shared to, because the default policy `AWSRAMPermissionRoute53ProfileAllowAssociation` does not include it.

### Permissions for consumers
<a name="perms-consumer"></a>

The default permission for consumers of a shared Profile is read-only. With read-only permission, consumers can see the associated resources and associate the Profile to VPCs, but can't manage the resource associations.

An owner can also create customer managed permissions on the AWS RAM console. For more information, see [Creating and using customer managed permissions](https://docs.aws.amazon.com/ram/latest/userguide/create-customer-managed-permissions.html) in the *AWS RAM User Guide*.

## Billing and metering
<a name="sharing-billing"></a>

Route 53 Profiles are billed based on the number of VPC associations. The Profile owner is responsible for the bill for the VPC associations by the customer.

## Instance quotas
<a name="sharing-quotas"></a>

The Profile owners and consumers share the same quota, except for the number of Route 53 Profiles per account in a Region. For more information, see [Quotas on Route 53 Profiles](DNSLimitations.md#limits-api-entities-route53-profiles).