Configuring DNSSEC – Hybrid and Multi-account DNS – ANS-C01 Study Guide

Configuring DNSSEC

As you learned in Chapter 2, DNSSEC (DNS Security Extensions) is a feature added to Route 53 that adds digital signing for public hosted zones and DNSSEC validation for Route 53 Resolver. Data origin authentication and data integrity verification are the properties this security extension adds to DNS. Each record in a Route 53 hosted zone is signed with a cryptographic key, which protects the records against tampering: a validating resolver rejects records whose signatures do not check out. Turn on DNSSEC for Route 53 in the VPC you choose, and the resolver will apply the cryptographic validation and keys to enable the feature. If you plan on using DNSSEC between Route 53 and external services, research the remote application and its versions to make sure there is end-to-end compatibility. Since the records in the zone are cryptographically signed, and signing adds DNSKEY and RRSIG records to the zone, follow the AWS-recommended steps when modifying these records so that the signatures stay in sync with the data in the zone.
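The paragraph above says that signing adds DNSKEY and RRSIG records to the zone and that these must stay in sync with the zone data. The script below is an added example (not code from the study guide or from AWS) of the consistency check an operator can run over a zone's DNSKEY and RRSIG records: it computes each key's key tag with the RFC 4034 Appendix B algorithm and then checks that every RRSIG points at a key that exists in the zone and is inside its inception/expiration window. The zone lines, the short placeholder public keys and the signature blobs are all constructed for this example and are not real key material.

```python
"""Audit DNSKEY/RRSIG consistency in a signed zone (added example).

Parses DNSKEY and RRSIG records in presentation format, computes each
DNSKEY's key tag (RFC 4034, Appendix B) and checks that every RRSIG
refers to a key present in the zone and is inside its validity window.
The zone below is constructed; the base64 blobs are placeholders, not
real ECDSA keys or signatures.
"""
import base64
from datetime import datetime, timezone

# Constructed sample zone: a KSK (flags 257), a ZSK (flags 256) and three
# RRSIGs. The second RRSIG has expired; the third names a key tag that no
# longer exists in the zone (what a stale signature after key rotation looks like).
SAMPLE_ZONE = """\
example.com. 3600 IN DNSKEY 257 3 13 AQIDBA==
example.com. 3600 IN DNSKEY 256 3 13 ECAwQA==
example.com. 300 IN RRSIG A 13 2 300 20250115000000 20241215000000 17517 example.com. c2lnbmF0dXJl
www.example.com. 300 IN RRSIG A 13 3 300 20241101000000 20241001000000 17517 example.com. c2lnbmF0dXJl
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20250115000000 20241215000000 4242 example.com. c2lnbmF0dXJl
"""


def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # even offsets are the high byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def _sig_time(yyyymmddhhmmss):
    """Parse the RRSIG timestamp format (always UTC)."""
    return datetime.strptime(yyyymmddhhmmss, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_zone(text):
    """Return ({key_tag: (owner, flags, algorithm)}, [rrsig dicts])."""
    keys, sigs = {}, []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[2] != "IN":
            continue
        owner, rtype, rdata = f[0], f[3], f[4:]
        if rtype == "DNSKEY":
            flags, proto, alg = int(rdata[0]), int(rdata[1]), int(rdata[2])
            pub = base64.b64decode("".join(rdata[3:]))
            keys[key_tag(flags, proto, alg, pub)] = (owner, flags, alg)
        elif rtype == "RRSIG":
            # RDATA order per RFC 4034 3.2: type covered, algorithm, labels,
            # original TTL, expiration, inception, key tag, signer, signature.
            sigs.append({
                "owner": owner,
                "type_covered": rdata[0],
                "algorithm": int(rdata[1]),
                "expiration": _sig_time(rdata[4]),
                "inception": _sig_time(rdata[5]),
                "key_tag": int(rdata[6]),
                "signer": rdata[7],
            })
    return keys, sigs


def audit_signatures(text, now="20250101000000"):
    """Classify each RRSIG as ok, expired, not-yet-valid or no-matching-key."""
    now_dt = _sig_time(now)
    keys, sigs = parse_zone(text)
    results = []
    for s in sigs:
        key = keys.get(s["key_tag"])
        if key is None or key[2] != s["algorithm"] or key[0] != s["signer"]:
            status = "no-matching-key"
        elif now_dt > s["expiration"]:
            status = "expired"
        elif now_dt < s["inception"]:
            status = "not-yet-valid"
        else:
            status = "ok"
        results.append((s["owner"], s["type_covered"], s["key_tag"], status))
    return results


if __name__ == "__main__":
    for owner, rtype, tag, status in audit_signatures(SAMPLE_ZONE):
        print(f"{owner:20} RRSIG({rtype:6}) keytag={tag:5} {status}")
```

Running it against the constructed zone reports one valid signature, one expired signature and one signature whose key tag no longer matches any DNSKEY; the last two are exactly the conditions that make a validating resolver return SERVFAIL for the affected names, which is why the guide stresses following the recommended procedure when the DNSKEY or RRSIG records change.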

FIGURE 3.26 NAPTR record

Multi-account Route 53

Many AWS customers divide their operations across multiple accounts for security, operational grouping, blast-radius reduction, and billing purposes. This allows you to designate a master account and delegate access and operational control to the accounts and organizational units that belong to the group. Using an organization also reduces the need to create duplicate resources in each account: you create a resource once and share it with the accounts you assign by creating resource shares.

The AWS Resource Access Manager (RAM) allows you to share resources across accounts while maintaining security and operational control. You configure IAM identities and policies in each account to delegate responsibilities, and you define what can be accessed in each account by attaching managed permissions for each shared resource type, such as Route 53. AWS RAM supports Route 53 Resolver rules, monitoring, policies, and the other Route 53 operations that are delegated.

FIGURE 3.27 CAA record

The AWS Resource Access Manager is provided at no cost and is useful for maintaining a clean and organized operation in the AWS cloud.

AWS RAM works as follows. First, create a resource share, which is the object that manages access to the shared resources. Next, select the resources to add to the share; this is what exposes them to the accounts you define. Then add the managed permissions that define which actions may be performed on each resource in the share. Finally, specify which accounts, organizational units (OUs), IAM roles, and users are allowed to access the share. From that point the resource is accessible according to your configuration.
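Once shares exist, the security-relevant question is who can reach them, because a share of Resolver rules with external principals allowed, or with a principal outside your organization, extends your DNS forwarding configuration to accounts you do not control. The script below is an added example (not code from the study guide, AWS RAM, or the AWS CLI) of a review check over the JSON that `aws ram get-resource-shares --resource-owner SELF`, `aws ram list-resources --resource-owner SELF` and `aws ram list-principals --resource-owner SELF` return. The organization ID, account IDs, ARNs and the three JSON documents are constructed placeholders, and the field names are assumed to follow the shape of that CLI output.

```python
"""Review AWS RAM shares of Route 53 Resolver rules (added example).

Flags shares that allow external principals or that grant access to a
principal outside the organization. The three JSON documents mirror the
shape of `aws ram get-resource-shares`, `list-resources` and
`list-principals` output; all IDs and ARNs are constructed placeholders.
"""
import json

ORG_ID = "o-exampleorg"                          # placeholder organization ID
HOME_ACCOUNTS = {"111111111111", "222222222222"}   # placeholder member accounts
RESOLVER_RULE_TYPE = "route53resolver:ResolverRule"

SHARE_PROD = "arn:aws:ram:us-east-1:111111111111:resource-share/share-prod"
SHARE_PARTNER = "arn:aws:ram:us-east-1:111111111111:resource-share/share-partner"

SHARES = json.loads(f"""{{"resourceShares": [
 {{"resourceShareArn": "{SHARE_PROD}", "name": "resolver-rules-prod",
  "owningAccountId": "111111111111", "allowExternalPrincipals": false, "status": "ACTIVE"}},
 {{"resourceShareArn": "{SHARE_PARTNER}", "name": "resolver-rules-partner",
  "owningAccountId": "111111111111", "allowExternalPrincipals": true, "status": "ACTIVE"}}]}}""")

RESOURCES = json.loads(f"""{{"resources": [
 {{"arn": "arn:aws:route53resolver:us-east-1:111111111111:resolver-rule/rslvr-rr-prod",
  "type": "{RESOLVER_RULE_TYPE}", "resourceShareArn": "{SHARE_PROD}"}},
 {{"arn": "arn:aws:route53resolver:us-east-1:111111111111:resolver-rule/rslvr-rr-partner",
  "type": "{RESOLVER_RULE_TYPE}", "resourceShareArn": "{SHARE_PARTNER}"}}]}}""")

PRINCIPALS = json.loads(f"""{{"principals": [
 {{"id": "arn:aws:organizations::111111111111:ou/{ORG_ID}/ou-root-prod",
  "resourceShareArn": "{SHARE_PROD}", "external": false}},
 {{"id": "999999999999", "resourceShareArn": "{SHARE_PARTNER}", "external": true}}]}}""")


def principal_in_org(principal_id):
    """True for a member account ID or an Organizations org/OU ARN of our org."""
    if principal_id in HOME_ACCOUNTS:
        return True
    if not principal_id.startswith("arn:aws:organizations::"):
        return False
    # org ARNs end in organization/<org-id>, OU ARNs in ou/<org-id>/<ou-id>
    return ORG_ID in principal_id.split("/")


def audit_resolver_rule_shares(shares, resources, principals):
    """Return (share name, reason) findings for Resolver rule shares that leave the org."""
    rule_shares = {r["resourceShareArn"] for r in resources["resources"]
                   if r["type"] == RESOLVER_RULE_TYPE}
    principals_by_share = {}
    for p in principals["principals"]:
        principals_by_share.setdefault(p["resourceShareArn"], []).append(p)

    findings = []
    for share in shares["resourceShares"]:
        arn = share["resourceShareArn"]
        if arn not in rule_shares or share.get("status") != "ACTIVE":
            continue   # only active shares that carry Resolver rules are in scope
        if share.get("allowExternalPrincipals"):
            findings.append((share["name"], "allowExternalPrincipals is enabled"))
        for p in principals_by_share.get(arn, []):
            if p.get("external") or not principal_in_org(p["id"]):
                findings.append((share["name"],
                                 f"principal {p['id']} is outside the organization"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_resolver_rule_shares(SHARES, RESOURCES, PRINCIPALS):
        print(f"{name}: {reason}")
```

On the constructed input the production share, scoped to an OU of the organization, produces no findings, while the partner share is reported twice: once for the share-level setting and once for the external account ID. Keeping `allowExternalPrincipals` off and addressing principals by organization or OU ARN rather than by bare account ID is what keeps a Resolver rule share inside the blast radius the multi-account design was meant to limit.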

DNS Endpoints

As you learned in Chapter 2, DNS endpoints reside in a VPC and are the connection points that let your on-premises resolvers exchange DNS queries with AWS, from your site to AWS or in both directions. Endpoints are also used for VPC-to-VPC resolution within AWS. Configuring resolver endpoints requires a direct connection between the two networks: either an AWS Direct Connect (DX) or a VPN interconnection, with routing that advertises the subnets between the two networks. Resolution can be inbound, outbound, or bidirectional from the perspective of the VPC. Note that bidirectional simply means configuring both an inbound and an outbound endpoint, as shown in Figure 3.28.

FIGURE 3.28 Inbound/outbound endpoint configuration