Skip to main content

The CDK Construct Library for AWS::Route53Resolver

Project description

Amazon Route53 Resolver Construct Library

---

cdk-constructs: Experimental

The APIs of higher level constructs in this module are experimental and under active development. They are subject to non-backward compatible changes or removal in any future version. These are not subject to the Semantic Versioning model and breaking changes will be announced in the release notes. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.


DNS Firewall

With Route 53 Resolver DNS Firewall, you can filter and regulate outbound DNS traffic for your virtual private connections (VPCs). To do this, you create reusable collections of filtering rules in DNS Firewall rule groups and associate the rule groups to your VPC.

DNS Firewall provides protection for outbound DNS requests from your VPCs. These requests route through Resolver for domain name resolution. A primary use of DNS Firewall protections is to help prevent DNS exfiltration of your data. DNS exfiltration can happen when a bad actor compromises an application instance in your VPC and then uses DNS lookup to send data out of the VPC to a domain that they control. With DNS Firewall, you can monitor and control the domains that your applications can query. You can deny access to the domains that you know to be bad and allow all other queries to pass through. Alternately, you can deny access to all domains except for the ones that you explicitly trust.

Domain lists

Domain lists can be created using a list of strings, a text file stored in Amazon S3 or a local text file:

block_list = route53resolver.FirewallDomainList(self, "BlockList",
    domains=route53resolver.FirewallDomains.from_list(["bad-domain.com", "bot-domain.net"])
)

s3_list = route53resolver.FirewallDomainList(self, "S3List",
    domains=route53resolver.FirewallDomains.from_s3_url("s3://bucket/prefix/object")
)

asset_list = route53resolver.FirewallDomainList(self, "AssetList",
    domains=route53resolver.FirewallDomains.from_asset("/path/to/domains.txt")
)

The file must be a text file and must contain a single domain per line.

Use FirewallDomainList.fromFirewallDomainListId() to import an existing or AWS managed domain list:

# AWSManagedDomainsMalwareDomainList in us-east-1
malware_list = route53resolver.FirewallDomainList.from_firewall_domain_list_id(self, "Malware", "rslvr-fdl-2c46f2ecbfec4dcc")

Rule group

Create a rule group:

# my_block_list: route53resolver.FirewallDomainList

route53resolver.FirewallRuleGroup(self, "RuleGroup",
    rules=[route53resolver.FirewallRule(
        priority=10,
        firewall_domain_list=my_block_list,
        # block and reply with NODATA
        action=route53resolver.FirewallRuleAction.block()
    )
    ]
)

Rules can be added at construction time or using addRule():

# my_block_list: route53resolver.FirewallDomainList
# rule_group: route53resolver.FirewallRuleGroup


rule_group.add_rule(
    priority=10,
    firewall_domain_list=my_block_list,
    # block and reply with NXDOMAIN
    action=route53resolver.FirewallRuleAction.block(route53resolver.DnsBlockResponse.nx_domain())
)

rule_group.add_rule(
    priority=20,
    firewall_domain_list=my_block_list,
    # block and override DNS response with a custom domain
    action=route53resolver.FirewallRuleAction.block(route53resolver.DnsBlockResponse.override("amazon.com"))
)

Use associate() to associate a rule group with a VPC:

import aws_cdk.aws_ec2 as ec2

# rule_group: route53resolver.FirewallRuleGroup
# my_vpc: ec2.Vpc


rule_group.associate("Association",
    priority=101,
    vpc=my_vpc
)

Project details


Release history Release notifications | RSS feed

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

Built Distribution

File details

Details for the file aws_cdk_aws_route53resolver_alpha-2.167.1a0.tar.gz.

File metadata

File hashes

Hashes for aws_cdk_aws_route53resolver_alpha-2.167.1a0.tar.gz
Algorithm Hash digest
SHA256 7417c12c29bb791a88ae6db89a1bfdda7a12dedb2b8822c00816d59d9bd7e194
MD5 bd2fc27bae6633af0d25b7a2fe0aa8e4
BLAKE2b-256 b4f5ad91f6b6690045be854e5af33f07698b8d82244b4b04fbae3285e0fc23ca

See more details on using hashes here.

File details

Details for the file aws_cdk.aws_route53resolver_alpha-2.167.1a0-py3-none-any.whl.

File metadata

File hashes

Hashes for aws_cdk.aws_route53resolver_alpha-2.167.1a0-py3-none-any.whl
Algorithm Hash digest
SHA256 6b17ab322871efb6c63e111260049ba3bcbdee2239e5a58a53eac68f00b9a429
MD5 f5d9b2c474571bdfbf8b5615978bc42a
BLAKE2b-256 1efa63baf2015f4f8f806d32927f7322442dc70c136542415630aa4dbff813d3

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page