Root domain Hosted Zones within dedicated AWS Accounts

Using AWS Accounts as a hard boundary for isolating root domain hosted zones

When a subdomain hosted zone, such as subdomain.aeydr.dev, is created within an AWS Account it isn’t automatically set up for resolution in the wider AWS Organization or on the internet. This is because the root domain hosted zone, aeydr.dev, isn’t delegating to this new subdomain hosted zone to manage those records. Within AWS, subdomain delegation is necessary to make another hosted zone responsible for the DNS records of a domain.

To continue with creating this subdomain, it is necessary to create the nameserver (NS) records within the root domain hosted zone to allow for the delegation. This hosted zone typically isn’t within the same AWS Account as the subdomain hosted zone being created. This is a pattern in which the hosted zone of a root domain is isolated into a separate AWS Account. As the root domain is of notable security & compliance concern, it can be isolated into its own account, while the individual application records are delegated to a subdomain.

This approach will look something like:

┌─AWS─────────────────┐       ┌───AWS─────┐
│                     │       │           │
│ subdomain.aeydr.dev ├──NS──►│ aeydr.dev │
│                     │       │           │
└─────────────────────┘       └───────────┘

Two AWS Accounts, one containing a hosted zone named ‘subdomain.aeydr.dev’, and another containing a hosted zone named ‘aeydr.dev’. An arrow points from the subdomain to ‘aeydr.dev’, with an NS (nameserver) text label.
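As an added example (not code from the original post), the delegation step in the diagram done through the Route 53 API: read the subdomain zone’s delegation set in the application account, then write the matching NS record into the root zone through an assumed role in the DNS account. The zone IDs, the role ARN and the sample name servers are assumptions; the ChangeBatch builder is a pure function so it can be reviewed before anything touches the root zone.

```python
"""Delegate a subdomain hosted zone to a root hosted zone held in another AWS account."""


def build_ns_delegation_change(root_zone_name, subdomain_zone_name, name_servers, ttl=300):
    """Return the Route 53 ChangeBatch that delegates the subdomain to `name_servers`.

    Pure function: no AWS calls, so it can be unit-tested and reviewed before
    it is applied to the (tightly controlled) root zone.
    """
    root = root_zone_name.rstrip(".").lower()
    sub = subdomain_zone_name.rstrip(".").lower()
    # Refuse anything that is not a strict child of the root zone: a typo here
    # would otherwise plant an NS record the root zone has no business holding.
    if not sub.endswith("." + root):
        raise ValueError(f"{sub} is not a subdomain of {root}")
    if not name_servers:
        raise ValueError("subdomain zone reports no name servers")
    return {
        "Comment": f"Delegate {sub} to its own hosted zone",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": sub + ".",
                "Type": "NS",
                "TTL": ttl,
                # Route 53 expects fully qualified names; normalise the trailing dot.
                "ResourceRecords": [{"Value": ns.rstrip(".") + "."} for ns in name_servers],
            },
        }],
    }


def delegate(subdomain_zone_id, root_zone_id, root_account_role_arn):
    """Create the NS delegation: subdomain zone in this account, root zone via an assumed role."""
    import boto3  # imported here so the builder above can be tested without the SDK

    app_r53 = boto3.client("route53")  # credentials of the application account
    zone = app_r53.get_hosted_zone(Id=subdomain_zone_id)
    name_servers = zone["DelegationSet"]["NameServers"]

    # Assumed role in the DNS-isolation account (hypothetical ARN), scoped to this zone.
    creds = boto3.client("sts").assume_role(
        RoleArn=root_account_role_arn, RoleSessionName="ns-delegation")["Credentials"]
    root_r53 = boto3.client("route53", aws_access_key_id=creds["AccessKeyId"],
                            aws_secret_access_key=creds["SecretAccessKey"],
                            aws_session_token=creds["SessionToken"])
    root_zone_name = root_r53.get_hosted_zone(Id=root_zone_id)["HostedZone"]["Name"]
    change = build_ns_delegation_change(root_zone_name, zone["HostedZone"]["Name"], name_servers)
    return root_r53.change_resource_record_sets(HostedZoneId=root_zone_id, ChangeBatch=change)
```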

Isolating this kind of critical networking infrastructure into its own account, with strictly controlled access permissions, makes it easier to:

  • Audit modifications to the root domain, as the only reason to connect to the account is to work with the domains
  • Ensure modifications to the root domain are through a change process (infrastructure as code, GitOps)
  • Protect, in a consistent way, domains that do not send email
  • Limit access to only select individuals, and require elevated permissions to make modifications