This check flags Route 53 registered domains that have auto-renewal turned off, which means they can silently expire and put your sites, email, and certificates at risk. Fix it with a single CLI call: aws route53domains enable-domain-auto-renew --domain-name example.com.
Domain expiry is one of those failures that feels impossible until it happens to you. The domain works fine for years, nobody thinks about it, and then one morning your production site returns NXDOMAIN, your MX records vanish, and your TLS certificates start failing validation because the CA can no longer resolve the domain. The Lensix check Domain Auto-Renewal Not Enabled exists to catch this before it becomes an incident.
What this check detects
The route53_noautorenew check inspects every domain registered through Amazon Route 53 in your account and reports any domain where the auto-renewal flag is set to false. When auto-renewal is disabled, AWS will not automatically pay the registry to extend the registration before the expiry date. The domain enters a renewal grace period after expiry, and if nobody intervenes it eventually drops back into the public pool where anyone can register it.
Note: Route 53 has two distinct concepts that people often confuse. Domain registration (the route53domains API) is about owning the domain name itself. Hosted zones (the route53 API) are about DNS records. This check is concerned with registration, not your DNS records. You can have perfectly healthy hosted zones for a domain that is about to expire.
Auto-renewal in Route 53 is enabled by default when you register a domain, but it can be turned off manually, and domains transferred in from other registrars do not always inherit a sensible setting. That gap is exactly what this check surfaces.
Why it matters
A lapsed domain is not a minor inconvenience. The blast radius touches almost everything that depends on the name:
- Website and API outages. Once the domain stops resolving, every service hosted on it goes dark, including customer-facing apps and internal tools.
- Email delivery failures. MX, SPF, DKIM, and DMARC records all hang off the domain. An expired domain means lost inbound mail and outbound mail that gets rejected as spoofed.
- Certificate validation breaks. ACM and other CAs revalidate domain ownership via DNS or HTTP. If the domain is gone, renewals fail and TLS errors cascade.
- Domain hijacking. This is the worst case. When an expired domain drops, attackers monitor expiry feeds and register it within seconds. They can then issue valid certificates, receive your email, and stand up phishing pages on a domain your customers and partners already trust.
Warning: Recovering an expired domain is rarely simple. Once it enters the registry's redemption period you typically pay a steep restoration fee, often $80 to $200 on top of the renewal cost, and the process can take days. If the domain has already been re-registered by someone else, you may not get it back at all.
The insidious part is timing. Domain expiry notifications are sent to the registrant contact email, and that mailbox is often an old shared alias nobody monitors. A renewal that should have cost ten dollars turns into a multi-day incident because the only warning landed in an unwatched inbox.
How to fix it
The fix is fast and free. Enabling auto-renewal does not charge you anything until the domain actually renews near its expiry date.
Option 1: AWS CLI
Enable auto-renewal for a single domain:
aws route53domains enable-domain-auto-renew \
  --domain-name example.com \
  --region us-east-1
Note: The route53domains API is only available in us-east-1. Even if your infrastructure lives elsewhere, you must target that region for any domain registration commands.
Confirm the change took effect:
aws route53domains get-domain-detail \
  --domain-name example.com \
  --region us-east-1 \
  --query 'AutoRenew'
A return value of true means you are covered. To sweep your whole account and enable it everywhere in one pass:
aws route53domains list-domains \
  --region us-east-1 \
  --query 'Domains[?AutoRenew==`false`].DomainName' \
  --output text | tr '\t' '\n' | while read -r domain; do
  # skip the empty line produced when no domain matched
  [ -n "$domain" ] || continue
  echo "Enabling auto-renew for $domain"
  aws route53domains enable-domain-auto-renew \
    --domain-name "$domain" \
    --region us-east-1
done
Option 2: AWS Console
- Open the Route 53 console and go to Registered domains.
- Select the domain you want to update.
- In the Details section, find Auto-renew and click Enable.
- Confirm. The status switches to Enabled immediately.
Option 3: Terraform
If you manage registrations as code, set the flag explicitly so it never drifts:
resource "aws_route53domains_registered_domain" "example" {
  domain_name = "example.com"
  auto_renew  = true
  # While you are here, lock the domain against unauthorized transfers
  transfer_lock = true
}
Tip: The aws_route53domains_registered_domain resource manages an existing registration rather than creating one, so you import the domain into state with terraform import aws_route53domains_registered_domain.example example.com and then apply. From that point on, Terraform will detect and correct anyone who flips the setting off in the console.
How to prevent it from happening again
Fixing the current domains is the easy part. Keeping the setting on across new domains and over time takes a little process.
Manage registrations in IaC
The cleanest prevention is to put every domain under Terraform or CloudFormation with auto_renew = true hardcoded. Drift detection then becomes your safety net. A nightly terraform plan in CI that shows a diff is a loud signal that someone changed the setting out of band.
Add a policy-as-code gate
If you use Open Policy Agent or Conftest in your pipeline, reject any plan that sets auto-renew to false:
package route53

deny[msg] {
  resource := input.resource_changes[_]
  resource.type == "aws_route53domains_registered_domain"
  resource.change.after.auto_renew == false
  msg := sprintf("Domain %v must have auto_renew enabled", [resource.change.after.domain_name])
}
Run the Lensix check continuously
Scheduled scans catch the domains that never made it into IaC, including ones registered manually during an emergency or transferred in from an acquisition. A recurring scan means you find out within hours rather than at expiry.
Tip: Pair the auto-renew check with a CloudWatch alarm on days to expiry (DaysToExpiry). Run a small Lambda on a weekly schedule that calls get-domain-detail, parses ExpirationDate, and pages you if any domain is under 45 days out. That gives you a second line of defense even if auto-renewal somehow fails to process.
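The weekly sweep described in the tip, as an added example (not Lensix code and not an AWS sample). The boto3 calls are the real route53domains API; ListDomains already returns AutoRenew and Expiry per domain, so no per-domain get-domain-detail call is needed. The sample records and the 45-day cutoff are constructed so the check runs offline.

```python
"""Weekly sweep: flag Route 53 registered domains that are not auto-renewing
or that expire within a threshold. Added example; the SAMPLE records below
are constructed, not real domains from any account."""
from datetime import datetime, timedelta, timezone

try:
    import boto3  # only needed for the live sweep, not for the offline check
except ImportError:
    boto3 = None

THRESHOLD_DAYS = 45  # page's suggested paging cutoff


def at_risk_domains(domains, now, threshold_days=THRESHOLD_DAYS):
    """Return (domain, reason) pairs needing attention.

    `domains` follows the route53domains ListDomains shape:
    {"DomainName": str, "AutoRenew": bool, "Expiry": datetime}.
    A domain can appear twice if both conditions apply.
    """
    findings = []
    cutoff = now + timedelta(days=threshold_days)
    for d in domains:
        name = d["DomainName"]
        if not d.get("AutoRenew", False):
            findings.append((name, "auto-renew disabled"))
        if d["Expiry"] <= cutoff:
            findings.append((name, f"expires in {(d['Expiry'] - now).days} days"))
    return findings


def live_domains(region="us-east-1"):
    """Fetch every registered domain; route53domains exists only in us-east-1."""
    client = boto3.client("route53domains", region_name=region)
    out = []
    for page in client.get_paginator("list_domains").paginate():
        out.extend(page["Domains"])
    return out


# Constructed sample data standing in for live_domains() output.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"DomainName": "healthy.example", "AutoRenew": True, "Expiry": NOW + timedelta(days=300)},
    {"DomainName": "soon.example", "AutoRenew": True, "Expiry": NOW + timedelta(days=20)},
    {"DomainName": "manual.example", "AutoRenew": False, "Expiry": NOW + timedelta(days=200)},
]

if __name__ == "__main__":
    for name, reason in at_risk_domains(SAMPLE, NOW):
        print(f"{name}: {reason}")  # wire this to SNS/PagerDuty in the real Lambda
```

In the Lambda handler, replace SAMPLE with live_domains() and datetime.now(timezone.utc); the sweep reports "manual.example" (auto-renew off) and "soon.example" (20 days out) for the sample data.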
Best practices
Auto-renewal is the baseline. A few related habits make your domain portfolio genuinely resilient.
- Keep registrant contact details current and monitored. Use a distribution list that real people read, not a personal mailbox tied to one employee who might leave.
- Enable transfer lock. A lock (also called clientTransferProhibited) stops unauthorized transfers to another registrar, which is a common hijacking vector.
- Keep a valid payment method on the account. Auto-renewal still fails if the card on file is expired. AWS bills domain renewals to your normal account billing, so an account in good standing matters.
- Inventory every domain you own. Shadow domains registered for a campaign years ago are the ones that lapse and get hijacked. Reconcile your Route 53 list against marketing and legal records.
- Use account-level guardrails for critical domains. Consider restricting who can call disable-domain-auto-renew with an SCP so the setting cannot be turned off casually.
The cost of enabling auto-renewal is zero today and a few dollars a year later. The cost of forgetting is an outage, a hijacked domain, and a frantic call to AWS Support. The math is not close.
Turn it on, manage it in code, and let a recurring scan watch your back. Domain expiry should never be the reason your name disappears from the internet.