Tags: AWS, Best Practices, Cloud Security, Networking, Operations & Compliance

Domain Expiring Soon: Renew Route 53 Domains Before They Lapse

A Route 53 domain expiring within 30 days can take your site, email, and APIs offline. Learn how to renew, enable auto-renew, and prevent future lapses.

TL;DR

This check flags any domain registered through Route 53 that expires within the next 30 days. A lapsed domain can take your website, email, and APIs offline, and in the worst case let someone else register it. Renew the domain and turn on auto-renew with aws route53domains enable-domain-auto-renew.

Domain expiry is one of those failures that looks trivial on paper and turns into a company-wide outage in practice. The domain is the front door to almost everything you run: your marketing site, your customer-facing app, your authentication flows, your transactional email. When it expires, all of that breaks at once, and the clock to fix it is measured in hours, not days.

The Domain Expiring Soon check exists because nobody owns domain renewals until the day they break. It watches your Route 53 registered domains and raises a finding when one is inside the 30-day expiry window, giving you time to act before the registration lapses.


What this check detects

Lensix queries the AWS Route 53 Domains API for every domain registered in your account and inspects the ExpirationDate field. If the expiration date is within 30 days of the current date, the check fails for that domain.

This is specifically about domain registration, not DNS records or hosted zones. A hosted zone can live forever; the registration behind it has to be renewed on a yearly (or multi-year) basis with the registrar. Route 53 is the registrar here, so the renewal is yours to manage.

Note: Route 53 splits domain management into two separate services. route53 handles DNS hosted zones and records. route53domains handles registration, transfers, contacts, and renewals. This check uses the route53domains API, which only operates in the us-east-1 region regardless of where the rest of your infrastructure lives.


Why it matters

A domain that lapses does not fail gracefully. It usually goes through a sequence that gets progressively harder and more expensive to recover from.

  • Immediate outage. Once the registration expires, resolvers stop returning your records. Your site goes down, your API hostnames stop resolving, and email to your domain bounces.
  • Email and auth breakage. SPF, DKIM, and DMARC all depend on the domain resolving. SSO and OAuth callbacks that point at your domain start failing. Password reset emails never arrive.
  • Certificate fallout. ACM and other CAs validate ownership through DNS or HTTP on the domain. If the domain is gone, you cannot renew or reissue certificates either.
  • Redemption fees. After expiry, most TLDs enter a redemption grace period where you can still recover the domain, but at a steep restore fee instead of a normal renewal price.
  • Permanent loss and hijacking. If the domain drops out of redemption entirely, it becomes available to the public. Drop-catching services and squatters monitor expiring domains and can register yours within seconds. A bad actor who picks up your old domain can serve malware, run phishing against your users, or intercept email sent to your former addresses.

Danger: If your domain expires and someone else registers it, this is often unrecoverable. They control your brand, your traffic, and any inbound email. There is no AWS support ticket that gets it back once it leaves the redemption window. The 30-day warning exists precisely so you never reach this point.

The painful part is how avoidable this is. The expiry date is known a full year in advance. Outages from expired domains are almost always a process failure, not a technical one: the renewal email went to an inbox nobody reads, the card on file expired, or the person who owned it left the company.


How to fix it

If a domain is inside the 30-day window, you have two things to do: renew it now, and turn on auto-renew so this does not recur.

1. Check the current expiry date and auto-renew status

aws route53domains get-domain-detail \
  --region us-east-1 \
  --domain-name example.com \
  --query '{Domain:DomainName,Expiry:ExpirationDate,AutoRenew:AutoRenew}'

This confirms exactly when the domain expires and whether auto-renew is already enabled. To list expiry dates across every domain in the account:

aws route53domains list-domains \
  --region us-east-1 \
  --query 'Domains[].{Domain:DomainName,Expiry:Expiry,AutoRenew:AutoRenew}' \
  --output table

2. Renew the domain

You renew through the console or the API. In the console:

  1. Open the Route 53 console and go to Registered domains.
  2. Select the domain that is expiring.
  3. Choose Renew and pick the number of years to extend.
  4. Confirm the payment method and submit.

Via the CLI, you need the current expiry year, which the API requires as a safety check:

aws route53domains renew-domain \
  --region us-east-1 \
  --domain-name example.com \
  --duration-in-years 1 \
  --current-expiry-year 2025

Warning: Renewals cost money and the charge happens immediately. Make sure a valid payment method is attached to the account before you renew, and confirm the renewal completes by re-checking the expiration date. A renewal can silently fail if the card on file has expired, which is one of the most common causes of an unintended lapse.

3. Enable auto-renew

This is the fix that actually keeps the problem from coming back. Auto-renew tells Route 53 to renew the domain automatically before it expires.

aws route53domains enable-domain-auto-renew \
  --region us-east-1 \
  --domain-name example.com

Verify it stuck:

aws route53domains get-domain-detail \
  --region us-east-1 \
  --domain-name example.com \
  --query 'AutoRenew'

Tip: Enable auto-renew on every domain at once with a quick loop. This is worth running across the whole account so nothing slips through:

for domain in $(aws route53domains list-domains \
  --region us-east-1 \
  --query 'Domains[?AutoRenew==`false`].DomainName' \
  --output text); do
    echo "Enabling auto-renew for $domain"
    aws route53domains enable-domain-auto-renew \
      --region us-east-1 \
      --domain-name "$domain"
done

4. Confirm your contact details are valid

Auto-renew is only half the story. AWS sends renewal notices, billing alerts, and ICANN verification mail to the registrant contact. If that email address is wrong or unmonitored, you will miss every warning. Make sure the registrant email is a shared team mailbox, not a personal address.

aws route53domains get-domain-detail \
  --region us-east-1 \
  --domain-name example.com \
  --query 'RegistrantContact.Email'

How to prevent it from happening again

Renewing one domain by hand is fine once. The goal is to make expiry impossible to reach by accident.

Set auto-renew as a default with IaC

If you manage domains in Terraform, set auto_renew on the registration so the desired state is enforced and drift gets flagged:

resource "aws_route53domains_registered_domain" "example" {
  domain_name = "example.com"
  auto_renew  = true

  registrant_contact {
    # Placeholder address: point this at a monitored, shared team mailbox.
    email = "shared-mailbox@example.com"
  }
}

Anyone who disables auto-renew through the console will now show up as drift on the next terraform plan, which gives you a chance to catch it in review.

Add a scheduled check

Even with auto-renew on, renewals can fail. A Lambda or scheduled job that lists domains and alerts on anything expiring soon gives you a backstop. Here is the core logic you can wire into a daily run:

#!/usr/bin/env bash
# Daily backstop: alert on any registered domain within THRESHOLD_DAYS of expiry.
# Requires the AWS CLI, jq, and GNU date (for `date -d`; on macOS use gdate from coreutils).
set -euo pipefail
THRESHOLD_DAYS=30
NOW=$(date +%s)

# route53domains only operates in us-east-1, wherever the rest of your infrastructure lives.
aws route53domains list-domains --region us-east-1 \
  --query 'Domains[].{Domain:DomainName,Expiry:Expiry}' \
  --output json | jq -c '.[]' | while read -r row; do
    domain=$(echo "$row" | jq -r '.Domain')
    expiry=$(echo "$row" | jq -r '.Expiry')
    expiry_ts=$(date -d "$expiry" +%s)
    # Integer division truncates partial days, so a domain just under 30 days out still alerts.
    days_left=$(( (expiry_ts - NOW) / 86400 ))
    if [ "$days_left" -lt "$THRESHOLD_DAYS" ]; then
      echo "ALERT: $domain expires in $days_left days ($expiry)"
    fi
done

Tip: Lensix runs this check continuously across all your accounts, so you do not have to build and maintain the cron job yourself. The point of the script above is to show the logic. If you already have Lensix watching your environment, the finding lands in your dashboard the moment a domain crosses the 30-day line.

Gate on it in CI/CD

For teams running scheduled compliance scans, treat an expiring domain as a build-failing condition in your security pipeline. Run the listing query, fail the job if any domain is under the threshold, and route the failure to the team that owns the domain. This turns a quiet background risk into something a human has to acknowledge.
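The same expiry logic as the shell backstop above, written as a Python script that fits either a Lambda handler or a CI gate. This is an added example, not code from the original post or from Lensix: the date arithmetic is kept in a pure function that runs offline against a constructed sample, the live lookup assumes boto3, and the `--sample` flag is a hypothetical switch for this example only.

```python
import json
import sys
from datetime import datetime, timezone

def parse_expiry(value):
    """Normalise Expiry (datetime from boto3, ISO 8601 string from the CLI) to aware UTC."""
    if isinstance(value, datetime):
        dt = value
    else:
        dt = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)

def find_expiring(domains, now, threshold_days=30):
    """Return [(name, days_left, auto_renew)] for domains expiring within threshold_days,
    soonest first. Already-expired domains come back with a negative days_left."""
    findings = []
    for d in domains:
        days_left = (parse_expiry(d["Expiry"]) - now).days
        if days_left < threshold_days:
            findings.append((d["DomainName"], days_left, bool(d.get("AutoRenew", False))))
    return sorted(findings, key=lambda f: f[1])

def list_route53_domains(region="us-east-1"):
    """Live lookup; paginates because accounts with many domains span several pages."""
    import boto3  # imported here so the pure logic above runs without boto3 installed
    paginator = boto3.client("route53domains", region_name=region).get_paginator("list_domains")
    return [d for page in paginator.paginate() for d in page["Domains"]]

# Constructed sample shaped like `aws route53domains list-domains --output json`; not real data.
SAMPLE = json.loads('''{"Domains": [
  {"DomainName": "example.com", "AutoRenew": true,  "TransferLock": true,  "Expiry": "2025-06-20T00:00:00+00:00"},
  {"DomainName": "example.net", "AutoRenew": false, "TransferLock": false, "Expiry": "2026-01-15T00:00:00+00:00"},
  {"DomainName": "example.org", "AutoRenew": false, "TransferLock": true,  "Expiry": "2025-06-01T00:00:00+00:00"}]}''')
SAMPLE_NOW = datetime(2025, 6, 5, tzinfo=timezone.utc)  # fixed "now" for the sample run

def main():
    offline = "--sample" in sys.argv  # hypothetical flag: run against the constructed sample
    domains = SAMPLE["Domains"] if offline else list_route53_domains()
    now = SAMPLE_NOW if offline else datetime.now(timezone.utc)
    findings = find_expiring(domains, now)
    for name, days, auto in findings:
        print(f"ALERT: {name} expires in {days} days (auto-renew {'on' if auto else 'OFF'})")
    return 1 if findings else 0  # non-zero exit code fails the CI job

if __name__ == "__main__":
    sys.exit(main())
```

Against the sample, example.org (already four days past expiry) and example.com (15 days out) are reported and the process exits 1; in a pipeline that is the build-failing condition, and the auto-renew column tells the on-call engineer whether a renewal should have fired.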


Best practices

  • Turn on auto-renew everywhere, then verify it. Auto-renew is the single highest-leverage control. But check it periodically, because a billing failure can cancel an auto-renewal without obvious warning.
  • Register critical domains for multiple years. A multi-year registration shrinks the number of renewal events and the number of chances to get one wrong.
  • Use a monitored, shared inbox for the registrant contact. Never tie domain ownership to an individual's email. People change roles and leave companies; the domain outlives them.
  • Enable transfer lock. A transfer lock prevents anyone from moving the domain to another registrar without your approval, which blocks one common hijacking path.
  • Keep payment methods current. Audit the card on file the same way you audit anything else that silently expires. An expired payment method is the quiet cause behind most "but we had auto-renew on" outages.
  • Inventory your domains. Many companies own dozens of domains across teams and acquisitions. You cannot protect a domain you forgot you owned. Pull the full list-domains output regularly and reconcile it against an owned-domains register.

Domain expiry is a low-probability, high-impact failure. The fix is cheap and takes minutes. The cost of getting it wrong is an outage that hits everything at once, plus the very real chance of losing the domain for good. Renew, enable auto-renew, point the registrant contact at a monitored inbox, and let automation watch the rest.
