This check flags Route 53 registered domains that don't have transfer lock enabled, leaving them open to unauthorized transfer to another registrar. Turn it on with a single API call: aws route53domains enable-domain-transfer-lock --domain-name example.com.
Your domain name is the front door to everything you run online: your website, your email, your SSO, your customer-facing APIs. Lose control of it and an attacker can reroute all of that to infrastructure they control. Transfer lock is one of the cheapest, simplest controls you have to stop that from happening, and yet plenty of organizations leave it off without realizing it.
The route53_notransferlock check looks at every domain registered through Amazon Route 53 and reports any that don't have transfer lock enabled.
What this check detects
Route 53 isn't just DNS. It also acts as a domain registrar, so you can buy and manage domains directly through AWS. Every registered domain has a setting called transfer lock (the registrar-level equivalent of the standard clientTransferProhibited EPP status code).
When transfer lock is enabled, the domain cannot be transferred to a different registrar until you explicitly disable it. This check inspects the StatusList for each domain and fails if clientTransferProhibited is missing.
Note: Transfer lock is different from DNSSEC and different from auto-renew. It governs whether ownership of the domain can move to another registrar, not how DNS records resolve or whether the registration renews automatically. All three are worth configuring, but they protect against different things.
The check applies only to domains registered in Route 53. If you registered a domain elsewhere (GoDaddy, Namecheap, Cloudflare) and only use Route 53 for hosted zones, the lock lives at your other registrar and this check won't see it.
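The check logic above, as an added example that is not the project's own code: it evaluates constructed `get-domain-detail` records offline, fails any domain whose StatusList lacks `clientTransferProhibited`, and (my own escalation, not part of the original check) raises severity when the registry already reports a transfer in flight via the EPP `pendingTransfer` status.

```python
"""Offline evaluation of Route 53 registered domains for transfer lock."""

TRANSFER_LOCK = "clientTransferProhibited"
REMEDIATION = ("aws route53domains enable-domain-transfer-lock "
               "--region us-east-1 --domain-name {name}")

# Constructed sample records in the shape `get-domain-detail` returns
# (only the fields the check needs are included).
SAMPLE_DETAILS = [
    {"DomainName": "locked.example",
     "StatusList": [TRANSFER_LOCK, "clientDeleteProhibited"]},
    {"DomainName": "unlocked.example", "StatusList": ["ok"]},
    {"DomainName": "moving.example", "StatusList": ["pendingTransfer"]},
    {"DomainName": "nostatus.example"},  # StatusList absent entirely
]


def evaluate_domain(detail):
    """Return one finding for a domain detail record.

    PASS: clientTransferProhibited is present.
    FAIL: lock missing. Severity is "high", escalated to "critical" when the
    registry also reports pendingTransfer (a transfer is already underway).
    """
    name = detail["DomainName"]
    statuses = set(detail.get("StatusList", []))
    if TRANSFER_LOCK in statuses:
        return {"domain": name, "status": "PASS", "severity": "none",
                "remediation": None}
    severity = "critical" if "pendingTransfer" in statuses else "high"
    return {"domain": name, "status": "FAIL", "severity": severity,
            "remediation": REMEDIATION.format(name=name)}


def run_check(details):
    """Evaluate every domain and return only the failing findings."""
    return [f for f in (evaluate_domain(d) for d in details)
            if f["status"] == "FAIL"]


if __name__ == "__main__":
    for finding in run_check(SAMPLE_DETAILS):
        print(f'{finding["domain"]}: {finding["status"]} '
              f'({finding["severity"]}) -> {finding["remediation"]}')
```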
Why it matters
Domain hijacking is one of the highest-impact attacks against a business because it bypasses almost everything else you've hardened. If an attacker gains control of your domain registration, they can:
- Point `www` and your apex record at a phishing clone of your site
- Redirect MX records to intercept inbound email, including password reset links
- Issue valid TLS certificates for your domain using DNS or email validation, since they now control both
- Take over SSO, OAuth callbacks, and any service that trusts your domain
Without transfer lock, an attacker who compromises your registrar account, or who succeeds with a social-engineering request to AWS Support, has a far shorter path to moving the domain entirely out of your account. Once a transfer completes, recovery becomes a slow, manual dispute process with ICANN rather than a setting you flip back.
A transfer is one of the few changes to a domain that is genuinely hard to undo quickly. Transfer lock turns a single-step attack into a multi-step one, and every extra step is a chance for detection.
There's also a compliance angle. Frameworks like SOC 2 and ISO 27001 expect you to demonstrate control over critical assets. A registered domain with no transfer protection is an easy finding for an auditor and a hard one to justify.
Warning: Transfer lock does not protect against an attacker who already has full access to your AWS account. They can simply disable the lock first. Treat this control as defense in depth, layered on top of tight IAM and MFA, not as a substitute for them.
How to fix it
Enabling transfer lock is fast and free. The domain registrar API for Route 53 lives in the us-east-1 region only, so make sure your CLI calls target it.
Option 1: AWS CLI
First, confirm the current status of a domain:
```shell
aws route53domains get-domain-detail \
  --region us-east-1 \
  --domain-name example.com \
  --query 'StatusList'
```
If clientTransferProhibited is not in the returned list, enable the lock:
```shell
aws route53domains enable-domain-transfer-lock \
  --region us-east-1 \
  --domain-name example.com
```
The command returns an OperationId. You can track it to completion:
```shell
# Use the OperationId returned by enable-domain-transfer-lock
aws route53domains get-operation-detail \
  --region us-east-1 \
  --operation-id "<operation-id>"
```
Option 2: AWS Console
- Open the Route 53 console and go to Registered domains.
- Select the domain you want to protect.
- In the domain detail page, find the Transfer lock field.
- Choose Enable and confirm.
Lock every domain at once
If you have a long list of domains, loop over them rather than doing it by hand:
```shell
aws route53domains list-domains \
  --region us-east-1 \
  --query 'Domains[].DomainName' \
  --output text | tr '\t' '\n' | while read -r domain; do
  echo "Enabling transfer lock on $domain"
  aws route53domains enable-domain-transfer-lock \
    --region us-east-1 \
    --domain-name "$domain"
done
```
Tip: Run a dry pass first by replacing the enable-domain-transfer-lock call with an echo so you can review which domains will be changed before committing.
When you legitimately need to transfer a domain out later, disable the lock with aws route53domains disable-domain-transfer-lock, complete the transfer, and you're done. Keep it disabled only for the window you actually need it.
Danger: Only disable transfer lock when you have an active, intentional transfer in progress. Leaving it off "temporarily" and forgetting is exactly the gap attackers wait for. Re-enable it the moment the transfer completes or is cancelled.
How to prevent it from happening again
Manual remediation fixes today's problem. Automation keeps it fixed.
Manage domains as code
Route 53 registered domains aren't natively managed by CloudFormation or Terraform's standard registrar resources in the same way hosted zones are, so most teams enforce the lock through a scheduled remediation function rather than IaC drift detection. A small Lambda on a daily EventBridge schedule works well:
```python
import boto3


def handler(event, context):
    # Route 53 Domains is served only from us-east-1, whatever the domain
    client = boto3.client("route53domains", region_name="us-east-1")
    # ListDomains is paginated; walk every page so no domain is skipped
    paginator = client.get_paginator("list_domains")
    for page in paginator.paginate():
        for domain in page["Domains"]:
            name = domain["DomainName"]
            # StatusList carries the EPP status codes, the authoritative
            # signal for whether transfer lock is on
            detail = client.get_domain_detail(DomainName=name)
            statuses = detail.get("StatusList", [])
            if "clientTransferProhibited" not in statuses:
                print(f"Re-enabling transfer lock on {name}")
                client.enable_domain_transfer_lock(DomainName=name)
```
This makes the lock self-healing. Even if someone disables it for a transfer and forgets, it comes back on within a day.
Detect changes in real time
Route 53 Domains API calls are logged to CloudTrail. Alert on the one that matters:
```json
{
  "source": ["aws.route53domains"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventName": ["DisableDomainTransferLock", "TransferDomain"]
  }
}
```
Wire that EventBridge rule to an SNS topic or your incident channel. If a transfer lock is disabled outside of a planned change, you want to know in minutes, not after the domain is gone.
Note: Route 53 Domains is a global service whose CloudTrail events appear in us-east-1. Make sure your trail captures that region, or these events will be invisible to your detections.
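A triage function for the target of that rule, as an added example that is not part of the original page: it takes the EventBridge envelope (whose `detail` is the CloudTrail record), ignores anything but the two watched API calls, and suppresses alerts that fall inside an approved change window. The `PLANNED` table and every event below are constructed sample data; the CloudTrail field names (`requestParameters.domainName`, `userIdentity.arn`, `sourceIPAddress`) are assumed.

```python
"""Triage Route 53 Domains CloudTrail events against planned change windows."""
from datetime import datetime, timezone

WATCHED = {"DisableDomainTransferLock", "TransferDomain"}

# Constructed: approved (start, end) windows per domain, in UTC. Stands in
# for a lookup against your change-management system.
PLANNED = {
    "moving.example": (datetime(2024, 5, 1, 9, tzinfo=timezone.utc),
                       datetime(2024, 5, 1, 17, tzinfo=timezone.utc)),
}

# Constructed sample EventBridge events; `detail` mimics a CloudTrail record.
SAMPLE_EVENTS = [
    {"source": "aws.route53domains", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventName": "DisableDomainTransferLock",
                "eventTime": "2024-05-01T10:12:00Z",
                "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops-alice"},
                "sourceIPAddress": "203.0.113.10",
                "requestParameters": {"domainName": "moving.example"}}},
    {"source": "aws.route53domains", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventName": "DisableDomainTransferLock",
                "eventTime": "2024-05-03T02:41:00Z",
                "userIdentity": {"arn": "arn:aws:iam::111122223333:user/marketing-bob"},
                "sourceIPAddress": "198.51.100.7",
                "requestParameters": {"domainName": "shop.example"}}},
    {"source": "aws.route53domains", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventName": "GetDomainDetail", "eventTime": "2024-05-03T02:40:00Z",
                "userIdentity": {"arn": "arn:aws:iam::111122223333:user/marketing-bob"},
                "sourceIPAddress": "198.51.100.7",
                "requestParameters": {"domainName": "shop.example"}}},
]


def triage(event):
    """Return an alert dict for an unplanned lock change, or None to stay quiet."""
    rec = event.get("detail", {})
    if rec.get("eventName") not in WATCHED:
        return None  # read-only or unrelated API call
    domain = rec.get("requestParameters", {}).get("domainName", "<unknown>")
    when = datetime.fromisoformat(rec["eventTime"].replace("Z", "+00:00"))
    window = PLANNED.get(domain)
    if window and window[0] <= when <= window[1]:
        return None  # change happened inside an approved window
    return {"domain": domain, "action": rec["eventName"], "at": rec["eventTime"],
            "actor": rec.get("userIdentity", {}).get("arn", "<unknown>"),
            "source_ip": rec.get("sourceIPAddress", "<unknown>")}


def handler(event, context=None):
    """Lambda-style entry point: one EventBridge event in, one alert or None out."""
    return triage(event)
```

Anything `handler` returns is what you forward to SNS or your incident channel; a `None` is a planned change or noise and needs no page.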
Gate it in your security baseline
Add the transfer-lock state to your regular cloud posture scans so a missing lock shows up as a tracked finding. Lensix runs route53_notransferlock as part of its Route 53 module, so any domain that drops its lock surfaces automatically alongside the rest of your DNS and registrar checks.
Best practices
- Lock every production domain by default. There's no downside to having it on. Treat the unlocked state as a deliberate, temporary exception, never the resting state.
- Lock down the AWS account that owns the domain. Enforce MFA, restrict who holds `route53domains:*` permissions, and avoid using the management account for domain registration. The lock only helps if account access is hard to obtain in the first place.
- Pair transfer lock with the other domain protections. Enable auto-renew so the registration never lapses, turn on DNSSEC to protect resolution integrity, and keep registrant contact details current so any legitimate transfer notice reaches a monitored mailbox.
- Use a dedicated, monitored email for registrar notifications. Transfer requests trigger email to the registrant. Route those to a shared mailbox the security team watches, not a single employee's inbox.
- Document your transfer runbook. When you do need to move a domain, knowing the exact steps to disable the lock, complete the transfer, and re-lock prevents the "we'll turn it back on later" gap.
- Review domains quarterly. Domains accumulate over the years through acquisitions, marketing campaigns, and abandoned projects. Make sure every one you still own is locked and that you've let go of the ones you don't.
Transfer lock is a five-second change that closes off one of the most damaging attacks a business can suffer. Turn it on everywhere, alert on anyone turning it off, and move on to harder problems with confidence that your front door is bolted.