Monitoring AWS Route 53
Monitoring your Route 53 DNS records automatically is made easy with ZoneWatcher. After you've added your account credentials, we will automatically import all of your domains and begin monitoring them for changes.
Generating your AWS Access Token
To get started adding your AWS Route 53 account, you'll first want to generate API credentials on AWS's IAM dashboard. We use this token to automatically fetch the domains and associated DNS records.
For monitoring-only use, we recommend you limit access credentials to only the AmazonRoute53ReadOnlyAccess policy. This will ensure that the token can only be used to read your DNS records and not modify them.
Permissions for Change Management & Rollback
If you plan to use ZoneWatcher's Change Management or rollback features, the read-only policy above is not sufficient — those features write back to Route 53 on your behalf to apply approved changesets and revert unauthorized changes.
The simplest option is to attach the AWS-managed AmazonRoute53FullAccess policy. If you prefer to grant the minimum required permissions, attach a custom policy with the following actions instead:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones",
        "route53:ListHostedZonesByName"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:GetHostedZone",
        "route53:ListResourceRecordSets",
        "route53:ChangeResourceRecordSets",
        "route53:GetChange"
      ],
      "Resource": [
        "arn:aws:route53:::hostedzone/*",
        "arn:aws:route53:::change/*"
      ]
    }
  ]
}
route53:ChangeResourceRecordSets is the action that lets ZoneWatcher apply or revert record changes; route53:GetChange lets us poll for propagation status afterward. route53:ListHostedZones and route53:ListHostedZonesByName do not support resource-level permissions in IAM, so they sit in their own statement with "Resource": "*"; scoped to a hosted-zone ARN they would be denied. If you only want change notifications, stick with the AmazonRoute53ReadOnlyAccess policy described above.
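A check you can run on a policy document before attaching it to the IAM user whose key you hand over (an added example, not ZoneWatcher's code; the function names and sample policies are constructed here). It flags any Allow statement that permits record writes when you intend monitoring only, and any action outside the six listed above when you intend Change Management.

```python
import json
import re

# The six actions from the custom Change Management policy on this page.
CHANGE_MGMT_ACTIONS = {
    "route53:ListHostedZones", "route53:ListHostedZonesByName",
    "route53:GetHostedZone", "route53:ListResourceRecordSets",
    "route53:ChangeResourceRecordSets", "route53:GetChange",
}
WRITE_ACTION = "route53:ChangeResourceRecordSets"

# Constructed sample policies (not taken from AWS or ZoneWatcher).
READ_SAMPLE = ('{"Version": "2012-10-17", "Statement": {"Effect": "Allow", '
               '"Action": ["route53:Get*", "route53:List*"], "Resource": "*"}}')
BROAD_SAMPLE = ('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
                '"Action": "route53:*", "Resource": "*"}]}')

def _as_list(value):
    # IAM lets Statement, Action and Resource be a single item or a list.
    return [value] if isinstance(value, (str, dict)) else list(value)

def _matches(pattern, action):
    # Action patterns are case-insensitive; * and ? are the only wildcards.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, action, re.IGNORECASE) is not None

def audit_policy(policy_json, monitoring_only):
    """Return findings for Allow statements broader than the intended use."""
    findings = []
    allowed = {a.lower() for a in CHANGE_MGMT_ACTIONS}
    for n, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append(f"statement {n}: NotAction allows every unlisted action")
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            if monitoring_only and _matches(pattern, WRITE_ACTION):
                findings.append(f"statement {n}: {pattern} permits record writes")
            elif not monitoring_only and pattern.lower() not in allowed:
                findings.append(f"statement {n}: {pattern} is outside the six actions")
    return findings

if __name__ == "__main__":
    for name, doc in (("read", READ_SAMPLE), ("broad", BROAD_SAMPLE)):
        for mode in (True, False):
            print(name, "monitoring_only" if mode else "change_mgmt", audit_policy(doc, mode))
```

An empty list means the policy stays within the intended scope; run it with `monitoring_only=True` for a notifications-only provider and `False` for one that uses Change Management or rollback.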
Creating your Route 53 Provider
Once you've generated your credentials on your AWS dashboard, you can create your new Route 53 provider on ZoneWatcher by giving it a descriptive name, selecting the region your resources are hosted in, and pasting the Access Key and Access Token.
Monitoring Your Zones
After you've created your Route 53 provider, we will sync all the zones associated with your account and their associated DNS records. You'll be able to view them from either the Provider's page or the Zone Dashboard.