LOW · Route 53 · Security

Route 53 Query Logging Disabled

route53-query-logging-disabled

What this rule checks

Detects Route 53 hosted zones that have no DNS query logging configured. Without query logs there is no record of which names were resolved against the zone, which removes a data source for DNS-based detection and incident investigation.

How to fix it

  1. Create an AWS::Route53::QueryLoggingConfig pointing to a CloudWatch Logs group (or set the hosted zone's inline QueryLoggingConfig.CloudWatchLogsLogGroupArn, as in the fixed example below)

Flagged: A public hosted zone (no VPCs) with no QueryLoggingConfig triggers the check.
import * as route53 from 'aws-cdk-lib/aws-route53';

// Public hosted zone (no VPCs) with no query logging configured.
new route53.CfnHostedZone(this, 'Zone', {
  name: 'example.com',
});

Fixed: The same public zone now carries an inline QueryLoggingConfig.CloudWatchLogsLogGroupArn, which the check reads, so no finding is emitted.
import * as route53 from 'aws-cdk-lib/aws-route53';

// Public hosted zone with inline query logging to CloudWatch Logs.
new route53.CfnHostedZone(this, 'Zone', {
  name: 'example.com',
  queryLoggingConfig: {
    cloudWatchLogsLogGroupArn:
      'arn:aws:logs:us-east-1:111122223333:log-group:/aws/route53/example.com:*',
  },
});
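The following is an added example, not code from CDK Insights or aws-cdk-lib. It re-implements the rule's decision over a synthesised CloudFormation template (the JSON `cdk synth` produces), so you can see exactly which resources and properties the check looks at, and it constructs a second fixed form that uses a separate AWS::Route53::QueryLoggingConfig resource instead of the inline property. The template shapes, log group name, account id and the `checkQueryLogging` function are all constructed for this example; the resource policy is included because Route 53 can only write query logs to a log group that permits the route53.amazonaws.com service principal, and for public hosted zones that log group must be in us-east-1.

```typescript
// Added example: a minimal re-implementation of the rule over a synthesised
// CloudFormation template. Not the CDK Insights implementation.

type CfnResource = { Type: string; Properties?: Record<string, any> };
type CfnTemplate = { Resources: Record<string, CfnResource> };
export interface Finding { ruleId: string; logicalId: string; message: string }

const RULE_ID = 'route53-query-logging-disabled';

/** Resolve a literal string or a { Ref: LogicalId } intrinsic to a logical id. */
function refTarget(value: unknown): string | undefined {
  if (typeof value === 'string') return value;
  if (value && typeof value === 'object' && 'Ref' in (value as Record<string, unknown>)) {
    return String((value as Record<string, unknown>).Ref);
  }
  return undefined;
}

/** Flags public hosted zones (no VPCs) that are covered neither inline nor by a standalone config. */
export function checkQueryLogging(template: CfnTemplate): Finding[] {
  const resources = template.Resources ?? {};

  // Zones referenced by a standalone AWS::Route53::QueryLoggingConfig that names a log group.
  const coveredZones = new Set<string>();
  for (const res of Object.values(resources)) {
    if (res.Type !== 'AWS::Route53::QueryLoggingConfig') continue;
    const zone = refTarget(res.Properties?.HostedZoneId);
    if (zone && res.Properties?.CloudWatchLogsLogGroupArn) coveredZones.add(zone);
  }

  const findings: Finding[] = [];
  for (const [logicalId, res] of Object.entries(resources)) {
    if (res.Type !== 'AWS::Route53::HostedZone') continue;
    const props = res.Properties ?? {};
    // Private zones (one or more VPCs) are outside the scope of this rule.
    if (Array.isArray(props.VPCs) && props.VPCs.length > 0) continue;
    const inlineArn = props.QueryLoggingConfig?.CloudWatchLogsLogGroupArn;
    if (inlineArn || coveredZones.has(logicalId)) continue;
    findings.push({
      ruleId: RULE_ID,
      logicalId,
      message: `Public hosted zone ${logicalId} has no query logging configured`,
    });
  }
  return findings;
}

// Constructed template: the flagged case from the page (public zone, nothing configured).
export const flaggedTemplate: CfnTemplate = {
  Resources: {
    Zone: { Type: 'AWS::Route53::HostedZone', Properties: { Name: 'example.com' } },
  },
};

// Constructed template: a private zone, which the rule does not consider.
export const privateZoneTemplate: CfnTemplate = {
  Resources: {
    Zone: {
      Type: 'AWS::Route53::HostedZone',
      Properties: { Name: 'corp.internal', VPCs: [{ VPCId: 'vpc-0123456789abcdef0', VPCRegion: 'us-east-1' }] },
    },
  },
};

// Constructed template: the fix expressed as a separate QueryLoggingConfig resource.
// Account id 111122223333 and the log group name are placeholders.
export const fixedTemplate: CfnTemplate = {
  Resources: {
    Zone: { Type: 'AWS::Route53::HostedZone', Properties: { Name: 'example.com' } },
    QueryLogs: {
      Type: 'AWS::Logs::LogGroup',
      Properties: { LogGroupName: '/aws/route53/example.com', RetentionInDays: 90 },
    },
    // Route 53 needs permission to create streams and put events in the log group.
    QueryLogsPolicy: {
      Type: 'AWS::Logs::ResourcePolicy',
      Properties: {
        PolicyName: 'route53-query-logging',
        PolicyDocument: JSON.stringify({
          Version: '2012-10-17',
          Statement: [{
            Effect: 'Allow',
            Principal: { Service: 'route53.amazonaws.com' },
            Action: ['logs:CreateLogStream', 'logs:PutLogEvents'],
            Resource: 'arn:aws:logs:us-east-1:111122223333:log-group:/aws/route53/*',
          }],
        }),
      },
    },
    QueryLogging: {
      Type: 'AWS::Route53::QueryLoggingConfig',
      Properties: {
        HostedZoneId: { Ref: 'Zone' },
        CloudWatchLogsLogGroupArn: { 'Fn::GetAtt': ['QueryLogs', 'Arn'] },
      },
    },
  },
};
```

Run `checkQueryLogging` on the `Resources` section of a synthesised template to see which logical ids would be reported; the flagged template yields one finding for `Zone`, while the private zone and the standalone-config fix yield none. The standalone form is what step 1 above describes, and it is the form to use when the log group and its resource policy are managed in the same stack, since the hosted zone then does not need the log group ARN as a string literal.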

CDK Insights pinpoints the exact file and line in your CDK source for every finding, so you can jump straight to the fix.

Affected resource types

AWS::Route53::HostedZone
AWS::Route53::QueryLoggingConfig

Compliance frameworks

SOC2
HIPAA
NIST

AWS documentation

Read the AWS guidance

Intentional? Suppress this finding

Sometimes a flag is deliberate: a genuinely public endpoint, say. You can dismiss route53-query-logging-disabled and the reason is kept in the report, not silently hidden.

In .cdk-insights.json:

{
  "ignoreRules": [
    { "id": "route53-query-logging-disabled", "reason": "Why this is intentional" }
  ]
}

Or inline in your CDK code:

Validations.of(scope).acknowledge({
  id: 'cdk-insights::route53-query-logging-disabled',
  reason: 'Why this is intentional',
});

Use the rule ID route53-query-logging-disabled shown above, not the CDK-* ID from SARIF / GitHub code scanning. To dismiss every finding on one construct instead, use ignorePaths. See the suppression docs.

Catch this in your stack

$ npx cdk-insights scan

CDK Insights runs this and 118+ other rules locally against your synthesised CDK app: free, no account, your code never leaves your machine.
