These rules catch Route 53 configurations that generate unnecessary DNS query charges: low TTL records that increase query volume, and orphaned health checks billing for monitoring no one uses.
| Rule ID | Scan Type | Name |
|---|---|---|
| CLDBRN-AWS-ROUTE53-1 | Discovery | Route 53 Record Higher TTL |
| CLDBRN-AWS-ROUTE53-2 | Discovery | Route 53 Health Check Unused |
CLDBRN-AWS-ROUTE53-1
Route 53 Record Higher TTL
Scan type: Discovery
What it checks
Flags Route 53 DNS records with a TTL below 3,600 seconds (1 hour). Low TTLs cause DNS resolvers to re-query Route 53 more frequently, which increases the number of billable queries. Alias records are excluded because they don't have configurable TTLs.
Why it matters
Route 53 charges $0.40 per million queries for standard records. A record with a 60-second TTL generates 60x more queries than the same record with a 3,600-second TTL. For high-traffic domains, low TTLs can add up to meaningful DNS query costs. Unless you need rapid failover or frequent IP changes, a higher TTL reduces both cost and DNS resolution latency for end users.
What triggers a finding
The record is a non-alias record with a TTL value below 3,600 seconds.
How to remediate
Increase the record's TTL to at least 3,600 seconds unless you have a specific operational reason for a lower value (active failover, blue-green deployments, or frequently changing IPs):
```bash
aws route53 change-resource-record-sets \
  --hosted-zone-id Z1EXAMPLE \
  --change-batch '{
    "Changes": [{
      "Action": "UPSERT",
      "ResourceRecordSet": {
        "Name": "app.example.com",
        "Type": "A",
        "TTL": 3600,
        "ResourceRecords": [{"Value": "203.0.113.1"}]
      }
    }]
  }'
```
If you need low TTLs for failover, consider using Route 53 alias records with health checks instead, since alias queries to AWS resources are free.
CLDBRN-AWS-ROUTE53-2
Route 53 Health Check Unused
Scan type: Discovery
What it checks
Flags Route 53 health checks that are not associated with any DNS record in your hosted zones. Orphaned health checks run their monitoring endpoints but serve no routing purpose.
Why it matters
Each Route 53 health check costs $0.50-$2.00/month depending on the configuration (basic vs. HTTPS, string matching, fast interval). Health checks that aren't attached to any DNS record provide no failover benefit but still incur monthly charges.
What triggers a finding
The health check's ID is not referenced by any DNS record's HealthCheckId field across all hosted zones in the account.
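The following script is an added example, not code from the scanner itself: it models both rules on this page (the TTL check for CLDBRN-AWS-ROUTE53-1 and the orphaned health check lookup for CLDBRN-AWS-ROUTE53-2) over constructed sample data shaped like the `boto3` responses of `route53.list_resource_record_sets()` and `route53.list_health_checks()`, so it runs offline without AWS credentials. The zone ids, record names and health check ids are made up; the `TTL_THRESHOLD_SECONDS` name and the two function names are this example's own.

```python
"""Offline model of the two Route 53 discovery rules on this page.

The record sets and health checks below are constructed sample data in the
shape returned by boto3's route53.list_resource_record_sets() and
route53.list_health_checks(); no AWS API call is made.
"""

TTL_THRESHOLD_SECONDS = 3600  # CLDBRN-AWS-ROUTE53-1 threshold (1 hour)

# Constructed sample: record sets per hosted zone (zone ids are made up).
SAMPLE_ZONES = {
    "Z1EXAMPLE": [
        # Low TTL on a non-alias record: should be flagged.
        {"Name": "app.example.com.", "Type": "A", "TTL": 60,
         "ResourceRecords": [{"Value": "203.0.113.1"}],
         "HealthCheckId": "hc-aaaaaaaa"},
        # TTL exactly at the threshold: not flagged (rule is "below 3,600").
        {"Name": "www.example.com.", "Type": "CNAME", "TTL": 3600,
         "ResourceRecords": [{"Value": "app.example.com"}]},
        # Alias record: carries AliasTarget and no TTL key at all, so the
        # check must skip it rather than fail on the missing field.
        {"Name": "example.com.", "Type": "A",
         "AliasTarget": {"HostedZoneId": "Z2FDTNDATAQYW2",
                         "DNSName": "d123.cloudfront.net.",
                         "EvaluateTargetHealth": False}},
    ],
    "Z2EXAMPLE": [
        {"Name": "api.example.net.", "Type": "A", "TTL": 300,
         "ResourceRecords": [{"Value": "198.51.100.7"}],
         "HealthCheckId": "hc-bbbbbbbb"},
    ],
}

# Constructed sample health checks; hc-cccccccc is referenced by no record.
SAMPLE_HEALTH_CHECKS = [
    {"Id": "hc-aaaaaaaa", "HealthCheckConfig": {"Type": "HTTP"}},
    {"Id": "hc-bbbbbbbb", "HealthCheckConfig": {"Type": "HTTPS_STR_MATCH"}},
    {"Id": "hc-cccccccc", "HealthCheckConfig": {"Type": "HTTPS"}},
]


def low_ttl_records(zones, threshold=TTL_THRESHOLD_SECONDS):
    """CLDBRN-AWS-ROUTE53-1: non-alias records whose TTL is below threshold.

    Returns a list of (zone_id, name, type, ttl) tuples in zone/record order.
    """
    findings = []
    for zone_id, record_sets in zones.items():
        for rrset in record_sets:
            if "AliasTarget" in rrset:
                continue  # alias records have no configurable TTL
            ttl = rrset.get("TTL")
            if ttl is not None and ttl < threshold:
                findings.append((zone_id, rrset["Name"], rrset["Type"], ttl))
    return findings


def unused_health_checks(zones, health_checks):
    """CLDBRN-AWS-ROUTE53-2: health check ids not referenced by any record.

    References are gathered across every hosted zone first, so a check used
    by a record in one zone is not reported while scanning another.
    """
    referenced = {
        rrset["HealthCheckId"]
        for record_sets in zones.values()
        for rrset in record_sets
        if "HealthCheckId" in rrset
    }
    return sorted(hc["Id"] for hc in health_checks if hc["Id"] not in referenced)


if __name__ == "__main__":
    for zone_id, name, rtype, ttl in low_ttl_records(SAMPLE_ZONES):
        print(f"ROUTE53-1 {zone_id} {name} {rtype} TTL={ttl}")
    for hc_id in unused_health_checks(SAMPLE_ZONES, SAMPLE_HEALTH_CHECKS):
        print(f"ROUTE53-2 unused health check {hc_id}")
```

Against a live account the same functions apply unchanged once `SAMPLE_ZONES` is filled from paginated `list_resource_record_sets` calls for every hosted zone; the orphan check only holds for checks referenced within the account scanned, which is why the remediation text asks you to confirm a check is not used from another account before deleting it.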
How to remediate
Verify the health check is truly orphaned (it may be referenced by a record in another account or used by a third-party integration), then delete it:
```bash
aws route53 delete-health-check --health-check-id hc-1234567890
```
See Also
- CLI discover command - scan live Route 53 resources
- SDK Reference - run discovery programmatically