This is a pattern to deploy a scheduled serverless function to list and export all the Resource Records in an AWS Route53 zone into an S3 Bucket.
Route53 is an AWS Server which provide DNS Server services (DNS Hosting), it is globally highly availabel, and offers other services like Domain name registrar, and many more advanced Zone features that are out of scope for this article.
In order to operate in Route53, you can simply create Resource Records. These could be manual, via CloudFormation, or service discovery records among others. To ensure any failure or accidental deletion or updates can be rolled back, we need to ensure we have a backup. Unlike AWS S3, we don’t have versioning ability, or a backup method built into AWS Backup.
To ensure we have a backup, we need to implement a service to perform this action.
To implement a AWS Route53 Backup method, we utilise the AWS API calls. In the case of this pattern we are using Python and the boto3 library to call the AWS Route53 and S3 API calls.
To run our backup we utilise an AWS CloudWatch Scheduled Event. In our implementation this is a simple daily cron job to start our Serverless Lambda function.
When the AWS Lambda function starts, we request a list of all Route53 zones in the account, this ensures we backup all zones without manually having to add them into the backup script later. As the backup size is small, it is highly recommended to simply backup all zones.
Once we have the list, we request all the Resource Records for each zone into a dictionary. This is then written to a file in an S3 bucket for storage.
The file are stored as ZoneName_ZoneId_YYYYMMDD.json. This allows a simple daily backup, and ensures if you have a Public and Private zone of the same name, we still take unique backups of each.
The format of this file is compatible with the Route53 Import function to allow quick recovery as needed. Given the format of this file is JSON, it is also easy to make changes prior to a restoration being performed.
Key actions are written to AWS CloudWatch for monitoring.
For this deployment we will use the AWS SAM (Serverless Application Model). Make sure you have installed the AWS Serverless Application Model CLI, setup AWS credentials, and created a bucket to store SAM artefacts in.
Refer to here for OS specific setup: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-getting-started.html
This function requires an existing Route53 Hosted Zone created that you want to be backed up. We don’t create a new one as part of this script.
Clone the Git Repository https://github.com/steven-geo/aws-route53-backup
./scripts/prj_var.sh file to customise the SAM and APP Configuration parameters. Set the appropriate SAM Artefact bucket (SAM_BUCKET_NAME), Route53 Bucket Location (APP_BUCKETNAME), prefix path to place the backups under in this bucket (APP_BUCKETPREFIX) and log retention days (as per CloudWatch requirements).
At a minimum the two bucket names must be specified.
From the root of the git repository run the
./scripts/sam_package.sh, then the
./scripts/sam_deploy.sh script to deploy the AWS Serverless Template and create the CloudFormation stack.
This script runs on a schedule, once per day to perform the backup of the route53 zones.
It uses a simple List, to iterate through all zones in an account. After this it lists all resource records and dumps them out to a JSON file for storage in an S3 bucket.
If you create a new Route 53 zone after deployment, this will automatically get added into the daily backup without any further action.
To change the backup time, edit the cron Schedule under the Lambda function to your appropriate time. Keep in mind this is in UTC time!
This serverless function typically runs for around 5 seconds per day, and the storage costs are based on the size of your Route53 zones, the costs are likely to be close to being completely free, particularly if your account is only used for Route53 in an enterprise level, otherwise it is likely to be in the 1-10c/month range for anyone else.
This is a really simple backup that is often overlooked as it isn’t implemented as part of AWS Backup. Route 53 Zones can store some very critical data like SPF, DKIM, DMARC, AWS Certificate Manager Validation records and other TXT records above any dynamic references you will have to AWS Load Balancers and other services. It is critical that this isn’t overlooked as part of your environment.
Implementing S3 bucket replication could also protect about account level access without a significant change to the script. Or alter the script and create the S3 Bucket in another account with an appropriate Role or Bucket Policy applied, and provide Put only access to the backups from the Route53 account.
Clone this repo https://github.com/steven-geo/aws-route53-backup