Delete a DNS Record in a Hosted Zone with the AWS CLI
ACM.249 It’s not as simple as you might imagine (as far as I know at the time of this writing)
I got sucked into this rabbit hole trying to redeploy a TLS Certificate and the CNAME used to validate it so I wrote about that in my last post.
Back to my S3 bucket attempt: I just wanted to delete the CloudFormation stack for the CNAME, which is now in a failed state, and the underlying DNS record. I wrote about those complications here, where I started a function to delete a DNS record:
But that turned into a significant amount of time as well so now you get this post — how to delete a DNS record using the AWS CLI.
I based my initial function on what I wrote about in this post, using the AWS CLI to create a record in a Route 53 hosted zone, and I later changed this to update a record as well.
I figured I probably only needed the name of the record, right? Why would I need the rest of the information just to delete it?
That assumption turned out to be incorrect.
I got this error trying to delete a CNAME record in AWS Route 53:
An error occurred (InvalidInput) when calling the ChangeResourceRecordSets operation: Invalid request: Expected exactly one of [AliasTarget, all of [TTL, and ResourceRecords], or TrafficPolicyInstanceId], but found none in Change with [Action=DELETE, Name=x., Type=CNAME, SetIdentifier=null]
Looking at this:
Well, this sounds complicated and not cool, but I don't think this applies to me:
To delete the resource record set that is associated with a traffic policy instance, use DeleteTrafficPolicyInstance. Route 53 will delete the resource record set automatically. If you delete the resource record set by using ChangeResourceRecordSets, Route 53 doesn't automatically delete the traffic policy instance, and you'll continue to be charged for it even though it's no longer in use.
I’m essentially trying to do this, but I left off the value. Why do I have to provide a value when I’m deleting the record??

So anyway, let's add the value back in and see if it works.
Next up I get this:

An error occurred (InvalidChangeBatch) when calling the ChangeResourceRecordSets operation: [Tried to delete resource record set [name='_0d416a0c2c8b704e3e6866edc148b016.dev.rainierrhododendrons.com.', type='CNAME'] but the values provided do not match the current values]
Hmm?
Here’s what I’m providing to the CLI:

Here’s an export:

Specifically:
_0d416a0c2c8b704e3e6866edc148b016.dev.rainierrhododendrons.com. 300 CNAME _5aae181072984dfc69a7bd99991f5245.vrcmzfbvtx.acm-validations.aws.
Looks right to me???
Oh wait — the TTL has to match too?
Ok……
Finally:

Here’s the whole function:

If I have more than one value, do I have to provide all of them? Because that makes this much more complicated. Check my prior post where I'm creating an NS record. I have a bunch of name servers and I have to provide all the key-value pairs in separate curly braces. That means I can't just pass in a value to this existing function. I would need to modify the above function to accept all of that and then calculate the values in curly braces externally and pass them in.
There must be a better way, no?
I wish AWS would remove the requirement to pass in anything except the record name on delete.
But really what I want is to fix CloudFormation so it deletes the record when I delete the stack. 🙏 😁
And…it’s not really even done because I have to check if the record exists before trying to delete it…
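Here is an added example, not the function from the post (which was only a screenshot), showing one way to handle both problems above: read the record's current TTL and values back from the hosted zone with `aws route53 list-resource-record-sets`, build the exact DELETE change batch Route 53 insists on (one `{"Value": ...}` per value, so multi-value NS records work), and return a distinct status when the record does not exist. The function names are my own; alias records, which carry an AliasTarget instead of a TTL, are not handled.

```shell
# Builds the DELETE change batch for change-resource-record-sets. Route 53
# rejects a DELETE unless Name, Type, TTL and every current value match the
# record exactly, so all of them are required arguments here.
build_delete_change_batch() {
  name=$1; type=$2; ttl=$3; shift 3
  records=""
  for v in "$@"; do
    # one {"Value": ...} object per value, comma-separated (the NS case)
    records="${records}${records:+,}{\"Value\": \"$v\"}"
  done
  printf '{"Changes": [{"Action": "DELETE", "ResourceRecordSet": {"Name": "%s", "Type": "%s", "TTL": %s, "ResourceRecords": [%s]}}]}\n' \
    "$name" "$type" "$ttl" "$records"
}

# Deletes a TTL+values record (CNAME, NS, A, ...). Returns 0 on success,
# 2 when no such record exists, 1 if the CLI itself fails.
delete_dns_record() {
  zone_id=$1; name="${2%.}."; type=$3   # Route 53 names end with a dot
  # Read the record back from the zone so the TTL and values are the ones
  # Route 53 has rather than guesses. Text output is "TTL value [value...]",
  # or "None" when the filtered list is empty.
  current=$(aws route53 list-resource-record-sets --hosted-zone-id "$zone_id" \
    --start-record-name "$name" --start-record-type "$type" --max-items 1 \
    --query "ResourceRecordSets[?Name=='$name' && Type=='$type'] | [0].[TTL, join(' ', ResourceRecords[].Value)]" \
    --output text) || return 1
  if [ -z "$current" ] || [ "$current" = "None" ]; then
    echo "no $type record named $name in zone $zone_id; nothing to delete" >&2
    return 2
  fi
  set -- $current   # word-split on purpose: $1 is the TTL, the rest are values
  ttl=$1; shift
  aws route53 change-resource-record-sets --hosted-zone-id "$zone_id" \
    --change-batch "$(build_delete_change_batch "$name" "$type" "$ttl" "$@")"
}
```

Usage: `delete_dns_record Z0EXAMPLEZONEID _0d416a0c2c8b704e3e6866edc148b016.dev.rainierrhododendrons.com CNAME` (the zone id is a placeholder); a return code of 2 lets a deployment script skip the delete instead of failing when the record is already gone.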
Follow for updates.
Teri Radichel | © 2nd Sight Lab 2023