Cross account DNS management on AWS

30 Mar, 2023
Xebia Background Header Wave

I recently created a few blog post on how you can build, deploy and host an application on AWS. This blog post is all about handling DNS records in a cross account setup. You might think AWS got you covered, but the sad reality is that they don't. (when dealing with cross account use cases.)

For example, if you have a domain called You will need to create the hosted zone in an AWS Account. Then from the context of that account you are able to manage the records through infrastructure as code. This will work until your using more than 1 AWS Account.

The problem

Because the Route53 hosted zone lives within a specific account. You cannot add records to the hosted zone from another account. So there are 3 options how you can solve this problem:

  • Option 1: Manage your DNS records by hand.
  • Option 2: Create a Route 53 hosted zone in each AWS Account. You will need entire different domains or subdomains to get this working.
  • Option 3: Use the cfn-cross-account-dns-provider 

So Option 1, I like to use infrastructure as code. So this is not an option. And for Option 2 you will need, either a different domain. Or you will need to use subdomains. Using a different domain is a bit of an overkill. So when you use subdomains you will need a hosted zone in every account. A single hosted zone will cost you $ 6 a year. Let say you have 3 workloads and 4 environments per workload. Now you pay $ 72 per year only for the hosted zone. This might be an option for your use case but not for my personal pet projects.

Thinking of a solution

So that brings us to option 3. In a nutshell its my solution to option 2.

My solution

I created a single AWS Account that I am using for DNS management. All the domains that I own are in this account, and are using Route53. I also deployed the cfn-cross-account-dns-provider in this account. This provider comes with a SNS Topic and all member accounts are allowed to publish to this topic.

Throwing dns record over the fence

Now you can use the resource definition in CloudFormation to create DNS records. It will use the SNS topic to invoke the Custom Cross Account DNS Provider in the AWS account that have the hosted zones. The provider will manage the records for you and will notify CloudFormation with the end result.

  Type: Custom::CrossAccountDNS
    ServiceToken: !Sub arn:aws:sns:${AWS::Region}:${HostedZoneAccountId}:binxio-cfn-cross-account-dns-provider
    HostedZoneId: !Ref HostedZoneId
    Type: CNAME

Cool, so now that we can create DNS records cross account you can do more fun stuff. For example, you also need DNS records for certificates that you request through ACM

When you are using CloudFront the certificate needs to exist in the us-east-1 region. This will become a problem when your application lives in a different region. For this Mark van Holsteijn created the cfn-certificate-provider. With this provider you can request a certificate in the us-east-1 region. While your stack lives in the eu-west-1 region. When you combine this with the cfn-cross-account-dns-provider your certificates will be issued automatically.


You can manage certificates and DNS records  across account and region. All you need is the cfn-certificate-provider and the cfn-cross-account-dns-provider. This will remove any manual steps from your deployment making them more predictable and reliable.

Photo by

Joris Conijn
Joris has been working with the AWS cloud since 2009 and focussing on building event driven architectures. While working with the cloud from (almost) the start he has seen most of the services being launched. Joris strongly believes in automation and infrastructure as code and is open to learn new things and experiment with them, because that is the way to learn and grow. In his spare time he enjoys running and runs a small micro brewery from his home.

Get in touch with us to learn more about the subject and related solutions

Explore related posts