SOLUTION of the MONTH:

How to transfer domains from one AWS account to another

by Patrick Shaeffer

Problem:

Your company is merging with another or it’s spinning off a portion of itself as a separate business entity. Either way you need to transfer a company’s domains to a different AWS billing account.

Here are the things you should consider, a step-by-step on how to do it, and all the stuff the other KB articles leave out, assume, or don’t tell you at all.

Solution:

Use the AWS-CLI program from any Linux system to manually transfer (and accept) AWS domain transfers.


Considerations:

  • Make sure you have a clean Linux instance to work from where you won’t mind installing the AWS-CLI program
  • Make sure both the recipient and the source have their AWS account information before beginning
  • Make sure the person doing the transfer has the ability to create an IAM account or one has been created for them, including giving them their Access ID & Access Key

Bonus Section: How to do it

STEP 1 – Preparations

Make sure current versions of the following are installed on your Linux (Ubuntu in our case) machine:

  • curl
  • unzip
  • aws-cli

Install curl

apt install curl

curl --version

Install unzip

apt install unzip

Installing AWS-CLI

For this situation we found it best to just spin up a small Ubuntu 20.04 Server VM so we had a clean system that we could turn on or off whenever we needed it. Our base user was named ‘ubuntu’.

cd /home/ubuntu/

sudo su

curl https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip -o awscliv2.zip

unzip awscliv2.zip

sudo ./aws/install

aws --version

Configure AWS-CLI

The fastest way to configure your AWS-CLI is with the aws configure command. You’ll be asked for 4 pieces of information.

  • Access key ID
  • Secret access key
  • AWS Region
  • Output format

Before you begin you’ll need to get an Access Key ID & Secret Access Key. You may already have these for your account but often that account may include more permissions than this requires. We recommend creating a new IAM user with just the permissions you’ll need to get the job done.

Note: Be sure to copy the ID and Key to a text file because you won’t be given access to them again in the future.

aws configure

Note: Make sure to provide a default region name in order for the transfer to work.

Step 2 – Initiate the Domain Transfer

Use the aws route53domains transfer-domain-to-another-aws-account command to start the process.

Note: Other subcommands are listed if you append the help subcommand

aws route53domains help

aws route53domains transfer-domain-to-another-aws-account --domain-name mydomain.com --account-id 123412341234

After running this command you should receive a confirmation consisting of the Operation ID and a Password. Save these: you’ll need the Operation ID to check status, and the domain’s new account owner will need the Password to accept the transfer.

{
    "OperationId": "1234abc1-XXXXXX",
    "Password": "NXXXXX"
}

NOTE:

  1. Some domains cannot be transferred without assistance from AWS, which requires opening a support ticket. Check the domain first with the check-domain-transferability subcommand before attempting the transfer.
  2. Most domains have many DNS records (A Record, MX Record, CName Record, etc.) but none of these entries will be included in the transfer.

The AWS account that you’re transferring the domain to must accept the transfer. Step 3 coming right up.

Step 3 – Accept the Transfer

Your recipient will now log into their machine (also configured with AWS-CLI) and run the following command:

aws route53domains accept-domain-transfer-from-another-aws-account --domain-name mydomain.com --password "password from the confirmation"

After running this command you should receive confirmation.

{
    "OperationId": "9876b5ag-XXXX"
}

You can also check the status of the transfer at any time using the Operation ID it gives you.

aws route53domains get-operation-detail --operation-id 9876b5ag-XXXX

Its output should look something like the following:

{
    "OperationId": "9876b5ag-XXXX",
    "Status": "SUCCESSFUL",
    "DomainName": "mydomain.com",
    "Type": "INTERNAL_TRANSFER_IN_DOMAIN",
    "SubmittedDate": "2021-XXXXXX"
}
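As an added example (not part of the original article), the following POSIX shell script wraps Step 2 and the Step 3 status check: it pulls the OperationId and Password out of the CLI’s JSON and polls get-operation-detail until the operation reaches SUCCESSFUL, ERROR or FAILED. It assumes a configured AWS CLI; the AWS_CMD variable is a hypothetical override hook for testing, and the region defaults to us-east-1, the one the article found working.

```shell
#!/bin/sh
# Added example, not from the article: scripts the article's Step 2 and the
# Step 3 status check. Assumes `aws configure` has been run; AWS_CMD is a
# hypothetical override hook so the parsing and polling can be exercised offline.
set -u
AWS_CMD="${AWS_CMD:-aws}"
REGION="${AWS_REGION:-us-east-1}"   # the one region the article found working

# Pull one string-valued key out of the CLI's pretty-printed JSON (no jq needed).
json_field() {  # usage: json_field KEY JSON_TEXT
    printf '%s\n' "$2" |
        sed -n "s/^[[:space:]]*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" |
        head -n 1
}

# Step 2: start the transfer and print "OperationId Password" on one line.
# Keep both: the ID is for status checks, the password goes to the recipient.
start_transfer() {  # usage: start_transfer DOMAIN TARGET_ACCOUNT_ID
    out=$("$AWS_CMD" route53domains transfer-domain-to-another-aws-account \
        --region "$REGION" --domain-name "$1" --account-id "$2") || return 1
    printf '%s %s\n' "$(json_field OperationId "$out")" "$(json_field Password "$out")"
}

# Poll get-operation-detail until a terminal status is reached.
# Returns 0 on SUCCESSFUL, 1 on ERROR or FAILED, 2 if still pending after MAX_TRIES.
wait_for_operation() {  # usage: wait_for_operation OPERATION_ID [MAX_TRIES] [SLEEP_SECONDS]
    op_id=$1; tries=${2:-30}; delay=${3:-20}
    while [ "$tries" -gt 0 ]; do
        out=$("$AWS_CMD" route53domains get-operation-detail \
            --region "$REGION" --operation-id "$op_id") || return 1
        status=$(json_field Status "$out")
        case $status in
            SUCCESSFUL) return 0 ;;
            ERROR|FAILED) printf 'operation %s ended with status %s\n' "$op_id" "$status" >&2
                          return 1 ;;
        esac
        tries=$((tries - 1))
        sleep "$delay"
    done
    return 2
}

# Sending side, with the article's placeholder values:
#   start_transfer mydomain.com 123412341234
# Receiving side, after accept-domain-transfer-from-another-aws-account:
#   wait_for_operation 9876b5ag-XXXX
```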

Why this Solution?

  1. Fast – faster than submitting a support ticket
  2. Easy – just follow the instructions
  3. Cheap – never pay a third party organization to do this for you. You can do it.
    You’re likely to find out later that you don’t own your domains anymore and/or you’re stuck with the third party as your registrar. Seriously!

Challenges:

  • This will work with all domains except .ORG
  • AWS’s KB article specifically states that the old DNS records will not be transferred
    What they DON’T tell you is that your base DNS records (NS and SOA) ARE included in the transfer, and they’re most likely the OLD, wrong ones!!!!
    You’re best off deleting the entire Hosted Zone and creating a new one, or finding the correct NS and SOA records and replacing the old ones.
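Given the stale NS/SOA problem above, here is an added check (example code, not from the article) that compares the name servers the registrar holds for the domain with the NS record set at the apex of the hosted zone in the receiving account, so a mismatch is caught before anything is deleted or replaced. It assumes a configured AWS CLI and takes the hosted zone ID as a parameter; the AWS_CMD override hook is a hypothetical testing aid.

```shell
#!/bin/sh
# Added example, not from the article: after a transfer, confirm that the name
# servers the registrar publishes for the domain match the NS record set inside
# the receiving account's hosted zone. Assumes a configured AWS CLI; AWS_CMD is
# a hypothetical override hook for offline testing.
set -u
AWS_CMD="${AWS_CMD:-aws}"
REGION="${AWS_REGION:-us-east-1}"   # route53domains endpoint the article got working

# Normalise a tab-separated list of host names: one per line, lower-case,
# trailing dot removed, sorted and de-duplicated.
normalise_ns() {
    tr '\t' '\n' | tr '[:upper:]' '[:lower:]' | sed 's/\.$//' | sort -u
}

# Name servers recorded at the registrar for the domain.
registrar_ns() {  # usage: registrar_ns DOMAIN
    "$AWS_CMD" route53domains get-domain-detail --region "$REGION" \
        --domain-name "$1" --query 'Nameservers[].Name' --output text | normalise_ns
}

# NS records at the zone apex of the hosted zone (Route 53 names carry a trailing dot).
zone_ns() {  # usage: zone_ns HOSTED_ZONE_ID DOMAIN
    "$AWS_CMD" route53 list-resource-record-sets --hosted-zone-id "$1" \
        --query "ResourceRecordSets[?Type=='NS' && Name=='$2.'].ResourceRecords[].Value" \
        --output text | normalise_ns
}

# Returns 0 when both sets agree, 1 when they differ (printing both sets to stderr).
check_ns_consistent() {  # usage: check_ns_consistent DOMAIN HOSTED_ZONE_ID
    a=$(registrar_ns "$1"); b=$(zone_ns "$2" "$1")
    [ -n "$a" ] && [ "$a" = "$b" ] && return 0
    printf 'name server mismatch for %s\nregistrar:\n%s\nhosted zone:\n%s\n' "$1" "$a" "$b" >&2
    return 1
}

# Example invocation (placeholder hosted zone ID; the article gives none):
#   check_ns_consistent mydomain.com Z0000PLACEHOLDER
```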

Take-Aways & Lessons Learned:

  1. When you run aws configure you may receive an error if you use us-west-2. If so, try a different region such as us-east-1. We’re still researching why this was the case, but us-east-1 was the only region we could get to work.
  2. Be sure to update the domain’s WHOIS contact information (all 3 parts) before initiating the transfer. Once the recipient approves the changes via the email confirmation, they’re the primary point of contact.
    By doing this early, the recipient can communicate with AWS if there are any problems or questions. AWS won’t communicate with anyone who isn’t in the account’s contact information.