How can I associate a Route 53 health check from a different AWS account to a record set in my account?

Last updated: 2020-06-11

How can I associate an Amazon Route 53 health check from a different AWS account to a record set in my account?

Resolution

You can associate a Route 53 health check with a record set, even if the health check and record set aren't in the same AWS account. To do this, use the AWS Command Line Interface (AWS CLI) to run the change-resource-record-sets command. Use CREATE or UPSERT to add or update a record set, specifying the health check ID from the other AWS account.

aws route53 change-resource-record-sets --hosted-zone-id Z1XYZ123XYZ --change-batch file://route53.json

Note: Be sure to replace the placeholders in the above command with your corresponding values.

An AWS Identity and Access Management (IAM) trust relationship between accounts is not required. However, you must create an IAM trust relationship to:

  • View the other account's health checks from the Health Check drop-down list in the Route 53 console.
  • Use the get-health-check command.

To confirm that the health check is available in the other account:

  • In the Route 53 console, choose Health Checks. Then, check the "Health check ID" column to confirm that the correct health check is in use in the route53.json file.
  • Use the list-resource-record-sets command.

The route53.json file contains the following data:

{
    "Comment": "This is route53.json file",
    "Changes": [{
            "Action": "CREATE",
            "ResourceRecordSet": {
                "Name": "abc.example.com",
                "Type": "A",
                "SetIdentifier": "primary-record",
                "Failover": "PRIMARY",
                "TTL": 60,
                "ResourceRecords": [{
                    "Value": "1.1.1.1"
                }],
                "HealthCheckId": "0385ed2d-d65c-4f63-a19b-2412a31ef431"
            }
        },
        {
            "Action": "CREATE",
            "ResourceRecordSet": {
                "Name": "abc.example.com",
                "Type": "A",
                "SetIdentifier": "secondary-record",
                "Failover": "SECONDARY",
                "TTL": 60,
                "ResourceRecords": [{
                    "Value": "2.2.2.2"
                }]
            }
        }
    ]
}

Important: The Route 53 console won't show the associated health check on the RRSet because the health check belongs to a different account. However, you can use the AWS CLI to see the associated health check for the RRSet:

$ aws route53 list-resource-record-sets --hosted-zone-id Z1XYZ123XYZ --query "ResourceRecordSets[?Name == 'abc.example.com.']" --output json

[
    {
        "HealthCheckId": "0385ed2d-d65c-4f63-a19b-2412a31ef431",
        "Name": "abc.example.com.",
        "Type": "A",
        "Failover": "PRIMARY",
        "ResourceRecords": [
            {
                "Value": "1.1.1.1"
            }
        ],
        "TTL": 60,
        "SetIdentifier": "primary-record"
    },
    {
        "Name": "abc.example.com.",
        "Type": "A",
        "Failover": "SECONDARY",
        "ResourceRecords": [
            {
                "Value": "2.2.2.2"
            }
        ],
        "TTL": 60,
        "SetIdentifier": "secondary-record"
    }
]

Note: Be sure to replace the placeholders in this script with your corresponding values.
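
Because the console does not show a health check that belongs to a different account, an inventory of these dependencies has to come from CLI output. The following is an added example, not part of the original article: it compares list-resource-record-sets output with the zone owner's own list-health-checks output and reports records that reference a health check ID the account does not own. The function name, the api.example.com record, and the 11111111-... health check ID are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `aws route53 list-resource-record-sets` output.
RECORD_SETS = json.loads("""
{"ResourceRecordSets": [
  {"Name": "abc.example.com.", "Type": "A", "SetIdentifier": "primary-record",
   "Failover": "PRIMARY", "TTL": 60, "ResourceRecords": [{"Value": "1.1.1.1"}],
   "HealthCheckId": "0385ed2d-d65c-4f63-a19b-2412a31ef431"},
  {"Name": "abc.example.com.", "Type": "A", "SetIdentifier": "secondary-record",
   "Failover": "SECONDARY", "TTL": 60, "ResourceRecords": [{"Value": "2.2.2.2"}]},
  {"Name": "api.example.com.", "Type": "A", "TTL": 60,
   "ResourceRecords": [{"Value": "3.3.3.3"}],
   "HealthCheckId": "11111111-2222-3333-4444-555555555555"}
]}
""")

# Constructed sample in the shape of `aws route53 list-health-checks` output,
# as returned in the account that owns the hosted zone.
LOCAL_HEALTH_CHECKS = json.loads("""
{"HealthChecks": [{"Id": "11111111-2222-3333-4444-555555555555"}]}
""")


def external_health_check_records(record_sets, health_checks):
    """Map each health check ID not owned by this account to the records using it."""
    # --query output is a bare list; unfiltered output wraps it in an object.
    if isinstance(record_sets, dict):
        record_sets = record_sets.get("ResourceRecordSets", [])
    local_ids = {hc["Id"] for hc in health_checks.get("HealthChecks", [])}

    external = defaultdict(list)
    for rr in record_sets:
        hc_id = rr.get("HealthCheckId")
        if hc_id and hc_id not in local_ids:
            external[hc_id].append(
                (rr["Name"], rr["Type"], rr.get("SetIdentifier"), rr.get("Failover"))
            )
    return dict(external)


if __name__ == "__main__":
    for hc_id, records in external_health_check_records(
            RECORD_SETS, LOCAL_HEALTH_CHECKS).items():
        for name, rtype, set_id, role in records:
            print(f"{hc_id} (not in this account): {name} {rtype} {set_id} {role}")
```
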

