How to retrieve DNS records for a specific domain in AWS Route 53 via PowerShell

To be able to retrieve DNS records from AWS, you need 3 things:

  • an AWS IAM user account that has permission to READ the DNS zone
  • the DNS zone ID
  • a PowerShell function that will give you the results

Create a user account

Log in to AWS and create a new user account in AWS IAM.


Create a Security policy

This policy will grant the user rights to READ data for the selected DNS zone. In IAM, create a new policy (screenshot not reproduced here).

  • This policy needs to grant the permissions shown in the original screenshot (not reproduced here).
  • You can find the Hosted Zone ID for the Resource restriction as shown in the original screenshot (not reproduced here).

Assign the created policy to the user.
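The three steps above (user, policy, assignment) can also be done from PowerShell. The following is an added example, not code from the original article: it creates the read-only user, a least-privilege policy scoped to a single hosted zone, attaches it, and builds the PSCredential object that the Get-AWSDNSZoneRecord function below expects (access key ID as username, secret key as password). The user name, policy name and zone ID are placeholders; the only permission granted is route53:ListResourceRecordSets, which is the API call behind Get-R53ResourceRecordSet.

```powershell
# Added example (not from the original article). Assumes AWS.Tools.IdentityManagement
# is installed and the session already runs under an IAM principal allowed to manage users.
Import-Module AWS.Tools.Common -ErrorAction Stop
Import-Module AWS.Tools.IdentityManagement -ErrorAction Stop

$zoneId   = 'Z0PLACEHOLDER'   # placeholder: the Hosted Zone ID of the zone to read
$userName = 'dns-reader'      # placeholder: name of the read-only user

# route53:ListResourceRecordSets is the API behind Get-R53ResourceRecordSet;
# the Resource ARN restricts the grant to this single hosted zone only
$policyDocument = @"
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "route53:ListResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/$zoneId"
    }
  ]
}
"@

# fail early on a malformed document before anything is created in IAM
$null = $policyDocument | ConvertFrom-Json -ErrorAction Stop

$user   = New-IAMUser -UserName $userName
$policy = New-IAMPolicy -PolicyName "route53-read-$zoneId" -PolicyDocument $policyDocument
Register-IAMUserPolicy -UserName $user.UserName -PolicyArn $policy.Arn

# programmatic access only: the access key becomes the username, the secret the password,
# so the secret is never written to the console or a log
$key        = New-IAMAccessKey -UserName $user.UserName
$secret     = ConvertTo-SecureString -String $key.SecretAccessKey -AsPlainText -Force
$credential = [pscredential]::new($key.AccessKeyId, $secret)

# $credential is what Get-AWSDNSZoneRecord -credential consumes
```

Because the policy names one hosted zone and one action, a leaked access key for this user cannot list other zones or change any record; rotating the key with New-IAMAccessKey and removing the old one is the only maintenance the user needs.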


Use PowerShell function to retrieve the results

Now that you have the user account that can be used to retrieve DNS data from AWS, use it in the Get-AWSDNSZoneRecord function below together with the domainZoneID retrieved earlier.

function Get-AWSDNSZoneRecord {
    <#
    .SYNOPSIS
    Function will return DNS records for given DNS zone hosted in AWS.

    .DESCRIPTION
    Function will return DNS records for given DNS zone hosted in AWS.

    .PARAMETER domainZoneID
    Zone ID.

    .PARAMETER credential
    Credentials for user that has read permission on given DNS zone.
    Username is the AWS access key ID, password is the AWS secret access key.

    .EXAMPLE
    Get-AWSDNSZoneRecord -domainZoneID Z019043928439 -credential (Get-Credential)
    #>

    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [string] $domainZoneID,

        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential] $credential
    )

    try {
        Import-Module AWS.Tools.Common -ErrorAction Stop
        Import-Module AWS.Tools.Route53 -ErrorAction Stop
    } catch {
        throw "Important module is missing (AWS.Tools.Common or AWS.Tools.Route53). To download these modules use:`n`n
    Install-Module -Name AWS.Tools.Installer -Force
    Install-AWSToolsModule AWS.Tools.Common,AWS.Tools.Route53 -CleanUp"
    }

    # the access key ID travels as the username, the secret key as the password
    $accessKey = $credential.UserName
    $secretKey = $credential.GetNetworkCredential().Password

    Set-AWSCredential -AccessKey $accessKey -SecretKey $secretKey

    # because results are returned by 100 items, you have to iterate (there is a MaxItem parameter but it is limited to 300)
    # the Start* parameters are added to the splat only after a page reports IsTruncated
    $params = @{ HostedZoneId = "/hostedzone/$domainZoneID" }

    [System.Collections.ArrayList] $result = @()

    do {
        $recordSet = Get-R53ResourceRecordSet @params

        foreach ($record in $recordSet.ResourceRecordSets) {
            $name = if ([string]::IsNullOrEmpty($record.Name)) { "@" } else { $record.Name }
            $type = $record.Type

            if ($record.ResourceRecords.Count -gt 0) {
                # for each value create separate object
                foreach ($value in $record.ResourceRecords.Value) {
                    [void] $result.Add([PSCustomObject]@{
                            name  = $name
                            type  = $type
                            value = $value
                        })
                }
            } else {
                # alias records carry no ResourceRecords, the target is in AliasTarget instead
                [void] $result.Add([PSCustomObject]@{
                        name  = $name
                        type  = $type
                        value = $record.AliasTarget.DNSName
                    })
            }
        }

        # set up for the next call
        if ($recordSet.IsTruncated) {
            $params['StartRecordName'] = $recordSet.NextRecordName
            $params['StartRecordType'] = $recordSet.NextRecordType
            # the identifier is only present for weighted/latency/failover record sets
            if ($recordSet.NextRecordIdentifier) {
                $params['StartRecordIdentifier'] = $recordSet.NextRecordIdentifier
            }
        }
    } while ($recordSet.IsTruncated)

    return $result
}

# prompts for the access key ID (username) and secret access key (password)
Get-AWSDNSZoneRecord -domainZoneID 'Z01whatever' -credential (Get-Credential)

A similar approach can be used to retrieve any other information from AWS.

Support Ondrej Sebela by becoming a sponsor. Any amount is appreciated!