How to retrieve DNS records for a specific domain in AWS Route 53 via PowerShell
I have worked as a System Administrator for more than 15 years now and I love to make my life easier by automating work and personal stuff via PowerShell (even silly things like generating food recipe lists).
To be able to retrieve DNS records from AWS, you need three things:
- an AWS IAM user that has permission to READ the DNS zone (and nothing more)
- the Hosted Zone ID of that zone
- a PowerShell function that will give you the results
Create a user account
Log in to AWS and create a new user in AWS IAM. Use a dedicated user for this task, so that the access key you generate later grants nothing beyond reading this zone.

Create a security policy
This policy grants the user the right to READ data for the selected DNS zone only.
In IAM, create a new policy:

- The policy needs to grant the following permission: route53:ListResourceRecordSets. This is the API call behind the Get-R53ResourceRecordSet cmdlet used in the function below, and it is the only permission the function needs.

- Put the Hosted Zone ID into the Resources restriction (arn:aws:route53:::hostedzone/<Hosted Zone ID>), so the user can read this zone and no other. You can find the Hosted Zone ID in the Route 53 console, on the details page of the hosted zone.

Assign the created policy to the user
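The three IAM steps above can also be done from PowerShell instead of the console. The following is an added example, not code from the original post: it uses the AWS.Tools.IdentityManagement module and assumes you run it with administrator credentials already configured for the AWS Tools (for example the default profile). The zone ID, user name and policy name are placeholders to replace with your own.

```powershell
# Added example (not from the original post): create the IAM user, a read-only
# policy scoped to ONE hosted zone, attach it, and produce the PSCredential that
# Get-AWSDNSZoneRecord expects (access key ID as user name, secret key as password).
Import-Module AWS.Tools.Common -ErrorAction Stop
Import-Module AWS.Tools.IdentityManagement -ErrorAction Stop

$zoneId     = 'Z0123456789EXAMPLE'        # placeholder: your Hosted Zone ID from the Route 53 console
$userName   = 'dns-reader'                # assumed user name
$policyName = "Route53-ReadOnly-$zoneId"  # assumed policy name

# Least privilege: Get-R53ResourceRecordSet calls route53:ListResourceRecordSets,
# so that is the only action granted, and only on this hosted zone's ARN.
# route53:ListHostedZones is NOT needed because the function receives the zone ID directly.
$policyDocument = @"
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOneHostedZone",
      "Effect": "Allow",
      "Action": "route53:ListResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/$zoneId"
    }
  ]
}
"@

# 1. Create the user
$user = New-IAMUser -UserName $userName

# 2. Create the customer-managed policy
$policy = New-IAMPolicy -PolicyName $policyName `
                        -PolicyDocument $policyDocument `
                        -Description "Read-only access to Route 53 hosted zone $zoneId"

# 3. Attach the policy to the user (Register-IAMUserPolicy = AttachUserPolicy)
Register-IAMUserPolicy -UserName $user.UserName -PolicyArn $policy.Arn

# Issue an access key. The secret is shown exactly once by AWS, so wrap it into a
# PSCredential right away and store that in a vault instead of a script.
$key    = New-IAMAccessKey -UserName $user.UserName
$secret = ConvertTo-SecureString -String $key.SecretAccessKey -AsPlainText -Force
$dnsReaderCredential = New-Object System.Management.Automation.PSCredential ($key.AccessKeyId, $secret)

# $dnsReaderCredential is what you pass as -credential to Get-AWSDNSZoneRecord.
$dnsReaderCredential
```

Keep the secret out of plain-text scripts; the PSCredential object can be persisted with Export-Clixml on the machine and user that will run the function, or kept in a proper secret store.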

Use the PowerShell function to retrieve the results
Now that you have a user account that can be used to retrieve DNS data from AWS, use it in the Get-AWSDNSZoneRecord function below, together with the Hosted Zone ID retrieved earlier. The credential is passed as a PSCredential: the access key ID as the user name and the secret access key as the password.
function Get-AWSDNSZoneRecord {
<#
.SYNOPSIS
Returns the DNS records of a given hosted zone in AWS Route 53.
.DESCRIPTION
Returns one object (name, type, ttl, value) per record value for the given hosted zone.
The API returns the zone in pages, so the function follows IsTruncated/NextRecord* until the whole zone is read.
Alias records (which carry no ResourceRecords) are returned with the alias target's DNS name as the value.
.PARAMETER domainZoneID
Hosted Zone ID (for example Z019043928439), as shown in the Route 53 console.
.PARAMETER credential
Credential whose user name is the IAM access key ID and whose password is the secret access key
of a user with read permission on the given hosted zone.
.EXAMPLE
Get-AWSDNSZoneRecord -domainZoneID Z019043928439 -credential (Get-Credential -Message 'Access key ID as user name, secret access key as password')
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)]
    [string] $domainZoneID,

    [Parameter(Mandatory = $true)]
    [System.Management.Automation.PSCredential] $credential
)

try {
    Import-Module AWS.Tools.Common -ErrorAction Stop
    Import-Module AWS.Tools.Route53 -ErrorAction Stop
} catch {
    throw "Required module is missing (AWS.Tools.Common or AWS.Tools.Route53). To install these modules run:`n`nInstall-Module -Name AWS.Tools.Installer -Force`nInstall-AWSToolsModule AWS.Tools.Common,AWS.Tools.Route53 -CleanUp"
}

# Pass the keys to each call instead of Set-AWSCredential, so they are not left behind
# as session-wide default credentials after the function returns.
$awsAuth = @{
    AccessKey = $credential.UserName
    SecretKey = $credential.GetNetworkCredential().Password
}

# Results are returned in pages of 100 items, so you have to iterate (there is a MaxItem parameter but it is limited to 300).
# https://forums.aws.amazon.com/message.jspa?messageID=463427
$result = [System.Collections.Generic.List[object]]::new()
$page = @{ HostedZoneId = $domainZoneID }
do {
    # Get-R53ResourceRecordSet returns the whole ListResourceRecordSetsResponse,
    # including the IsTruncated flag and the NextRecord* markers
    $recordSet = Get-R53ResourceRecordSet @page @awsAuth

    foreach ($rs in $recordSet.ResourceRecordSets) {
        # alias records have no ResourceRecords; the target lives in AliasTarget instead
        if ($rs.AliasTarget) {
            $values = @($rs.AliasTarget.DNSName)
        } else {
            $values = @($rs.ResourceRecords.Value)
        }
        # one output object per value (e.g. each MX or TXT entry separately)
        foreach ($value in $values) {
            $result.Add([PSCustomObject]@{
                name  = $rs.Name
                type  = [string] $rs.Type
                ttl   = $rs.TTL
                value = $value
            })
        }
    }

    # set up for the next call (only when the API says there is more)
    if ($recordSet.IsTruncated) {
        $page = @{
            HostedZoneId    = $domainZoneID
            StartRecordName = $recordSet.NextRecordName
            StartRecordType = $recordSet.NextRecordType
        }
        # the identifier is only set for weighted/latency/failover record sets
        if ($recordSet.NextRecordIdentifier) {
            $page.StartRecordIdentifier = $recordSet.NextRecordIdentifier
        }
    }
} while ($recordSet.IsTruncated)

return $result
}

$cred = Get-Credential -Message 'Enter the IAM access key ID as user name and the secret access key as password'
Get-AWSDNSZoneRecord -domainZoneID 'Z01whatever' -credential $cred
A similar approach can be used to retrieve any other information from AWS.