Route53 Query Logging Controller - Itaú — MULTI architecture diagram

About This Architecture

Route53 Query Logging Controller automates DNS query logging across multiple AWS accounts using EKS, cross-account IAM roles, and ServiceAccount Pod Identity. The control plane in Account 1 runs a KRO controller that manages ResolverQueryLogConfig custom resources, which trigger cross-account AssumeRole chains to Client Accounts A and B, enabling centralized CloudWatch Logs collection from Route53 Resolver. This pattern eliminates manual DNS logging setup, enforces consistent logging policies via CRDs, and scales to dozens of spoke accounts without credential sprawl. Fork this diagram on Diagrams.so to customize account IDs, VPC CIDRs, or log group naming for your organization. The design demonstrates least-privilege cross-account access using Pod Identity and trust relationships, making it ideal for enterprises standardizing DNS observability across business units.

People also ask

How do you automate Route53 DNS query logging across multiple AWS accounts without managing static credentials?

This diagram shows a Route53 Query Logging Controller running in an EKS control plane that uses Pod Identity and cross-account IAM AssumeRole chains to automatically configure Route53 Resolver Query Log Configs in spoke accounts. Each client account's workload VPC sends DNS queries to CloudWatch Log Groups via trusted IAM roles, eliminating credential management and scaling to dozens of accounts.

Route53 Query Logging Controller - Itaú

MultiadvancedAWSRoute53EKSmulti-accountIAMDNS logging
Domain: Cloud MultiAudience: AWS multi-account architects and platform engineers managing Route53 DNS logging at scale
0 views0 favoritesPublic

Created by

June 8, 2026

Updated

June 17, 2026 at 10:44 AM

Type

network

Need a custom architecture diagram?

Describe your architecture in plain English and get a production-ready Draw.io diagram in seconds. Works for AWS, Azure, GCP, Kubernetes, and more.

Generate with AI