
AWS Route 53 hosted zone associated with a VPC

ID: aws_route53_associated_vpc
Data type: AWS CloudTrail
Severity: Low
MITRE ATT&CK: TA0003:T1098

Description

AlphaSOC detected the association of an AWS Route 53 private hosted zone with a Virtual Private Cloud (VPC), recorded in CloudTrail as the AssociateVPCWithHostedZone event. Once a private hosted zone is associated with a VPC, its Domain Name System (DNS) records become authoritative for resolvers inside that VPC: the Route 53 Resolver answers queries for names in the zone from the private zone rather than from public DNS, so the association changes how those domain names resolve for every workload in the VPC. This is often legitimate (for example, connecting a new VPC to an existing internal domain), but a threat actor with Route 53 permissions can misuse the same action to redirect traffic, either by attaching a zone they control to a victim VPC or by attaching a legitimate zone to a VPC they control. Actions initiated by AWS services are exempt from the detection to avoid false positives.

Impact

Because a private hosted zone takes precedence over public DNS for the VPCs it is associated with, an attacker who can associate a zone can hijack name resolution inside the VPC. An A record for an internal service, a package repository or an identity endpoint can be pointed at an attacker-controlled host to intercept credentials and sensitive data or to redirect workloads to malicious infrastructure, and names in the zone that have no private record return NXDOMAIN instead of falling through to public DNS, so a shadowing zone can also break or deny service. The association is a zone-level setting that persists until it is removed, which makes it a durable persistence mechanism. Since resolution happens through the VPC's built-in resolver, nothing changes on the instances themselves and they keep receiving valid-looking answers, so the manipulation can bypass host-based controls and is difficult to notice from inside the workload.

Severity

Severity   Condition
Low        Unexpected action, user agent or ASN
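The following is an added example of the detection logic described above, run over constructed CloudTrail records. It is illustrative code, not AlphaSOC's implementation. The baseline of expected principals, user agents and ASNs, the IP-to-ASN lookup (CloudTrail only carries the source IP; the ASN is an enrichment step) and the exact shape of the requestParameters fields are assumptions made for the example.

```python
"""Detection logic for aws_route53_associated_vpc over constructed CloudTrail
records (added example; not AlphaSOC's code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

EVENT_NAME = "AssociateVPCWithHostedZone"

# Assumed baseline for this account: who normally associates zones, from which
# tooling and from which networks. In practice this comes from the tenant's
# own history rather than static lists.
EXPECTED_PRINCIPALS = {"arn:aws:iam::111111111111:role/infra-deploy"}
EXPECTED_USER_AGENTS = ("terraform", "aws-cli", "aws-sdk-go")
EXPECTED_ASNS = {16509}  # Amazon: deploy pipeline runs inside AWS

# Constructed stand-in for a GeoIP/ASN enrichment database.
IP_TO_ASN = {"52.94.1.10": 16509, "203.0.113.7": 64512}


@dataclass
class Finding:
    principal: str
    hosted_zone_id: str
    vpc_id: str
    reasons: List[str]
    severity: str = "Low"


def is_aws_service(user_identity: Dict) -> bool:
    """Actions initiated by AWS services themselves are exempt."""
    return user_identity.get("type") == "AWSService"


def evaluate(record: Dict) -> Optional[Finding]:
    """Return a Low finding when an association comes with an unexpected
    principal action, user agent or ASN; None otherwise."""
    if record.get("eventSource") != "route53.amazonaws.com":
        return None
    if record.get("eventName") != EVENT_NAME:
        return None
    identity = record.get("userIdentity", {})
    if is_aws_service(identity):
        return None

    principal = identity.get("arn", "")
    user_agent = record.get("userAgent", "")
    asn = IP_TO_ASN.get(record.get("sourceIPAddress", ""))

    reasons = []
    if principal not in EXPECTED_PRINCIPALS:
        reasons.append(f"unexpected action for principal {principal}")
    if not user_agent.lower().startswith(EXPECTED_USER_AGENTS):
        reasons.append(f"unexpected user agent {user_agent!r}")
    if asn not in EXPECTED_ASNS:
        reasons.append(f"unexpected ASN {asn}")
    if not reasons:
        return None

    params = record.get("requestParameters", {})  # assumed field layout
    return Finding(
        principal=principal,
        hosted_zone_id=params.get("hostedZoneId", ""),
        vpc_id=params.get("vPC", {}).get("vPCId", ""),
        reasons=reasons,
    )


def detect(records: List[Dict]) -> List[Finding]:
    return [f for f in (evaluate(r) for r in records) if f is not None]


# Constructed sample records (not real CloudTrail output).
SAMPLE_RECORDS = [
    {   # expected: deploy role, Terraform, from AWS address space
        "eventSource": "route53.amazonaws.com", "eventName": EVENT_NAME,
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:iam::111111111111:role/infra-deploy"},
        "sourceIPAddress": "52.94.1.10",
        "userAgent": "Terraform/1.6.0 (+https://www.terraform.io)",
        "requestParameters": {"hostedZoneId": "Z0123456789EXAMPLE",
                              "vPC": {"vPCRegion": "us-east-1", "vPCId": "vpc-0abc123def456"}},
    },
    {   # unexpected: IAM user, raw SDK, from a non-AWS network
        "eventSource": "route53.amazonaws.com", "eventName": EVENT_NAME,
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111111111111:user/contractor"},
        "sourceIPAddress": "203.0.113.7",
        "userAgent": "Boto3/1.34.0 md/Botocore#1.34.0 ua/2.0 os/linux",
        "requestParameters": {"hostedZoneId": "Z0123456789EXAMPLE",
                              "vPC": {"vPCRegion": "us-east-1", "vPCId": "vpc-0abc123def456"}},
    },
    {   # exempt: AWS service acting on its own behalf
        "eventSource": "route53.amazonaws.com", "eventName": EVENT_NAME,
        "userIdentity": {"type": "AWSService", "invokedBy": "servicediscovery.amazonaws.com"},
        "sourceIPAddress": "servicediscovery.amazonaws.com", "userAgent": "servicediscovery.amazonaws.com",
        "requestParameters": {"hostedZoneId": "Z0987654321EXAMPLE",
                              "vPC": {"vPCRegion": "us-east-1", "vPCId": "vpc-0abc123def456"}},
    },
    {   # different Route 53 action: not this rule's concern
        "eventSource": "route53.amazonaws.com", "eventName": "ChangeResourceRecordSets",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/contractor"},
        "sourceIPAddress": "203.0.113.7", "userAgent": "Boto3/1.34.0",
    },
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_RECORDS):
        print(finding)
```

Only the second record produces a finding, with all three conditions from the severity table listed as reasons; the AWSService record is skipped before any baseline comparison, which is the exemption the description refers to.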

Investigation and Remediation

Verify the legitimacy of the association by reviewing the AssociateVPCWithHostedZone event in CloudTrail: identify the principal, source IP address and user agent, take the hosted zone ID and VPC ID from the request parameters, and confirm with the owners whether the change was expected. Route 53 is a global service, so its CloudTrail events are recorded in the us-east-1 region. Check whether the zone and the VPC belong to the same account; a cross-account association must first be authorized with CreateVPCAssociationAuthorization, and that event shows who approved it. Examine the DNS records within the hosted zone for suspicious entries, in particular a zone name that shadows a public domain or an existing internal domain, and records that point internal names at addresses outside the VPC or the organization. If the association is unauthorized, disassociate the VPC from the hosted zone (DisassociateVPCFromHostedZone), remove the malicious records, and delete the zone if the attacker created it. Then review VPC flow logs, Route 53 Resolver query logs where enabled, and CloudTrail for related activity by the same principal, such as CreateHostedZone and ChangeResourceRecordSets, and rotate any credentials that clients may have sent to the hijacked names.