AWS Route 53 hosted zone associated with a VPC
Description
AlphaSOC detected the association of an AWS Route 53 hosted zone with a Virtual Private Cloud (VPC). This action allows Domain Name System (DNS) records to be set up that return addresses from the VPC, and it changes how domain names are resolved within the VPC. While often legitimate, this action can be misused by threat actors to manipulate DNS settings and redirect traffic. Actions initiated by AWS services are exempt from the detection to avoid false positives.
Impact
The association of a Route 53 hosted zone with a VPC can potentially compromise the security and integrity of the AWS environment. If misused, it could lead to DNS hijacking, allowing attackers to redirect traffic, intercept sensitive information, or gain persistent access to the network. This manipulation can bypass security controls and make it difficult to detect ongoing malicious activities.
Severity
| Severity | Condition |
|---|---|
| Low | Unexpected action, user agent or ASN |
Investigation and Remediation
Verify the legitimacy of the Route 53 hosted zone creation by reviewing changes in management logs. Examine the DNS records within the hosted zone for any suspicious entries. If unauthorized, immediately remove the hosted zone and associated DNS records. Review VPC flow logs and CloudTrail for any related suspicious activities.
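One way to pull these associations out of exported CloudTrail records for review, as an added example that is not AlphaSOC's detection logic. The sample events are constructed, and the CloudTrail field layout, the service-initiated heuristic in `is_aws_service` and the `KNOWN_PRINCIPALS` baseline are assumptions.

```python
import json

# Constructed CloudTrail records (not real data). Field names follow the usual
# CloudTrail layout for Route 53 calls; treat that layout as an assumption.
def make_event(name, ident, ip="198.51.100.7", zone="ZEXAMPLE1", vpc="vpc-0example1"):
    return {"eventSource": "route53.amazonaws.com", "eventName": name,
            "eventTime": "2024-01-01T10:00:00Z", "sourceIPAddress": ip,
            "userAgent": "aws-cli/2.x (constructed)", "userIdentity": ident,
            "requestParameters": {"hostedZoneId": zone,
                                  "vPC": {"vPCId": vpc, "vPCRegion": "us-east-1"}}}

USER = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/example-user"}
ROLE = "arn:aws:sts::111122223333:assumed-role/example-dns-admin/ci"
SAMPLE_EVENTS = [
    make_event("AssociateVPCWithHostedZone", USER),
    make_event("AssociateVPCWithHostedZone", {"type": "AWSService",
               "invokedBy": "example-service.amazonaws.com"}, ip="example-service.amazonaws.com"),
    make_event("ChangeResourceRecordSets", USER),  # different API call, ignored
    make_event("AssociateVPCWithHostedZone", {"type": "AssumedRole", "arn": ROLE},
               zone="ZEXAMPLE2", vpc="vpc-0example2"),
]
KNOWN_PRINCIPALS = {ROLE}  # hypothetical baseline of expected DNS administrators
TARGET = ("route53.amazonaws.com", "AssociateVPCWithHostedZone")

def is_aws_service(event):
    """Heuristic (assumption) for calls made by an AWS service, which are exempt."""
    ident = event.get("userIdentity") or {}
    return (ident.get("type") == "AWSService" or "invokedBy" in ident
            or str(event.get("sourceIPAddress", "")).endswith(".amazonaws.com"))

def find_vpc_associations(events, known_principals=frozenset()):
    """Return one triage record per non-service AssociateVPCWithHostedZone call."""
    findings = []
    for ev in events:
        if (ev.get("eventSource"), ev.get("eventName")) != TARGET or is_aws_service(ev):
            continue
        params = ev.get("requestParameters") or {}
        arn = (ev.get("userIdentity") or {}).get("arn", "unknown")
        findings.append({
            "time": ev.get("eventTime"), "principal": arn,
            "known_principal": arn in known_principals,
            "source_ip": ev.get("sourceIPAddress"), "user_agent": ev.get("userAgent"),
            "hosted_zone": params.get("hostedZoneId"),
            "vpc_id": (params.get("vPC") or {}).get("vPCId"),
            "error": ev.get("errorCode"),  # failed attempts are kept for review
        })
    return findings

if __name__ == "__main__":
    print(json.dumps(find_vpc_associations(SAMPLE_EVENTS, KNOWN_PRINCIPALS), indent=2))
```

Each finding carries the hosted zone and VPC IDs needed to examine the zone's records and the matching VPC flow logs.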