AWS Route 53 domain transfer to an external account
Description
AlphaSOC detected an AWS Route 53 domain transfer to an external account. This action involves moving control of a domain from one AWS account to another, potentially outside of the organization's control. Such transfers can be part of legitimate operations, but they can also indicate unauthorized access or an attempt to hijack domain resources.
Impact
Unauthorized domain transfers can severely compromise an organization's security infrastructure. The transferred domain could be used for phishing campaigns, malware distribution, or intercepting sensitive communications. It can also disrupt business operations and lead to a loss of control over critical infrastructure components associated with the domain.
Severity
| Severity | Condition |
|---|---|
| Informational | Domain transfer to an external account using Route 53 |
| Medium | Domain transfer to an unknown external account using Route 53 |
Investigation and Remediation
Review AWS CloudTrail logs to verify the legitimacy of the action, identify the user who initiated the transfer, and review recent account activity. If unauthorized, contact AWS Support to attempt to reverse the transfer. Change any associated account credentials and API keys. Check DNS records and SSL certificates associated with the domain. Conduct a broader security assessment to identify additional compromised resources or accounts.
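An added example (not AlphaSOC's code) of the CloudTrail review described above: it scans a constructed CloudTrail export for Route 53 Domains `TransferDomainToAnotherAwsAccount` events, reports the initiating identity and target account, and assigns the severity from the table above. The organisation and known-external account lists and the exact request-parameter field names are assumptions.

```python
import json

# Constructed CloudTrail export (not real events). Top-level field names follow the
# CloudTrail record format; the requestParameters keys are an assumption of this example.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:15:00Z", "eventSource": "route53domains.amazonaws.com",
     "eventName": "TransferDomainToAnotherAwsAccount", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/dns-admin"},
     "requestParameters": {"domainName": "example.com", "accountId": "222222222222"}},
    {"eventTime": "2024-05-01T10:20:00Z", "eventSource": "route53domains.amazonaws.com",
     "eventName": "TransferDomainToAnotherAwsAccount", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111111111111:assumed-role/ci/build"},
     "requestParameters": {"domainName": "example.org", "accountId": "999999999999"}},
    {"eventTime": "2024-05-01T10:25:00Z", "eventSource": "route53domains.amazonaws.com",
     "eventName": "TransferDomainToAnotherAwsAccount", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/dns-admin"},
     "requestParameters": {"domainName": "internal.example", "accountId": "333333333333"}},
    {"eventTime": "2024-05-01T10:30:00Z", "eventSource": "route53.amazonaws.com",
     "eventName": "ChangeResourceRecordSets", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/dns-admin"},
     "requestParameters": {"hostedZoneId": "Z0000000000000"}},
]})

ORG_ACCOUNTS = {"111111111111", "333333333333"}  # assumed: accounts the organisation owns
KNOWN_EXTERNAL_ACCOUNTS = {"222222222222"}       # assumed: external accounts that are expected


def classify_domain_transfers(cloudtrail_json, org_accounts=ORG_ACCOUNTS,
                              known_external=KNOWN_EXTERNAL_ACCOUNTS):
    """Return one finding per Route 53 domain transfer that leaves the organisation.
    Severity follows the table above: Informational for a known external account,
    Medium for an unknown one. Intra-organisation moves and other API calls are skipped."""
    findings = []
    for rec in json.loads(cloudtrail_json)["Records"]:
        if (rec.get("eventSource") != "route53domains.amazonaws.com"
                or rec.get("eventName") != "TransferDomainToAnotherAwsAccount"):
            continue
        params = rec.get("requestParameters") or {}
        target = params.get("accountId")
        if target in org_accounts:
            continue  # domain stays inside the organisation; not covered by this detection
        findings.append({
            "time": rec["eventTime"],
            "domain": params.get("domainName"),
            "source_account": rec.get("recipientAccountId"),  # account that logged the call
            "target_account": target,
            "initiator": rec.get("userIdentity", {}).get("arn"),
            "severity": "Informational" if target in known_external else "Medium",
        })
    return findings
```

Each finding names the initiating principal, which is the starting point for the account-activity review; when investigating real logs, remember that Route 53 Domains calls are recorded in the us-east-1 region.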
Known False Positives
- Transfer of domains to a newly created AWS account