AWS Route 53 public hosted zone created
Description
AlphaSOC detected the creation of a public hosted zone in AWS Route 53. This action allows the registration and management of public DNS records for a domain. While often legitimate, threat actors can exploit this to set up infrastructure for malicious activities such as phishing or data exfiltration. Route 53 public hosted zones created by AWS services are exempt from the detection to avoid false positives.
Impact
If misused, a public hosted zone lets adversaries create seemingly legitimate subdomains, which can lead to data breaches or serve as a launching pad for further attacks within the organization's infrastructure.
Severity
| Severity | Condition |
|---|---|
| Informational | Route 53 public hosted zone created |
| Low | Unexpected ASN, user agent or region |
Investigation and Remediation
Investigate the creation of the public hosted zone by reviewing AWS CloudTrail logs to identify the user or role responsible. Verify if this action was legitimate. If unauthorized, immediately remove the hosted zone and associated DNS records. Review Identity and Access Management (IAM) permissions to ensure only authorized personnel can create public hosted zones. Investigate any suspicious DNS records or subdomains created within the zone.
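One way to run the CloudTrail review described above. This is an added example, not AlphaSOC's detection logic. The sample records are constructed, and the field layout and the service-exemption check via `invokedBy` are assumptions based on the standard CloudTrail record format.

```python
# Constructed CloudTrail records (not real logs); the field layout is an
# assumption based on the standard CloudTrail record format.
R53 = {"eventSource": "route53.amazonaws.com", "eventName": "CreateHostedZone",
       "awsRegion": "us-east-1", "userAgent": "aws-cli/2.x"}
USER = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/example-user"}
EVENTS = [
    # Public zone created by an IAM user: the case to investigate.
    {**R53, "eventTime": "2024-01-01T10:00:00Z", "sourceIPAddress": "203.0.113.10",
     "userIdentity": USER,
     "requestParameters": {"name": "example.com.", "hostedZoneConfig": {"privateZone": False}}},
    # Private zone (VPC attached): out of scope for this detection.
    {**R53, "eventTime": "2024-01-01T10:05:00Z", "sourceIPAddress": "203.0.113.10",
     "userIdentity": USER,
     "requestParameters": {"name": "internal.example.", "vPC": {"vPCId": "vpc-EXAMPLE"},
                           "hostedZoneConfig": {"privateZone": True}}},
    # Call made by an AWS service on the caller's behalf: exempt.
    {**R53, "eventTime": "2024-01-01T10:10:00Z",
     "sourceIPAddress": "servicediscovery.amazonaws.com",
     "userIdentity": {**USER, "invokedBy": "servicediscovery.amazonaws.com"},
     "requestParameters": {"name": "svc.example.com."}},
    # Denied attempt: no zone was created.
    {**R53, "eventTime": "2024-01-01T10:15:00Z", "sourceIPAddress": "198.51.100.7",
     "errorCode": "AccessDenied", "userIdentity": USER,
     "requestParameters": {"name": "example.org."}},
]

def is_public_zone_creation(event):
    """True for a successful CreateHostedZone call that is not a private zone."""
    if (event.get("eventSource") != "route53.amazonaws.com"
            or event.get("eventName") != "CreateHostedZone" or event.get("errorCode")):
        return False
    params = event.get("requestParameters") or {}
    config = params.get("hostedZoneConfig") or {}
    return not (config.get("privateZone") or params.get("vPC"))

def created_by_aws_service(event):
    """True when an AWS service made the call itself or on the caller's behalf."""
    identity = event.get("userIdentity") or {}
    return identity.get("type") == "AWSService" or bool(identity.get("invokedBy"))

def public_zone_creations(events):
    """Return who created each public zone, from where, and with what client."""
    return [{"time": e.get("eventTime"),
             "zone": (e.get("requestParameters") or {}).get("name"),
             "principal": (e.get("userIdentity") or {}).get("arn"),
             "source_ip": e.get("sourceIPAddress"),
             "user_agent": e.get("userAgent"), "region": e.get("awsRegion")}
            for e in events
            if is_public_zone_creation(e) and not created_by_aws_service(e)]
```

The returned source IP, user agent and region are the fields to compare against expected values when deciding whether the Low severity condition applies.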