AWS Route 53 domain transfer lock disabled for an account
Description
AlphaSOC detected that an AWS Route 53 domain transfer lock was disabled for an account. This security feature prevents unauthorized transfers of domain ownership through Amazon's Domain Name System (DNS) web service. Disabling it could indicate an attempt to hijack the domain, potentially as part of a larger attack.
Impact
Disabling the domain transfer lock exposes the domain to unauthorized transfers. Adversaries could transfer the domain and then redirect traffic or pose as legitimate services, resulting in loss of domain control, website redirection, and email hijacking. Threat actors could also leverage the transferred domain for malware distribution or to intercept sensitive information intended for the legitimate domain owner.
Severity
| Severity | Condition |
|---|---|
| Informational | Route 53 domain transfer lock disabled |
Investigation and Remediation
Examine AWS CloudTrail logs for the specific API calls that disabled the lock. Verify that this action was authorized, and if it wasn't, immediately re-enable the transfer lock. Review recent changes to the domain's DNS settings and registration information.
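The triage steps above can be run over exported CloudTrail records as follows. This is an added example, not AlphaSOC's detection logic: it pairs each successful `DisableDomainTransferLock` call with any later `EnableDomainTransferLock` for the same domain and lists registration or DNS changes made while the lock was off. It assumes the domain appears as `requestParameters.domainName`; the function names and sample records are constructed for illustration.

```python
SOURCE = "route53domains.amazonaws.com"
DISABLE, ENABLE = "DisableDomainTransferLock", "EnableDomainTransferLock"
# Route 53 Domains operations that change registration data or DNS delegation
FOLLOW_UP = {"RetrieveDomainAuthCode", "UpdateDomainNameservers",
             "UpdateDomainContact", "TransferDomainToAnotherAwsAccount"}

def review_lock_changes(records):
    """Return one finding per successful lock disable, in time order."""
    findings, unlocked = [], {}   # unlocked: domain -> finding still open
    events = [r for r in records if r.get("eventSource") == SOURCE]
    for rec in sorted(events, key=lambda r: r["eventTime"]):
        if rec.get("errorCode"):  # denied or failed calls changed nothing
            continue
        # Assumption: the domain is logged as requestParameters.domainName
        domain = (rec.get("requestParameters") or {}).get("domainName", "").lower()
        name = rec["eventName"]
        if name == DISABLE and domain not in unlocked:
            finding = {"domain": domain, "time": rec["eventTime"],
                       "actor": rec.get("userIdentity", {}).get("arn"),
                       "source_ip": rec.get("sourceIPAddress"),
                       "relocked": False, "follow_up": []}
            findings.append(finding)
            unlocked[domain] = finding
        elif name == ENABLE and domain in unlocked:
            unlocked.pop(domain)["relocked"] = True
        elif name in FOLLOW_UP and domain in unlocked:
            unlocked[domain]["follow_up"].append(name)
    return findings

def _rec(time, name, domain, user, error=None):
    """Build a constructed CloudTrail-style record (not real log data)."""
    return {"eventSource": SOURCE, "eventTime": time, "eventName": name,
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"},
            "sourceIPAddress": "198.51.100.7",
            "requestParameters": {"domainName": domain},
            **({"errorCode": error} if error else {})}

# Constructed sample, deliberately out of order to show the time sort
SAMPLE = [
    _rec("2024-05-02T09:30:00Z", ENABLE, "example.net", "bob"),
    _rec("2024-05-01T10:05:00Z", "RetrieveDomainAuthCode", "example.com", "alice"),
    _rec("2024-05-01T10:00:00Z", DISABLE, "example.com", "alice"),
    _rec("2024-05-01T11:00:00Z", DISABLE, "example.org", "carol", "AccessDenied"),
    _rec("2024-05-02T09:00:00Z", DISABLE, "example.net", "bob"),
]

if __name__ == "__main__":
    for f in review_lock_changes(SAMPLE):
        print(f)
```

A finding with `relocked` set to `False` and a non-empty `follow_up` list is the one to escalate first. The Route 53 Domains API is served from us-east-1, so look for these events in that Region's trail.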