AWS Route 53 domain transfer lock disabled for an account

ID: aws_route53_transfer_lock_disabled
Data type: AWS CloudTrail
Severity: Informational
MITRE ATT&CK: TA0004:T1098

Description

AlphaSOC detected that an AWS Route 53 domain transfer lock was disabled for an account. This security feature prevents unauthorized transfers of domain ownership through Amazon's Domain Name System (DNS) web service. Disabling it could indicate an attempt to hijack the domain, potentially as part of a larger attack.

Impact

Disabling the domain transfer lock exposes the domain to unauthorized transfers. Adversaries who transfer the domain could redirect traffic or pose as legitimate services, resulting in loss of domain control, website redirection, and email hijacking. Threat actors could also leverage the transferred domain for malware distribution or to intercept sensitive information intended for the legitimate domain owner.

Severity

Severity: Informational
Condition: Route 53 domain transfer lock disabled

Investigation and Remediation

Examine AWS CloudTrail logs for the specific API calls that disabled the lock. Verify that this action was authorized, and if it wasn't, immediately re-enable the transfer lock. Review recent changes to the domain's DNS settings and registration information.
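
One way to run the CloudTrail check described above, as an added example (not AlphaSOC's detection logic): it pairs each successful `DisableDomainTransferLock` call with a later `EnableDomainTransferLock` for the same domain and lists registration-related calls made while the lock was off. It assumes the `route53domains.amazonaws.com` event source and a `domainName` request parameter; the records, account ID, users and IP addresses are constructed sample data.

```python
SOURCE = "route53domains.amazonaws.com"
# Registration-related calls worth reviewing when they follow an unlock.
FOLLOW_UP = {"RetrieveDomainAuthCode", "TransferDomainToAnotherAwsAccount",
             "UpdateDomainContact", "UpdateDomainNameservers"}

def _rec(time, name, domain, user, ip, **extra):
    """Build a constructed CloudTrail-style record (sample data only)."""
    return {"eventTime": time, "eventSource": SOURCE, "eventName": name,
            "requestParameters": {"domainName": domain},  # assumed key name
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"},
            "sourceIPAddress": ip, **extra}

SAMPLE_RECORDS = [
    _rec("2024-05-01T10:00:00Z", "DisableDomainTransferLock", "example.com", "alice", "198.51.100.7"),
    _rec("2024-05-01T10:07:00Z", "RetrieveDomainAuthCode", "example.com", "alice", "198.51.100.7"),
    _rec("2024-05-01T09:00:00Z", "DisableDomainTransferLock", "example.org", "bob", "203.0.113.9"),
    _rec("2024-05-01T09:05:00Z", "EnableDomainTransferLock", "example.org", "bob", "203.0.113.9"),
    _rec("2024-05-01T11:00:00Z", "DisableDomainTransferLock", "example.net", "carol", "203.0.113.9",
         errorCode="AccessDenied"),  # failed call: lock state unchanged
]

def review_transfer_locks(records):
    """Return one finding per domain for its most recent successful unlock."""
    findings = {}
    ok = [r for r in records
          if r.get("eventSource") == SOURCE and "errorCode" not in r]
    # CloudTrail eventTime is ISO 8601 UTC, so string order is time order.
    for rec in sorted(ok, key=lambda r: r["eventTime"]):
        name = rec["eventName"]
        domain = (rec.get("requestParameters") or {}).get("domainName", "").lower()
        if name == "DisableDomainTransferLock":
            findings[domain] = {
                "domain": domain, "disabled_at": rec["eventTime"],
                "actor": rec.get("userIdentity", {}).get("arn"),
                "source_ip": rec.get("sourceIPAddress"),
                "relocked_at": None, "follow_up": []}
        elif domain in findings and findings[domain]["relocked_at"] is None:
            if name == "EnableDomainTransferLock":
                findings[domain]["relocked_at"] = rec["eventTime"]
            elif name in FOLLOW_UP:
                findings[domain]["follow_up"].append(name)
    return list(findings.values())

def still_unlocked(records):
    """Domains whose lock was disabled and not re-enabled in these records."""
    return [f for f in review_transfer_locks(records) if f["relocked_at"] is None]

if __name__ == "__main__":
    for f in still_unlocked(SAMPLE_RECORDS):
        print(f["domain"], f["disabled_at"], f["actor"], f["source_ip"], f["follow_up"])
```

Domains returned by `still_unlocked` are the ones to verify and re-lock first; a non-empty `follow_up` list marks where registration or DNS changes followed the unlock.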