AWS Route 53 Private Hosted Zone Associated With a VPC

Identifies when an AWS Route 53 private hosted zone is associated with a new Virtual Private Cloud (VPC). Private hosted zones restrict DNS resolution to specific VPCs, and associating additional VPCs expands the scope of what networks can resolve internal DNS records. Adversaries with sufficient permissions may associate unauthorized VPCs to intercept, observe, or reroute internal traffic, establish persistence, or expand their visibility within an AWS environment.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2021/07/19"
integration = ["aws"]
maturity = "production"
updated_date = "2025/12/10"

[rule]
author = ["Austin Songer", "Elastic"]
description = """
Identifies when an AWS Route 53 private hosted zone is associated with a new Virtual Private Cloud (VPC). Private hosted
zones restrict DNS resolution to specific VPCs, and associating additional VPCs expands the scope of what networks can
resolve internal DNS records. Adversaries with sufficient permissions may associate unauthorized VPCs to intercept,
observe, or reroute internal traffic, establish persistence, or expand their visibility within an AWS environment.
"""
false_positives = [
    """
    Private hosted zones may be legitimately associated with VPCs by network or infrastructure administrators. Verify
    whether the user identity, user agent, and source IP address align with expected administrative behavior. Known and
    authorized associations may be exempted to reduce noise.
    """,
]
from = "now-6m"
index = ["filebeat-*", "logs-aws.cloudtrail-*"]
language = "kuery"
license = "Elastic License v2"
name = "AWS Route 53 Private Hosted Zone Associated With a VPC"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating AWS Route 53 Private Hosted Zone Associated With a VPC

Route 53 private hosted zones provide internal DNS capabilities accessible only to the VPCs explicitly associated with
them. Associating a new VPC expands DNS visibility and access. If an adversary gains sufficient IAM permissions, they may
attach unauthorized VPCs to privileged hosted zones to perform internal reconnaissance, intercept service discovery,
redirect traffic, or gain persistence by manipulating internal name resolution.

This rule detects successful `AssociateVPCWithHostedZone` events where a hosted zone's visibility scope is modified.

### Possible investigation steps

- **Identify the Actor**
  - Review `aws.cloudtrail.user_identity.arn` and `access_key_id` to determine who initiated the association. Validate whether this identity is expected to manage Route 53 or VPC networking.

- **Review Request Details**
  - Examine `aws.cloudtrail.request_parameters` to confirm which hosted zone and VPC were associated. Determine if the hosted zone contains sensitive internal service records, privileged DNS, or identity service endpoints.

- **Validate the VPC**
  - Identify whether the associated VPC belongs to an authorized environment (e.g., known production, staging, or internal networks). Check for unusual VPC creation events, cross-account VPC behavior, or recently observed anomalous resource provisioning.

- **Assess Source Context**
  - Inspect `source.ip` and `user_agent.original` for geographic anomalies, automation patterns, or suspicious tooling.
  - Look for correlations with unusual IAM activity, privilege escalations, or policy modifications.

- **Correlate With Broader Activity**
  - Search for additional changes involving the same identity, including:
    - Route 53 hosted zone modifications
    - VPC peering creation
    - Network ACL or security group changes
    - IAM privilege modifications
  - Identify whether this association is part of a larger sequence suggesting lateral movement or internal reconnaissance.

- **Engage Relevant Teams**
  - If initiated by a user, confirm intent with networking or cloud infrastructure teams. Validate whether the association aligns with deployment, migration, or environment expansion activities.

### False positive analysis

- **Routine Infrastructure Updates**
  - Associations may occur during normal environment expansions (new VPC for microservices, deployments, region expansion).

- **Automated Tooling**
  - Infrastructure-as-code pipelines (Terraform, CloudFormation, CDK) may regularly modify hosted zone associations.
  - If confirmed legitimate, consider excluding specific automation IAM roles.

- **Migration or Restructuring Events**
  - Large-scale cloud migrations or VPC re-architecture work may trigger frequent legitimate associations.

### Response and remediation

- **Revoke Unauthorized Access**
  - If the association is unauthorized, review and restrict IAM permissions for the actor.
  - Remove the VPC association if it is not intended.

- **Investigate Potential Impact**
  - Review internal DNS query logs and VPC flow logs for any misuse, suspicious lookups, or unauthorized cross-VPC traffic.

- **Strengthen IAM Controls**
  - Limit `route53:AssociateVPCWithHostedZone` to specific administrative roles.
  - Require MFA for accounts with Route 53 and VPC modification permissions.

- **Monitor for Related Activity**
  - Add monitoring for other hosted zone modifications, new VPC creation, and cross-account network configurations.

- **Communicate and Document**
  - Notify cloud networking and security operations of unauthorized changes.
  - Document findings and update policy controls or automation baselines.

### Additional information
- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)**
- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)**
- **[AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/)**
"""
references = ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_AssociateVPCWithHostedZone.html"]
risk_score = 47
rule_id = "e3c27562-709a-42bd-82f2-3ed926cced19"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Data Source: AWS Route 53",
    "Use Case: Asset Visibility",
    "Tactic: Persistence",
    "Tactic: Resource Development",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: aws.cloudtrail
    and event.provider: route53.amazonaws.com
    and event.action: AssociateVPCWithHostedZone
    and event.outcome: success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1583"
name = "Acquire Infrastructure"
reference = "https://attack.mitre.org/techniques/T1583/"
[[rule.threat.technique.subtechnique]]
id = "T1583.001"
name = "Domains"
reference = "https://attack.mitre.org/techniques/T1583/001/"



[rule.threat.tactic]
id = "TA0042"
name = "Resource Development"
reference = "https://attack.mitre.org/tactics/TA0042/"

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user_agent.original",
    "source.ip",
    "aws.cloudtrail.user_identity.arn",
    "aws.cloudtrail.user_identity.type",
    "aws.cloudtrail.user_identity.access_key_id",
    "event.action",
    "event.outcome",
    "cloud.account.id",
    "cloud.region",
    "aws.cloudtrail.request_parameters",
    "aws.cloudtrail.response_elements",
]
