AWS Route 53 Private Hosted Zone Associated With a VPC

  1[metadata]
  2creation_date = "2021/07/19"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2026/01/16"
  6
  7[rule]
  8author = ["Austin Songer", "Elastic"]
  9description = """
 10Identifies when an AWS Route 53 private hosted zone is associated with a new Virtual Private Cloud (VPC). Private hosted
 11zones restrict DNS resolution to specific VPCs, and associating additional VPCs expands the scope of what networks can
 12resolve internal DNS records. Adversaries with sufficient permissions may associate unauthorized VPCs to intercept,
 13observe, or reroute internal traffic, establish persistence, or expand their visibility within an AWS environment.
 14"""
 15false_positives = [
 16    """
 17    Private hosted zones may be legitimately associated with VPCs by network or infrastructure administrators. Verify
 18    whether the user identity, user agent, and source IP address align with expected administrative behavior. Known and
 19    authorized associations may be exempted to reduce noise.
 20    """,
 21]
 22from = "now-6m"
 23index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 24language = "kuery"
 25license = "Elastic License v2"
 26name = "AWS Route 53 Private Hosted Zone Associated With a VPC"
 27note = """## Triage and analysis
 28
 29### Investigating AWS Route 53 Private Hosted Zone Associated With a VPC
 30
 31Route 53 private hosted zones provide internal DNS capabilities accessible only to the VPCs explicitly associated with
 32them. Associating a new VPC expands DNS visibility and access. If an adversary gains sufficient IAM permissions, they may
 33attach unauthorized VPCs to privileged hosted zones to perform internal reconnaissance, intercept service discovery,
 34redirect traffic, or gain persistence by manipulating internal name resolution.
 35
 36This rule detects successful `AssociateVPCWithHostedZone` events where a hosted zone's visibility scope is modified.
 37
 38### Possible investigation steps
 39
 40- **Identify the Actor**
 41  - Review `aws.cloudtrail.user_identity.arn` and `access_key_id` to determine who initiated the association. Validate whether this identity is expected to manage Route 53 or VPC networking.
 42
 43- **Review Request Details**
 44  - Examine `aws.cloudtrail.request_parameters` to confirm which hosted zone and VPC were associated. Determine if the hosted zone contains sensitive internal service records, privileged DNS, or identity service endpoints.
 45
 46- **Validate the VPC**
 47  - Identify whether the associated VPC belongs to an authorized environment (e.g., known production, staging, or internal networks). Check for unusual VPC creation events, cross-account VPC behavior, or recently observed anomalous resource provisioning.
 48
 49- **Assess Source Context**
 50  - Inspect `source.ip` and `user_agent.original` for geographic anomalies, automation patterns, or suspicious tooling.
 51  - Look for correlations with unusual IAM activity, privilege escalations, or policy modifications.
 52
 53- **Correlate With Broader Activity**
 54  - Search for additional changes involving the same identity, including:
 55    - Route 53 hosted zone modifications
 56    - VPC peering creation
 57    - Network ACL or security group changes
 58    - IAM privilege modifications
 59  - Identify whether this association is part of a larger sequence suggesting lateral movement or internal reconnaissance.
 60
 61- **Engage Relevant Teams**
 62  - If initiated by a user, confirm intent with networking or cloud infrastructure teams. Validate whether the association aligns with deployment, migration, or environment expansion activities.
 63
 64### False positive analysis
 65
 66- **Routine Infrastructure Updates**
 67  - Associations may occur during normal environment expansions (new VPC for microservices, deployments, region expansion).
 68
 69- **Automated Tooling**
 70  - Infrastructure-as-code pipelines (Terraform, CloudFormation, CDK) may regularly modify hosted zone associations.
 71  - If confirmed legitimate, consider excluding specific automation IAM roles.
 72
 73- **Migration or Restructuring Events**
 74  - Large-scale cloud migrations or VPC re-architecture work may trigger frequent legitimate associations.
 75
 76### Response and remediation
 77
 78- **Revoke Unauthorized Access**
 79  - If the association is unauthorized, review and restrict IAM permissions for the actor.
 80  - Remove the VPC association if it is not intended.
 81
 82- **Investigate Potential Impact**
 83  - Review internal DNS query logs and VPC flow logs for any misuse, suspicious lookups, or unauthorized cross-VPC traffic.
 84
 85- **Strengthen IAM Controls**
 86  - Limit `route53:AssociateVPCWithHostedZone` to specific administrative roles.
 87  - Require MFA for accounts with Route 53 and VPC modification permissions.
 88
 89- **Monitor for Related Activity**
 90  - Add monitoring for other hosted zone modifications, new VPC creation, and cross-account network configurations.
 91
 92- **Communicate and Document**
 93  - Notify cloud networking and security operations of unauthorized changes.
 94  - Document findings and update policy controls or automation baselines.
 95
 96### Additional information
 97- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** 
 98- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** 
 99- **[AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/)**
100"""
101references = ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_AssociateVPCWithHostedZone.html"]
102risk_score = 47
103rule_id = "e3c27562-709a-42bd-82f2-3ed926cced19"
104severity = "medium"
105tags = [
106    "Domain: Cloud",
107    "Data Source: AWS",
108    "Data Source: Amazon Web Services",
109    "Data Source: AWS Route 53",
110    "Use Case: Asset Visibility",
111    "Tactic: Persistence",
112    "Tactic: Resource Development",
113    "Resources: Investigation Guide",
114]
115timestamp_override = "event.ingested"
116type = "query"
117
118query = '''
119event.dataset: aws.cloudtrail 
120    and event.provider: route53.amazonaws.com 
121    and event.action: AssociateVPCWithHostedZone 
122    and event.outcome: success
123'''
124
125
126[[rule.threat]]
127framework = "MITRE ATT&CK"
128[[rule.threat.technique]]
129id = "T1098"
130name = "Account Manipulation"
131reference = "https://attack.mitre.org/techniques/T1098/"
132
133
134[rule.threat.tactic]
135id = "TA0003"
136name = "Persistence"
137reference = "https://attack.mitre.org/tactics/TA0003/"
138[[rule.threat]]
139framework = "MITRE ATT&CK"
140[[rule.threat.technique]]
141id = "T1583"
142name = "Acquire Infrastructure"
143reference = "https://attack.mitre.org/techniques/T1583/"
144[[rule.threat.technique.subtechnique]]
145id = "T1583.001"
146name = "Domains"
147reference = "https://attack.mitre.org/techniques/T1583/001/"
148
149
150
151[rule.threat.tactic]
152id = "TA0042"
153name = "Resource Development"
154reference = "https://attack.mitre.org/tactics/TA0042/"
155
156[rule.investigation_fields]
157field_names = [
158    "@timestamp",
159    "user.name",
160    "user_agent.original",
161    "source.ip",
162    "aws.cloudtrail.user_identity.arn",
163    "aws.cloudtrail.user_identity.type",
164    "aws.cloudtrail.user_identity.access_key_id",
165    "event.action",
166    "event.outcome",
167    "cloud.account.id",
168    "cloud.region",
169    "aws.cloudtrail.request_parameters",
170    "aws.cloudtrail.response_elements",
171]