AWS Route53 private hosted zone associated with a VPC

Identifies when a Route53 private hosted zone has been associated with VPC.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2021/07/19"
 3integration = ["aws"]
 4maturity = "production"
 5updated_date = "2025/01/15"
 6
 7[rule]
 8author = ["Austin Songer"]
 9description = "Identifies when a Route53 private hosted zone has been associated with VPC."
10false_positives = [
11    """
12    A private hosted zone may be asssociated with a VPC by a system or network administrator. Verify whether the user
13    identity, user agent, and/or hostname should be making changes in your environment. If known behavior is causing
14    false positives, it can be exempted from the rule.
15    """,
16]
17from = "now-60m"
18index = ["filebeat-*", "logs-aws.cloudtrail-*"]
19interval = "10m"
20language = "kuery"
21license = "Elastic License v2"
22name = "AWS Route53 private hosted zone associated with a VPC"
23note = """## Triage and analysis
24
25> **Disclaimer**:
26> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
27
28### Investigating AWS Route53 private hosted zone associated with a VPC
29
30AWS Route53 private hosted zones allow for DNS management within a Virtual Private Cloud (VPC), ensuring internal resources are accessible only within the VPC. Adversaries might exploit this by associating unauthorized VPCs to intercept or reroute traffic. The detection rule identifies successful associations of VPCs with hosted zones, signaling potential misuse or unauthorized access attempts.
31
32### Possible investigation steps
33
34- Review the CloudTrail logs for the event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com to gather details about the AssociateVPCWithHostedZone action, including the time of the event and the identity of the user or role that performed the action.
35- Verify the event.outcome:success to confirm that the association was successful and identify the specific VPC and hosted zone involved in the association.
36- Check the AWS IAM policies and permissions of the user or role that initiated the association to ensure they have the appropriate level of access and determine if the action aligns with their expected responsibilities.
37- Investigate the associated VPC to determine if it is authorized and expected to be linked with the private hosted zone. Look for any unusual or unauthorized VPCs that may indicate potential misuse.
38- Review recent changes or activities in the AWS account to identify any other suspicious actions or patterns that could suggest a broader security incident or compromise.
39
40### False positive analysis
41
42- Routine infrastructure changes may trigger this rule when legitimate VPCs are associated with private hosted zones during regular operations. To manage this, maintain an updated list of authorized VPCs and compare them against the detected associations.
43- Automated deployment tools or scripts that frequently associate VPCs with hosted zones can cause false positives. Identify these tools and create exceptions for their known activities to reduce noise.
44- Development and testing environments often involve frequent changes and associations of VPCs with hosted zones. Consider excluding these environments from the rule or setting up a separate monitoring policy with adjusted thresholds.
45- Scheduled maintenance or updates might involve temporary associations of VPCs with hosted zones. Document these schedules and incorporate them into the monitoring system to prevent false alerts during these periods.
46
47### Response and remediation
48
49- Immediately isolate the VPC associated with the unauthorized Route53 private hosted zone to prevent further unauthorized access or data exfiltration.
50- Review CloudTrail logs to identify the source and method of the unauthorized VPC association, focusing on the user or role that performed the action.
51- Revoke any unauthorized access or permissions identified during the log review, particularly those related to the IAM roles or users involved in the incident.
52- Conduct a security review of the affected VPC and associated resources to ensure no other configurations have been tampered with or compromised.
53- Notify the security operations team and relevant stakeholders about the incident for further investigation and potential escalation.
54- Implement additional monitoring and alerting for similar events in the future, ensuring that any unauthorized associations are detected promptly.
55- Review and update IAM policies and security group rules to enforce the principle of least privilege, reducing the risk of similar incidents occurring.
56
57## Setup
58
59The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
60references = ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_AssociateVPCWithHostedZone.html"]
61risk_score = 21
62rule_id = "e3c27562-709a-42bd-82f2-3ed926cced19"
63severity = "low"
64tags = [
65    "Domain: Cloud",
66    "Data Source: AWS",
67    "Data Source: Amazon Web Services",
68    "Data Source: AWS Route53",
69    "Use Case: Asset Visibility",
70    "Tactic: Persistence",
71    "Resources: Investigation Guide",
72]
73timestamp_override = "event.ingested"
74type = "query"
75
76query = '''
77event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and
78event.outcome:success
79'''
80
81
82[[rule.threat]]
83framework = "MITRE ATT&CK"
84[[rule.threat.technique]]
85id = "T1098"
86name = "Account Manipulation"
87reference = "https://attack.mitre.org/techniques/T1098/"
88
89
90[rule.threat.tactic]
91id = "TA0003"
92name = "Persistence"
93reference = "https://attack.mitre.org/tactics/TA0003/"

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating AWS Route53 private hosted zone associated with a VPC

AWS Route53 private hosted zones allow for DNS management within a Virtual Private Cloud (VPC), ensuring internal resources are accessible only within the VPC. Adversaries might exploit this by associating unauthorized VPCs to intercept or reroute traffic. The detection rule identifies successful associations of VPCs with hosted zones, signaling potential misuse or unauthorized access attempts.

Possible investigation steps

  • Review the CloudTrail logs for the event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com to gather details about the AssociateVPCWithHostedZone action, including the time of the event and the identity of the user or role that performed the action.
  • Verify the event.outcome:success to confirm that the association was successful and identify the specific VPC and hosted zone involved in the association.
  • Check the AWS IAM policies and permissions of the user or role that initiated the association to ensure they have the appropriate level of access and determine if the action aligns with their expected responsibilities.
  • Investigate the associated VPC to determine if it is authorized and expected to be linked with the private hosted zone. Look for any unusual or unauthorized VPCs that may indicate potential misuse.
  • Review recent changes or activities in the AWS account to identify any other suspicious actions or patterns that could suggest a broader security incident or compromise.

False positive analysis

  • Routine infrastructure changes may trigger this rule when legitimate VPCs are associated with private hosted zones during regular operations. To manage this, maintain an updated list of authorized VPCs and compare them against the detected associations.
  • Automated deployment tools or scripts that frequently associate VPCs with hosted zones can cause false positives. Identify these tools and create exceptions for their known activities to reduce noise.
  • Development and testing environments often involve frequent changes and associations of VPCs with hosted zones. Consider excluding these environments from the rule or setting up a separate monitoring policy with adjusted thresholds.
  • Scheduled maintenance or updates might involve temporary associations of VPCs with hosted zones. Document these schedules and incorporate them into the monitoring system to prevent false alerts during these periods.

Response and remediation

  • Immediately isolate the VPC associated with the unauthorized Route53 private hosted zone to prevent further unauthorized access or data exfiltration.
  • Review CloudTrail logs to identify the source and method of the unauthorized VPC association, focusing on the user or role that performed the action.
  • Revoke any unauthorized access or permissions identified during the log review, particularly those related to the IAM roles or users involved in the incident.
  • Conduct a security review of the affected VPC and associated resources to ensure no other configurations have been tampered with or compromised.
  • Notify the security operations team and relevant stakeholders about the incident for further investigation and potential escalation.
  • Implement additional monitoring and alerting for similar events in the future, ensuring that any unauthorized associations are detected promptly.
  • Review and update IAM policies and security group rules to enforce the principle of least privilege, reducing the risk of similar incidents occurring.

Setup

The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

Related rules

to-top