Ensure S3 Bucket exists for CNAME records routing traffic to an S3 Bucket website endpoint

A domain with a CNAME record that directs its traffic to an S3 Bucket website endpoint is exposed to domain takeover if no matching S3 Bucket exists. S3 bucket names are global and the website endpoint selects the bucket by the request's Host header, so anyone can create a bucket named after the record in their own AWS account and serve arbitrary content under the domain.

Risk Level: Critical
Cloud Entity: Route53RecordSetGroup
CloudGuard Rule ID: D9.AWS.DNS.06
Category: Networking & Content Delivery

GSL LOGIC

Route53RecordSetGroup where recordSets contain [ records contain [ assetMetadata.type='S3Bucket'] ] should have recordSets contain [ records contain-all [ assetMetadata.type='S3Bucket' and assetMetadata.exists=true] ]

REMEDIATION

From Portal

  1. Go to 'Route 53'
  2. In the menu choose 'Hosted zones' and select the relevant domain name
  3. Delete the CNAME record that routes its traffic to a non-existent S3 Bucket website endpoint
    *Alternative: Create a new S3 Bucket, in an account you control, with a name identical to the record's domain/subdomain
    Note: S3 website endpoints resolve the bucket from the Host header, so the bucket name must be identical to the full record name (a record for a subdomain needs a bucket named exactly like that subdomain)

From TF
To delete the vulnerable CNAME record, remove the relevant Terraform resource (the aws_route53_record whose type is "CNAME" and whose records value is an S3 website endpoint such as s3-website-REGION.amazonaws.com):

resource "aws_route53_record" "route53_record_example" {
	..
	type = "CNAME"
	..
}

From Command Line
To list all record sets in a hosted zone, use:

aws route53 list-resource-record-sets --hosted-zone-id HOSTED-ZONE-ID

To delete a record set, use the following command with a change batch whose Action is DELETE; the ResourceRecordSet in the batch must repeat the existing record exactly (name, type, TTL and values), or the API rejects the change:

aws route53 change-resource-record-sets --hosted-zone-id HOSTED-ZONE-ID --change-batch CHANGE-BATCH-STRUCTURE
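The following Python script is an added example (not part of the CloudGuard documentation or the GSL rule) that automates the command-line procedure above: it takes the JSON produced by list-resource-record-sets, picks out CNAME records whose target is an S3 website endpoint, checks whether a bucket named after the record still exists, and builds the change batch that deletes the dangling ones. It assumes boto3 is installed and that the caller's credentials allow s3:HeadBucket; the hosted zone data and the set of existing buckets shown are constructed so the script runs offline.

```python
"""Find Route 53 CNAME records pointing at S3 website endpoints whose bucket
no longer exists, and build the DELETE change batch that removes them."""
import json
import re
from typing import Callable, Dict, List

# Matches S3 static website endpoints in both hyphen and dot forms, with or
# without a leading bucket label, e.g.
#   s3-website-us-east-1.amazonaws.com
#   s3-website.eu-central-1.amazonaws.com
#   my-bucket.s3-website-us-east-1.amazonaws.com
S3_WEBSITE_ENDPOINT = re.compile(
    r"^(?:[a-z0-9.-]+\.)?s3-website[.-](?P<region>[a-z0-9-]+)\.amazonaws\.com\.?$",
    re.IGNORECASE,
)


def bucket_exists_boto3(bucket: str) -> bool:
    """Existence check via s3:HeadBucket (assumes boto3 and AWS credentials).
    404 means no bucket of that name exists in any account, i.e. the name is
    free for an attacker to claim. 403 or 301 means the bucket exists (in
    another account or region) and cannot be taken over."""
    import boto3
    from botocore.exceptions import ClientError

    try:
        boto3.client("s3").head_bucket(Bucket=bucket)
        return True
    except ClientError as err:
        return err.response["Error"]["Code"] != "404"


def s3_website_target(rrset: Dict) -> bool:
    """True if the record set is a CNAME whose value is an S3 website endpoint."""
    if rrset.get("Type") != "CNAME":
        return False
    return any(S3_WEBSITE_ENDPOINT.match(r["Value"]) for r in rrset.get("ResourceRecords", []))


def expected_bucket(rrset: Dict) -> str:
    """S3 picks the bucket from the HTTP Host header, which carries the original
    hostname, so the bucket must be named after the record itself, not after
    any label that happens to prefix the CNAME target."""
    return rrset["Name"].rstrip(".")


def find_dangling(rrsets: List[Dict],
                  bucket_exists: Callable[[str], bool] = bucket_exists_boto3) -> List[Dict]:
    """Return the record sets that point at an S3 website endpoint with no bucket."""
    return [r for r in rrsets if s3_website_target(r) and not bucket_exists(expected_bucket(r))]


def delete_change_batch(rrsets: List[Dict]) -> Dict:
    """Build the --change-batch document for `aws route53 change-resource-record-sets`.
    A DELETE must repeat the record set exactly (Name, Type, TTL, ResourceRecords)."""
    return {
        "Comment": "Remove CNAME records pointing at non-existent S3 website buckets",
        "Changes": [{"Action": "DELETE", "ResourceRecordSet": r} for r in rrsets],
    }


# Constructed sample shaped like `aws route53 list-resource-record-sets` output.
SAMPLE_ZONE = {
    "ResourceRecordSets": [
        {"Name": "example.com.", "Type": "NS", "TTL": 172800,
         "ResourceRecords": [{"Value": "ns-1.awsdns-00.org."}]},
        {"Name": "assets.example.com.", "Type": "CNAME", "TTL": 300,
         "ResourceRecords": [{"Value": "s3-website-us-east-1.amazonaws.com"}]},
        {"Name": "old-static.example.com.", "Type": "CNAME", "TTL": 300,
         "ResourceRecords": [{"Value": "old-static.example.com.s3-website.eu-central-1.amazonaws.com"}]},
        {"Name": "www.example.com.", "Type": "CNAME", "TTL": 300,
         "ResourceRecords": [{"Value": "d111111abcdef8.cloudfront.net"}]},
    ]
}

# Constructed stand-in for HeadBucket: only the assets bucket still exists.
EXISTING_BUCKETS = {"assets.example.com"}


def fake_bucket_exists(bucket: str) -> bool:
    return bucket in EXISTING_BUCKETS


def main() -> None:
    dangling = find_dangling(SAMPLE_ZONE["ResourceRecordSets"], fake_bucket_exists)
    for r in dangling:
        print(f"dangling: {r['Name']} -> {r['ResourceRecords'][0]['Value']}")
    # Save this JSON to a file and pass it as
    #   --change-batch file://batch.json  (with the real --hosted-zone-id)
    print(json.dumps(delete_change_batch(dangling), indent=2))


if __name__ == "__main__":
    main()
```

Against live data, pipe the output of list-resource-record-sets into find_dangling with the default bucket_exists_boto3 checker; only a 404 from HeadBucket is treated as dangling, because a 403 or 301 still proves the name is taken.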

References

  1. https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/rrsets-working-with.html
  2. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/route53/list-resource-record-sets.html
  4. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/route53/change-resource-record-sets.html

Route53RecordSetGroup

The Route53RecordSetGroup is a complex type that contains an optional comment, the name and ID of the hosted zone that you want to make changes in, and values for the resource record sets that you want to create. You can't use AWS CloudFormation to update or delete records.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS Default Ruleset