Ensure S3 Bucket exists for CNAME records routing traffic to an S3 Bucket website endpoint
A domain with a CNAME record that directs its traffic to an S3 Bucket website endpoint is exposed to domain takeover if no matching S3 Bucket exists: S3 website hosting selects the bucket by the requested host name, so whoever creates a bucket with that name receives the domain's traffic.
Risk Level: Critical
Cloud Entity: Route53RecordSetGroup
CloudGuard Rule ID: D9.AWS.DNS.06
Category: Networking & Content Delivery
GSL LOGIC
Route53RecordSetGroup where recordSets contain [ records contain [ assetMetadata.type='S3Bucket'] ] should have recordSets contain [ records contain-all [ assetMetadata.type='S3Bucket' and assetMetadata.exists=true] ]
REMEDIATION
From Portal
- Go to 'Route 53'
- In the menu choose 'Hosted zones' and select the relevant domain name
- Delete the CNAME record that routes its traffic to a non-existent S3 Bucket website endpoint
*Alternative: Create a new S3 Bucket with a name identical to your domain/subdomain
Note: AWS Route 53 expects the S3 bucket name to be identical to the subdomain
From TF
To delete the vulnerable CNAME record, remove the relevant Terraform resource:
resource "aws_route53_record" "route53_record_example" {
..
type = "CNAME"
..
}
From Command Line
To list all record sets in a hosted zone, use:
aws route53 list-resource-record-sets --hosted-zone-id HOSTED-ZONE-ID
To delete a record set, use:
aws route53 change-resource-record-sets --hosted-zone-id HOSTED-ZONE-ID --change-batch CHANGE-BATCH-STRUCTURE
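As an added example (not CloudGuard's code and not the rule engine that evaluates the GSL logic above), the following Python script re-implements the check over the JSON shape that aws route53 list-resource-record-sets returns, and builds the CHANGE-BATCH-STRUCTURE that change-resource-record-sets expects for deleting a dangling record. The record sets, the bucket list and the example.test zone are constructed sample data, and the function names are assumptions. The check follows the page's note that the bucket must carry the same name as the record; it goes slightly beyond the page by also flagging a CNAME target that embeds a different bucket name than the record it serves.

```python
import json
import re

# Matches an S3 static-website endpoint in either documented form:
#   <bucket>.s3-website-<region>.amazonaws.com   (dash form)
#   <bucket>.s3-website.<region>.amazonaws.com   (dot form)
# The bucket prefix is optional: a CNAME may point at the bare regional endpoint.
S3_WEBSITE_RE = re.compile(
    r"^(?:(?P<bucket>[a-z0-9.-]+)\.)?s3-website[-.](?P<region>[a-z0-9-]+)\.amazonaws\.com\.?$",
    re.IGNORECASE,
)


def s3_website_target(value):
    """Return (bucket_named_in_target, region) for an S3 website endpoint, else None."""
    m = S3_WEBSITE_RE.match(value.strip())
    if not m:
        return None
    return (m.group("bucket"), m.group("region").lower())


def find_dangling_cnames(record_sets, existing_buckets):
    """Mirror of the GSL rule over a list-resource-record-sets style payload.

    S3 website hosting resolves the bucket from the Host header, so the bucket
    that must exist is named exactly like the record (trailing dot removed).
    Returns only the CNAMEs whose required bucket is missing.
    """
    findings = []
    for rrset in record_sets:
        if rrset.get("Type") != "CNAME":
            continue
        for rr in rrset.get("ResourceRecords", []):
            parsed = s3_website_target(rr["Value"])
            if parsed is None:
                continue  # CNAME to something other than an S3 website endpoint
            target_bucket, region = parsed
            required_bucket = rrset["Name"].rstrip(".").lower()
            if required_bucket in existing_buckets:
                continue
            findings.append({
                "name": rrset["Name"],
                "target": rr["Value"],
                "region": region,
                "required_bucket": required_bucket,
                # A target naming a different bucket than the record is a
                # misconfiguration in its own right, so it is reported alongside.
                "target_bucket_mismatch": (
                    target_bucket is not None and target_bucket.lower() != required_bucket
                ),
            })
    return findings


def delete_change_batch(rrset, comment="Remove dangling CNAME to S3 website endpoint"):
    """Build the --change-batch document for change-resource-record-sets.

    A DELETE must repeat the record exactly as it exists (name, type, TTL and
    values); Route 53 rejects a change that does not match the stored record.
    """
    return {
        "Comment": comment,
        "Changes": [{
            "Action": "DELETE",
            "ResourceRecordSet": {
                "Name": rrset["Name"],
                "Type": rrset["Type"],
                "TTL": rrset["TTL"],
                "ResourceRecords": rrset["ResourceRecords"],
            },
        }],
    }


# Constructed sample in the shape of `aws route53 list-resource-record-sets` output
# (the example.test zone is hypothetical).
SAMPLE_RECORD_SETS = [
    {"Name": "example.test.", "Type": "A", "TTL": 300,
     "ResourceRecords": [{"Value": "192.0.2.10"}]},
    {"Name": "www.example.test.", "Type": "CNAME", "TTL": 300,
     "ResourceRecords": [{"Value": "www.example.test.s3-website-us-east-1.amazonaws.com"}]},
    {"Name": "old-blog.example.test.", "Type": "CNAME", "TTL": 300,
     "ResourceRecords": [{"Value": "old-blog.example.test.s3-website.eu-west-2.amazonaws.com"}]},
    {"Name": "assets.example.test.", "Type": "CNAME", "TTL": 300,
     "ResourceRecords": [{"Value": "cdn.example.test.s3-website-us-east-1.amazonaws.com"}]},
    {"Name": "mail.example.test.", "Type": "CNAME", "TTL": 300,
     "ResourceRecords": [{"Value": "mail.provider.example.net"}]},
]
# Constructed sample of bucket names as returned by `aws s3api list-buckets`.
SAMPLE_BUCKETS = {"www.example.test", "cdn.example.test"}


def main():
    dangling = find_dangling_cnames(SAMPLE_RECORD_SETS, SAMPLE_BUCKETS)
    by_name = {r["Name"]: r for r in SAMPLE_RECORD_SETS}
    for f in dangling:
        print(f"DANGLING {f['name']} -> {f['target']} (bucket {f['required_bucket']} missing)")
        print(json.dumps(delete_change_batch(by_name[f["name"]]), indent=2))


if __name__ == "__main__":
    main()
```

To run it against real data, replace the two samples with the ResourceRecordSets array from list-resource-record-sets and the bucket names from aws s3api list-buckets, then save the printed document and pass it as --change-batch file://delete.json. Only the record name decides which bucket must exist, so a target that names another bucket does not protect the record.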
References
- https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/rrsets-working-with.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/route53/list-resource-record-sets.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/route53/change-resource-record-sets.html
Route53RecordSetGroup
The Route53RecordSetGroup is a complex type that contains an optional comment, the name and ID of the hosted zone that you want to make changes in, and values for the resource record sets that you want to create. You can't use AWS CloudFormation to update or delete records.
Compliance Frameworks
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST v11.0.0
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- CloudGuard AWS Default Ruleset
Updated over 1 year ago