Elastic Security Detection Rules

AWS Route 53 Domain Transfer Lock Disabled

Last updated 15 days ago on 2025-12-10
Created 5 years ago on 2021-05-10

About

Identifies when the transfer lock on an AWS Route 53 domain is disabled. The transfer lock protects domains from being moved to another registrar or AWS account without authorization. Disabling this lock removes an important safeguard against domain hijacking. Adversaries who gain access to domain-management permissions may disable the lock as a precursor to unauthorized domain transfer, takeover, or service disruption.
Tags
Domain: CloudData Source: AWSData Source: Amazon Web ServicesData Source: AWS Route 53Use Case: Asset VisibilityTactic: PersistenceTactic: Resource DevelopmentLanguage: kuery
Severity
high
Risk Score
73
MITRE ATT&CK™

Persistence (TA0003)(external, opens in a new tab or window)

Account Manipulation (T1098)(external, opens in a new tab or window)

Resource Development (TA0042)(external, opens in a new tab or window)

Compromise Infrastructure (T1584)(external, opens in a new tab or window)

False Positive Examples
A domain transfer lock may be intentionally disabled by an authorized administrator to prepare for a planned domain migration or registrar change. Confirm that the action aligns with an approved change request. You may exempt known administrative accounts involved in routine domain operations to reduce noise.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*logs-aws.cloudtrail-*
Related Integrations

aws(external, opens in a new tab or window)

Query
text code block:
event.dataset: aws.cloudtrail 
    and event.provider: route53domains.amazonaws.com 
    and event.action: DisableDomainTransferLock 
    and event.outcome: success

Install detection rules in Elastic Security

Detect AWS Route 53 Domain Transfer Lock Disabled in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).