AWS Route 53 Domain Transferred to Another Account

Last updated 15 days ago on 2025-12-10
Created 5 years ago on 2021-05-10

About

Identifies when an AWS Route 53 domain is transferred to another AWS account. Transferring a domain changes administrative control of the DNS namespace, enabling the receiving account to modify DNS records, route traffic, request certificates, and potentially hijack operational workloads. Adversaries who gain access to privileged IAM users or long-lived credentials may leverage domain transfers to establish persistence, redirect traffic, conduct phishing, or stage infrastructure for broader attacks. This rule detects successful domain transfer requests.
Tags
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS Route 53
Use Case: Asset Visibility
Tactic: Persistence
Tactic: Resource Development
Language: kuery
Severity
high
Risk Score
73
MITRE ATT&CK™

Persistence (TA0003)

Resource Development (TA0042)

False Positive Examples
Internal account restructuring, mergers and acquisitions, or legitimate ownership transfers between business units may involve transferring DNS domains to other AWS accounts. Confirm the transfer is approved and documented in change management processes before taking action. Transfers performed by unfamiliar identities, originating from atypical locations, or outside expected maintenance windows should be investigated.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*
logs-aws.cloudtrail-*
Related Integrations

aws

Query
event.dataset: aws.cloudtrail and event.provider: route53domains.amazonaws.com and event.action: TransferDomainToAnotherAwsAccount and event.outcome: success
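
The query's four conditions applied to constructed sample events, with the destination account checked against an approved list as the false-positive guidance suggests. This is an added example, not part of the Elastic rule; the `aws.cloudtrail.flattened.request_parameters` layout with `domainName` and `accountId` keys, the `APPROVED_DESTINATIONS` allowlist and all sample values are assumptions for illustration.

```python
# Added example: the rule's four query conditions applied to constructed events.
RULE = {
    "event.dataset": "aws.cloudtrail",
    "event.provider": "route53domains.amazonaws.com",
    "event.action": "TransferDomainToAnotherAwsAccount",
    "event.outcome": "success",
}
# Hypothetical allowlist of account IDs approved to receive domains (constructed).
APPROVED_DESTINATIONS = {"111111111111"}

def get(doc, dotted, default=None):
    """Read a dotted field path from a nested document."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur

def matches_rule(doc):
    """True when every field named in the query holds the expected value."""
    return all(get(doc, f) == v for f, v in RULE.items())

def triage(doc):
    """Return review context for a matching event, or None when it does not match."""
    if not matches_rule(doc):
        return None
    # Assumed layout: request parameters as an object with domainName/accountId keys.
    params = get(doc, "aws.cloudtrail.flattened.request_parameters", {})
    params = params if isinstance(params, dict) else {}
    dest = params.get("accountId")
    return {
        "actor": get(doc, "aws.cloudtrail.user_identity.arn"),
        "source_ip": get(doc, "source.ip"),
        "domain": params.get("domainName"),
        "destination_account": dest,
        "approved_destination": dest in APPROVED_DESTINATIONS,
    }

def sample(action, outcome, account_id):
    """Build a constructed, ECS-shaped CloudTrail document for the demo."""
    return {
        "event": {"dataset": "aws.cloudtrail", "provider": "route53domains.amazonaws.com",
                  "action": action, "outcome": outcome},
        "source": {"ip": "203.0.113.10"},
        "aws": {"cloudtrail": {
            "user_identity": {"arn": "arn:aws:iam::123456789012:user/constructed-user"},
            "flattened": {"request_parameters": {"domainName": "example.com", "accountId": account_id}}}},
    }
```

A matching event with `approved_destination` set to false is the case to check against change management first.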

Install detection rules in Elastic Security

Detect AWS Route 53 Domain Transferred to Another Account in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.