Elastic Security Detection Rules

AWS Route 53 Private Hosted Zone Associated With a VPC

Last updated 22 days ago on 2026-01-16
Created 5 years ago on 2021-07-19

About

Identifies when an AWS Route 53 private hosted zone is associated with a new Virtual Private Cloud (VPC). Private hosted zones restrict DNS resolution to specific VPCs, and associating additional VPCs expands the scope of what networks can resolve internal DNS records. Adversaries with sufficient permissions may associate unauthorized VPCs to intercept, observe, or reroute internal traffic, establish persistence, or expand their visibility within an AWS environment.
Tags
Domain: CloudData Source: AWSData Source: Amazon Web ServicesData Source: AWS Route 53Use Case: Asset VisibilityTactic: PersistenceTactic: Resource DevelopmentLanguage: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Persistence (TA0003)(external, opens in a new tab or window)

Account Manipulation (T1098)(external, opens in a new tab or window)

Resource Development (TA0042)(external, opens in a new tab or window)

Acquire Infrastructure (T1583)(external, opens in a new tab or window)

False Positive Examples
Private hosted zones may be legitimately associated with VPCs by network or infrastructure administrators. Verify whether the user identity, user agent, and source IP address align with expected administrative behavior. Known and authorized associations may be exempted to reduce noise.
License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*logs-aws.cloudtrail-*
Related Integrations

aws(external, opens in a new tab or window)

Query
text code block:
event.dataset: aws.cloudtrail 
    and event.provider: route53.amazonaws.com 
    and event.action: AssociateVPCWithHostedZone 
    and event.outcome: success

Install detection rules in Elastic Security

Detect AWS Route 53 Private Hosted Zone Associated With a VPC in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).