AWS Route53 private hosted zone associated with a VPC

Last updated 5 months ago on 2025-01-15
Created 4 years ago on 2021-07-19

About

Identifies when a Route53 private hosted zone has been associated with a VPC.
Tags
Domain: Cloud
Data Source: AWS
Data Source: Amazon Web Services
Data Source: AWS Route53
Use Case: Asset Visibility
Tactic: Persistence
Language: kuery
Severity
low
Risk Score
21
MITRE ATT&CK™

Persistence (TA0003)

False Positive Examples
A private hosted zone may be associated with a VPC by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment; the CloudTrail record's requestParameters also identify the hosted zone and the VPC, so the association can be checked against a planned change. If known behavior is causing false positives, it can be exempted from the rule.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*
logs-aws.cloudtrail-*
Related Integrations

aws

Query
event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and
event.outcome:success
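
The query above is four equality conditions joined by and. The following Python is an added example, not code from the Elastic rule or the AWS integration: it applies those four conditions to hand-constructed events shaped like ECS-normalised CloudTrail records and then drops hits from a role exempted as known administrator behaviour, which is the false-positive handling described above. The field names used for the caller's ARN and the request parameters (aws.cloudtrail.user_identity.arn, aws.cloudtrail.request_parameters) are an assumption about the integration's mapping, as is the requestParameters shape (hostedZoneId, vpc.vpcId), taken from the Route53 API request; the ARNs, zone and VPC identifiers are invented sample data.

```python
"""Evaluate the rule's KQL conditions over constructed CloudTrail events.

Added example, not code from the Elastic rule or the AWS integration. The
field names for the caller ARN and request parameters, and the shape of
requestParameters, are assumptions (see the lead-in above).
"""
from typing import Any, Optional

# Literal translation of the rule query: every field must equal its value.
RULE_CONDITIONS = {
    "event.dataset": "aws.cloudtrail",
    "event.provider": "route53.amazonaws.com",
    "event.action": "AssociateVPCWithHostedZone",
    "event.outcome": "success",
}


def make_event(action: str, outcome: str, arn: str, user_agent: str,
               params: Optional[dict] = None, dataset: str = "aws.cloudtrail",
               provider: str = "route53.amazonaws.com") -> dict:
    """Build one constructed event in nested-ECS form (assumed field layout)."""
    return {
        "event": {"dataset": dataset, "provider": provider,
                  "action": action, "outcome": outcome},
        "user_agent": {"original": user_agent},
        "aws": {"cloudtrail": {"user_identity": {"arn": arn},
                               "request_parameters": params or {}}},
    }


# Constructed identifiers, not real resources.
ZONE_PARAMS = {"hostedZoneId": "Z0000000000EXAMPLE",
               "vpc": {"vpcRegion": "us-east-1", "vpcId": "vpc-0abc123def456"}}
ADMIN = "arn:aws:sts::111122223333:assumed-role/NetworkAdmin/alice"
CONTRACTOR = "arn:aws:iam::111122223333:user/contractor"

# Constructed sample data (not real logs): an expected admin change, an
# unexpected association, a denied attempt, a disassociation, and an
# unrelated dataset that happens to carry the same action name.
SAMPLE_EVENTS = [
    make_event("AssociateVPCWithHostedZone", "success", ADMIN, "aws-cli/2.15.0", ZONE_PARAMS),
    make_event("AssociateVPCWithHostedZone", "success", CONTRACTOR, "Boto3/1.34.0", ZONE_PARAMS),
    make_event("AssociateVPCWithHostedZone", "failure", CONTRACTOR, "Boto3/1.34.0", ZONE_PARAMS),
    make_event("DisassociateVPCFromHostedZone", "success", ADMIN, "aws-cli/2.15.0", ZONE_PARAMS),
    make_event("AssociateVPCWithHostedZone", "success", ADMIN, "aws-cli/2.15.0", ZONE_PARAMS,
               dataset="aws.vpcflow"),
]


def get_field(event: dict, dotted: str) -> Any:
    """Resolve an ECS dotted field name (e.g. "event.action") in a nested dict."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_rule(event: dict) -> bool:
    """True when the event satisfies all four conjuncts of the KQL query."""
    return all(get_field(event, f) == v for f, v in RULE_CONDITIONS.items())


def role_name(arn: Optional[str]) -> Optional[str]:
    """Role from an assumed-role session ARN; None for any other principal."""
    if not arn:
        return None
    resource = arn.split(":", 5)[-1]          # "assumed-role/<Role>/<session>"
    parts = resource.split("/")
    if parts[0] == "assumed-role" and len(parts) >= 2:
        return parts[1]
    return None


def evaluate(events: list, exempt_roles: set) -> list:
    """Apply the rule, then drop hits from roles exempted as known behaviour.

    Each remaining alert carries what the triage guidance asks to check
    (caller, user agent) plus the zone and VPC from requestParameters.
    """
    alerts = []
    for ev in events:
        if not matches_rule(ev):
            continue
        arn = get_field(ev, "aws.cloudtrail.user_identity.arn")
        if role_name(arn) in exempt_roles:
            continue                          # rule exception for a known admin role
        params = get_field(ev, "aws.cloudtrail.request_parameters") or {}
        alerts.append({
            "principal": arn,
            "user_agent": get_field(ev, "user_agent.original"),
            "hosted_zone_id": params.get("hostedZoneId"),
            "vpc_id": (params.get("vpc") or {}).get("vpcId"),
        })
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS, {"NetworkAdmin"}):
        print(alert)
```

With NetworkAdmin exempted, only the association made by the IAM user contractor survives; the failed attempt, the disassociation and the event from another dataset never match the query, so an exception on the principal is the only place where an expected change is filtered out.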

Install detection rules in Elastic Security

Detect a Route53 private hosted zone being associated with a VPC in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.