Rules Contributing to Suspicious AWS Route 53 Activity Alert
The following rules are used to identify suspicious activity within AWS Route 53 logs. Any one or more of these will trigger the Suspicious AWS Route 53 Activity alert. Details for each rule can be viewed by clicking the More Details link in the description.
Title | Description | Rule ID | Query | Log Source | Rule Source | Tactics, Techniques, and Procedures | References | Additional Information |
---|---|---|---|---|---|---|---|---|
AWS Route53 private hosted zone associated with a VPC | Identifies when a Route 53 private hosted zone has been associated with a VPC. | | `{'selection1': {'eventSource': 'route53.amazonaws.com'}, 'selection2': {'eventName': 'AssociateVPCWithHostedZone'}, 'condition': 'selection1 and selection2'}` | Stellar Cyber AWS configured. | Developed internally by Stellar Cyber | | N/A | |
AWS Route 53 Domain Transfer Lock Disabled | Identifies when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar. | | `{'selection1': {'eventSource': 'route53.amazonaws.com'}, 'selection2': {'eventName': 'DisableDomainTransferLock'}, 'condition': 'selection1 and selection2'}` | Stellar Cyber AWS configured. | Developed internally by Stellar Cyber | | N/A | |
AWS Route 53 Domain Transferred to Another Account | Identifies when a request has been made to transfer a Route 53 domain to another AWS account. | | `{'selection1': {'eventSource': 'route53.amazonaws.com'}, 'selection2': {'eventName': 'TransferDomainToAnotherAwsAccount'}, 'condition': 'selection1 and selection2'}` | Stellar Cyber AWS configured. | Developed internally by Stellar Cyber | | N/A | |
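The following is an added example, not Stellar Cyber's code: a small Python evaluator for the selection/condition queries listed above, run over constructed CloudTrail-style records. The function names and sample events are assumptions, and the condition parser also accepts `or`, `not` and parentheses, which goes beyond what these three rules use.

```python
import re

# Queries copied verbatim from the three rules listed above.
RULES = {
    "AWS Route53 private hosted zone associated with a VPC":
        {'selection1': {'eventSource': 'route53.amazonaws.com'}, 'selection2': {'eventName': 'AssociateVPCWithHostedZone'}, 'condition': 'selection1 and selection2'},
    "AWS Route 53 Domain Transfer Lock Disabled":
        {'selection1': {'eventSource': 'route53.amazonaws.com'}, 'selection2': {'eventName': 'DisableDomainTransferLock'}, 'condition': 'selection1 and selection2'},
    "AWS Route 53 Domain Transferred to Another Account":
        {'selection1': {'eventSource': 'route53.amazonaws.com'}, 'selection2': {'eventName': 'TransferDomainToAnotherAwsAccount'}, 'condition': 'selection1 and selection2'},
}

def selection_matches(selection, event):
    """A selection matches when every listed field equals the event's value."""
    return all(event.get(field) == value for field, value in selection.items())

def rule_matches(query, event):
    """Evaluate the query's 'condition' over its named selections."""
    results = {name: selection_matches(sel, event)
               for name, sel in query.items() if name != "condition"}
    expr = []
    for tok in re.findall(r"\(|\)|\w+", query["condition"]):
        if tok in ("and", "or", "not", "(", ")"):
            expr.append(tok)
        elif tok in results:
            expr.append(str(results[tok]))
        else:
            raise ValueError(f"unknown token in condition: {tok!r}")
    # Only True/False, and/or/not and parentheses can reach eval() here.
    return bool(eval(" ".join(expr), {"__builtins__": {}}))

def triggered_rules(event):
    """Return the titles of all rules that fire on a single event record."""
    return [title for title, query in RULES.items() if rule_matches(query, event)]

# Constructed sample records; only the two fields the rules inspect are included.
SAMPLE_EVENTS = [
    {"eventSource": "route53.amazonaws.com", "eventName": "AssociateVPCWithHostedZone"},
    {"eventSource": "route53.amazonaws.com", "eventName": "DisableDomainTransferLock"},
    {"eventSource": "route53.amazonaws.com", "eventName": "ChangeResourceRecordSets"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "AssociateVPCWithHostedZone"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["eventName"], "->", triggered_rules(ev) or "no alert")
```

The last two sample records produce no alert: one has a matching event source but an unlisted event name, the other a listed event name but a different event source, so `selection1 and selection2` fails in both cases.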