a private hosted zone may be asssociated with a vpc by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. if known behavior is causing false positives, it can be exempted from the rule.

source: <a href=https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml>elastic
technicques: T1098

Techniques

Identifies when a Route53 private hosted zone has been associated with VPC.

event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and
event.outcome:success