Private hosted zones may be legitimately associated with VPCs by network or infrastructure administrators. Verify whether the user identity, user agent, and source IP address align with expected administrative behavior. Known and authorized associations may be exempted to reduce noise.

Techniques

Sample rules

AWS Route 53 Private Hosted Zone Associated With a VPC

Description

Identifies when an AWS Route 53 private hosted zone is associated with a new Virtual Private Cloud (VPC). Private hosted zones restrict DNS resolution to specific VPCs, and associating additional VPCs expands the scope of what networks can resolve internal DNS records. Adversaries with sufficient permissions may associate unauthorized VPCs to intercept, observe, or reroute internal traffic, establish persistence, or expand their visibility within an AWS environment.

Detection logic

event.dataset: aws.cloudtrail
    and event.provider: route53.amazonaws.com
    and event.action: AssociateVPCWithHostedZone
    and event.outcome: success
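As an added example that is not part of the LoFP entry or the rule itself, the Python below mirrors the detection logic over constructed CloudTrail records and then applies this page's false-positive guidance: exempt known (hosted zone, VPC) pairs and check identity, source IP and user agent against expected administrative behavior. The allowlist, admin role name, network range and user agents are assumptions, and the requestParameters shape (hostedZoneId, vPC.vPCId) is assumed from Route 53 CloudTrail records.

```python
import ipaddress

# Constructed: approved (hostedZoneId, vpcId) pairs and expected admin identity/network/agents.
AUTHORIZED = {("Z0EXAMPLEZONE", "vpc-0aaa1111")}
ADMIN_ROLE_MARKER = "role/NetworkAdmin"
ADMIN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
ADMIN_AGENTS = ("aws-cli", "terraform")

def matches_rule(ev):
    """Mirror the rule: successful Route 53 AssociateVPCWithHostedZone (errorCode only on failure)."""
    return (ev.get("eventSource") == "route53.amazonaws.com"
            and ev.get("eventName") == "AssociateVPCWithHostedZone"
            and "errorCode" not in ev)

def triage(ev):
    """Apply the false-positive guidance: 'exempt', 'expected_admin' or 'review'."""
    params = ev.get("requestParameters") or {}  # hostedZoneId / vPC.vPCId shape assumed
    pair = (params.get("hostedZoneId"), (params.get("vPC") or {}).get("vPCId"))
    if pair in AUTHORIZED:
        return "exempt"
    arn = (ev.get("userIdentity") or {}).get("arn", "")
    try:  # sourceIPAddress may be a service name such as "AWS Internal", not an IP
        src = ipaddress.ip_address(ev.get("sourceIPAddress", ""))
        from_admin_net = any(src in net for net in ADMIN_NETWORKS)
    except ValueError:
        from_admin_net = False
    agent_ok = ev.get("userAgent", "").lower().startswith(ADMIN_AGENTS)
    if ADMIN_ROLE_MARKER in arn and from_admin_net and agent_ok:
        return "expected_admin"
    return "review"

def review_events(events):
    """Return {eventID: verdict} for every record the rule matches."""
    return {ev["eventID"]: triage(ev) for ev in events if matches_rule(ev)}

def _rec(eid, vpc, arn, ip, agent, error=None):
    """Build a constructed CloudTrail record (not real data) for the demo."""
    ev = {"eventID": eid, "eventSource": "route53.amazonaws.com",
          "eventName": "AssociateVPCWithHostedZone", "userAgent": agent,
          "sourceIPAddress": ip, "userIdentity": {"arn": arn},
          "requestParameters": {"hostedZoneId": "Z0EXAMPLEZONE", "vPC": {"vPCId": vpc}}}
    return {**ev, "errorCode": error} if error else ev

ADMIN = "arn:aws:sts::111122223333:assumed-role/NetworkAdmin/ops"
OTHER = "arn:aws:iam::111122223333:user/contractor"
SAMPLE_EVENTS = [  # constructed
    _rec("e1", "vpc-0aaa1111", ADMIN, "203.0.113.10", "aws-cli/2.15.0"),  # allowlisted pair
    _rec("e2", "vpc-0bbb2222", ADMIN, "203.0.113.10", "aws-cli/2.15.0"),  # routine admin change
    _rec("e3", "vpc-0ccc3333", OTHER, "198.51.100.7", "Boto3/1.34.0"),   # unexpected: escalate
    _rec("e4", "vpc-0ddd4444", OTHER, "198.51.100.7", "Boto3/1.34.0", "AccessDenied"),  # failed call
]
```

Only records that still come back as "review" need an analyst; the failed AccessDenied call is never matched, mirroring event.outcome: success.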