Route 53 DNS record pointing to external or nonexistent S3 bucket


Description

This control identifies misconfigured Amazon Route 53 DNS records that point to external or nonexistent S3 buckets. Such misconfigurations can introduce significant security risks, including unauthorized access or domain hijacking. If a DNS record points to an S3 bucket domain that no longer exists, an attacker can register the bucket name and intercept or manipulate traffic intended for the original destination. This could lead to data breaches, phishing attacks, or distribution of unauthorized content, impacting both security and compliance.

Remediation

To identify the S3 target of a flagged record, inspect the record: if it is a resource record, check its value field; if it is an alias record, check the dns_name field of its alias target.

  • If the offending S3 bucket exists and belongs to an AWS account that you own but is not integrated with Datadog, follow the Datadog AWS integration documentation to onboard the account to Datadog. Ensure that resource collection and Cloud Security are correctly configured.
  • If the offending S3 bucket exists and belongs to a trusted third-party AWS account, mute the finding and leave a comment documenting the justification.
  • If the offending S3 bucket does not exist, refer to the Editing records section of the Amazon Route 53 Developer Guide for instructions on how to delete or modify the offending record.
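The triage above can be automated for a hosted zone. The following is an added example, not Datadog's detection logic or any AWS-provided tool: it extracts the bucket name from a record's value or alias dns_name, probes the bucket with S3 HeadBucket (a 200 means the bucket is accessible to your credentials, a 403 means it exists under another account, a 404 means it does not exist), and maps the result onto the three remediation branches. The record dictionary shape, the sample records, the sample bucket statuses and the hosted zone id placeholder are all constructed for this example; the `boto3` calls (`list_resource_record_sets`, `head_bucket`) are real but only run when the script is executed directly with AWS credentials.

```python
"""Find Route 53 records pointing at external or missing S3 buckets (added example)."""
import re
from typing import Callable, Optional

# Common S3 website and REST endpoint hostnames. The region segment is joined
# with "-" in older regions and "." in newer ones; an optional leading bucket
# label precedes the endpoint (bucket names may themselves contain dots).
_S3_ENDPOINT = re.compile(
    r"^(?:(?P<bucket>.+)\.)?"
    r"(?P<endpoint>s3(?:-website)?(?:[-.][a-z0-9-]+)?\.amazonaws\.com)\.?$"
)


def s3_bucket_for_record(record: dict) -> Optional[str]:
    """Return the S3 bucket a record resolves to, or None if it is not S3-backed.

    Record keys (constructed shape for this example): "name", "type" and either
    "value" (resource record) or "alias_dns_name" (alias target).
    """
    target = record.get("alias_dns_name") or record.get("value")
    if not target:
        return None
    m = _S3_ENDPOINT.match(target.lower())
    if not m:
        return None
    if m.group("bucket"):
        return m.group("bucket")
    # A record pointing at a bare website endpoint is served from the bucket
    # that carries the record's own name (e.g. www.example.com).
    return record["name"].rstrip(".").lower()


def classify(record: dict, bucket_status: Callable[[str], str]) -> str:
    """Map a record onto the remediation branches; bucket_status(bucket) must
    return "owned", "foreign" or "missing"."""
    bucket = s3_bucket_for_record(record)
    if bucket is None:
        return "not-s3"
    status = bucket_status(bucket)
    if status == "missing":
        return "dangling"      # delete or modify the record
    if status == "foreign":
        return "third-party"   # confirm the owner; mute with justification if trusted
    return "owned"             # onboard the owning account into Datadog


def triage(records: list, bucket_status: Callable[[str], str]) -> dict:
    """Classify every record; returns {record name: verdict}."""
    return {r["name"]: classify(r, bucket_status) for r in records}


def bucket_status_via_s3(bucket: str) -> str:
    """Probe a bucket with HeadBucket (requires boto3 and AWS credentials)."""
    import boto3
    from botocore.exceptions import ClientError
    try:
        boto3.client("s3").head_bucket(Bucket=bucket)
        return "owned"
    except ClientError as exc:
        code = exc.response["Error"]["Code"]
        if code in ("404", "NoSuchBucket"):
            return "missing"
        if code in ("403", "AccessDenied", "Forbidden"):
            return "foreign"
        raise


def from_route53(rrset: dict) -> dict:
    """Flatten a Route 53 ResourceRecordSet into the record shape used above."""
    rec = {"name": rrset["Name"], "type": rrset["Type"]}
    if "AliasTarget" in rrset:
        rec["alias_dns_name"] = rrset["AliasTarget"]["DNSName"]
    elif rrset.get("ResourceRecords"):
        rec["value"] = rrset["ResourceRecords"][0]["Value"]
    return rec


# Constructed sample zone: one owned bucket, one deleted bucket, one bucket in
# another account, and one non-S3 alias that must be ignored.
SAMPLE_RECORDS = [
    {"name": "www.example.com.", "type": "A",
     "alias_dns_name": "s3-website-us-east-1.amazonaws.com."},
    {"name": "assets.example.com.", "type": "CNAME",
     "value": "old-assets-bucket.s3-website.eu-west-1.amazonaws.com"},
    {"name": "cdn.example.com.", "type": "CNAME",
     "value": "partner-media.s3.amazonaws.com"},
    {"name": "api.example.com.", "type": "A",
     "alias_dns_name": "d111111abcdef8.cloudfront.net."},
]
SAMPLE_BUCKET_STATUS = {"www.example.com": "owned",
                        "old-assets-bucket": "missing",
                        "partner-media": "foreign"}


def sample_status(bucket: str) -> str:
    """Offline stand-in for bucket_status_via_s3 using the constructed table."""
    return SAMPLE_BUCKET_STATUS.get(bucket, "missing")


if __name__ == "__main__":
    import sys
    import boto3
    zone_id = sys.argv[1] if len(sys.argv) > 1 else "ZONE_ID_PLACEHOLDER"
    r53 = boto3.client("route53")
    pages = r53.get_paginator("list_resource_record_sets").paginate(HostedZoneId=zone_id)
    for page in pages:
        for rrset in page["ResourceRecordSets"]:
            rec = from_route53(rrset)
            verdict = classify(rec, bucket_status_via_s3)
            if verdict != "not-s3":
                print(f"{rec['name']:40} {verdict}")
```

Run it as `python check_s3_records.py <hosted-zone-id>` against a live zone, or call `triage(SAMPLE_RECORDS, sample_status)` offline. A "dangling" verdict is the case the control is built for: the record still answers for your domain while nothing you control sits behind it, so fix or delete it first; "third-party" results need the owner confirmed before the finding is muted.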