AWS Subdomain NS Records are Vulnerable
More Info: Ensure Subdomain NS Records are not Vulnerable
Risk Level: High
Address: Security
Compliance Standards: CBP
Triage and Remediation
Remediation
To remediate vulnerable subdomain NS records in AWS Route53 using the AWS console, follow these steps:
1. Log in to the AWS Management Console.
2. Open the Route53 service.
3. In the navigation pane, select “Hosted zones”.
4. Choose the hosted zone that contains the vulnerable subdomain NS records.
5. Select the checkbox next to the vulnerable subdomain NS record(s) that you want to remediate.
6. Click the “Delete record set” button at the top of the page.
7. Confirm the deletion by clicking the “Delete” button in the pop-up window.
8. Repeat steps 5-7 for all the vulnerable subdomain NS records.
9. Once the vulnerable subdomain NS records are deleted, click the “Create record set” button at the top of the page.
10. In the “Name” field, enter the name of the subdomain for which you want to create NS records.
11. Select “NS - Name Server” from the “Type” dropdown menu.
12. In the “Value” field, enter the name servers (NS records) provided by your DNS hosting provider.
13. Click the “Create” button to create the new NS records.
14. Repeat steps 10-13 for each subdomain that requires NS records.
15. Once all the necessary NS records are created, verify that the subdomain NS records are no longer vulnerable by performing a vulnerability scan or using a DNS tool.
By following these steps, you will be able to remediate vulnerable subdomain NS records in AWS Route53 using the AWS console.
To remediate vulnerable NS records in AWS Route53 using the AWS CLI, follow these steps:
1. Install and configure the AWS CLI on your local machine if you haven’t already. Ensure that you have appropriate permissions to manage Route53 resources.
2. Verify the domain ownership in the AWS Route53 console. This step is crucial to ensure that you have the necessary permissions to make changes to the DNS records.
3. Open a terminal on your local machine and run the following command to list all hosted zones in your AWS account:
   ```
   aws route53 list-hosted-zones
   ```
   Identify the hosted zone that contains the vulnerable NS records you want to remediate. Note down the `Id` of the hosted zone.
4. Run the following command to retrieve the existing record sets, including the NS records, for the hosted zone:
   ```
   aws route53 list-resource-record-sets --hosted-zone-id <hosted-zone-id>
   ```
   Replace `<hosted-zone-id>` with the actual `Id` of the hosted zone obtained in the previous step.
5. Review the output and identify the NS records that need to be removed or updated. Note down the `Name`, `TTL` and values of each vulnerable NS record.
6. Run the following command to delete each vulnerable NS record:
   ```
   aws route53 change-resource-record-sets --hosted-zone-id <hosted-zone-id> --change-batch '{ "Changes": [ { "Action": "DELETE", "ResourceRecordSet": { "Name": "<vulnerable-ns-record-name>", "Type": "NS", "TTL": 300, "ResourceRecords": [ { "Value": "<vulnerable-ns-record-value>" } ] } } ] }'
   ```
   Replace `<hosted-zone-id>` with the actual `Id` of the hosted zone, `<vulnerable-ns-record-name>` with the name of the vulnerable NS record, and `<vulnerable-ns-record-value>` with the value of the vulnerable NS record. Route53 accepts a DELETE only when the name, type, TTL and every value match the stored record set exactly, so copy the TTL and all values from the output of step 4 rather than assuming a TTL of 300. Repeat this command for each vulnerable NS record identified in step 5.
7. After deleting the vulnerable NS records, you can optionally add or update the NS records with the correct values. Run the following command to add or update an NS record:
   ```
   aws route53 change-resource-record-sets --hosted-zone-id <hosted-zone-id> --change-batch '{ "Changes": [ { "Action": "UPSERT", "ResourceRecordSet": { "Name": "<ns-record-name>", "Type": "NS", "TTL": 300, "ResourceRecords": [ { "Value": "<ns-record-value>" } ] } } ] }'
   ```
   Replace `<hosted-zone-id>` with the actual `Id` of the hosted zone, `<ns-record-name>` with the name of the NS record, and `<ns-record-value>` with the value of the NS record. Repeat this command for each NS record you want to add or update.
8. Verify the changes by running the command in step 4 again. Ensure that the vulnerable NS records are no longer present, and that the correct NS records have been added or updated.
By following these steps, you can remediate vulnerable NS records in AWS Route53 using the AWS CLI.
To remediate vulnerable NS records in AWS Route53 using Python, follow these steps:
1. Install the required libraries:
   - Install the AWS SDK for Python (Boto3) using the command:
     ```
     pip install boto3
     ```
2. Set up AWS credentials:
   - Configure the AWS CLI using the command:
     ```
     aws configure
     ```
   - Enter your AWS Access Key ID and Secret Access Key.
   - Set the default region name and output format.
3. Write a Python script to remediate the vulnerability. The script below deletes the subdomain NS record sets whose names you list in `VULNERABLE_NS_RECORD_NAMES` (the delegations you identified as vulnerable during review), and never touches the NS record set at the zone apex, which is the hosted zone's own name-server set:
   ```python
   import boto3

   # Subdomain delegations confirmed as vulnerable, fully qualified with a
   # trailing dot exactly as Route53 returns them (example placeholder value)
   VULNERABLE_NS_RECORD_NAMES = {"old.example.com."}


   def remediate_vulnerable_ns_records(vulnerable_names=VULNERABLE_NS_RECORD_NAMES):
       # Create a Route53 client
       route53_client = boto3.client('route53')

       # Walk every hosted zone; the API pages its results, so use the paginator
       for zone_page in route53_client.get_paginator('list_hosted_zones').paginate():
           for hosted_zone in zone_page['HostedZones']:
               hosted_zone_id = hosted_zone['Id']
               hosted_zone_name = hosted_zone['Name']

               # Walk every record set in the zone, also paginated
               record_pages = route53_client.get_paginator(
                   'list_resource_record_sets').paginate(HostedZoneId=hosted_zone_id)
               for page in record_pages:
                   for record_set in page['ResourceRecordSets']:
                       # Only NS record sets below the apex are subdomain delegations;
                       # the apex NS set belongs to the zone itself and must be skipped
                       if record_set['Type'] != 'NS' or record_set['Name'] == hosted_zone_name:
                           continue
                       if record_set['Name'] not in vulnerable_names:
                           continue

                       # A DELETE must match the stored record set exactly (name, type,
                       # TTL and every value), so pass the record set back as listed
                       route53_client.change_resource_record_sets(
                           HostedZoneId=hosted_zone_id,
                           ChangeBatch={
                               'Changes': [
                                   {'Action': 'DELETE', 'ResourceRecordSet': record_set}
                               ]
                           }
                       )
                       print(f"Vulnerable NS record set {record_set['Name']} deleted "
                             f"for hosted zone: {hosted_zone_name}")


   # Run the function to remediate the vulnerability
   if __name__ == '__main__':
       remediate_vulnerable_ns_records()
   ```
4. Save the script to a file, for example, `remediate_ns_records.py`.
5. Execute the Python script:
   - Open a terminal or command prompt.
   - Navigate to the directory where the script is saved.
   - Run the command:
     ```
     python remediate_ns_records.py
     ```
The script will connect to AWS Route53, walk every hosted zone, delete the subdomain NS record sets named in `VULNERABLE_NS_RECORD_NAMES`, and print a message for each record set it removes.
Note: Make sure you have appropriate permissions to access and modify Route53 resources in your AWS account.
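The CLI and Python procedures above both leave two things to the operator: deciding which subdomain delegations are actually vulnerable, and typing the DELETE batch so that it matches the stored record set exactly. The following is an added example, not code from the original page or from any vendor tool, that does both offline: it separates subdomain NS delegations from the zone's own apex NS set, classifies a delegation as dangling when none of the name servers it points to answers authoritatively for the subdomain, and builds the exact-match DELETE change batch from the listed record sets. The record-set dictionaries follow the shape boto3's `list_resource_record_sets` returns; the `probe` callable, the sample zone and the sample answers are constructed stand-ins for a real DNS query and real data.

```python
"""Classify Route53 NS delegations and build exact-match DELETE batches.

Added example; not the page's own code. The `probe` callable is a hypothetical
stand-in for an authoritative DNS query, and all sample data is constructed.
"""
import json
from typing import Callable, Dict, Iterable, List

RecordSet = Dict


def subdomain_ns_delegations(zone_name: str, record_sets: Iterable[RecordSet]) -> List[RecordSet]:
    """Return the NS record sets that delegate a child zone.

    The NS record set at the zone apex is the hosted zone's own name-server
    set; Route53 manages it and it is never a subdomain delegation.
    """
    apex = zone_name.lower()
    return [rs for rs in record_sets
            if rs["Type"] == "NS" and rs["Name"].lower() != apex]


def dangling_delegations(delegations: Iterable[RecordSet],
                         probe: Callable[[str, str], bool]) -> List[RecordSet]:
    """Keep the delegations for which no listed name server answers authoritatively.

    probe(subdomain, nameserver) returns True when that server gives an
    authoritative answer for the subdomain. It is a hypothetical callable; a
    real implementation would send a DNS query to each server.
    """
    dangling = []
    for rs in delegations:
        servers = [rr["Value"].rstrip(".") for rr in rs["ResourceRecords"]]
        if not any(probe(rs["Name"], ns) for ns in servers):
            dangling.append(rs)
    return dangling


def delete_change_batch(record_sets: Iterable[RecordSet]) -> dict:
    """Build a ChangeBatch that removes each record set exactly as it is stored.

    Route53 rejects a DELETE unless Name, Type, TTL and every value match the
    stored record set, so the batch is copied from the listed record set rather
    than typed by hand.
    """
    return {
        "Comment": "remove dangling subdomain NS delegations",
        "Changes": [
            {"Action": "DELETE",
             "ResourceRecordSet": {"Name": rs["Name"], "Type": rs["Type"], "TTL": rs["TTL"],
                                   "ResourceRecords": list(rs["ResourceRecords"])}}
            for rs in record_sets
        ],
    }


# Constructed sample zone (not real data): the apex NS and SOA sets, one
# delegation whose servers still answer, and one whose servers do not.
SAMPLE_ZONE = "example.com."
SAMPLE_RECORD_SETS = [
    {"Name": "example.com.", "Type": "NS", "TTL": 172800,
     "ResourceRecords": [{"Value": "ns-1.awsdns-00.org."}]},
    {"Name": "example.com.", "Type": "SOA", "TTL": 900,
     "ResourceRecords": [{"Value": "ns-1.awsdns-00.org. hostmaster.example.com. 1 7200 900 1209600 86400"}]},
    {"Name": "app.example.com.", "Type": "NS", "TTL": 300,
     "ResourceRecords": [{"Value": "ns1.dns-provider.example."},
                         {"Value": "ns2.dns-provider.example."}]},
    {"Name": "old.example.com.", "Type": "NS", "TTL": 300,
     "ResourceRecords": [{"Value": "ns-404.awsdns-50.com."}]},
]

# Constructed probe results standing in for real DNS answers: anything not
# listed here is treated as "no authoritative answer".
SAMPLE_ANSWERS = {
    ("app.example.com.", "ns1.dns-provider.example"): True,
    ("app.example.com.", "ns2.dns-provider.example"): True,
}


def sample_probe(subdomain: str, nameserver: str) -> bool:
    return SAMPLE_ANSWERS.get((subdomain, nameserver), False)


def remediation_plan(zone_name: str = SAMPLE_ZONE,
                     record_sets: Iterable[RecordSet] = SAMPLE_RECORD_SETS,
                     probe: Callable[[str, str], bool] = sample_probe) -> dict:
    """Return the DELETE ChangeBatch for the dangling delegations in a zone."""
    delegations = subdomain_ns_delegations(zone_name, record_sets)
    return delete_change_batch(dangling_delegations(delegations, probe))


if __name__ == "__main__":
    # Prints the batch that would be passed as ChangeBatch= to
    # route53.change_resource_record_sets for the sample zone.
    print(json.dumps(remediation_plan(), indent=2))
```

Against a live account, `record_sets` would be the concatenated `ResourceRecordSets` pages from the `list_resource_record_sets` paginator, `probe` would issue an SOA or NS query for the subdomain directly to each listed name server and report whether the answer carries the authoritative-answer flag, and the returned dictionary is passed unchanged as `ChangeBatch` to `change_resource_record_sets`. Reviewing the printed plan before applying it is the human check that step 5 of the CLI procedure asks for.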