
Sub doMine: Dangling DNS

The Sub doMine origin story


Public websites that are managed and hosted on a public cloud provider (like AWS) can be prone to dangling DNS: a DNS record keeps pointing at a resource that no longer exists, so the files and servers that once hosted the website can be replaced by an attacker's server, resulting in a subdomain takeover. Sub doMine is the dangling DNS villain that commonly results in subdomain takeovers.


Common causes

Sub doMine often rears its ugly head when an AWS user forgets to remove both the DNS entry and the resource it links to at the same time. Another cause is that, even when infrastructure as code (IaC) is used, some services do not allow immediate deletion, which leaves entries behind or requires manual intervention to delete the forgotten resource.

Problems caused by dangling DNS

In the mildest case, the compromised website of a reputable organization is replaced with publicly embarrassing content, resulting in a loss of customer trust and damage to the organization's public reputation. At its worst, it can result in a data breach if the resource being hosted has private content and the attacker re-creates the resource that the dangling DNS entry still points to. Another worst-case outcome is an attacker replacing the website with a nearly identical one that siphons customer logins.

3 places in AWS where Sub doMine hides

  1. AWS Route53 is a highly available and scalable DNS web service from AWS. Amazon allows domains to be registered and hosted using an AWS S3 bucket. If the hosted zone for the registered domain is missing, the domain can be migrated to the attacker's AWS account. The same is true if the routing policy is linked to a deleted AWS S3 bucket.

  2. AWS ElasticBeanstalk assigns a CNAME (canonical name, a type of DNS record that shows that a domain name is a nickname or alias for another domain) to each environment it creates and manages. That CNAME can also be the CNAME target of a custom registered website. If the environment behind the CNAME is removed while the website's DNS record still points to it, the ElasticBeanstalk CNAME can be claimed by anyone who registers the same CNAME with AWS ElasticBeanstalk.

  3. AWS Cloudfront is a CDN service from AWS which allows customers to host and serve a website quickly from anywhere in the world. AWS Cloudfront can use an AWS S3 bucket as a website source. If that S3 bucket is deleted and an attacker creates a replacement S3 bucket with the same name as the deleted one, the attacker has found our Sub doMine villain.

3 ways to stop Sub doMine

Thankfully, AWS is an API-enabled public cloud provider, which allows most things in the public cloud to be automated if you know what you are looking to create, modify or delete. IaC is a good framework for creating infrastructure and resources in AWS from a pre-defined configuration file. Using IaC ensures that all resources are deleted when the delete action is run, as long as the resources were created by the IaC tool to begin with.

Another thing that customers of AWS can do is maintain an inventory of all active DNS records that their organization should have. In addition, a regular audit process should ensure that when a DNS record is no longer required, the resources behind it are deleted too.

Continuously monitor for an AWS S3 bucket being accidentally exposed to the internet, or for the deletion of an S3 bucket that has static website hosting enabled, so that the relevant remediation can be performed. Automated alerting should be a component of this continuous monitoring.
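One way to run the DNS audit described above, as an added example that is not part of the original post: compare a hosted zone's CNAME and alias targets against the S3 buckets and Elastic Beanstalk CNAMEs the account still owns, and flag any target that no longer has an owner. The record sets, bucket names and environment CNAMEs below are constructed sample data shaped like the output of the Route53, S3 and Elastic Beanstalk list APIs; in practice you would feed in the real responses.

```python
import re

# Constructed sample: record sets as returned by `aws route53 list-resource-record-sets`,
# trimmed to the fields the audit needs. Names and targets are made up for this example.
SAMPLE_RECORDS = [
    {"Name": "www.example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "www-assets.s3-website-us-east-1.amazonaws.com"}]},
    {"Name": "old.example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "retired-site.s3-website.eu-west-1.amazonaws.com"}]},
    {"Name": "app.example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "legacy-env.eu-west-1.elasticbeanstalk.com"}]},
    {"Name": "example.com.", "Type": "A",
     "AliasTarget": {"DNSName": "www-assets.s3-website-us-east-1.amazonaws.com."}},
    {"Name": "mail.example.com.", "Type": "MX",
     "ResourceRecords": [{"Value": "10 mail.example.com"}]},
]

# Resources the account still owns (constructed; in practice from `aws s3api list-buckets`
# and `aws elasticbeanstalk describe-environments`).
OWNED_BUCKETS = {"www-assets"}
OWNED_EB_CNAMES = {"prod-env.eu-west-1.elasticbeanstalk.com"}

# S3 static website endpoints come in two shapes: bucket.s3-website-REGION.amazonaws.com
# and bucket.s3-website.REGION.amazonaws.com. The bucket name is the takeover handle.
S3_WEBSITE = re.compile(r"^(?P<bucket>[a-z0-9.-]+)\.s3-website[.-][a-z0-9-]+\.amazonaws\.com$")
# Elastic Beanstalk environment CNAMEs end in elasticbeanstalk.com; the full host is the handle.
EB_CNAME = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.elasticbeanstalk\.com$")

def targets(record):
    """Yield every hostname a record points at (alias or CNAME), lower-cased, no trailing dot."""
    if "AliasTarget" in record:
        yield record["AliasTarget"]["DNSName"].rstrip(".").lower()
    if record["Type"] == "CNAME":
        for rr in record.get("ResourceRecords", []):
            yield rr["Value"].rstrip(".").lower()

def find_dangling(records, owned_buckets, owned_eb_cnames):
    """Return (record name, target, reason) for every target not backed by a resource we own."""
    findings = []
    for rec in records:
        for host in targets(rec):
            m = S3_WEBSITE.match(host)
            if m and m.group("bucket") not in owned_buckets:
                findings.append((rec["Name"], host, "S3 website bucket not in account"))
            elif EB_CNAME.match(host) and host not in owned_eb_cnames:
                findings.append((rec["Name"], host, "Elastic Beanstalk CNAME not in account"))
    return findings

if __name__ == "__main__":
    for name, host, reason in find_dangling(SAMPLE_RECORDS, OWNED_BUCKETS, OWNED_EB_CNAMES):
        print(f"DANGLING {name} -> {host}: {reason}")
```

Each finding is a record to delete or a resource to re-create under the account's own control; wiring the function into a scheduled job and alerting on a non-empty result gives the automated alerting the post calls for.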

Next in the series

MisCred: Leaked credentials

Learn the common causes of leaked credentials and how to stop it from happening.


Snyk is a developer security platform. Integrating directly into development tools, workflows and pipelines, Snyk makes it easy to find, prioritize and fix security vulnerabilities in code, dependencies, containers and infrastructure as code (IaC). Backed by industry-leading application and security intelligence, Snyk puts security expertise in every developer's toolkit.


© 2024 Snyk Limited
Registered in England and Wales
