Automation protect against subdomain takeover on AWS

Aug 05, 2021 1 min read

AWS_Subdomain_Takeover_Detector

This automation protect against subdomain takeover on AWS env which also send alerts on slack.

Purpose

The purpose of this automation is to detect misconfigured Route53 entries which are vulnerable to subdomain takeover.

Deployment Options

AWS Lambda, Rundeck or any cron

Prerequisites

IAM role with a permission of route53("ListHostedZones", "ListResourceRecordSets", "ListDomains").

Configuration Steps

Configure IAM role with permission mention above in prerequisites.
Deploy it on any of the cron Lambda/rundeck.
In slack_alert() please put the incoming webhook url of slack channel.

Scans Amazon Route53 to identify:

Check alias records for CloudFront distributions with missing S3 origin, ElasticBeanstalk vulnerable aliaa record and S3 vulnerable Alias record.
Check CNAME records for CloudFront distributions with missing S3 origin, S3 vulnerable CNAME and ElasticBeanstalk vulnerable CNAME.
Check for NS subdomain takeover.

GitHub

https://github.com/Puneet8800/AWS_Subdomain_Takeover_Detector

Automation Tool AWS

John was the first writer to have joined pythonawesome.com. He has since then inculcated very effective writing and reviewing culture at pythonawesome which rivals have found impossible to imitate.