Add warning in AWS console and CloudFormation output for name server mismatch | by Teri Radichel | Biting Bugs | December 2023

I spent way too much time on something simple

One simple thing AWS could do to save people a lot of angst is to add a warning, when a new hosted zone is created, that the new name server records do not match, or do not exist in, the parent zone.

For example, if a customer deletes and re-adds a Route 53 hosted zone, the NS records change. This is probably a good thing, because it prevents someone from re-creating the zone in a malicious account with name servers that match the existing NS records, which would allow an attacker to create a subdomain on a domain that they don’t own.

But no matter how it happens, CloudFormation, the AWS CLI, or the console should issue a warning that there is a mismatch with the parent zone and/or domain and tell the customer what needs to be updated.

Also add this warning in the AWS console so that a customer who logs in to troubleshoot knows exactly how to resolve it.

This also applies if a customer deletes and re-adds the hosted zone for the apex domain. In this case, the customer must update the NS records wherever the domain is registered, whether on AWS or elsewhere.

The mismatch is easy to look up, and adding a warning in the console that says what to fix would probably save people tons of time and headaches, based on my own experience.
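The comparison such a warning would need, sketched as an added example (not code from the original post or from AWS): it compares the name servers Route 53 assigned to a hosted zone with the NS records held by the parent. The zone name, sample name servers and function names are assumptions; the two lookup helpers use boto3 and cover a parent zone that is also hosted in Route 53, while for an apex domain you would pass in the name servers listed at the registrar.

```python
"""Compare a hosted zone's assigned name servers with the parent's NS records."""

def _norm(names):
    # DNS names are case-insensitive; a trailing dot is only the root label.
    return {n.strip().lower().rstrip(".") for n in names if n.strip()}

def delegation_warning(zone_name, assigned_ns, parent_ns):
    """Return a warning string, or None when the parent matches the hosted zone."""
    assigned, parent = _norm(assigned_ns), _norm(parent_ns)
    if assigned == parent:
        return None
    if not parent:
        return (f"WARNING: no NS records for {zone_name} exist in the parent zone "
                f"or registrar. Add: {', '.join(sorted(assigned))}")
    stale = sorted(parent - assigned)    # left over from a deleted zone
    missing = sorted(assigned - parent)  # assigned to the zone that exists now
    return (f"WARNING: parent NS records for {zone_name} do not match this hosted "
            f"zone. Remove: {', '.join(stale) or 'none'}. "
            f"Add: {', '.join(missing) or 'none'}")

def assigned_name_servers(zone_id):
    """Name servers assigned to a public hosted zone (needs boto3 and credentials)."""
    import boto3
    zone = boto3.client("route53").get_hosted_zone(Id=zone_id)
    # Private hosted zones have no delegation set.
    return zone.get("DelegationSet", {}).get("NameServers", [])

def parent_ns_in_route53(parent_zone_id, zone_name):
    """NS records for zone_name stored in a parent zone that is also in Route 53."""
    import boto3
    fqdn = zone_name.rstrip(".") + "."
    resp = boto3.client("route53").list_resource_record_sets(
        HostedZoneId=parent_zone_id, StartRecordName=fqdn,
        StartRecordType="NS", MaxItems="1")
    for rrset in resp["ResourceRecordSets"]:
        if rrset["Name"].lower() == fqdn.lower() and rrset["Type"] == "NS":
            return [r["Value"] for r in rrset.get("ResourceRecords", [])]
    return []  # the parent holds no delegation for this name

# Constructed sample values: the parent still lists the deleted zone's servers.
OLD = ["ns-1.awsdns-01.org.", "ns-2.awsdns-02.co.uk."]
NEW = ["ns-3.awsdns-03.com", "NS-2.awsdns-02.co.uk"]

if __name__ == "__main__":
    print(delegation_warning("dev.example.com", NEW, OLD))
```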

Teri Radichel | © 2nd Sight Lab 2023

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
Author: Cybersecurity for Executives in the Age of Cloud
Presentations: Presentations by Teri Radichel
Recognition: SANS Difference Makers Award, AWS Security Hero, IANS Faculty
Certifications: SANS
Education: BA Business, Master of Software Engineering, Master of Infosec
Company: Cloud Penetration Tests, Assessments, Training ~ 2nd Sight Lab