Neglected assets

Route53 Record Pointing to Invalid Resource

Risk Level

Hazardous (3)

Compliance Frameworks
  • ,
  • NIST 800-53


Orca has detected that certain DNS resource record sets under the hosted zone are aliased to resources which may not exist, are present in a different account, or are invalid Alias-Record values. DNS records which resolve to invalid resources may lead to subdomain takeover; a malicious party may create a new resource under their control at that address, and serve their content under your domain.
  • Recommend icon

    Recommended Mitigation

    Make sure alias records are pointing to valid resources. Remediate this by editing the resource record under the {AwsRoute53ResourceRecordSet.HostedZone} hosted zone, or removing the entry altogether.