Neglected assets

Route53 CNAME Record Pointing to Invalid Resource

Risk Level

Informational (4)



Orca has detected that certain DNS resource record sets under the hosted zone point to resources that may not exist, that are present in a different account, or that are invalid CNAME values. DNS records that resolve to invalid resources may lead to subdomain takeover: a malicious party may create a new resource under their control at that address and serve their content under your domain.
Recommended Mitigation

Make sure CNAME records are pointing to valid resources. Remediate this by editing the resource record under the {AwsRoute53ResourceRecordSet.HostedZone} hosted zone, or removing the entry altogether.
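One way to review the CNAME records of a hosted zone before editing them, as an added example that is not Orca's detection logic: it sorts each CNAME target into the cases named above (invalid value, target that no longer resolves, target on a shared AWS suffix whose owning account must be confirmed). The names `audit_cnames`, `system_resolves` and `SHARED_SUFFIXES` are hypothetical, the record dicts follow the shape of the Route 53 ListResourceRecordSets response, and the sample records are constructed.

```python
import re
import socket

# Suffixes operated by AWS for customer resources: the target may belong to any account.
SHARED_SUFFIXES = (".amazonaws.com", ".cloudfront.net", ".elasticbeanstalk.com")
HOSTNAME = re.compile(
    r"(?=.{1,253}$)([a-z0-9_]([a-z0-9_-]{0,61}[a-z0-9_])?\.)+[a-z][a-z0-9-]{1,62}")

def system_resolves(hostname):
    """Default resolver: True if the system resolver returns any address."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False

def audit_cnames(record_sets, resolves=system_resolves):
    """Return (record name, target, status) for every CNAME that needs attention."""
    findings = []
    for rrset in record_sets:
        if rrset.get("Type") != "CNAME":
            continue  # A, AAAA, alias records etc. are out of scope here
        name = rrset["Name"].rstrip(".").lower()
        for rr in rrset.get("ResourceRecords", []):
            target = rr["Value"].rstrip(".").lower()
            if not HOSTNAME.fullmatch(target):
                status = "invalid-value"      # e.g. an IP address in a CNAME
            elif not resolves(target):
                status = "unresolvable"       # target name is gone from DNS
            elif target.endswith(SHARED_SUFFIXES):
                status = "verify-ownership"   # resolves, but whose account is it?
            else:
                continue
            findings.append((name, target, status))
    return findings

# Constructed sample records (not taken from any real hosted zone).
SAMPLE = [
    {"Name": "www.example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "app.example.net."}]},
    {"Name": "shop.example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "old-shop.us-east-1.elasticbeanstalk.com."}]},
    {"Name": "static.example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "assets-bucket.s3-website-us-east-1.amazonaws.com."}]},
    {"Name": "api.example.com.", "Type": "CNAME", "ResourceRecords": [{"Value": "10.0.0.5"}]},
    {"Name": "example.com.", "Type": "A", "ResourceRecords": [{"Value": "192.0.2.10"}]},
]
```

A target that still resolves is not proof that the resource is yours, so each `verify-ownership` entry should be matched against the resources in your own account before the record is kept.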