Neglected assets

Route53 Record Pointing to Invalid Resource

Risk Level

Hazardous (3)

Platform(s)
Compliance Frameworks

Description

Orca has detected that certain DNS resource record sets under the hosted zone are aliased to resources that may not exist, that are present in a different account, or that are invalid alias record values. DNS records that resolve to invalid resources may lead to subdomain takeover: a malicious party may create a new resource under their control at that address and serve their content under your domain.

Recommended Mitigation

Make sure alias records point to valid resources. Remediate this by editing the resource record under the {AwsRoute53ResourceRecordSet.HostedZone} hosted zone, or by removing the entry altogether.
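One way to audit a zone for the condition described above, as an added example that is not Orca's own detection logic. It assumes the record sets were exported in the Route 53 ListResourceRecordSets response shape and that `OWNED_ENDPOINTS` is a hypothetical inventory of endpoints that exist in the account; all names and IDs are constructed.

```python
# Added example. Record sets follow the Route 53 ListResourceRecordSets
# response shape; every name and ID below is constructed sample data.
SAMPLE_RECORDS = [
    {"Name": "www.example.com.", "Type": "A", "AliasTarget": {
        "HostedZoneId": "ZSAMPLEELB", "EvaluateTargetHealth": False,
        "DNSName": "dualstack.web-123.us-east-1.elb.amazonaws.com."}},
    {"Name": "old.example.com.", "Type": "A", "AliasTarget": {
        "HostedZoneId": "ZSAMPLECDN", "EvaluateTargetHealth": False,
        "DNSName": "dsample000.cloudfront.net."}},
    {"Name": "app.example.com.", "Type": "A", "AliasTarget": {
        "HostedZoneId": "ZSAMPLEZONE", "EvaluateTargetHealth": False,
        "DNSName": "www.example.com."}},
    {"Name": "example.com.", "Type": "MX",
     "ResourceRecords": [{"Value": "10 mx.example.com."}]},
]
# Hypothetical inventory of endpoints that exist in this account
# (load balancers, distributions, buckets), gathered separately.
OWNED_ENDPOINTS = ["web-123.us-east-1.elb.amazonaws.com"]


def norm(name):
    """Lower-case, drop the trailing dot and the 'dualstack.' ELB prefix."""
    name = (name or "").lower().rstrip(".")
    return name[len("dualstack."):] if name.startswith("dualstack.") else name


def audit_alias_records(record_sets, owned_endpoints):
    """Return (name, type, target, reason) for aliases without a known target."""
    owned = {norm(e) for e in owned_endpoints}
    # An alias may also point at another record of the same type in the zone.
    in_zone = {(norm(r["Name"]), r["Type"]) for r in record_sets}
    findings = []
    for r in record_sets:
        alias = r.get("AliasTarget")
        if alias is None:
            continue  # non-alias records are outside this check
        target = norm(alias.get("DNSName"))
        if not target:
            reason = "invalid alias value"
        elif target in owned or (target, r["Type"]) in in_zone:
            continue
        else:
            # Covers both a deleted resource and one living in another account.
            reason = "target not found in this account"
        findings.append((norm(r["Name"]), r["Type"], target, reason))
    return findings
```

Each finding names a record to edit or remove under the hosted zone; a target that legitimately lives in another account needs that account's inventory added before the record can be cleared.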