Today I published on the AWS Security Blog with Matt Gurr, Ariam Michael, and Geoff Sweet from the AWS CIRT team: Threat tactic spotlight: Subdomain takeover.

The short version: AWS CIRT has been watching threat actors actively scan for CNAME records pointing to deleted S3 buckets, Elastic Beanstalk environments, and CloudFront distributions. When the resource is gone but the DNS record stays, an attacker can recreate the resource in their own account and serve content through your domain. Your users trust the URL. You don’t control what’s at it.

The part I think is worth calling out explicitly: the obvious detection approach is wrong.

Most teams test whether the CNAME target resolves (or answers HTTP). That only catches a dangling record during the window in which nobody has claimed the name yet. Once an attacker has claimed the resource, resolution succeeds and the endpoint serves content; it is just their infrastructure, not yours. You’d see a clean result and have no idea anything was wrong.

The right test is whether the resource exists in your account inventory, not whether something responds at that DNS name. We built the detection solution on AWS Config inventory checks for exactly this reason. If it’s not in your Config inventory, it’s not yours, regardless of what DNS says. The obvious caveat is that the check is only as good as the inventory: Config has to be recording the relevant resource types (S3 buckets, CloudFront distributions, Elastic Beanstalk environments) in every account and region the DNS records can point to, ideally through an aggregator, or a legitimately owned resource will show up as a false positive.
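To make the ownership-not-resolution idea concrete, here is an added example of the core comparison (my own illustration, not the code from the AWS CIRT solution on GitHub). It takes Route 53 record sets in the shape `list_resource_record_sets` returns, extracts the claimable identifier from each CNAME target (bucket name, CloudFront domain label, Elastic Beanstalk CNAME prefix), and flags any that are absent from an inventory you would assemble from AWS Config. The hostname patterns, the sample records and the inventory are constructed assumptions for the example; the inventory is keyed by the identifier as it appears in the CNAME target, so mapping Config resource attributes onto that form is left to the reader. Nothing is resolved, on purpose.

```python
"""Flag Route 53 CNAMEs whose AWS target is missing from our own inventory.

Added example with constructed data. Record shape mirrors Route 53's
list_resource_record_sets output; the inventory stands in for what you would
build from AWS Config. Hostname patterns are assumptions for illustration.
"""
import re
from dataclasses import dataclass

# CNAME target shapes that become claimable once the resource is deleted.
# The "name" group is the identifier that must exist in our inventory.
CLAIMABLE_TARGETS = {
    # bucket.s3.amazonaws.com, bucket.s3.eu-west-1.amazonaws.com,
    # bucket.s3-website-us-east-1.amazonaws.com, bucket.s3-website.eu-west-1.amazonaws.com
    "s3": re.compile(
        r"^(?P<name>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
        r"\.s3(?:[.-]website)?(?:[.-][a-z]{2}(?:-[a-z]+)+-\d)?\.amazonaws\.com$"
    ),
    # env.us-east-1.elasticbeanstalk.com or env.eba-xxxx.us-east-1.elasticbeanstalk.com
    "elasticbeanstalk": re.compile(
        r"^(?P<name>[a-z0-9][a-z0-9-]*)(?:\.eba-[a-z0-9]+)?"
        r"\.[a-z]{2}(?:-[a-z]+)+-\d\.elasticbeanstalk\.com$"
    ),
    # d111111abcdef8.cloudfront.net
    "cloudfront": re.compile(r"^(?P<name>[a-z0-9]+)\.cloudfront\.net$"),
}


@dataclass(frozen=True)
class Finding:
    record_name: str
    target: str
    service: str
    resource_name: str


def normalize(host: str) -> str:
    """Lower-case and drop the trailing dot Route 53 puts on FQDNs."""
    return host.strip().lower().rstrip(".")


def classify_target(target: str):
    """Return (service, resource_name) for a claimable AWS endpoint, else None."""
    host = normalize(target)
    for service, pattern in CLAIMABLE_TARGETS.items():
        match = pattern.match(host)
        if match:
            return service, match.group("name")
    return None


def find_takeover_candidates(records, inventory):
    """Return CNAMEs whose AWS target is not in our inventory.

    Deliberately performs no DNS or HTTP lookups: a target that resolves may
    already be the attacker's resource, so ownership is decided by inventory.
    Alias records (Type A with AliasTarget) are out of scope for this example.
    """
    findings = []
    for rr in records:
        if rr["Type"] != "CNAME":
            continue  # only CNAMEs hand the name to another endpoint
        for value in rr.get("ResourceRecords", []):
            classified = classify_target(value["Value"])
            if classified is None:
                continue  # not an AWS endpoint this check covers
            service, resource_name = classified
            if resource_name not in inventory.get(service, set()):
                findings.append(Finding(normalize(rr["Name"]), normalize(value["Value"]),
                                        service, resource_name))
    return findings


# Constructed sample records (not real zone data).
SAMPLE_RECORDS = [
    {"Name": "www.example.com.", "Type": "CNAME", "TTL": 300,
     "ResourceRecords": [{"Value": "d111111abcdef8.cloudfront.net."}]},
    {"Name": "assets.example.com.", "Type": "CNAME", "TTL": 300,
     "ResourceRecords": [{"Value": "assets.example.com.s3-website-us-east-1.amazonaws.com."}]},
    # Bucket deleted last quarter and re-registered by someone else: this target
    # still resolves and serves content, so a resolution check would pass it.
    {"Name": "legacy.example.com.", "Type": "CNAME", "TTL": 3600,
     "ResourceRecords": [{"Value": "legacy-example-site.s3-website-us-east-1.amazonaws.com."}]},
    {"Name": "api.example.com.", "Type": "CNAME", "TTL": 60,
     "ResourceRecords": [{"Value": "api-prod.eba-k3x9mz2p.us-west-2.elasticbeanstalk.com."}]},
    {"Name": "status.example.com.", "Type": "CNAME", "TTL": 300,  # non-AWS target, skipped
     "ResourceRecords": [{"Value": "status-host.example.net."}]},
    {"Name": "example.com.", "Type": "A", "TTL": 300,
     "ResourceRecords": [{"Value": "203.0.113.10"}]},
]

# Constructed inventory, keyed by the identifier as it appears in the CNAME
# target (bucket name, CloudFront domain label, Beanstalk CNAME prefix).
SAMPLE_INVENTORY = {
    "s3": {"assets.example.com", "logs-example-prod"},
    "cloudfront": {"d111111abcdef8"},
    "elasticbeanstalk": {"api-prod"},
}

if __name__ == "__main__":
    for f in find_takeover_candidates(SAMPLE_RECORDS, SAMPLE_INVENTORY):
        print(f"{f.record_name} -> {f.target}: {f.service} '{f.resource_name}' not in inventory")
```

Run against the sample, only `legacy.example.com` is reported, even though its target would resolve; `www`, `assets` and `api` are passed because their identifiers are in the inventory, and the non-AWS CNAME and the A record are ignored. In practice the records come from every hosted zone in the organization and the inventory from an Config aggregator, and the pattern list needs to cover whatever other services your zones point at.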

The other key point is operational: when decommissioning, delete the DNS record first, wait for its TTL to expire so resolvers have dropped the cached answer, and only then delete the resource. The order matters. If you delete the resource first, or tear it down before the old answer has aged out of caches, there’s a window where clients are still being directed to that endpoint while its name is up for grabs.

The full post covers the threat model, a deployable detection solution (open-source, on GitHub), and response guidance. Worth a read if you’re managing Route 53 hosted zones at any real scale.