
Quick Start Security for Amazon Route53 Audit

Amazon Route53 Audit

Coralogix Extension For Amazon Route53 Audit Includes:

Alerts - 4

Stay on top of Amazon Route53 Audit key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

AWS Route53 Audit - domain transferred to another account

Transferring a domain to another AWS account is a legitimate action for a system or network administrator, but it is not a common one. If known behavior is causing false positives, it can be exempted from the rule.
Impact: An unauthorized move of a domain to a different account could cause service disruption or a takeover by an attacker.
Mitigation: Review the transfer log and examine the user identity, user agent, and/or hostname. Unfamiliar activity around domain transfers should be investigated further and the actions taken reverted.
Mitre Tactic: TA0006 / TA0003
Mitre Technique: T1098

AWS Route53 Audit - domain transfer lock disabled

Transferring a domain to another AWS account is a legitimate action for a system or network administrator, but it is not a common one. Disabling the transfer lock on a domain could be a preliminary step by an attacker to move the domain out of the account.
Impact: Removing the transfer lock allows an attacker to move the domain to another account or registrar, thereby taking over the domain.
Mitigation: Review the log and examine the user identity, user agent, and/or hostname that removed the transfer lock. Check whether a domain transfer action followed shortly after the transfer lock was disabled. Validate that this was an authorized action; if not, revert the changes and investigate further.
Mitre Tactic: TA0006 / TA0003
Mitre Technique: T1098
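The correlation described in the mitigation above (a transfer-lock removal followed shortly by a transfer of the same domain), as an added example that is not part of the Coralogix extension. It assumes CloudTrail-format records and the Route 53 Domains API event names DisableDomainTransferLock, EnableDomainTransferLock and TransferDomainToAnotherAwsAccount; the sample events are constructed, and the exempt_arns parameter is a hypothetical way to express the "known behavior" exemption the rule text mentions.

```python
from datetime import datetime

# Constructed CloudTrail-style records (sample data, not from any real account).
# Field layout follows CloudTrail; the event names are the Route 53 Domains API
# actions CloudTrail records for unlocking, re-locking and transferring a domain.
SAMPLE_EVENTS = [
    {"eventTime": "2024-03-01T10:00:00Z", "eventName": "DisableDomainTransferLock",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops-admin"},
     "requestParameters": {"domainName": "example.com"}},
    {"eventTime": "2024-03-01T10:04:00Z", "eventName": "TransferDomainToAnotherAwsAccount",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops-admin"},
     "requestParameters": {"domainName": "example.com", "accountId": "222222222222"}},
    {"eventTime": "2024-03-01T11:00:00Z", "eventName": "DisableDomainTransferLock",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dns-admin"},
     "requestParameters": {"domainName": "example.org"}},
    {"eventTime": "2024-03-01T11:20:00Z", "eventName": "EnableDomainTransferLock",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dns-admin"},
     "requestParameters": {"domainName": "example.org"}},
]

def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_unlock_then_transfer(events, window_seconds=3600, exempt_arns=()):
    """Pair each transfer-lock removal with a transfer of the same domain to another
    account within window_seconds; exempt_arns (hypothetical) lists sanctioned actors."""
    pending = {}    # domain -> unlock event still awaiting a transfer
    findings = []
    for ev in sorted(events, key=_ts):
        domain = ev.get("requestParameters", {}).get("domainName")
        name = ev.get("eventName")
        if name == "DisableDomainTransferLock":
            pending[domain] = ev
        elif name == "EnableDomainTransferLock":
            pending.pop(domain, None)            # lock restored, nothing to chase
        elif name == "TransferDomainToAnotherAwsAccount":
            unlock = pending.pop(domain, None)
            actor = ev["userIdentity"]["arn"]
            if unlock is None or actor in exempt_arns:
                continue
            gap = (_ts(ev) - _ts(unlock)).total_seconds()
            if gap <= window_seconds:
                findings.append({"domain": domain, "seconds_between": int(gap),
                                 "unlocked_by": unlock["userIdentity"]["arn"],
                                 "transferred_by": actor,
                                 "target_account": ev["requestParameters"].get("accountId")})
    return findings

if __name__ == "__main__":
    for finding in find_unlock_then_transfer(SAMPLE_EVENTS):
        print(finding)
```

On the sample data only example.com is reported: example.org was unlocked but re-locked without a transfer.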

AWS Route53 Audit - Private Hosted Zone Associated with a VPC

Associating a private hosted zone with a VPC is a legitimate action that makes Route53 responsible for answering DNS queries in that VPC for the hosted zone's domains. An unsanctioned association can indicate malicious activity.
Impact: An attacker can use this method to associate additional VPCs with the hosted zone, giving them access to the hosted domains. It could also facilitate data exfiltration through DNS tunneling or DNS-based C2 communication.
Mitigation: Review the log and examine the user identity, user agent, and/or hostname that made the change. Validate that this was an authorized action; if not, revert the changes and investigate further.
Mitre Tactic: TA0003
Mitre Technique: T1098

AWS Route53 Audit - DNS Resolver Query Logging Disabled

Route53 is the AWS DNS service. Query logging records all DNS queries made by resources within your Amazon Virtual Private Cloud (VPC).
Impact: Disabling resolver query logging can indicate an attacker trying to conceal C2 communication or DNS requests made to unauthorized or attacker-controlled domains. Stopping DNS logging also hinders any investigation of malicious activity.
Mitigation: Investigate who disabled the logging and why, and re-enable it if needed. If the change was unauthorized, investigate the user who made it and which queries had previously been made (if logging was enabled, they should have been retained in the Coralogix system). Investigate the user's actions further if malicious activity is suspected.
Mitre Tactic: TA0005
Mitre Technique: T1562
Mitre sub-technique: 008

Integration

Learn more about Coralogix's out-of-the-box integration with Amazon Route53 Audit in our documentation.
