Route 53 domain update / deletion alarm

  • 13 September 2023

Hello,

I would like to know if it is possible to track updates / deletion of a Registered Domain in Route 53 through CloudTrail x Lacework.

As this resource is critical, the alarm must be immediately raised.

Thank you for your assistance.

Lucas

Best answer by fredpillet 13 September 2023, 15:55

Hi Lucas,

Update/Deletion of an AWS resource should be logged in CloudTrail, so the LQL source is CloudTrail: CloudTrailRawEvents.
Filter on the right elements in the CloudTrail by looking at the description of the events with the CLI:
lacework query preview-source CloudTrailRawEvents

Now, it looks to be that kind of action:
https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DeleteDomain.html

Then, test your query in the CLI (with the right filters):

queryId: Example_DeleteDomain
queryText: |-
 {
     source {
         CloudTrailRawEvents
     }
     filter {
         EVENT_NAME = 'DeleteDomain'
     }
     return distinct {
         INSERT_ID,
         INSERT_TIME,
         EVENT_TIME,
         EVENT
     }
 }

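The filter logic from the answer above, as an added example that is not part of the original reply or Lacework's own content: a Python filter that goes beyond DeleteDomain to the Route 53 Domains update operations the question asks about, run over constructed CloudTrail records. The `route53domains.amazonaws.com` event source, the `requestParameters.domainName` field and all sample records are assumptions to confirm against your own CloudTrail events.

```python
import json

# Assumption: eventSource recorded for Route 53 registered-domain API calls.
DOMAINS_SOURCE = "route53domains.amazonaws.com"
# Route 53 Domains operations that delete or change a registered domain.
WATCHED = {"DeleteDomain", "TransferDomainToAnotherAwsAccount", "UpdateDomainNameservers",
           "UpdateDomainContact", "UpdateDomainContactPrivacy",
           "DisableDomainTransferLock", "DisableDomainAutoRenew"}

def domain_alerts(records):
    """Return one alert per watched Route 53 Domains call, oldest first."""
    alerts = []
    for rec in records:
        if rec.get("eventSource") != DOMAINS_SOURCE or rec.get("eventName") not in WATCHED:
            continue  # hosted-zone calls and read-only domain calls are ignored
        params = rec.get("requestParameters") or {}
        alerts.append({
            "time": rec.get("eventTime") or "",
            "action": rec["eventName"],
            # Assumption: the domain is carried as requestParameters.domainName.
            "domain": params.get("domainName", "<unknown>"),
            "actor": (rec.get("userIdentity") or {}).get("arn", "<unknown>"),
            # A denied attempt carries errorCode; it is still worth an alert.
            "outcome": "denied" if rec.get("errorCode") else "succeeded",
        })
    return sorted(alerts, key=lambda a: a["time"])

# Constructed sample records, not real log data.
ARN = "arn:aws:iam::111122223333:user/"
SAMPLE = [
    {"eventTime": "2023-09-13T10:02:00Z", "eventSource": DOMAINS_SOURCE,
     "eventName": "UpdateDomainNameservers", "errorCode": "AccessDenied",
     "userIdentity": {"arn": ARN + "example-dev"},
     "requestParameters": {"domainName": "example.com"}},
    {"eventTime": "2023-09-13T10:01:00Z", "eventSource": DOMAINS_SOURCE,
     "eventName": "DeleteDomain", "userIdentity": {"arn": ARN + "example-admin"},
     "requestParameters": {"domainName": "example.com"}},
    {"eventTime": "2023-09-13T10:00:00Z", "eventSource": DOMAINS_SOURCE,
     "eventName": "ListDomains", "userIdentity": {"arn": ARN + "example-dev"}},
    {"eventTime": "2023-09-13T10:03:00Z", "eventSource": "route53.amazonaws.com",
     "eventName": "ChangeResourceRecordSets", "userIdentity": {"arn": ARN + "example-dev"}},
]

if __name__ == "__main__":
    for alert in domain_alerts(SAMPLE):
        print(json.dumps(alert))
```

The same two conditions (event source plus a list of event names) are what the LQL filter block would need to express to cover updates as well as deletion.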