ACM.124: Setting up a domain name for our batch job authentication flow
This is a continuation of my series on Automating Cybersecurity Metrics.
In my last post, I analyzed the Oktapus attacks in 2022 and we considered some mechanisms for preventing a similar attack on our own system that we're building.
It looks like we're going to need a website to facilitate the authentication workflow I've been describing, and that usually starts with a domain name. Since I mentioned in the last post that we want users to be able to easily remember the URL for our batch job management workflow, we'll want to create something simple and memorable.
I'm thinking about using the following domain, which is a subdomain of 2ndsightlab.com (my top-level domain).
Registering a top-level domain name
In order to use that domain I first need to register the top-level domain name (2ndsightlab.com), which I've already done. The domain I listed above is a subdomain. I can create many subdomains for 2ndsightlab.com. One of the most common subdomains is www (in my case www.2ndsightlab.com), though these days most people drop the www and go straight to the top-level domain (TLD) without the www.
If you want to register a domain name you can do that at AWS:
You could also register a domain through a third-party domain name registrar like Google Domains:
Why would you want to use one domain name registrar over another?
One of the benefits of using AWS for everything is that you can get all your support in one place. The benefit of registering a domain at a third-party domain name registrar is that Amazon isn't in control of your entire stack, top to bottom. The other reason you might use one registrar over another is cost, though cheaper registrars might not provide the support you need if your domain is somehow transferred through unauthorized means.
In addition, some registrars will offer TLDs that others don't. For example, one registrar offers domains that end in .biz or .dev and another offers .cloud, .blog, or .news.
Choosing a top-level domain (TLD)
Beware that choosing an unusual TLD might get your domain blocked by some security systems. I wrote about the use of unusual TLDs by malware here:
Since most legitimate domains don't end in these unusual extensions, some DNS administrators will reject requests to resolve them, thereby eliminating some potential malware. If you choose one of these unusual domains it may seem cool, but requests to visit your website might be blocked.
There are a lot of other marketing and intellectual property considerations I'm not going to get into here. Before you choose a domain name, you might want to consult with an IP lawyer and a marketing person, or at least do a little research online, so that you don't pick a domain name you regret later.
Using a domain name on AWS that's registered somewhere else
If you already have a domain name registered somewhere you can use it on AWS. You just need to configure the domain name properly at the DNS registrar. Consult the documentation for the place where you registered your domain name to figure out how to do that. Generally you'll log in and provide the "name servers" that will tell the Internet how to get to the server or system that hosts your website, application, or page.
Here's how you would configure Google Domains to use AWS DNS servers:
The following instructions explain how to create a hosted zone in Route 53.
Once you create this hosted zone you can use that information to configure the DNS servers over at Google Domains (or whatever domain name registrar you're using).
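To confirm that the registrar really points at the hosted zone after this step, here is an added example (not code from the original post) that compares the name servers the registrar lists, or the lines printed by `dig NS yourdomain +short`, with the delegation set in `aws route53 get-hosted-zone` output. The hosted-zone JSON and the registrar values are constructed samples.

```python
"""Confirm the registrar's name servers match the Route 53 hosted zone.

Added example, not code from the original post. The hosted-zone JSON is a
constructed sample shaped like `aws route53 get-hosted-zone` output; the
registrar values are whatever you copied from the registrar's DNS page or
from `dig NS yourdomain +short`.
"""
import json

# Constructed sample of `aws route53 get-hosted-zone --id /hostedzone/ZEXAMPLE123`.
SAMPLE_HOSTED_ZONE_JSON = json.dumps({
    "HostedZone": {"Id": "/hostedzone/ZEXAMPLE123", "Name": "example.com."},
    "DelegationSet": {
        "NameServers": [
            "ns-1.awsdns-01.org",
            "ns-2.awsdns-02.co.uk",
            "ns-3.awsdns-03.com",
            "ns-4.awsdns-04.net",
        ]
    },
})


def normalize_ns(names):
    """Lower-case, trim, and drop trailing dots so the comparison ignores
    cosmetic differences such as 'NS-1.AWSDNS-01.ORG.' vs 'ns-1.awsdns-01.org'."""
    return {n.strip().lower().rstrip(".") for n in names if n.strip()}


def parse_dig_ns_output(text):
    """Turn the lines printed by `dig NS example.com +short` into a set."""
    return normalize_ns(text.splitlines())


def route53_name_servers(hosted_zone_json):
    """Extract the delegation set from get-hosted-zone output."""
    data = json.loads(hosted_zone_json)
    return normalize_ns(data["DelegationSet"]["NameServers"])


def check_delegation(registrar_ns, hosted_zone_json):
    """Compare what the registrar (or the live TLD answer) advertises with
    what Route 53 expects.

    'ok' is True only on an exact match: a partial overlap means some
    resolvers will still be sent to stale servers, which is exactly the
    state in which a leftover name server from a previous host can answer
    for your domain.
    """
    expected = route53_name_servers(hosted_zone_json)
    actual = normalize_ns(registrar_ns)
    return {
        "ok": actual == expected,
        "missing_at_registrar": sorted(expected - actual),
        "unexpected_at_registrar": sorted(actual - expected),
    }


if __name__ == "__main__":
    # Constructed registrar entry with one stale server left over from a previous host.
    registrar = ["ns-1.awsdns-01.org.", "ns-2.awsdns-02.co.uk.", "ns1.oldhost.example."]
    print(json.dumps(check_delegation(registrar, SAMPLE_HOSTED_ZONE_JSON), indent=2))
```

Run it once right after saving the registrar change and again after the registrar's propagation window; the `unexpected_at_registrar` list is the one to watch, because a leftover name server is the entry that keeps answering for your domain after you think you have moved it.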
Moving or transferring a domain name
You may or may not want to move a domain you registered somewhere else over to AWS. These instructions explain how to set up DNS for an existing domain name with minimal service interruptions.
Note that you could skip the steps to actually move the domain to AWS, but if you want to transfer the domain over to manage it all in one place you can. Note that if you move your domain in the middle of your annual renewal cycle you'll pay overlapping fees. Additionally, you'll want to check the cost for the particular domain you're transferring over and make sure AWS supports the TLD.
When you transfer a domain you'll need to unlock it at your registrar in order to allow the transfer, and follow the instructions both at your existing registrar and on AWS to facilitate the transfer. There may be some downtime depending on how your registrar handles the transfer.
Moving a domain between AWS accounts
You can also transfer domains between AWS accounts. Perhaps you created domains over the years and you want to consolidate them into a single account for simpler management. These instructions will help.
The importance of securing your domain name
Too many people don't understand the importance of securing and protecting their domains. Sometimes people sign up with hosting providers who register the domain name for the customer. The customer may not understand that they don't have access to or control over their own domain name. Make sure you register your own domain name and you know who can transfer it or change the configuration settings.
Here are some of the reasons you need to be careful with domain name registrations and configurations:
- If someone can get ahold of your domain name they can set up a Google Workspace on your domain:
- Conversely, if someone removes the required TXT records for services you have authorized via your DNS configuration, those services may fail.
- If someone can change where email is directed for your domain they may be able to reset passwords and take over cloud accounts.
- Another DNS-related attack I discussed at RSA 2020 is called subdomain takeover. You'll want to make sure your subdomains point to proper resources.
- You also don't want people setting up unauthorized subdomains or authorizing unwanted services by gaining access to your DNS configuration.
Now you understand why I always ask customers during a cloud security assessment who has access to the DNS configuration for their domains. On one Google Cloud Platform (GCP) security assessment, the new CISO and staff involved in the assessment had no idea where the domain was registered or who had access to it. Of course they immediately communicated with the executives at the company and addressed that problem after I asked them about it.
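As an added example (not code from the original post) of the kind of review the list above calls for, the following script audits a Route 53 zone export for the things you would want to notice: where mail for the domain is routed, which TXT records authorize third-party services, and CNAME or alias records whose targets are no longer in your inventory, which are the candidates for subdomain takeover. The record-set JSON and the owned-resource inventory are constructed; in practice the inventory would come from your asset management system.

```python
"""Audit a Route 53 zone export for records that deserve a second look.

Added example, not code from the original post. The record list is a
constructed sample shaped like `aws route53 list-resource-record-sets`
output, and OWNED_TARGETS stands in for your real asset inventory.
"""
import json

# Constructed sample zone. The "old-demo" CNAME points at a bucket that is
# no longer in the inventory below: the classic subdomain-takeover setup.
SAMPLE_RECORD_SETS_JSON = json.dumps({"ResourceRecordSets": [
    {"Name": "example.com.", "Type": "MX", "TTL": 300,
     "ResourceRecords": [{"Value": "10 mail.example.com."}]},
    {"Name": "example.com.", "Type": "TXT", "TTL": 300,
     "ResourceRecords": [{"Value": "\"v=spf1 include:_spf.example.net -all\""},
                         {"Value": "\"google-site-verification=abc123\""}]},
    {"Name": "shop.example.com.", "Type": "CNAME", "TTL": 300,
     "ResourceRecords": [{"Value": "shop-prod.example-cdn.net."}]},
    {"Name": "old-demo.example.com.", "Type": "CNAME", "TTL": 300,
     "ResourceRecords": [{"Value": "demo-bucket-2019.s3-website-us-east-1.amazonaws.com."}]},
    {"Name": "app.example.com.", "Type": "A",
     "AliasTarget": {"HostedZoneId": "ZEXAMPLEALB",
                     "DNSName": "my-alb-123.us-east-1.elb.amazonaws.com.",
                     "EvaluateTargetHealth": False}},
]})

# Constructed inventory: DNS names of resources you can confirm you still own.
OWNED_TARGETS = {
    "shop-prod.example-cdn.net",
    "my-alb-123.us-east-1.elb.amazonaws.com",
}


def _norm(name):
    """Lower-case and strip the trailing dot Route 53 puts on every name."""
    return name.strip().lower().rstrip(".")


def audit_zone(record_sets_json, owned_targets):
    """Return mail hosts, TXT authorizations, and CNAME/alias targets not in inventory."""
    owned = {_norm(t) for t in owned_targets}
    report = {"mail_hosts": [], "txt_values": [], "dangling_candidates": []}
    for rr in json.loads(record_sets_json)["ResourceRecordSets"]:
        name, rtype = _norm(rr["Name"]), rr["Type"]
        values = [v["Value"] for v in rr.get("ResourceRecords", [])]
        if rtype == "MX":
            # "10 mail.example.com." -> host only; whoever runs this host receives
            # your password-reset mail, so the list must match what you expect.
            report["mail_hosts"].extend(_norm(v.split()[-1]) for v in values)
        elif rtype == "TXT":
            # TXT values are quoted in Route 53 output; each one typically
            # authorizes some external service to act for the domain.
            report["txt_values"].extend(v.strip('"') for v in values)
        elif rtype == "CNAME":
            for v in values:
                if _norm(v) not in owned:
                    report["dangling_candidates"].append((name, _norm(v)))
        elif "AliasTarget" in rr:
            target = _norm(rr["AliasTarget"]["DNSName"])
            if target not in owned:
                report["dangling_candidates"].append((name, target))
    return report


if __name__ == "__main__":
    print(json.dumps(audit_zone(SAMPLE_RECORD_SETS_JSON, OWNED_TARGETS), indent=2))
```

A record in `dangling_candidates` is not proof of a takeover, only a pointer at something that is no longer in your inventory; the fix is the same either way: delete the record or re-point it at a resource you control.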
Locking down DNS configurations on AWS
You can lock down DNS configurations on AWS by restricting access to Route 53 using IAM and organizational policies. However, you may need certain people to be able to configure some aspects of DNS but not be able to delete and de-register your domains.
One approach would be to put all your domains in a single account that's accessible only by a limited set of people who are responsible for domain name configurations. You might even require that users use a separate login when dealing with domains, and closely monitor those logins.
Then, create NS records in separate accounts to handle subdomains and hosting. I've used that approach for penetration testing resources and subdomains associated with cloud security classes. We'll look at how to automate that in an upcoming post, but first we'll consider governance for DNS records.
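An added example (not the post's own code) of what this separation looks like in practice: an IAM policy for a DNS-operator role that can edit records in one hosted zone but is explicitly denied zone deletion and the Route 53 Domains actions that unlock, re-point, or transfer the registration, plus the change batch that creates the NS record delegating a subdomain to a hosted zone in another account. The hosted zone id, subdomain, and name-server names are constructed placeholders; the IAM action names are real.

```python
"""Least-privilege Route 53 operator policy and a subdomain delegation record.

Added example, not the post's own code. The hosted zone id, subdomain and
name-server names are constructed placeholders; the IAM action names are
real Route 53 and Route 53 Domains actions.
"""
import fnmatch
import json


def dns_operator_policy(hosted_zone_id):
    """Policy for people who edit records in one zone but must never delete
    the zone or unlock, re-point, or transfer the registered domain.

    IAM evaluates an explicit Deny ahead of any Allow, so the last statement
    holds even if a broader Allow is attached to the same principal elsewhere.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "EditRecordsInOneZone", "Effect": "Allow",
             "Action": ["route53:ChangeResourceRecordSets",
                        "route53:ListResourceRecordSets",
                        "route53:GetHostedZone"],
             "Resource": f"arn:aws:route53:::hostedzone/{hosted_zone_id}"},
            {"Sid": "ReadOnlyHousekeeping", "Effect": "Allow",
             "Action": ["route53:ListHostedZones", "route53:GetChange"],
             "Resource": "*"},
            {"Sid": "NeverDeleteOrTransfer", "Effect": "Deny",
             "Action": ["route53:DeleteHostedZone",
                        "route53domains:DeleteDomain",
                        "route53domains:DisableDomainTransferLock",
                        "route53domains:TransferDomain",
                        "route53domains:TransferDomainToAnotherAwsAccount",
                        "route53domains:UpdateDomainNameservers",
                        "route53domains:UpdateDomainContact"],
             "Resource": "*"},
        ],
    }


def action_is_explicitly_denied(policy, action):
    """Simplified IAM evaluation: a matching Deny statement wins regardless of Allows."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(fnmatch.fnmatchcase(action, p) for p in patterns):
            return True
    return False


def delegation_change_batch(subdomain, child_name_servers, ttl=300):
    """ChangeBatch for `aws route53 change-resource-record-sets` that creates or
    replaces the NS record in the parent zone delegating `subdomain` to the
    hosted zone (in another account) whose delegation set is child_name_servers.
    """
    fqdn = subdomain.rstrip(".") + "."
    return {
        "Comment": f"Delegate {fqdn} to a hosted zone in another account",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": fqdn,
                "Type": "NS",
                "TTL": ttl,
                "ResourceRecords": [{"Value": ns.rstrip(".") + "."} for ns in child_name_servers],
            },
        }],
    }


if __name__ == "__main__":
    print(json.dumps(dns_operator_policy("ZEXAMPLE123"), indent=2))
    print(json.dumps(delegation_change_batch(
        "pentest.example.com", ["ns-10.awsdns-10.com", "ns-11.awsdns-11.net"]), indent=2))
```

Save the change batch to a file and apply it in the parent-zone account with `aws route53 change-resource-record-sets --hosted-zone-id <PARENT_ZONE_ID> --change-batch file://delegate.json`; the subdomain's own records then live, and are managed, in the child account, so a compromised credential there can touch that subdomain's records but not the registration or the parent zone.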
Follow for updates.
Teri Radichel
© 2nd Sight Lab 2022