Prevent Route53 Domain Expiration: Lesson Learned from Hotstar

Disney+ Hotstar's outage and AWS services, CSPM

I. Introduction

II. Amazon Route53 Domain Expiration Protection

III. AWS Trusted Advisor

IV. How Amazon Route53 and AWS Trusted Advisor could have helped Hotstar

V. Trend Micro Conformity

VI. How Trend Micro Conformity could have helped prevent Hotstar's domain expiration

VII. Setting up domain renewal alerts in Trend Micro Conformity

VIII. Conclusion

Introduction

On the day of a much-awaited cricket match, Hotstar’s streaming service went down, leaving fans disappointed. It was later revealed that Hotstar's domain had expired. This mistake is not unique to Hotstar, as many big companies have made the same blunder. This article discusses how to prevent domain expiration and avoid the consequences of such errors.

I was surprised at how Hotstar failed in domain renewal, considering the extensive security measures they have in place. The following are some pointers from the blog:

  • Hotstar's infrastructure is highly scalable and built with the ideology of "build for failure."

  • The security team was recently created and has focused on areas such as ingress rules, DNS misconfigurations, and secret management.

  • Hotstar follows a shared responsibility model between the security team and service owners, with engineers responsible for the infrastructure they own and access.

  • The security team employs a "Control Line and Mop-Up Strategy" to clean up old misconfigurations and vulnerabilities.

  • They also use "HotSpotting and Knocking Down" to pinpoint focus areas for evangelization sessions and recognize security champions.

  • Automation and metrics are heavily relied upon to measure the success of their strategy.

Despite all these security measures, it seems that the domain renewal issue slipped through the cracks. This highlights the need for continuous vigilance and improvement in security, as well as the importance of a comprehensive security strategy that covers all aspects of the organization.

| Technology Stack | Security/Strategy |
| --- | --- |
| Hotstar's Infrastructure | Highly Scalable |
| DevOps team created tools and platforms | CI/CD Pipeline, Orchestration, Deployment Portals, Service Availability or Health Dashboards |
| Kubernetes Clusters | Double-digit clusters |
| Security Posture | Solid security posture needed |
| Attack Surface | Fairly broad attack surface |
| Key Focus | High security posture during the cricket season |
| Internal Resources | Controls on ingress rules for services and resource-based policies for AWS Resources |
| DNS Misconfigurations | Avoiding DNS misconfigurations |
| Violation of Principle of Least Privilege | Reviewing various systems that were used to provision access to ensure access was retained as needed |
| Secret Management | Handling secrets sensitively |
| Accountability and Auditing | Assets should have their owners tagged with access policy defined with auditing capability |
| Security Philosophy | Balancing security and business needs and creating the least friction possible |
| Responsibility Model | Shared responsibility model between Security Team and Service Owners |
| Strategy | Control Line and Mop-Up Strategy and HotSpotting and Knocking Down |
| Automation | Automation was heavily used to bring the security strategy into action and to measure the success of the security posture |

Hotstar's streaming service went down on the day of an important cricket match due to their domain expiring. This could have been avoided if they had enabled Amazon Route53 Domain Expiration Protection or used AWS Trusted Advisor. Both of these tools help to prevent accidental domain expiration and reduce the risk of unexpected downtime.

Amazon Route53 Domain Expiration Protection

Amazon Route53 Domain Expiration Protection allows customers to set an automatic renewal period for their domains, and AWS will attempt to renew the domain registration before the expiration date.

Many such rules detect Route53 domains that will expire in 30 days or less. An expired Amazon Route53 domain can cause website or application downtime or failure. An expired domain could also be taken over by a malicious individual or deleted by the domain registrar.

AWS Trusted Advisor

AWS Trusted Advisor provides guidance and best practices for optimizing AWS infrastructure, including identifying potential issues before they become major problems.

How Amazon Route53 and AWS Trusted Advisor could have helped Hotstar

The combination of Amazon Route53 and AWS Trusted Advisor could have helped Hotstar avoid the blunder of domain expiration by providing proactive monitoring and management of their domain registration and DNS system, as the following pointers show:

  1. Route53 could have been used as the domain registrar to manage the domain registration and renewal process. With Route53, Hotstar could have set up auto-renewal for their domain, which would have ensured that the domain was renewed before it expired.

  2. AWS Trusted Advisor could have alerted Hotstar to the impending expiration of their domain. Trusted Advisor provides a comprehensive set of checks and recommendations for optimizing AWS resources, including domains. It could have notified Hotstar of the upcoming expiration and recommended actions to take to avoid any disruptions to their service.

  3. Route53 also offers DNS health checks that monitor the health and performance of the DNS system. This would have helped Hotstar identify any issues with their domain before they became a problem.
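The expiry and auto-renewal checks described above can also be scripted. The following is an added example, not code from Hotstar, AWS, or Trend Micro: it classifies domains in the shape returned by the Route 53 Domains `ListDomains` API, using the 30-day window mentioned earlier. The sample domain names, the severity labels, and the policy of still warning when auto-renew is on are assumptions made for illustration.

```python
from datetime import datetime, timezone

THRESHOLD_DAYS = 30  # the "30 days or less" window described in this article

def audit_domains(domains, now, threshold_days=THRESHOLD_DAYS):
    """Classify entries shaped like route53domains ListDomains results."""
    findings = []
    for d in domains:
        expiry = d["Expiry"]
        if expiry.tzinfo is None:          # treat naive timestamps as UTC
            expiry = expiry.replace(tzinfo=timezone.utc)
        days_left = (expiry - now).days
        auto = d.get("AutoRenew", False)
        if days_left < 0:
            severity = "EXPIRED"
        elif days_left <= threshold_days:
            # Auto-renew on but still inside the window: confirm the renewal
            # really went through (assumed policy for this example).
            severity = "WARN" if auto else "CRITICAL"
        elif not auto:
            severity = "INFO"              # not urgent, but nothing will renew it
        else:
            continue
        findings.append((severity, d["DomainName"], days_left))
    return sorted(findings, key=lambda f: f[2])

def fetch_registered_domains():
    """Live lookup; needs boto3 and credentials with route53domains:ListDomains."""
    import boto3
    client = boto3.client("route53domains", region_name="us-east-1")
    pages = client.get_paginator("list_domains").paginate()
    return [d for page in pages for d in page["Domains"]]

def _utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed sample data (hypothetical domains), same shape as the API output.
NOW = _utc(2024, 1, 1)
SAMPLE = [
    {"DomainName": "example-stream.test", "AutoRenew": False, "Expiry": _utc(2024, 1, 15)},
    {"DomainName": "example-shop.test", "AutoRenew": True, "Expiry": _utc(2024, 1, 25)},
    {"DomainName": "example-old.test", "AutoRenew": False, "Expiry": _utc(2023, 12, 20)},
    {"DomainName": "example-ok.test", "AutoRenew": True, "Expiry": _utc(2024, 9, 1)},
    {"DomainName": "example-manual.test", "AutoRenew": False, "Expiry": _utc(2024, 6, 1)},
]

if __name__ == "__main__":
    for severity, name, days in audit_domains(SAMPLE, NOW):
        print(f"{severity:8} {name:22} {days:4} days left")
```

To run it against a real account, pass `fetch_registered_domains()` and `datetime.now(timezone.utc)` to `audit_domains` from a scheduled job and route the findings to the team's alerting channel.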

Trend Micro Cloud One Conformity

Trend Micro Cloud One Conformity is a cloud security posture management tool that ensures compliance and security best practices are being followed in cloud environments.

How Trend Micro Conformity could have helped prevent Hotstar's domain expiration

While it may not have directly prevented the domain expiration, it could have alerted the Hotstar team to the upcoming expiration and helped ensure that the necessary steps were taken to renew the domain.

Setting up domain renewal alerts in Trend Micro Conformity

To set up domain renewal alerts in Trend Micro Conformity, add your AWS account to Conformity, navigate to the "Rules" tab, select "AWS Security Best Practices," and set up the rule with the appropriate notification channel and threshold for days remaining before expiration. Once the rule is active, Conformity will check the expiration date of your domains regularly and send an alert when the number of days remaining before expiration reaches the threshold.

Conclusion

In conclusion, using tools like Amazon Route53 Domain Expiration Protection, AWS Trusted Advisor, and Trend Micro Cloud One Conformity can help prevent domain expiration and reduce the risk of unexpected downtime. It is important for companies to use these tools and services to ensure the smooth operation of their websites and applications.
