Prevent Route53 Domain Expiration: Lesson Learned from Hotstar
Disney+ Hotstar's outage and AWS services, CSPM
Table of contents
- Introduction
- Amazon Route53 Domain Expiration Protection
- AWS Trusted Advisor
- How Amazon Route53 and AWS Trusted Advisor could have helped Hotstar
- Trend Micro Cloud One Conformity
- How Trend Micro Conformity could have helped prevent Hotstar's domain expiration?
- Setting up domain renewal alerts in Trend Micro Conformity
- Conclusion
- Reference Link:
Introduction
On the day of a much-awaited cricket match, Hotstar’s streaming service went down, leaving fans disappointed. It was later revealed that Hotstar's domain had expired. This mistake is not unique to Hotstar, as many big companies have made the same blunder. This article discusses how to prevent domain expiration and avoid the consequences of such errors.
I was surprised at how Hotstar failed in domain renewal, considering the extensive security measures they have in place. The following are some pointers from the blog:
- Hotstar's infrastructure is highly scalable and built with the ideology of "build for failure."
- The security team was recently created and has focused on areas such as ingress rules, DNS misconfigurations, and secret management.
- Hotstar follows a shared responsibility model between the security team and service owners, with engineers responsible for the infrastructure they own and access.
- The security team employs a "Control Line and Mop-Up Strategy" to clean up old misconfigurations and vulnerabilities.
- They also use "HotSpotting and Knocking Down" to pinpoint focus areas for evangelization sessions and recognize security champions.
- Automation and metrics are heavily relied upon to measure the success of their strategy.
Despite all these security measures, it seems that the domain renewal issue slipped through the cracks. This highlights the need for continuous vigilance and improvement in security, as well as the importance of a comprehensive security strategy that covers all aspects of the organization.
| Technology Stack | Security/Strategy |
| --- | --- |
| Hotstar's Infrastructure | Highly Scalable |
| DevOps team created tools and platforms | CI/CD Pipeline, Orchestration, Deployment Portals, Service Availability or Health Dashboards |
| Kubernetes Clusters | Double-digit clusters |
| Security Posture | Solid security posture needed |
| Attack Surface | Fairly broad attack surface |
| Key Focus | High security posture during the cricket season |
| Internal Resources | Controls on ingress rules for services and resource-based policies for AWS Resources |
| DNS Misconfigurations | Avoiding DNS misconfigurations |
| Violation of Principle of Least Privilege | Reviewing various systems that were used to provision access to ensure access was retained as needed |
| Secret Management | Handling secrets sensitively |
| Accountability and Auditing | Assets should have their owners tagged with access policy defined with auditing capability |
| Security Philosophy | Balancing security and business needs and creating the least friction possible |
| Responsibility Model | Shared responsibility model between Security Team and Service Owners |
| Strategy | Control Line and Mop-Up Strategy and HotSpotting and Knocking Down |
| Automation | Automation was heavily used to bring the security strategy into action and to measure the success of the security posture |
(edited because of table typo:-)
Hotstar's streaming service went down on the day of an important cricket match due to their domain expiring. This could have been avoided if they had enabled Amazon Route53 Domain Expiration Protection or used AWS Trusted Advisor. Both of these tools help to prevent accidental domain expiration and reduce the risk of unexpected downtime.
Amazon Route53 Domain Expiration Protection
Amazon Route53 Domain Expiration Protection allows customers to set an automatic renewal period for their domains, and AWS will attempt to renew the domain registration before the expiration date.
Many such rules detect Route53 domains that will expire in 30 days or less. An expired Amazon Route53 domain can cause website or application downtime or failure. An expired domain could be taken over by a malicious individual or deleted by the domain registrar.
AWS Trusted Advisor
AWS Trusted Advisor provides guidance and best practices for optimizing AWS infrastructure, including identifying potential issues before they become major problems.
How Amazon Route53 and AWS Trusted Advisor could have helped Hotstar
The combination of Amazon Route53 and AWS Trusted Advisor could have helped Hotstar avoid the blunder of domain expiration by providing proactive monitoring and management of their domain registration and DNS system:
- Route53 could have been used as the domain registrar to manage the domain registration and renewal process. With Route53, Hotstar could have set up auto-renewal for their domain, which would have ensured that the domain was renewed before it expired.
- AWS Trusted Advisor could have alerted Hotstar to the impending expiration of their domain. Trusted Advisor provides a comprehensive set of checks and recommendations for optimizing AWS resources, including domains. It could have notified Hotstar of the upcoming expiration and recommended actions to take to avoid any disruptions to their service.
- Route53 also offers DNS health checks that monitor the health and performance of the DNS system. This would have helped Hotstar identify any issues with their domain before they became a problem.
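The two checks described above (auto-renew enabled, and expiry inside the 30 and 45 day windows) can be combined into one audit. This is an added example, not code from AWS, Trend Micro or Hotstar; the `.example` domains and dates are constructed sample data, the entries are assumed to have the shape of the Route 53 Domains `ListDomains` response, and `fetch_registered_domains` assumes `boto3` and AWS credentials are available.

```python
"""Flag Route 53 registered domains that are near expiry or not auto-renewing."""
from datetime import datetime, timedelta, timezone

# Alert windows taken from the 30-day and 45-day expiry rules this page mentions.
THRESHOLDS_DAYS = (30, 45)

def audit_domains(domains, now=None):
    """Return findings, most urgent first. Each entry is assumed to look like
    {"DomainName": str, "AutoRenew": bool, "Expiry": timezone-aware datetime}."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for d in domains:
        days_left = (d["Expiry"] - now).days
        issues = []
        if not d.get("AutoRenew", False):
            issues.append("auto-renew disabled")
        if days_left < 0:
            issues.append("expired")
        else:
            # Report only the tightest window the domain falls into.
            for window in sorted(THRESHOLDS_DAYS):
                if days_left <= window:
                    issues.append(f"expires within {window} days")
                    break
        if issues:
            findings.append({"domain": d["DomainName"],
                             "days_left": days_left, "issues": issues})
    return sorted(findings, key=lambda f: f["days_left"])

def fetch_registered_domains():
    """Live input (assumes boto3 + credentials); the API is served from us-east-1."""
    import boto3
    client = boto3.client("route53domains", region_name="us-east-1")
    return [d for page in client.get_paginator("list_domains").paginate()
            for d in page["Domains"]]

# Constructed sample data, evaluated against a fixed clock so results are stable.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"DomainName": "streaming.example", "AutoRenew": False, "Expiry": NOW + timedelta(days=12)},
    {"DomainName": "static.example", "AutoRenew": True, "Expiry": NOW + timedelta(days=40)},
    {"DomainName": "corp.example", "AutoRenew": True, "Expiry": NOW + timedelta(days=300)},
    {"DomainName": "legacy.example", "AutoRenew": False, "Expiry": NOW - timedelta(days=3)},
]

if __name__ == "__main__":
    for f in audit_domains(SAMPLE, now=NOW):
        print(f'{f["domain"]:20} {f["days_left"]:>4}d  {", ".join(f["issues"])}')
```

Domains with auto-renew enabled are still reported inside the expiry windows, because a renewal attempt can fail and the alert is the backstop.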
Trend Micro Cloud One Conformity
Trend Micro Cloud One Conformity is a cloud security posture management tool that ensures compliance and security best practices are being followed in cloud environments.
How Trend Micro Conformity could have helped prevent Hotstar's domain expiration?
While it may not have directly prevented the domain expiration, it could have alerted the Hotstar team to the upcoming expiration and helped ensure that the necessary steps were taken to renew the domain.
Setting up domain renewal alerts in Trend Micro Conformity
To set up domain renewal alerts in Trend Micro Conformity, add your AWS account to Conformity, navigate to the "Rules" tab, select "AWS Security Best Practices," and set up the rule with the appropriate notification channel and threshold for days remaining before expiration. Once the rule is active, Conformity will check the expiration date of your domains regularly and send an alert when the number of days remaining before expiration reaches the threshold.
Conclusion
In conclusion, using tools like Amazon Route53 Domain Expiration Protection, AWS Trusted Advisor, and Trend Micro Cloud One Conformity can help prevent domain expiration and reduce the risk of unexpected downtime. It is important for companies to use these tools and services to ensure the smooth operation of their websites and applications.
Reference Link:
1. Amazon Route53: https://aws.amazon.com/route53/
2. AWS Trusted Advisor: https://aws.amazon.com/premiumsupport/trustedadvisor/
3. Cloud Security Posture Management, Trend Micro Conformity:
   - Ensure your domain names are automatically renewed by AWS Route 53 service.
   - Ensure expired AWS Route 53 domain names are restored.
   - Route 53 Domain Expiry 30 Days: Ensure AWS Route 53 domain names are renewed before their expiration.
   - Route 53 Domain Expiry 45 Days: Ensure AWS Route 53 domain names are renewed before their expiration (45 days before expiration).
   - Ensure AWS Route 53 domain names are renewed before their expiration.