Skip to content

domain-protect/terraform-aws-domain-protect

Folders and files

NameName
Last commit message
Last commit date

Latest commit

ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 

Repository files navigation

OWASP Domain Protect

Version Python 3.x License OWASP Maturity OpenSSF Scorecard OpenSSF Best Practices

Published as a public Terraform registry module

Prevent subdomain takeover ...

... with serverless cloud infrastructure

OWASP Global AppSec Dublin - talk and demo

Talk and demo on YouTube

Features

  • scan Amazon Route53 across an AWS Organization for domain records vulnerable to takeover
  • scan Cloudflare for vulnerable DNS records
  • take over vulnerable subdomains yourself before attackers and bug bounty researchers
  • automatically create known issues in Bugcrowd or HackerOne
  • vulnerable domains in Google Cloud DNS can be detected by Domain Protect for GCP
  • manual scans of cloud accounts with no installation

Installation

Here is a basic example with slack integration

module "domain_protect" {
  source  = "domain-protect/domain-protect/aws"
  # It is recommended to pin every module to a specific version
  # version = "x.x.x"

  ip_address               = true
  org_primary_account      = "123456789012"
  environment              = "prd"
  security_audit_role_name = "domain-protect-audit"
  takeover                 = false
  slack_channels           = ["security-alerts"]
  slack_webhook_urls       = ["https://hooks.slack.com/services/XXXXXXX/YYYYYYYYYYY"]
}

Migration

See migration for a guide to migrating from the original Domain Protect repository to the Terraform Module

Collaboration

๐Ÿ“ข We welcome contributions! Please see the OWASP Domain Protect website for more details.

Documentation

๐Ÿ“„ Detailed documentation is on our Docs site

Limitations

This tool cannot guarantee 100% protection against subdomain takeovers.

Requirements

Name Version
terraform > 1
archive > 2.2.0
aws > 5.12.0
null > 3.1.0
random > 3.1.0

Providers

No providers.

Modules

Name Source Version
accounts_event ./modules/cloudwatch n/a
accounts_event_ips ./modules/cloudwatch n/a
accounts_role ./modules/iam n/a
accounts_role_ips ./modules/iam n/a
cloudflare_event ./modules/cloudwatch n/a
cloudwatch_event ./modules/cloudwatch n/a
dynamodb ./modules/dynamodb n/a
dynamodb_ips ./modules/dynamodb-ips n/a
kms ./modules/kms n/a
lambda ./modules/lambda n/a
lambda_accounts ./modules/lambda-accounts n/a
lambda_accounts_ips ./modules/lambda-accounts n/a
lambda_cloudflare ./modules/lambda-cloudflare n/a
lambda_resources ./modules/lambda-resources n/a
lambda_role ./modules/iam n/a
lambda_role_ips ./modules/iam n/a
lambda_scan ./modules/lambda-scan n/a
lambda_scan_ips ./modules/lambda-scan-ips n/a
lambda_slack ./modules/lambda-slack n/a
lambda_takeover ./modules/lambda-takeover n/a
lamdba_stats ./modules/lambda-stats n/a
resources_event ./modules/cloudwatch n/a
resources_role ./modules/iam n/a
sns ./modules/sns n/a
sns_dead_letter_queue ./modules/sns n/a
step_function ./modules/step-function n/a
step_function_ips ./modules/step-function n/a
step_function_role ./modules/iam n/a
takeover_role ./modules/iam n/a

Resources

No resources.

Inputs

Name Description Type Default Required
allowed_regions If SCPs block certain regions across all accounts, optionally replace with string formatted list of allowed regions string "['all']" no
bugcrowd Set to enabled for Bugcrowd integration string "disabled" no
bugcrowd_api_key Bugcrowd API token string "" no
bugcrowd_email Email address of Bugcrowd researcher service account string "" no
bugcrowd_state State in which issue is created, e.g. new, triaged, unresolved, resolved string "unresolved" no
cf_api_key Cloudflare API token string "" no
cloudflare Set to true to enable CloudFlare bool false no
cloudflare_lambdas list of names of Lambda files in the lambda-cloudflare/code folder list(any)
[
"cloudflare-scan"
]
no
environment Environment deploying to, defaults to terraform.workspace - optionally enter in tfvars file string "" no
external_id external ID for security audit role to be defined in tvars file. Leave empty if not configured string "" no
hackerone Set to enabled for HackerOne integration string "disabled" no
hackerone_api_token HackerOne API token string "" no
ip_address Set to true to enable A record checks using IP address scans bool false no
ip_scan_schedule schedule for IP address scanning used in A record checks string "24 hours" no
ip_time_limit maximum time in hours since IP last detected, before considering IP as no longer belonging to organisation string "48" no
lambdas list of names of Lambda files in the lambda/code folder list(any)
[
"current",
"update"
]
no
memory_size Memory allocation for scanning Lambda functions number 128 no
memory_size_ip Memory allocation for scan IP Lambda functions number 256 no
memory_size_slack Memory allocation for Slack Lambda functions number 128 no
org_primary_account The AWS account number of the organization primary account string n/a yes
permissions_boundary_arn permissions boundary ARN to attach to every IAM role string null no
platform Python platform used for install of Regex and other libraries string "manylinux2014_x86_64" no
production_environment Name of production environment - takeover is only turned on in this environment string "" no
production_workspace Deprecated, use production_environment. Will be removed in a future release string "prd" no
project abbreviation for the project, forms first part of resource names string "domain-protect" no
rcu DynamoDB Read Capacity Units for vulnerability database number 3 no
reports_schedule schedule for running reports, e.g. 24 hours. Irrespective of setting, you will be immediately notified of new vulnerabilities string "24 hours" no
runtime Lambda language runtime. Defaults to the python-version in repo and can be overridden. string "" no
scan_schedule schedule for running domain-protect scans, e.g. 24 hours string "24 hours" no
security_audit_role_name security audit role name which needs to be the same in all AWS accounts string "domain-protect-audit" no
slack_channels List of Slack Channels - enter in tfvars file list(string) [] no
slack_emoji Slack emoji string ":warning:" no
slack_fix_emoji Slack fix emoji string ":white_check_mark:" no
slack_new_emoji Slack emoji for new vulnerability string ":octagonal_sign:" no
slack_username Slack username appearing in the from field in the Slack message string "Domain Protect" no
slack_webhook_type Slack webhook type, can be legacy or app string "legacy" no
slack_webhook_urls List of Slack webhook URLs, in the same order as the slack_channels list - enter in tfvars file list(string) [] no
stats_schedule Cron schedule for the stats message string "cron(0 9 1 * ? *)" no
takeover Create supported resource types to prevent malicious subdomain takeover bool false no
update_lambdas list of Cloudflare Lambda functions updating vulnerability status list(any)
[
"update"
]
no
update_schedule schedule for running domain-protect update function, e.g. 24 hours string "24 hours" no
vpc_config Provide this to allow your function to access your VPC (if both 'subnet_ids' and 'security_group_ids' are empty then
vpc_config is considered to be empty or unset, see https://docs.aws.amazon.com/lambda/latest/dg/vpc.html for details).
object({
security_group_ids = list(string)
subnet_ids = list(string)
})
null no
wcu DynamoDB Write Capacity Units for vulnerability database number 2 no

Outputs

Name Description
accounts_event Outputs of module.accounts_event
accounts_event_ips Outputs of module.accounts_event_ips
accounts_role Outputs of module.accounts_role
accounts_role_ips Outputs of module.accounts_role_ips
cloudflare_event Outputs of module.cloudflare_event
cloudwatch_event Outputs of module.cloudwatch_event
dynamodb Outputs of module.dynamodb
dynamodb_ips Outputs of module.dynamodb_ips
kms Outputs of module.kms
lambda Outputs of module.lambda
lambda_accounts Outputs of module.lambda_accounts
lambda_accounts_ips Outputs of module.lambda_accounts_ips
lambda_cloudflare Outputs of module.lambda_cloudflare
lambda_resources Outputs of module.lambda_resources
lambda_role Outputs of module.lambda_role
lambda_role_ips Outputs of module.lambda_role_ips
lambda_scan Outputs of module.lambda_scan
lambda_scan_ips Outputs of module.lambda_scan_ips
lambda_slack Outputs of module.lambda_slack
lambda_takeover Outputs of module.lambda_takeover
lamdba_stats Outputs of module.lamdba_stats
resources_event Outputs of module.resources_event
resources_role Outputs of module.resources_role
sns Outputs of module.sns
sns_dead_letter_queue Outputs of module.sns_dead_letter_queue
step_function Outputs of module.step_function
step_function_ips Outputs of module.step_function_ips
step_function_role Outputs of module.step_function_role
takeover_role Outputs of module.takeover_role