Unable to detect the required value within an array of JSON values when using RQL of Prisma Cloud Policy 'AWS Route53 Hosted Zone having dangling DNS record with subdomain takeover risk associated with AWS S3 Bucket'
Created On 12/08/23 04:38 AM - Last Modified 12/08/23 09:19 AM
Symptom
- Prisma Cloud Policy 'AWS Route53 Hosted Zone having dangling DNS record with subdomain takeover risk associated with AWS S3 Bucket' is used to identify AWS Route53 Hosted Zones that have a CNAME entry pointing to a non-existent S3 bucket. Such dangling domain entries are at risk of being taken over by an attacker who creates an S3 bucket with the same name in any AWS account the attacker owns or controls
- While this Policy RQL outputs its results as Route 53 Hosted Zones, it does not list the individual dangling domain entries
Environment
- Prisma Cloud Enterprise Edition (SaaS)
Cause
- We perform RQL on an API level and not on a Metadata level
- This Policy has a false negative issue when a DNS record of type CNAME is configured with multiple values, some pointing to existing S3 buckets and some to non-existent ones
- This is a corner case where the Policy RQL is limited in alerting on such DNS records
- Handling it requires nested array RQL grammar support, because two or more entries within a single 'CNAME' record point to a deleted S3 bucket.
Resolution
- There is an existing Feature Enhancement Request to allow this to work with Account Condition and multi-joint RQL, with no ETA at this time
- To obtain precise results for join RQLs, include the cloud.account condition in the RQL query
config from cloud.resource where cloud.account='AWS Test Account' and api.name = 'aws-route53-list-hosted-zones' AND json.rule = hostedZone.config.privateZone is false and resourceRecordSet[?any( type equals CNAME and resourceRecords[*].value contains s3-website )] exists as X; config from cloud.resource where api.name = 'aws-s3api-get-bucket-acl' as Y; filter 'not ($.X.resourceRecordSet[*].name intersects $.Y.bucketName)'; show X;
- Execute the Policy RQL with cloud.account condition in the Investigate page and access the Resource Config JSON
- If a large number of DNS records are returned, use the Toggle Search with the keyword "s3" and ensure that the record type is set to "CNAME" as shown below
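The per-value check that the Cause section says the current RQL grammar cannot express, and the dangling-entry output the Symptom section says the Policy does not provide, as an added Python example that is not part of this article or of Prisma Cloud: it walks hosted zone config of the shape the query above inspects and reports every CNAME value whose S3 website bucket is missing, so a record that mixes live and deleted buckets is still flagged. Assumed: the bucket name is derived from the s3-website endpoint in each CNAME value (the RQL above compares record names to bucket names instead), and the sample zones and bucket list are constructed.

```python
import re

# Assumed S3 website endpoint forms: "bucket.s3-website-REGION.amazonaws.com" and
# "bucket.s3-website.REGION.amazonaws.com"; the trailing dot of a DNS value is optional.
S3_WEBSITE_RE = re.compile(r"^(?P<bucket>[a-z0-9][a-z0-9.-]+)\.s3-website[.-][a-z0-9-]+\.amazonaws\.com\.?$")


def bucket_from_cname(value):
    """Return the S3 bucket name an S3 website CNAME target refers to, or None."""
    m = S3_WEBSITE_RE.match(value.strip().lower())
    return m.group("bucket") if m else None


def find_dangling_records(hosted_zones, existing_buckets):
    """Return (zone, record name, CNAME value, bucket) for each CNAME value whose bucket does
    not exist. Every value is checked on its own, so a record that mixes live and deleted
    buckets (the false-negative case described under Cause) is still reported."""
    findings = []
    for zone in hosted_zones:
        if zone["hostedZone"]["config"]["privateZone"]:
            continue  # the policy only covers public hosted zones
        for rrset in zone["resourceRecordSet"]:
            if rrset["type"] != "CNAME":
                continue
            for rr in rrset["resourceRecords"]:
                bucket = bucket_from_cname(rr["value"])
                if bucket and bucket not in existing_buckets:
                    findings.append((zone["hostedZone"]["name"], rrset["name"], rr["value"], bucket))
    return findings


# Constructed sample data shaped like the aws-route53-list-hosted-zones config JSON; the
# "mixed" record has one value pointing at a live bucket and one at a deleted bucket.
HOSTED_ZONES = [
    {"hostedZone": {"name": "example.com.", "config": {"privateZone": False}},
     "resourceRecordSet": [
         {"name": "www.example.com.", "type": "CNAME",
          "resourceRecords": [{"value": "www.example.com.s3-website-us-east-1.amazonaws.com"}]},
         {"name": "mixed.example.com.", "type": "CNAME",
          "resourceRecords": [{"value": "live.example.com.s3-website.eu-west-1.amazonaws.com"},
                              {"value": "old.example.com.s3-website-us-west-2.amazonaws.com"}]},
         {"name": "mail.example.com.", "type": "MX", "resourceRecords": [{"value": "10 mx.example.com."}]}]},
    {"hostedZone": {"name": "corp.internal.", "config": {"privateZone": True}},
     "resourceRecordSet": [
         {"name": "app.corp.internal.", "type": "CNAME",
          "resourceRecords": [{"value": "gone.corp.internal.s3-website-us-east-1.amazonaws.com"}]}]},
]
# Constructed bucket names, as the aws-s3api-get-bucket-acl side of the join would provide them.
EXISTING_BUCKETS = {"www.example.com", "live.example.com"}
```

Running `find_dangling_records(HOSTED_ZONES, EXISTING_BUCKETS)` returns only the `old.example.com` value of the mixed record; the live value, the MX record and the private zone are skipped.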
Additional Information
- Cross Account Join for RQL : RQL Operators
- For more details on the Feature Request and its ETA, kindly reach out to your Accounts / Customer Success team