False positive Route53 record is a dangling IP which can lead to a subdomain takeover attack

[kanton10062006]

Issue search

• I have searched the existing issues and this bug has not been reported yet

Which component is affected?

Prowler CLI/SDK

Cloud Provider (if applicable)

AWS

Steps to Reproduce

1. Create an EC2 instance in a public subnet in us-west-1 while having Route53 hosted zone in us-east-1
2. Assign an Elastic IP address to this instance
3. Run prowler

Expected behavior

Prowler checks if the assigned IP address is in the pool of Elastic IPS across all available regions

Actual Result with Screenshots or Logs

While we have this IP address in the ElasticIP pool associated with EC2:

How did you install Prowler?

Cloning the repository from github.com (git clone)

Environment Resource

1. EC2
2. Route53

OS used

Amazon Linux 2023

Prowler version

5.14.2

Python version

3.11

Pip version

24.0

Context

My thoughts, it's because Route53 is a global AWS service and its region is us-east-1, where the finding originally appeared. ElasticIP associated with EC2 is placed in a different AWS region - us-west-1

[danibarranqueroo]

Hi @kanton10062006! Thank you for reporting this issue.
We've confirmed this is a valid edge case. The issue occurs when running Prowler with a single region specified (e.g., --region us-east-1). In this case, the check only collects Elastic IPs from that region, while Route53 (a global service) can reference Elastic IPs from any region, leading to false positives.
Note: If you run Prowler without specifying a region (scanning all enabled regions), the check works correctly and there are no false positives.
We're evaluating whether we can improve this check to work correctly even when Prowler is executed with a single region specified. We'll keep you updated on any progress.