We recently helped a customer identify some potential CloudFront/S3 takeover risks. The risk is described in detail in the article "Simple Route53/Cloudfront/s3 subdomain takeover".
Here are the 3 relevant questions/queries added to the library. You may want to try these questions/queries in your environment and set up alerts accordingly.
![image (4)](https://cdn.prod.website-files.com/6285b9c0f95b5ea1e88356db/6304f6aa44e828e9da54675d_image%2520(4).png)
The questions are already added in-app. Simply type "cloudfront origin" in the search bar to run them.
![image (5)](https://cdn.prod.website-files.com/6285b9c0f95b5ea1e88356db/62fd1c0f59811b3317c4a0d9_image%2520(5).png)
You can then create an alert for each one. We are adding them to the alert rule packs, too.
To be clear, when you run the highlighted questions/queries, the best result is no results.
![image (6)](https://cdn.prod.website-files.com/6285b9c0f95b5ea1e88356db/62fd1c0f59811b183ec4a0db_image%2520(6).png)