We’re in the age of cloud computing where resources like virtual servers and storage space are often provisioned programmatically through deployment scripts as needed. While spinning up such assets is an almost instant process, removing them when they’re no longer needed is not as straightforward. Simply deleting cloud assets without making sure you have deleted all your organization’s records that might point to them, whether in your domain’s DNS zone or in your codebase, can open serious security holes for attackers to exploit.

Imagine the following scenario: You want to run a special holiday campaign for your customers, and you decide to create a microsite for it to host all the promotional materials, the sign-up forms, and so on. Your developers get to work, they design the site, and they provision a new virtual server on AWS — or any cloud computing service — to host it along with a storage bucket to store the site’s data.

The cloud service provider will allocate a publicly reachable IP address to your EC2 instance from its pool of reusable IP addresses and will assign a hostname for your storage bucket under their domain — bucket-name.s3.region-code.amazonaws.com — so you can access it through the API.

Users need to reach your site and search engine, and robots need to index it, so the next step is to create a subdomain for it on your main domain name and point it to the IP address so the web server can be reachable from your subdomain. Then you create a subdomain for the S3 bucket and a DNS CNAME record to point it to the bucket’s AWS hostname. Let’s say you also have a mobile application that sends data to this campaign website, so the hostnames also make it into the application’s code. You have other internal apps and tools that need to integrate with the site for reasons like statistics tracking or database backup.

What you’ve now created are a multitude of records in different locations that point to what are essentially temporary cloud resources. If you ever delete those cloud assets because they’ve served their purpose, but you fail to also delete the records your developers and infrastructure engineers created for them, you’ve generated a lot of risk.

Attackers can use your subdomains for phishing sites, malware delivery

An attacker can obtain the same IP address from Amazon because it’s now free and they have your subdomain pointing to it so they can create a phishing site or a malware serving site. They can register an S3 bucket with the same name because they found a reference in your app’s code and now your app is sending sensitive data to a storage bucket they own.