fix(sdk): cover CNAME → dangling S3 in route53 takeover check

[HugoPBrito]

Context

While auditing a customer environment, the existing route53_dangling_ip_subdomain_takeover check did not flag a classic subdomain-takeover scenario:

1. Create an S3 bucket with static website hosting.
2. Point a Route 53 CNAME at the bucket's website endpoint.
3. Delete the bucket.
4. The dangling CNAME remains — anyone (any AWS account) can re-register the bucket name and serve content under the original domain.

The previous logic only inspected non-alias A records pointing at AWS-owned IPs that were no longer assigned (released EIPs / ENI public IPs). The CNAME → deleted S3 bucket vector was uncovered.

Description

Extend route53_dangling_ip_subdomain_takeover so the same check also flags dangling S3 website CNAMEs:

• For every non-alias CNAME record, parse the target. If it matches an S3 website endpoint (<bucket>.s3-website-<region>.amazonaws.com or the newer <bucket>.s3-website.<region>.amazonaws.com), extract the bucket name.
• If the bucket is not present in the audited account's s3_client.buckets, raise a FAIL (potential takeover). Otherwise, PASS.
• Existing A → IP logic is unchanged.
• Metadata (CheckTitle, Description, Risk, Recommendation) is rewritten to describe both vectors and the S3 website endpoint reference is added to AdditionalURLs.
• The CheckID is not renamed (compliance mappings remain stable).

The check now imports s3_client, so the AWS scan must already evaluate s3 for the new path to fire (it does — s3 is in the default service set).

Steps to review

1. Review prowler/providers/aws/services/route53/route53_dangling_ip_subdomain_takeover/route53_dangling_ip_subdomain_takeover.py — confirm the regex (^<bucket>.s3-website[.-]<region>.amazonaws.com.?$) covers both endpoint formats and that the existing A record branch is untouched.
2. Review the updated metadata JSON (title/description/risk/recommendation) for accuracy.
3. Run the test suite for the check:

   poetry run pytest tests/providers/aws/services/route53/route53_dangling_ip_subdomain_takeover/ -v

   Twelve tests pass (eight pre-existing + four new):
   • test_hosted_zone_cname_to_existing_s3_website_bucket → PASS
   • test_hosted_zone_cname_to_dangling_s3_website_bucket → FAIL
   • test_hosted_zone_cname_to_dangling_s3_website_bucket_dot_format → FAIL (newer dot-style endpoint)
   • test_hosted_zone_cname_to_non_s3_target_is_ignored → 0 findings
4. Optional manual reproduction:

   aws s3 mb s3://<unique-bucket>
   aws s3 website s3://<unique-bucket> --index-document index.html
   aws route53 change-resource-record-sets --hosted-zone-id <ZID> --change-batch '{"Changes":[{"Action":"CREATE","ResourceRecordSet":{"Name":"www.example.com.","Type":"CNAME","TTL":60,"ResourceRecords":[{"Value":"<unique-bucket>.s3-website-us-east-1.amazonaws.com"}]}}]}'
   aws s3 rb s3://<unique-bucket> --force
   poetry run python prowler-cli.py aws --check route53_dangling_ip_subdomain_takeover

   The CNAME should be reported as FAIL.

Checklist

Community Checklist

• This feature/issue is listed in here or roadmap.prowler.com
• Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack

• Are there new checks included in this PR? No — existing check route53_dangling_ip_subdomain_takeover is extended.
  • If so, do we need to update permissions for the provider? No new permissions needed. The check already requires route53:ListHostedZones, route53:ListResourceRecordSets, ec2:DescribeAddresses, ec2:DescribeNetworkInterfaces. The new S3 path consumes s3_client.buckets, which is populated by the existing s3:ListAllMyBuckets permission already used by the S3 service.
• Review if the code is being covered by tests.
• Review if code is being documented following https://github.com/google/styleguide/blob/gh-pages/pyguide.md#38-comments-and-docstrings
• Review if backport is needed.
• Review if is needed to change the Readme.md
• Ensure new entries are added to CHANGELOG.md, if applicable.

SDK/CLI

• Are there new checks included in this PR? No — existing check is extended.
  • If so, do we need to update permissions for the provider? No new permissions needed (see above).

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[github-actions]

✅ All necessary CHANGELOG.md files have been updated.

[github-actions]

✅ Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 6.61%. Comparing base (1de01bc) to head (7302759).
⚠️ Report is 3 commits behind head on master.

❗ There is a different number of reports uploaded between BASE (1de01bc) and HEAD (7302759). Click for more details.

HEAD has 3 uploads less than BASE

Flag	BASE (1de01bc)	HEAD (7302759)
prowler-py3.12-azure	1	0
prowler-py3.10-azure	1	0
prowler-py3.11-azure	1	0

Additional details and impacted files

@@             Coverage Diff             @@
##           master   #10920       +/-   ##
===========================================
- Coverage   86.17%    6.61%   -79.56%     
===========================================
  Files         223      849      +626     
  Lines        5744    24579    +18835     
===========================================
- Hits         4950     1627     -3323     
- Misses        794    22952    +22158     

Flag	Coverage Δ
prowler-py3.10-aws	6.61% <100.00%> (?)
prowler-py3.10-azure	?
prowler-py3.11-aws	6.61% <100.00%> (?)
prowler-py3.11-azure	?
prowler-py3.12-aws	6.61% <100.00%> (?)
prowler-py3.12-azure	?

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
prowler	6.61% <100.00%> (-79.56%)	⬇️
api	∅ <ø> (∅)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

🔒 Container Security Scan

Image: prowler:ec265de
Last scan: 2026-04-29 10:13:18 UTC

📊 Vulnerability Summary

Severity	Count
🔴 Critical	4
Total	4

4 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

• Review the detailed scan results
• Update affected packages to patched versions
• Consider using a different base image if updates are unavailable

---

📋 Resources:

• Download full report (see artifacts)
• View in Security tab
• Scanned with Trivy

[prowler-bot]

💚 All backports created successfully

Status	Branch	Result
✅	v5.25

Questions ?

Please refer to the Backport tool documentation and see the Github Action logs for details