EC2 instance resolved a suspicious AWS metadata DNS query
Detect when a requested domain resolves to the AWS Metadata IP (169.254.169.254).
Inspect the Route 53 logs and determine if the response data for a DNS request matches the AWS Metadata IP (169.254.169.254). This could indicate an attacker is attempting to steal your credentials from the AWS metadata service.
Triage and response
- Determine which instance is associated with the DNS request.
- Determine whether the requested domain name (dns.question.name) should be permitted. If not, conduct an investigation to determine what requested the domain and whether the AWS metadata credentials were accessed by an attacker.
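The detection strategy above, as an added example that is not part of the original rule page: a small Python checker that scans Route 53 Resolver query-log records (JSON, one per line) and flags any query whose answer data contains 169.254.169.254, returning the source instance so the first triage step can be answered directly. The sample log lines are constructed for this example; the field names (query_name, answers[].Rdata, srcids.instance, srcaddr, vpc_id) follow the Resolver query-log format as documented by AWS, and the domain names, instance IDs and VPC IDs are made up.

```python
import ipaddress
import json

# IP of the EC2 Instance Metadata Service (IMDS), the address named by the rule.
AWS_METADATA_IP = ipaddress.ip_address("169.254.169.254")

# Constructed sample Route 53 Resolver query-log records. Field names follow the
# AWS Resolver query-log JSON format; all identifiers and domains are made up.
SAMPLE_LOG_LINES = [
    # Benign: a normal lookup answered with an ordinary public address.
    json.dumps({
        "version": "1.100000", "account_id": "123456789012", "region": "us-east-1",
        "vpc_id": "vpc-0example0000000001", "query_timestamp": "2022-05-19T10:00:00Z",
        "query_name": "updates.example.test.", "query_type": "A", "query_class": "IN",
        "rcode": "NOERROR", "answers": [{"Rdata": "203.0.113.10", "Type": "A", "Class": "IN"}],
        "srcaddr": "10.0.1.25", "srcport": "53211", "transport": "UDP",
        "srcids": {"instance": "i-0example0000000001"},
    }),
    # Suspicious: an external domain that resolves to the metadata IP.
    json.dumps({
        "version": "1.100000", "account_id": "123456789012", "region": "us-east-1",
        "vpc_id": "vpc-0example0000000001", "query_timestamp": "2022-05-19T10:00:05Z",
        "query_name": "cdn.example.test.", "query_type": "A", "query_class": "IN",
        "rcode": "NOERROR", "answers": [{"Rdata": "169.254.169.254", "Type": "A", "Class": "IN"}],
        "srcaddr": "10.0.1.40", "srcport": "41890", "transport": "UDP",
        "srcids": {"instance": "i-0example0000000002"},
    }),
    # Benign: CNAME-only answer, no address data to compare.
    json.dumps({
        "version": "1.100000", "account_id": "123456789012", "region": "us-east-1",
        "vpc_id": "vpc-0example0000000001", "query_timestamp": "2022-05-19T10:00:09Z",
        "query_name": "www.example.test.", "query_type": "A", "query_class": "IN",
        "rcode": "NOERROR", "answers": [{"Rdata": "example.test.", "Type": "CNAME", "Class": "IN"}],
        "srcaddr": "10.0.1.25", "srcport": "53300", "transport": "UDP",
        "srcids": {"instance": "i-0example0000000001"},
    }),
    # Malformed line, as can appear in a truncated export; must be skipped, not crash.
    '{"query_name": "broken.example.test.", "answers": [',
]


def resolves_to_metadata_ip(record):
    """True if any answer record carries address data equal to the IMDS IP."""
    for answer in record.get("answers", []):
        rdata = answer.get("Rdata", "")
        try:
            addr = ipaddress.ip_address(rdata)
        except ValueError:
            # Non-address data (CNAME targets, TXT, etc.) cannot match.
            continue
        if addr == AWS_METADATA_IP:
            return True
    return False


def find_metadata_resolutions(log_lines):
    """Return one finding per log record whose answers include 169.254.169.254.

    Each finding carries the querying instance and source address so that the
    triage step "determine which instance is associated with the request"
    is answered by the detection output itself.
    """
    findings = []
    for line in log_lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip unparseable lines rather than abort the scan
        if not isinstance(record, dict):
            continue
        if resolves_to_metadata_ip(record):
            findings.append({
                "query_name": record.get("query_name"),
                "instance": record.get("srcids", {}).get("instance"),
                "srcaddr": record.get("srcaddr"),
                "vpc_id": record.get("vpc_id"),
                "query_timestamp": record.get("query_timestamp"),
            })
    return findings


if __name__ == "__main__":
    for finding in find_metadata_resolutions(SAMPLE_LOG_LINES):
        print("metadata IP resolution:", finding)
```

On a real deployment the same function would be run over the Resolver query logs delivered to CloudWatch Logs or S3; the returned query_name is what the second triage step asks you to review against the domains the instance is expected to contact.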
19 May 2022 - Updated rule query.