Set up the route53 integration.
Detect when a requested domain has a suspicious TLD.
Inspect the Route 53 logs and determine if the TLD of the DNS question (
@dns.question.name) matches one of the top 5 TLDs on Spamhaus’s Most Abused Top Level Domains list.
dns.question.name) should be permitted. If not, conduct an investigation and determine what requested the domain and determine if the AWS metadata credentials were accessed by an attacker.