Detect when a requested domain resolves to the AWS Metadata IP (169.254.169.254).
Inspect the Route 53 logs and determine if the response data for a DNS request matches the AWS Metadata IP (169.254.169.254). This could indicate an attacker is attempting to steal your credentials from the AWS metadata service.
dns.question.name) should be permitted. If not, conduct an investigation and determine what requested the domain and determine if the AWS metadata credentials were accessed by an attacker.