A company has a serverless application using AWS Lambda functions that process sensitive data. The security team wants to detect potential data exfiltration via DNS queries from the Lambda functions. Which service should be enabled to monitor DNS requests?
DNS Firewall logs and filters DNS queries.
Why this answer
Amazon Route 53 Resolver DNS Firewall is the correct choice because it filters outbound DNS queries at the DNS layer for a VPC, including queries made by Lambda functions attached to that VPC. It can log and block DNS requests to known malicious domains, which makes it possible to detect exfiltration attempts that rely on DNS tunneling or command-and-control (C2) lookups. Its query logs can be sent to CloudWatch and correlated with VPC flow logs, so DNS query patterns can be monitored specifically.
How to eliminate wrong answers
Option B (AWS WAF) is wrong because it operates at the application layer (HTTP/HTTPS) to protect web applications from common exploits, not at the DNS layer; it cannot inspect or log DNS queries. Option C (Amazon CloudWatch Logs) is wrong because it is a log storage and monitoring service, not a DNS-specific monitoring tool; it can store logs produced by other services but does not natively capture or analyze DNS queries from Lambda. Option D (Amazon GuardDuty) is wrong because, although it uses threat intelligence to detect malicious activity, it relies on DNS logs from Route 53 Resolver DNS Firewall or VPC DNS logs as a data source; it does not directly monitor or log DNS queries itself.