The team corrected the URL in the script, added monitoring for unresolved CloudFront domains, and set up S3 access logs to detect if anyone tried to create that exact distribution later (potential domain squatting risk).
A security analyst, Alex, noticed an alert: an internal server was making DNS queries to dnrweqffuwjtx.cloudfront.net. The domain wasn’t in any asset inventory.
Alex ran dig dnrweqffuwjtx.cloudfront.net. Result: NXDOMAIN — the distribution didn’t exist. Suspicious: why would a server query a dead CDN endpoint?
Alex searched logs and saw the query originated from a legacy Node.js script that had hardcoded a CloudFront URL — but the real one was dnrweqffuwj**s**tx.cloudfront.net. A single character off. The script kept retrying, generating noise.
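One way to implement the monitoring for unresolved CloudFront domains described in this write-up, as an added example rather than the team's own tooling. It assumes resolver logs in a constructed `timestamp client qname rcode` format and an inventory set of owned distributions; the function names and sample log lines are hypothetical.

```python
from collections import Counter

# Assumption: inventory of distributions the organisation actually owns.
INVENTORY = {"dnrweqffuwjstx.cloudfront.net"}

# Constructed resolver log lines: "<timestamp> <client> <qname> <rcode>".
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.4.17 dnrweqffuwjtx.cloudfront.net NXDOMAIN
2024-01-01T10:00:05Z 10.0.4.17 dnrweqffuwjtx.cloudfront.net. NXDOMAIN
2024-01-01T10:00:07Z 10.0.4.22 dnrweqffuwjstx.cloudfront.net NOERROR
2024-01-01T10:00:09Z 10.0.4.30 example.com NXDOMAIN
2024-01-01T10:00:11Z 10.0.4.40 d111111abcdef8.cloudfront.net NXDOMAIN
"""


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def unresolved_cloudfront(log_text, inventory, max_distance=2):
    """Map (client, qname) -> hit count and nearest inventory name, if any."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        _ts, client, qname, rcode = fields
        qname = qname.rstrip(".").lower()  # normalise trailing dot and case
        if rcode == "NXDOMAIN" and qname.endswith(".cloudfront.net"):
            hits[(client, qname)] += 1
    report = {}
    for (client, qname), count in hits.items():
        # A near match in the inventory suggests a typo in a hardcoded URL.
        near = [k for k in sorted(inventory)
                if k != qname and edit_distance(qname, k) <= max_distance]
        report[(client, qname)] = {"count": count,
                                   "likely_typo_of": near[0] if near else None}
    return report


if __name__ == "__main__":
    for key, info in unresolved_cloudfront(SAMPLE_LOG, INVENTORY).items():
        print(key, info)
```

Repeated NXDOMAIN hits from one client with a near match in the inventory point to a mistyped hardcoded URL like the one in this incident; hits with no near match need separate triage.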