How do you block/allow domains with revolving/rotating or distributed/geo-dependent DNS?

Question

Our system needs to allow outgoing HTTP/S connections to our Amazon S3 services. In the past, I was able to create a "DNS Group" object that kept track of the 700+ IP addresses associated with "s3.amazonaws.com" but now after recent firmware updates the DNS Group object is reduced to just one. 
 I asked Sophos Support about this behavior, and they responded that the DNS Group object was never designed to track all IPs for a domain name with revolving/rotating or distributed/geo-dependent DNS. 
 Besides entering all of S3's 300 IP blocks manually as network objects (and updating as they change) I was wondering if anyone uses a solution to remedy this behavior? 
 How do you block/allow a domain name that has revolving or distributed DNS? 
 Cheers!

BAlfson · Answer

First, you asked the following: 
 It hasn't occurred to me to try Web Filtering for the outgoing traffic of the servers, but even still I need to ask the same question: will it allow me to connect to a domain name that has a distributed or revolving DNS resolution while having the catch-all DENY ANY that Network Protection has? 
 Yes, see #2 in Rulz . 
 The behavior of DNS Groups hasn't changed, so it must be a change that Amazon made. Perhaps they can give you another FQDN that has an A-record for all of the IPs you might use. It looks like Amazon assigns IPs spread randomly over a /11 subnet. 
 It looks like the IP for s3-1-w.amazonaws.com changes every 5 seconds (elastic load balancing?). There never was a time when that would have worked with UTM firewall rules, so Web Protection is the only solution if you generally want to DENY ANY in a firewall rule but allow traffic to this, specific FQDN. 
 Cheers - Bob