Split Tunneling with SSL-VPN to Access AWS Services (Dynamic IP Issue)
English is not my first language, and I wrote this post with the help of ChatGPT. If any part of this message sounds strange or unclear, please feel free to point it out.
Our goal:
Users connect to Fortinet SSL-VPN.
We want to enable split tunneling, so that only traffic destined for AWS goes through the VPN.
All other traffic should go through the user's local internet connection.
Challenge:
Since AWS services use dynamic IP addresses, it’s difficult to keep the split tunnel routing accurate and up to date. Even when we try to add known AWS IP ranges manually, they change often, which breaks connectivity.
We also tried DNS-based split tunneling — defining domains (like *.amazonaws.com) instead of IPs — but this approach hasn’t worked reliably either, possibly due to how Fortinet handles DNS resolution and route injection.
Has anyone dealt with similar issues? What's the best way to implement split tunneling to AWS services when IPs are constantly changing? Is there a reliable method using FQDNs or other mechanisms?
Any insights or proven approaches would be really appreciated.
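As an added example (not part of the original post, and not Fortinet's or AWS's code): the manual IP-range approach described in the post can be automated against the ip-ranges.json document AWS publishes at https://ip-ranges.amazonaws.com/ip-ranges.json. The script below filters that feed by region and service, collapses overlapping and adjacent prefixes into the minimal set, diffs the result against what is already deployed so a change is only pushed when the feed actually moved, and renders FortiOS address objects plus an address group that the split-tunnel routing can reference. The embedded feed is a constructed sample in the feed's format, not real AWS data; the region and service names, the object names and the FortiOS CLI syntax (the `config firewall address` / `config firewall addrgrp` tables) are assumptions to verify against the target firmware.

```python
"""Build and maintain an AWS split-tunnel destination list from the AWS
published IP range feed.  Added example; not code from the original post."""
import ipaddress
import json
import urllib.request

# Real AWS feed URL; only contacted when load_feed() is called without raw data.
IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"

# Constructed sample in the feed's format (prefixes chosen to exercise the
# subset and adjacent cases; these are not real AWS assignments).
SAMPLE_FEED = """{
  "syncToken": "1700000000",
  "createDate": "2023-11-14-22-13-20",
  "prefixes": [
    {"ip_prefix": "52.94.0.0/22", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1"},
    {"ip_prefix": "52.94.0.0/24", "region": "eu-west-1", "service": "S3", "network_border_group": "eu-west-1"},
    {"ip_prefix": "52.94.4.0/24", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1"},
    {"ip_prefix": "52.94.5.0/24", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1"},
    {"ip_prefix": "18.200.0.0/16", "region": "us-east-1", "service": "EC2", "network_border_group": "us-east-1"},
    {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2a05:d018::/36", "region": "eu-west-1", "service": "AMAZON", "network_border_group": "eu-west-1"}
  ]
}"""


def load_feed(raw=None):
    """Parse the feed; fetch the live document when no raw JSON is supplied."""
    if raw is None:
        with urllib.request.urlopen(IP_RANGES_URL, timeout=15) as resp:
            raw = resp.read().decode("utf-8")
    feed = json.loads(raw)
    if "syncToken" not in feed or "prefixes" not in feed:
        raise ValueError("unexpected feed format")
    return feed


def select_prefixes(feed, regions, services, include_ipv6=False):
    """Return collapsed networks for the chosen regions and services.

    Collapsing drops prefixes that are subsets of others (a service range
    inside the broader AMAZON range) and merges adjacent ones, so the
    firewall carries the smallest possible number of address objects.
    IPv4 and IPv6 are collapsed separately; mixing versions is an error.
    """
    v4 = [ipaddress.ip_network(p["ip_prefix"]) for p in feed["prefixes"]
          if p["region"] in regions and p["service"] in services]
    nets = list(ipaddress.collapse_addresses(v4))
    if include_ipv6:
        v6 = [ipaddress.ip_network(p["ipv6_prefix"])
              for p in feed.get("ipv6_prefixes", [])
              if p["region"] in regions and p["service"] in services]
        nets += list(ipaddress.collapse_addresses(v6))
    return nets


def _order(net):
    return (net.version, net)


def diff_prefixes(deployed, current):
    """Compare what is already on the firewall with a fresh selection.
    Accepts strings or network objects; returns (added, removed), and an
    empty pair means there is nothing to push this run."""
    old = {ipaddress.ip_network(str(n)) for n in deployed}
    new = {ipaddress.ip_network(str(n)) for n in current}
    return sorted(new - old, key=_order), sorted(old - new, key=_order)


def render_fortios(nets, name_prefix="aws-split", group="aws-split-tunnel"):
    """Render FortiOS CLI for IPv4 address objects and an address group.
    Syntax is assumed from the 'config firewall address' / 'addrgrp' tables;
    verify against the target FortiOS version.  IPv6 entries belong in the
    separate address6 table and are skipped here."""
    v4 = [n for n in nets if n.version == 4]
    names = [f"{name_prefix}-{i:03d}" for i in range(len(v4))]
    lines = ["config firewall address"]
    for name, net in zip(names, v4):
        lines += [f'    edit "{name}"',
                  f"        set subnet {net.network_address} {net.netmask}",
                  "    next"]
    lines += ["end", "config firewall addrgrp", f'    edit "{group}"',
              "        set member " + " ".join(f'"{n}"' for n in names),
              "    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    feed = load_feed(SAMPLE_FEED)  # load_feed() with no argument fetches the live feed
    wanted = select_prefixes(feed, {"eu-west-1"}, {"AMAZON", "S3", "EC2"},
                             include_ipv6=True)
    deployed = ["52.94.0.0/22", "52.95.0.0/24"]  # constructed: current firewall state
    added, removed = diff_prefixes(deployed, wanted)
    print(f"syncToken {feed['syncToken']}: {len(wanted)} prefixes, "
          f"+{len(added)} -{len(removed)}")
    if added or removed:
        print(render_fortios(wanted))
```

Run it on a schedule with `load_feed()` pointed at the live URL, persist the `syncToken` and the deployed list between runs, and push the rendered objects only when `diff_prefixes` reports a change. Filtering by service matters: the unfiltered feed is tens of thousands of prefixes, while a region-scoped selection of the services actually used stays small enough for an address group.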
