AWS Certified Advanced Networking – Specialty (ANS-C00) — Question 2
You have multiple Amazon Elastic Compute Cloud (EC2) instances running a web server in a VPC configured with security groups and network ACLs (NACLs). You need to ensure layer 7 (protocol-level) logging of all network traffic (ACCEPT/REJECT) on the instances. What should be enabled to complete this task?
Answer options
- A. CloudWatch Logs at the VPC level
- B. Packet sniffing at the instance level
- C. VPC flow logs at the subnet level
- D. Packet sniffing at the VPC level
Correct answer: A
Explanation
Enabling CloudWatch Logs at the VPC level is the correct choice because it provides detailed logging of network traffic, allowing for monitoring at the protocol layer. The other options, such as packet sniffing and VPC flow logs, do not specifically provide layer 7 logging of ACCEPT/REJECT traffic in the same way that CloudWatch does.