AWS Certified Advanced Networking – Specialty (ANS-C01) — Question 268

A company wants to analyze TCP traffic to the internet. The traffic originates from Amazon EC2 instances in the company's VPC. The EC2 instances initiate connections through a NAT gateway. The required information includes source and destination IP addresses, ports, and the first 8 bytes of payload of TCP segments. The company needs to collect, store, and analyze all the required data points.

Which solution will meet these requirements?

Answer options

• A. Set up the EC2 instances as VPC traffic mirror sources. Deploy software on the traffic mirror target to forward the data to Amazon CloudWatch Logs. Analyze the data by using CloudWatch Logs Insights.
• B. Set up the NAT gateway as a VPC traffic mirror source. Deploy software on the traffic mirror target to forward the data to an Amazon OpenSearch Service cluster. Analyze the data by using OpenSearch Dashboards.
• C. Turn on VPC Flow Logs on the EC2 instances. Specify the default format and a log destination of Amazon CloudWatch Logs. Analyze the flow log data by using CloudWatch Logs Insights.
• D. Turn on VPC Flow Logs on the EC2 instances. Specify a custom format and a log destination of Amazon S3. Analyze the flow log data by using Amazon Athena.

Correct answer: A

Explanation

VPC Traffic Mirroring is required because the scenario demands capturing the actual packet payload (the first 8 bytes of the TCP segment), which VPC Flow Logs cannot capture regardless of whether default or custom formats are used. Additionally, NAT gateways do not support being configured directly as VPC traffic mirror sources, meaning the EC2 instances themselves must be defined as the mirror sources. Therefore, setting up the EC2 instances as traffic mirror sources and analyzing the forwarded payload data in Amazon CloudWatch Logs is the only viable solution.