AWS Certified Security – Specialty — Question 162

A company has a VPC with several Amazon EC2 instances behind a NAT gateway. The company's security policy states that all network traffic must be logged and must include the original source and destination IP addresses. The existing VPC Flow Logs do not include this information. A security engineer needs to recommend a solution.
Which combination of steps should the security engineer recommend? (Choose two.)

Answer options

Correct answer: B, D

Explanation

The correct answer is B and D. A flow log's record format cannot be changed after the flow log is created, so the existing flow logs must be deleted and new ones created with a custom log format. The custom format can include the pkt-srcaddr and pkt-dstaddr fields, which carry the packet-level (original) source and destination IP addresses; for traffic passing through a NAT gateway, the srcaddr and dstaddr fields show the address of the NAT gateway's network interface, so the default format alone does not satisfy the policy. Option A is incorrect because an existing flow log cannot be edited to change its format. Options C and E do not add the original source and destination IP addresses to the logs.
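As an added illustration (not part of the original question or its explanation), the Python below builds the custom log format the explanation describes, checks whether a given format satisfies the policy (the default format fails that check), and parses records written in the custom format to recover the original addresses that a NAT gateway hop hides in srcaddr and dstaddr. The account ID, network interface IDs, IP addresses and log records are constructed for the example; the field names are the documented VPC Flow Logs field names, and the format string is what `aws ec2 create-flow-logs --log-format` accepts.

```python
"""Build a VPC Flow Logs custom log format that carries the packet-level
(original) addresses, check whether a format meets the logging policy, and
parse records in that format to recover addresses the NAT gateway hid.
Added example, not from the original page; every ID, IP and record below is
constructed."""
import re

# Default (version 2) record format: no packet-level address fields.
DEFAULT_FORMAT = (
    "${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} "
    "${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} "
    "${action} ${log-status}"
)
# Custom format for the replacement flow log (the value passed as
# --log-format to `aws ec2 create-flow-logs`): the version 3 pkt-* fields
# appended to the default fields.
ORIGINAL_ADDR_FORMAT = DEFAULT_FORMAT + " ${pkt-srcaddr} ${pkt-dstaddr}"

FIELD_RE = re.compile(r"\$\{([a-z0-9-]+)\}")


def format_fields(log_format):
    """Field names in record (column) order, from a ${name} format string."""
    return FIELD_RE.findall(log_format)


def has_original_addresses(log_format):
    """Policy check: does this format log the original source and destination?"""
    return {"pkt-srcaddr", "pkt-dstaddr"} <= set(format_fields(log_format))


def parse_record(line, log_format=ORIGINAL_ADDR_FORMAT):
    """Split a space-separated record into a dict keyed by field name.
    A '-' value means the field had no value for this record."""
    fields = format_fields(log_format)
    values = line.split()
    if len(values) != len(fields):
        raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
    return dict(zip(fields, values))


def original_endpoints(rec):
    """(src, dst) the packet actually carried: the pkt-* fields, falling back
    to the interface-level srcaddr/dstaddr when those are '-'."""
    src = rec.get("pkt-srcaddr", "-")
    dst = rec.get("pkt-dstaddr", "-")
    return (src if src != "-" else rec["srcaddr"],
            dst if dst != "-" else rec["dstaddr"])


def nat_translated(rec):
    """True when the interface-level addresses differ from the packet-level
    ones, i.e. an intermediate hop (here the NAT gateway) rewrote them."""
    if rec["srcaddr"] == "-":  # NODATA / SKIPDATA records carry no addresses
        return False
    return original_endpoints(rec) != (rec["srcaddr"], rec["dstaddr"])


# Constructed records as they would appear on the NAT gateway's network
# interface (eni-0123456789abcdef0, private IP 10.0.0.10) when instance
# 10.0.1.25 connects to 203.0.113.5:443, plus an intra-VPC record on another
# interface and a NODATA record for the edge cases.
SAMPLE_RECORDS = [
    "3 123456789012 eni-0123456789abcdef0 10.0.1.25 10.0.0.10 49152 443 6 10 4000 "
    "1700000000 1700000060 ACCEPT OK 10.0.1.25 203.0.113.5",
    "3 123456789012 eni-0123456789abcdef0 10.0.0.10 10.0.1.25 443 49152 6 8 12000 "
    "1700000000 1700000060 ACCEPT OK 203.0.113.5 10.0.1.25",
    "3 123456789012 eni-0fedcba9876543210 10.0.1.25 10.0.1.40 33000 22 6 5 800 "
    "1700000000 1700000060 REJECT OK 10.0.1.25 10.0.1.40",
    "3 123456789012 eni-0123456789abcdef0 - - - - - - - "
    "1700000000 1700000060 - NODATA - -",
]


def summarize(lines, log_format=ORIGINAL_ADDR_FORMAT):
    """One (original_src, original_dst, translated_by_nat) tuple per record."""
    out = []
    for line in lines:
        rec = parse_record(line, log_format)
        out.append(original_endpoints(rec) + (nat_translated(rec),))
    return out


if __name__ == "__main__":
    print("default format meets policy:", has_original_addresses(DEFAULT_FORMAT))
    print("custom format meets policy: ", has_original_addresses(ORIGINAL_ADDR_FORMAT))
    for src, dst, translated in summarize(SAMPLE_RECORDS):
        print(f"{src:>15} -> {dst:<15} {'via NAT gateway' if translated else ''}")
```

Run as a script it reports that the default format fails the policy check and the custom one passes, then prints each record's original endpoints; the two NAT gateway records show 10.0.1.25 and 203.0.113.5 even though their srcaddr/dstaddr columns contain the gateway's own 10.0.0.10. Note that records from the instance's own interface (not the NAT gateway's) already show the instance address in srcaddr, so the pkt-* fields matter specifically for the interfaces where translation happens.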