AWS Certified SysOps Administrator – Associate (legacy) — Question 682
A company in a highly regulated industry has just migrated an Amazon EC2 based application to AWS. For compliance reasons, all network traffic data between the servers must be captured and retained.
Which solution will accomplish this with the LEAST amount of effort?
Answer options
- A. Set up AWS CloudTrail on the VPC. Configure Amazon CloudWatch Logs as the destination.
- B. Set up AWS CloudTrail on the VPC. Configure Amazon S3 as the destination.
- C. Set up flow logs at the elastic network interface level. Configure Amazon S3 as the destination.
- D. Set up flow logs at the VPC level. Configure Amazon S3 as the destination.
Correct answer: D
Explanation
Enabling VPC Flow Logs at the VPC level is the most efficient method because it automatically captures network traffic for all current and future network interfaces within the VPC, and the log records can be delivered to Amazon S3 for compliance retention. Configuring flow logs at the individual ENI level requires significantly more administrative effort, since each interface must be set up and maintained separately. AWS CloudTrail records API activity rather than actual network traffic, so options A and B are incorrect.