Your company has a set of EC2 Instances defined in a VPC.
They need to monitor the traffic flowing into the Instances.
They also need to monitor all the AWS API calls occurring on the EC2 Instances.
Which of the following services can help fulfill this requirement?
A. B. C. D.
Answer - B.
The AWS Documentation mentions the following.
VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC.
Flow log data is stored using Amazon CloudWatch Logs.
After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs.
AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account.
Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail.
Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.
Options A and C are invalid since CloudWatch Logs on its own cannot capture network traffic or API calls; it only stores log data that other services (such as VPC Flow Logs) deliver to it.
Option D is invalid because AWS Config cannot capture traffic.
For more information on VPC Flow Logs, one can visit the below URL.
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html
For more information on CloudTrail, one can visit the below URL.
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html
The correct answer is B. AWS CloudTrail and VPC Flow Logs.
Explanation: To monitor the traffic flowing into the EC2 Instances, VPC Flow Logs can be used. VPC Flow Logs capture information about the IP traffic going to and from network interfaces in a VPC. VPC Flow Logs can be used to monitor the traffic and troubleshoot connectivity issues.
To monitor the AWS API calls occurring on the EC2 Instances, AWS CloudTrail can be used. AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With AWS CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure.
Therefore, the combination of VPC Flow Logs and AWS CloudTrail can help fulfill the requirement of monitoring the traffic flowing into the Instances and the AWS API calls occurring on the EC2 Instances.
Option A is incorrect because it only includes Amazon CloudWatch Logs, which can only store application logs and custom metrics sent to it; on its own it cannot capture VPC traffic.
Option C is incorrect because it only includes CloudWatch Logs, which can only store application logs and custom metrics sent to it; on its own it cannot capture AWS API calls.
Option D is incorrect because AWS Config is used for resource inventory and configuration management, not for monitoring the traffic flowing into the Instances or AWS API calls occurring on the EC2 Instances.
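To make the two halves of the answer concrete, here is an added example (not from the page, the exam provider, or AWS) that parses VPC Flow Log records in the default version 2 format and a CloudTrail log file, then answers the two questions the scenario asks: what traffic reached the instance, and which API calls its instance-profile role made. All records, the account ID, the ENI ID, the IP addresses and the role name WebRole are constructed sample values.

```python
"""
Added example, not from the page or from AWS: parse VPC Flow Log records
(default version 2 format) and CloudTrail events, then summarise inbound
traffic to an instance and the API calls made with its instance profile role.
Every record below is a constructed sample.
"""
import json
from collections import Counter

# Default flow log format, version 2: space-separated, one record per line.
FLOW_FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
    "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status",
]

# Constructed sample records for an instance at 10.0.1.20 (ENI eni-0a1b2c3d).
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 54321 22 6 10 1200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 44444 3389 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 203.0.113.5 22 54321 6 8 900 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

# Constructed sample in the shape of a delivered CloudTrail log file
# (a JSON object with a "Records" list). Role name and IDs are made up.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2023-11-14T22:13:20Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/WebRole/i-0abc123"}},
    {"eventTime": "2023-11-14T22:14:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/WebRole/i-0abc123"}},
    {"eventTime": "2023-11-14T22:15:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/alice"}},
]})


def parse_flow_log(text):
    """Parse default-format records; drop malformed lines and NODATA/SKIPDATA records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FLOW_FIELDS):
            continue  # a custom flow log format would need its own field list
        rec = dict(zip(FLOW_FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA records carry no traffic fields
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def inbound_summary(records, instance_ip):
    """Record count and bytes per (srcaddr, dstport, action) for traffic into instance_ip."""
    summary = {}
    for rec in records:
        if rec["dstaddr"] != instance_ip:
            continue  # outbound traffic is reported separately by its own records
        key = (rec["srcaddr"], rec["dstport"], rec["action"])
        entry = summary.setdefault(key, {"records": 0, "bytes": 0})
        entry["records"] += 1
        entry["bytes"] += rec["bytes"]
    return summary


def api_calls_by_role(trail_json, account_id, role_name):
    """Count (eventSource, eventName) for calls made with the instance profile role.

    Matching on the assumed-role ARN is more reliable than on sourceIPAddress,
    which varies with how the call left the VPC (public IP, NAT gateway, endpoint).
    """
    prefix = f"arn:aws:sts::{account_id}:assumed-role/{role_name}/"
    counts = Counter()
    for event in json.loads(trail_json)["Records"]:
        arn = event.get("userIdentity", {}).get("arn", "")
        if arn.startswith(prefix):
            counts[(event["eventSource"], event["eventName"])] += 1
    return counts


if __name__ == "__main__":
    flows = parse_flow_log(SAMPLE_FLOW_LOG)
    for key, val in inbound_summary(flows, "10.0.1.20").items():
        print("inbound", key, val)
    for key, n in api_calls_by_role(SAMPLE_CLOUDTRAIL, "123456789012", "WebRole").items():
        print("api", key, n)
```

Two points the code makes that the explanation above leaves implicit: flow log records with a `log-status` other than `OK` carry no address or port fields and must be skipped before any numeric parsing, and attributing CloudTrail events to an instance is best done through the assumed-role ARN of its instance profile rather than `sourceIPAddress`, which is not the instance's private address once traffic has left the VPC.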