How can the Application team’s requirements be met?
Turn on VPC Flow Logs, send the logs to Amazon S3, and use Amazon Athena to query the logs.
Install an Amazon Inspector agent on each EC2 instance, send the logs to Amazon S3, and use Amazon EMR to query the logs.
Create an AWS Config rule for each network ACL and security group configuration, send the logs to Amazon S3, and use Amazon Athena to query the logs.
Turn on AWS CloudTrail, send the trails to Amazon S3, and use AWS Lambda to query the trails.
Explanations:
VPC Flow Logs capture network traffic data at the elastic network interface (ENI) level. Sending the logs to Amazon S3 and using Amazon Athena to query them allows the application team to check whether network ACLs and security groups are functioning correctly based on actual traffic.
Amazon Inspector is a security assessment service that analyzes EC2 instances for vulnerabilities and configurations but does not track network ACL or security group behavior. It is not designed for monitoring network traffic.
AWS Config rules are used for tracking resource configurations and compliance, not for capturing and querying network traffic. They would not provide the granular network-level insight required for this scenario.
AWS CloudTrail captures API activity logs, not network traffic data. It tracks actions taken by users, roles, or services, but does not provide visibility into the actual network behavior of EC2 instances.
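As an added example (not part of the original question or of any AWS code), the check the flow-log approach enables: parse records in the default version 2 VPC Flow Log format, count what the security group or network ACL actually REJECTed per ENI and port, and flag ACCEPTs on ports outside the intended allow list. The sample records, addresses and allow list are constructed; the same aggregation would be written as a GROUP BY query in Athena over the S3 export.

```python
from collections import Counter

# Default VPC Flow Log (version 2) field order, the same columns an Athena
# table over the S3 export would expose.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# Constructed sample records (not real traffic): HTTPS accepted, SSH probes
# rejected, one ACCEPT on RDP that the intended policy does not allow, and a
# NODATA record with "-" placeholders that must be skipped.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.25 10.0.0.10 49152 443 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.0.10 55123 22 6 20 1200 1418530010 1418530070 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.0.10 55124 22 6 20 1200 1418530010 1418530070 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.0.10 40001 3389 6 10 600 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1418530010 1418530070 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format lines into dicts; drop records without traffic
    data (log-status NODATA/SKIPDATA) and lines with the wrong field count."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def reject_counts(records):
    """REJECTs per (ENI, destination port): what the SG/NACL actually blocked."""
    return Counter((r["interface_id"], r["dstport"])
                   for r in records if r["action"] == "REJECT")


def unexpected_accepts(records, allowed_tcp_ports):
    """ACCEPTed TCP flows to ports outside the intended allow list: evidence
    that a rule is broader than designed."""
    return [r for r in records
            if r["action"] == "ACCEPT" and r["protocol"] == 6
            and r["dstport"] not in allowed_tcp_ports]
```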