What should the security engineer do next?
Place the network interface in promiscuous mode to capture the traffic.
Configure VPC Flow Logs to send traffic to the monitoring EC2 instance using a Network Load Balancer.
Configure VPC traffic mirroring to send traffic to the monitoring EC2 instance using a Network Load Balancer.
Use Amazon Inspector to detect network-level attacks and trigger an AWS Lambda function to send the suspicious packets to the EC2 instance.
Explanations:
Placing the network interface in promiscuous mode on an EC2 instance does not enable inspection of packets passing between other instances in the VPC. Promiscuous mode only lets the instance capture traffic delivered to its own interface; it will not see traffic to and from other instances unless that traffic is explicitly routed through the instance.
VPC Flow Logs provide metadata about traffic (addresses, ports, protocol, byte counts) but do not capture packet payloads, which are necessary for inspecting the whole packet for network-level attacks. Additionally, Flow Logs are designed for logging rather than real-time monitoring and inspection of packets, and they are delivered to a log destination rather than forwarded through a load balancer to an instance.
Configuring VPC traffic mirroring allows the security engineer to copy network traffic from the elastic network interfaces of one or more EC2 instances and send it to the monitoring EC2 instance, with a Network Load Balancer as the mirror target so that the inspection tier can be scaled out. This enables intrusion detection software on the monitoring instance to analyze the entire packet data, as required for compliance with regulatory requirements.
Amazon Inspector is primarily used for assessing the security of EC2 instances and the applications running on them by identifying vulnerabilities and compliance issues, but it does not perform packet inspection. It cannot be used to capture or analyze network traffic for real-time monitoring of network-level attacks.
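The traffic mirroring option above, written out as an added Terraform example (not from the original question or from AWS documentation). It assumes hypothetical inputs var.vpc_id, var.private_subnet_ids, var.monitored_eni_id (the ENI of an instance to inspect) and var.monitor_instance_id (the IDS instance behind the NLB).

```hcl
# Added example (not from the page). Hypothetical inputs: var.vpc_id,
# var.private_subnet_ids, var.monitored_eni_id, var.monitor_instance_id.
# Mirrored packets arrive VXLAN-encapsulated, so the NLB listens on UDP 4789.
resource "aws_lb" "mirror" {
  internal           = true
  load_balancer_type = "network"
  subnets            = var.private_subnet_ids
}
resource "aws_lb_target_group" "mirror" {
  port     = 4789
  protocol = "UDP"
  vpc_id   = var.vpc_id
}
resource "aws_lb_target_group_attachment" "monitor" {
  target_group_arn = aws_lb_target_group.mirror.arn
  target_id        = var.monitor_instance_id
  port             = 4789
}
resource "aws_lb_listener" "mirror" {
  load_balancer_arn = aws_lb.mirror.arn
  port              = 4789
  protocol          = "UDP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.mirror.arn
  }
}
# The mirror target is the NLB, so more IDS instances can be added behind it.
resource "aws_ec2_traffic_mirror_target" "ids" {
  network_load_balancer_arn = aws_lb.mirror.arn
}
# Accept all IP traffic in both directions: full packets, not flow metadata.
resource "aws_ec2_traffic_mirror_filter" "all" {}
resource "aws_ec2_traffic_mirror_filter_rule" "rule" {
  for_each                 = toset(["ingress", "egress"])
  traffic_mirror_filter_id = aws_ec2_traffic_mirror_filter.all.id
  traffic_direction        = each.key
  rule_number              = 100
  rule_action              = "accept"
  source_cidr_block        = "0.0.0.0/0"
  destination_cidr_block   = "0.0.0.0/0"
}
# One session per source ENI; omitting packet_length mirrors the entire packet.
resource "aws_ec2_traffic_mirror_session" "app" {
  network_interface_id     = var.monitored_eni_id
  traffic_mirror_filter_id = aws_ec2_traffic_mirror_filter.all.id
  traffic_mirror_target_id = aws_ec2_traffic_mirror_target.ids.id
  session_number           = 1
}
```

The monitoring instance's security group must allow inbound UDP 4789 from the mirror sources, and the IDS must decapsulate VXLAN before analyzing the inner packets.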