What should the SysOps administrator do to meet this requirement in the MOST operationally efficient way?
A. Use AWS CloudTrail Insights events to identify the top five internet destinations.
B. Use Amazon CloudFront standard logs (access logs) to identify the top five internet destinations.
C. Use CloudWatch Logs Insights to identify the top five internet destinations.
D. Change the flow log to publish logs to Amazon S3. Use Amazon Athena to query the log files in Amazon S3.
Explanations:
A. CloudTrail Insights events track unusual API activity in the AWS account, not network traffic. They cannot identify the internet destinations reached by the EC2 instances through the NAT gateway.
B. Amazon CloudFront standard logs record requests made to CloudFront distributions, not general outbound internet traffic. They would not capture the traffic of EC2 instances using a NAT gateway.
C. CloudWatch Logs Insights can query the VPC flow log records already delivered to CloudWatch Logs directly, so the administrator can aggregate the traffic by destination and identify the top internet destinations that the EC2 instances in the private subnet are accessing, without changing the existing logging setup.
D. Publishing the flow log to Amazon S3 and querying it with Amazon Athena is a valid way to analyze VPC flow logs, but it requires reconfiguring the flow log and setting up Athena tables, which adds unnecessary steps and is less operationally efficient than querying the existing logs directly with CloudWatch Logs Insights.