Which combination of steps should the security engineer recommend?
(Choose two.)
Edit the existing VPC Flow Logs. Change the log format of the VPC Flow Logs from the Amazon default format to a custom format.
Delete and recreate the existing VPC Flow Logs. Change the log format of the VPC Flow Logs from the Amazon default format to a custom format.
Change the destination to Amazon CloudWatch Logs.
Include the pkt-srcaddr and pkt-dstaddr fields in the log format.
Include the subnet-id and instance-id fields in the log format.
Explanations:
VPC Flow Logs cannot be edited once created. You must delete and recreate them to change any settings, including the log format.
Deleting and recreating the VPC Flow Logs allows for changing the log format to a custom format that can include the necessary fields, like original source and destination IP addresses.
Changing the destination to Amazon CloudWatch Logs does not affect the fields included in the log format. This option does not fulfill the requirement of logging original source and destination IP addresses.
Including the pkt-srcaddr and pkt-dstaddr fields in the custom log format ensures that the logs capture the original source and destination IP addresses, complying with the company’s security policy.
While including subnet-id and instance-id can provide useful information, they do not fulfill the requirement to log the original source and destination IP addresses. Therefore, this option is not relevant to the specific requirement.
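Added example, not part of the original question or its explanations: a small Python parser that checks whether a flow log format string satisfies the policy (both pkt-srcaddr and pkt-dstaddr present) and, for records in such a custom format, flags flows whose original addresses differ from the interface-level srcaddr/dstaddr. The custom format string and the sample records are constructed for this example; the field names are the ones AWS uses in flow log format strings.

```python
"""Check a VPC Flow Log format for the original-address fields and parse
custom-format records to find flows the default format would misattribute."""

# Amazon default format (fields only, no pkt-* addresses).
DEFAULT_FORMAT = ("${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} "
                  "${srcport} ${dstport} ${protocol} ${packets} ${bytes} "
                  "${start} ${end} ${action} ${log-status}")

# Constructed custom format for this example: adds the two required fields.
CUSTOM_FORMAT = ("${version} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} "
                 "${dstport} ${protocol} ${action} ${pkt-srcaddr} ${pkt-dstaddr}")

REQUIRED_FIELDS = {"pkt-srcaddr", "pkt-dstaddr"}

# Constructed sample records (not real traffic). Records 2 and 3 show a flow
# through an intermediary: the original client address 198.51.100.7 appears
# only in the pkt-* fields, while srcaddr/dstaddr show the intermediary.
SAMPLE_RECORDS = """\
3 eni-0a1b2c3d 10.0.1.5 10.0.2.9 49152 443 6 ACCEPT 10.0.1.5 10.0.2.9
3 eni-0a1b2c3d 10.0.0.20 10.0.2.9 40000 443 6 ACCEPT 198.51.100.7 10.0.2.9
3 eni-0a1b2c3d 10.0.2.9 10.0.0.20 443 40000 6 ACCEPT 10.0.2.9 198.51.100.7
"""


def parse_format(fmt: str) -> list[str]:
    """Turn '${a} ${b}' into ['a', 'b']."""
    return [tok[2:-1] for tok in fmt.split()]


def format_meets_policy(fmt: str) -> bool:
    """True when the format captures original source and destination addresses."""
    return REQUIRED_FIELDS <= set(parse_format(fmt))


def parse_records(text: str, fmt: str = CUSTOM_FORMAT) -> list[dict[str, str]]:
    """Split space-separated records into dicts keyed by the format's field names."""
    fields = parse_format(fmt)
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count does not match format: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def translated_flows(records: list[dict[str, str]]) -> list[dict[str, str]]:
    """Records whose original addresses differ from the interface-level ones."""
    return [r for r in records
            if (r["srcaddr"], r["dstaddr"]) != (r["pkt-srcaddr"], r["pkt-dstaddr"])]
```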