Which of the following approaches achieve this requirement?
(Choose two.)
Configure a proxy solution on Amazon EC2 and route all outbound VPC traffic through it. Perform inspection within proxy software on the EC2 instance.
Configure the host-based agent on each EC2 instance within the VPC. Perform inspection within the host-based agent.
Enable VPC Flow Logs for all subnets in the VPC. Perform inspection from the Flow Log data within Amazon CloudWatch Logs.
Configure Elastic Load Balancing (ELB) access logs. Perform inspection from the log data within the ELB access log files.
Configure the CloudWatch Logs agent on each EC2 instance within the VPC. Perform inspection from the log data within CloudWatch Logs.
Explanations:
A proxy solution can inspect IP packet data by analyzing the traffic passing through it, allowing for malicious content detection. Routing all outbound traffic through the proxy on EC2 allows centralized inspection.
A host-based agent on each EC2 instance can inspect packet data for malicious content directly at the instance level, providing a detailed and localized inspection approach.
VPC Flow Logs capture metadata about traffic flows but do not provide the content of the IP packets themselves, so they cannot be used for deep content inspection of malicious or invalid data.
ELB access logs record HTTP(S) request details but do not provide the full packet data; they focus on connection information rather than on inspecting IP packets for malicious content.
The CloudWatch Logs agent collects log data from EC2 instances but does not directly perform packet-level inspection. It’s used for logging and not for content inspection of IP packets.