L5. VPC Flow Logs, Traffic Mirroring & DNS Query Logging
Video generating
Check back soon for the video lesson on VPC Flow Logs, Traffic Mirroring & DNS Query Logging
Know the difference between metadata-only network visibility (Flow Logs), full packet capture (Traffic Mirroring), and DNS-layer visibility (Resolver query logging) and when each is the right tool.
Flow Logs: Metadata, Not Payload
VPC Flow Logs capture IP traffic metadata at the VPC, subnet, or individual network interface (ENI) level. Each record includes the source and destination IP address and port, the protocol, the number of bytes transferred, and whether the traffic was ACCEPTed or REJECTed by a security group or network ACL. Flow logs can be published to CloudWatch Logs, S3, or Kinesis Data Firehose depending on how you want to store or process them downstream.The critical limitation to remember: Flow Logs never capture packet payload or contents. They tell you that traffic happened and its shape, not what was inside it.
Flow Logs are the go-to tool for detecting:
- Port scanning, visible as repeated REJECT entries against the same destination port from one or many source IPs.
- Unexpected REJECTed traffic, which can indicate a misconfigured security group or an active probing attempt.
- Unusual outbound (egress) volume, a common signal of data exfiltration from a compromised instance.
Traffic Mirroring: Full Packet Capture
When you need to see inside the packet, metadata is not enough. Traffic Mirroring copies the actual, full packet content from a source ENI to a target, such as another ENI or a Network Load Balancer, which typically feeds a third-party IDS/IPS appliance for deep packet inspection. This gives you the equivalent of an inline network tap, but implemented natively in the VPC, without physically rerouting traffic through hardware or installing agents on every instance.
Because Traffic Mirroring operates at the ENI level, you can scope it precisely: mirror only the instances you actually suspect are compromised, or only the subnet handling sensitive workloads, instead of paying the cost and complexity of mirroring every packet in the VPC. This selective scoping is a common exam theme when a scenario emphasizes minimizing overhead while still getting full visibility where it matters.
DNS-Layer Visibility
Route 53 Resolver query logging captures the DNS queries made from within a VPC. This is the AWS-native tool for spotting DNS tunneling, where an attacker encodes stolen data inside DNS queries to sneak it out past traditional network monitoring, as well as for detecting communication attempts with known-malicious domains. Because DNS traffic is rarely blocked outbound by security teams, it is a favorite exfiltration channel, which is exactly why this dedicated logging layer exists separately from Flow Logs.Choosing the Right Tool
| Tool | Captures | Best for |
|---|---|---|
| VPC Flow Logs | Traffic metadata only (IPs, ports, protocol, ACCEPT/REJECT, bytes) | Port scan detection, egress volume anomalies, connection auditing |
| Traffic Mirroring | Full packet contents | Deep packet inspection, IDS/IPS integration, malware signature matching |
| Route 53 Resolver query logging | DNS queries from inside the VPC | DNS tunneling detection, malicious domain contact |
- ✓VPC Flow Logs capture traffic metadata (IPs, ports, protocol, ACCEPT/REJECT, byte counts) at the VPC, subnet, or ENI level, and can be sent to CloudWatch Logs, S3, or Kinesis Data Firehose
- ✓Flow Logs never capture packet payload; deep packet inspection requires Traffic Mirroring instead
- ✓Traffic Mirroring copies full packets from a source ENI to a target ENI or Network Load Balancer for inspection by an IDS/IPS appliance
- ✓Route 53 Resolver query logging captures DNS queries inside a VPC, which is the primary AWS-native tool for detecting DNS tunneling and contact with known-malicious domains
- ✓Repeated REJECT entries in Flow Logs against the same port across many source IPs is a classic sign of port scanning
1. A security analyst wants to detect malware command-and-control traffic by inspecting the actual contents of packets leaving an EC2 instance. Which AWS feature should they use?
2. An analyst suspects a compromised instance is exfiltrating data by encoding it inside DNS queries to an external domain. Which log source is purpose-built to detect this?
3. Which of the following can be determined directly from a VPC Flow Log record?
Recommended: Pluralsight
This free course covers the theory. Pluralsight adds structured SCS-C02 learning paths, hands-on AWS security labs, and timed practice exams to make it stick before exam day.