AWS Certified Security Specialty Exam Questions

Question 245:

Your company's security policies require that EC2 instances in the VPCs send custom logs to CloudWatch Logs over private connections, without being exposed to the internet.
The EC2 instances are currently located in private subnets, and they can connect to the internet through NAT gateways in public subnets.
Which of the following actions would you take to meet the security requirements?

Answer options:

A. Create a CloudWatch Log Group and associate it with one VPC private subnet. Send the logs from EC2 instances to the CloudWatch Log Group through the AWS private backbone.
B. Create a VPC Endpoint for CloudWatch Logs (com.amazonaws.Region.logs). The EC2 logs are sent to CloudWatch Logs through a private connection.
C. Add a route in the NAT gateway route table to serve the traffic from private subnets to the CloudWatch Logs service (com.amazonaws.Region.logs).
D. Establish an AWS PrivateLink connection between VPC private subnets and the CloudWatch Logs service. Attach a security group to CloudWatch Logs to allow inbound traffic from the EC2 security groups.
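Option B describes an interface VPC endpoint for the CloudWatch Logs service. The CloudFormation template below is an added example, not part of the exam page, showing what such an endpoint looks like in practice: the VPC, private subnet and instance security group IDs are template parameters (placeholders), and the resource names are chosen here for illustration.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the exam page): an interface VPC endpoint for
  CloudWatch Logs so instances in private subnets reach the service over
  the AWS backbone instead of the NAT gateway. VPC, subnet and security
  group IDs are supplied as parameters (placeholders).

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: Private subnets whose instances need CloudWatch Logs access
  InstanceSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Security group attached to the EC2 instances that send logs

Resources:
  # Security group for the endpoint's network interfaces: only the instances'
  # own security group may reach it, and only on HTTPS (the Logs API port).
  LogsEndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow HTTPS from EC2 instances to the CloudWatch Logs endpoint
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId: !Ref InstanceSecurityGroupId

  # Interface endpoint for com.amazonaws.<region>.logs. PrivateDnsEnabled makes
  # logs.<region>.amazonaws.com resolve to the endpoint's private IPs inside the
  # VPC, so the CloudWatch agent and SDKs need no configuration change.
  CloudWatchLogsEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Interface
      ServiceName: !Sub com.amazonaws.${AWS::Region}.logs
      SubnetIds: !Ref PrivateSubnetIds
      SecurityGroupIds:
        - !Ref LogsEndpointSecurityGroup
      PrivateDnsEnabled: true
      # Endpoint policy: limits which Logs API actions may pass through this
      # endpoint. Callers still need matching IAM permissions on their
      # instance role; the endpoint policy only narrows, never grants.
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: "*"
            Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
              - logs:DescribeLogGroups
              - logs:DescribeLogStreams
            Resource: "*"

Outputs:
  EndpointId:
    Value: !Ref CloudWatchLogsEndpoint
```

Private DNS on the endpoint requires the VPC to have both DNS resolution and DNS hostnames enabled. A quick check after deployment is to resolve logs.<region>.amazonaws.com from an instance in a private subnet: it should return addresses inside the VPC's CIDR, which confirms that log traffic no longer leaves through the NAT gateway. The endpoint security group is deliberately limited to port 443 from the instances' own security group, so nothing else in the VPC can reach the endpoint interfaces.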