Correct Answer – B
AWS Documentation mentions the following.
VPC Flow Log is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data is stored using Amazon CloudWatch Logs. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. (Flow logs can now also be published to Amazon S3 or Kinesis Data Firehose; CloudWatch Logs is the destination the quoted documentation describes.)
For more information on VPC Flow Logs, please visit the following URL-
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html
Note:
The question asks to monitor all traffic flowing in and out of EC2 instances. An EC2 instance is always launched inside a VPC, and all of its traffic passes through its elastic network interface(s), so a flow log on the VPC, subnet, or interface captures exactly that IP traffic: source and destination addresses and ports, protocol, packet and byte counts, and whether the security groups and network ACLs accepted or rejected the flow. None of the other options records IP traffic to and from the instances, which is why VPC Flow Logs is the answer. Keep in mind that a flow log records flow metadata only, not packet payloads.
Now coming to the question - why not CloudTrail?
Before venturing into it, let's look at the types of log categories we have in AWS.
1. AWS Infrastructure Logs - AWS CloudTrail, Amazon VPC Flow Logs
2. AWS Service Logs - Amazon S3, AWS Elastic Load Balancing, Amazon CloudFront, AWS Lambda, AWS Elastic Beanstalk, etc.
3. Host-Based Logs - Messages, Security, NGINX/Apache/IIS, Windows Event Logs, Windows Performance Counters, etc.
AWS CloudTrail: it records the AWS API calls made in your account, answering questions such as:
- who made the API call?
- when was the API call made?
- what was the API call?
- which resources were acted upon in the API call?
- where were the API calls made from and made to?
CloudTrail therefore tells you who started, stopped, or modified an instance through the API (control-plane activity), but it contains nothing about the packets the instance itself sends or receives. That network-level view is what the question asks for, and only VPC Flow Logs provide it.
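To make the difference concrete, the following added example (not from the original page or from AWS documentation) parses a handful of constructed VPC Flow Log records in the default format, summarizes bytes in and out per network interface, flags rejected port probes, and then extracts the who/when/what/which/where fields from a constructed CloudTrail event. The account ID, interface IDs, IP addresses, and instance ID are made up; the VPC CIDR used to infer flow direction is an assumption, since the default (version 2) record format has no flow-direction field.

```python
import ipaddress
import json
from collections import defaultdict

# Field order of a default-format (version 2) VPC Flow Log record.
FLOW_LOG_FIELDS = [
    "version", "account-id", "interface-id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log-status",
]

# Constructed sample records (fake account, ENIs, and addresses).
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.10 10.0.1.5 44321 22 6 7 560 1620000000 1620000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.10 10.0.1.5 44322 23 6 3 180 1620000000 1620000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.10 10.0.1.5 44323 3389 6 3 180 1620000000 1620000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 198.51.100.7 10.0.1.5 51000 443 6 20 4000 1620000000 1620000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.5 198.51.100.7 443 51000 6 18 9000 1620000000 1620000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60002 - - - - - - - 1620000000 1620000059 - NODATA
"""


def parse_flow_log_line(line):
    """Parse one default-format record; return None for malformed or
    NODATA/SKIPDATA records, which carry no traffic fields."""
    parts = line.split()
    if len(parts) != len(FLOW_LOG_FIELDS):
        return None
    rec = dict(zip(FLOW_LOG_FIELDS, parts))
    if rec["log-status"] != "OK":
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def parse_flow_logs(text):
    records = (parse_flow_log_line(l) for l in text.splitlines() if l.strip())
    return [r for r in records if r is not None]


def traffic_per_interface(records, vpc_cidr):
    """Accepted bytes in and out per ENI plus the count of rejected flows.
    Direction heuristic (assumption): a flow whose source address is inside
    the VPC CIDR is treated as outbound, anything else as inbound."""
    vpc = ipaddress.ip_network(vpc_cidr)
    totals = defaultdict(lambda: {"in_bytes": 0, "out_bytes": 0, "rejected": 0})
    for r in records:
        eni = totals[r["interface-id"]]
        if r["action"] == "REJECT":
            eni["rejected"] += 1
            continue
        if ipaddress.ip_address(r["srcaddr"]) in vpc:
            eni["out_bytes"] += r["bytes"]
        else:
            eni["in_bytes"] += r["bytes"]
    return dict(totals)


def rejected_port_probes(records, min_ports=3):
    """Simple port-scan heuristic: a source whose rejected flows touch at
    least min_ports distinct destination ports on one ENI."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[(r["srcaddr"], r["interface-id"])].add(r["dstport"])
    return {key: sorted(p) for key, p in ports.items() if len(p) >= min_ports}


# Constructed CloudTrail event: an API call, not a network flow.
SAMPLE_CLOUDTRAIL_EVENT = json.dumps({
    "eventVersion": "1.08",
    "eventTime": "2021-05-03T00:00:00Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "StopInstances",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "203.0.113.10",
    "userIdentity": {"type": "IAMUser",
                     "arn": "arn:aws:iam::123456789012:user/alice"},
    "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}},
})


def summarize_cloudtrail_event(event_json):
    """Answer who / when / what / which resources / from where for one event.
    Note there is no srcaddr, dstaddr, dstport or bytes: CloudTrail records
    the API call, never the packets the instance exchanges."""
    e = json.loads(event_json)
    items = e.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
    return {
        "who": e["userIdentity"]["arn"],
        "when": e["eventTime"],
        "what": f'{e["eventSource"]}:{e["eventName"]}',
        "resources": [i["instanceId"] for i in items],
        "from": e["sourceIPAddress"],
    }


if __name__ == "__main__":
    recs = parse_flow_logs(SAMPLE_FLOW_LOGS)
    print(traffic_per_interface(recs, "10.0.0.0/16"))
    print(rejected_port_probes(recs))
    print(summarize_cloudtrail_event(SAMPLE_CLOUDTRAIL_EVENT))
```

Running it shows the flow log answering the question in the exam item (bytes in and out of each interface, and a scanner probing ports 22, 23 and 3389 that the security group rejected), while the CloudTrail event only says that user alice called StopInstances on one instance from 203.0.113.10. If you use a custom flow log format with the flow-direction field, replace the CIDR heuristic with that field.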
NOTE:
AWS has launched a feature called VPC Traffic Mirroring, which copies the actual packets from an elastic network interface to a monitoring target so they can be captured and inspected at scale. Unlike flow logs, which record only flow metadata, traffic mirroring gives you the packet contents. To know more about this feature, please check the link below.
https://aws.amazon.com/blogs/aws/new-vpc-traffic-mirroring/