AWS Certified Advanced Networking - Specialty (#75)

You have multiple Amazon Elastic Compute Cloud (EC2) instances running a web server in a VPC configured with security groups and NACL. You need to ensure layer 7 protocol level logging of all network traffic (ACCEPT/REJECT) on the instances. What should be enabled to complete this task?

CloudWatch Logs at the VPC level
Packet sniffing at the instance level
VPC flow logs at the subnet level
Packet sniffing at the VPC level