Originating IP or Client IP in AWS


I have come across a question on AWS about how to track the originating IP or client IP of a request that has been processed by an EC2 instance or application.

I get confused because the originating IP or client IP can be seen in VPC Flow Logs, CloudTrail logs and ELB logs.

For example, here is one of the questions I have come across in one of the mock tests:

An application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances run in an Auto Scaling group across multiple Availability Zones. The Information Security team wants to track application requests by the originating IP and the EC2 instance that processes the request. Which of the following tools or services provides this information?

  • AWS CloudTrail
  • Elastic Load Balancing access logs
  • VPC Flow Logs

There is 1 answer

Answer by John Rotenstein (score: 4)

An Application Load Balancer "retransmits" the request to the EC2 instance. Thus, it does not appear to come from the originator.

The Elastic Load Balancing access logs will contain the originator information.

From Capture Client IP Addresses in Your ELB Access Logs:

For Application Load Balancers and Classic Load Balancers with HTTP/HTTPS listeners, you must use X-Forwarded-For headers to capture client IP addresses. Then, you must print those client IP addresses in your access logs.

AWS CloudTrail keeps a record of API calls made to AWS, so it will not contain traffic sent through a Load Balancer.

VPC Flow Logs show the source and destination of each packet within a VPC. Any packets between the Load Balancer and the EC2 instance would only show that traffic (ALB -> EC2). They would not show the traffic prior to the Load Balancer.
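To make the answer concrete, here is an added example (not part of the original answer or of any AWS code) showing the two halves of what the question asks for: pulling the client address and the target that served each request out of ALB access log lines, and, on the instance side, honouring `X-Forwarded-For` only when the request really came through the ALB. The log lines, ARNs, IP addresses and the target-IP-to-instance-ID table are all constructed placeholders; in practice the private target IP would be resolved to an instance through the target group or the instance's network interface.

```python
"""Extract client IP and serving target from ALB access log lines, and validate
X-Forwarded-For on the instance. Added example; the sample log, ARNs, IPs and
the TARGET_TO_INSTANCE table are constructed placeholders, not real resources."""
import ipaddress
import shlex
from typing import Dict, Iterable, List, Optional

# Constructed sample lines in ALB access log format (space-separated, with
# quoted fields). Field order: type time elb client:port target:port
# request_processing_time target_processing_time response_processing_time
# elb_status_code target_status_code received_bytes sent_bytes "request" ...
SAMPLE_LOG = """\
http 2024-01-15T12:00:01.123456Z app/my-alb/PLACEHOLDER 203.0.113.10:51234 10.0.1.25:8080 0.001 0.004 0.000 200 200 512 1024 "GET http://example.com:80/login HTTP/1.1" "Mozilla/5.0" - - arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/PLACEHOLDER "Root=1-PLACEHOLDER" "-" "-" 0 2024-01-15T12:00:01.120000Z "forward" "-" "-" "10.0.1.25:8080" "200" "-" "-"
https 2024-01-15T12:00:02.654321Z app/my-alb/PLACEHOLDER 198.51.100.7:44321 10.0.2.40:8080 0.002 0.010 0.000 403 403 700 300 "POST https://example.com:443/admin HTTP/1.1" "curl/8.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/PLACEHOLDER "Root=1-PLACEHOLDER" "example.com" "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER" 0 2024-01-15T12:00:02.650000Z "forward" "-" "-" "10.0.2.40:8080" "403" "-" "-"
"""

# Hypothetical lookup table (constructed): target private IP -> instance ID.
TARGET_TO_INSTANCE: Dict[str, str] = {
    "10.0.1.25": "i-0aaaaaaaaaaaaaaa1",
    "10.0.2.40": "i-0bbbbbbbbbbbbbbb2",
}


def _host_of(field: str) -> Optional[str]:
    """Return the host part of 'host:port'; '-' means no target was reached."""
    if field == "-":
        return None
    return field.rsplit(":", 1)[0]  # split on the last colon only


def parse_alb_line(line: str) -> dict:
    """Parse one ALB access log line into the fields the security team asked for."""
    f = shlex.split(line)  # shlex keeps the quoted "request" field intact
    client_ip = _host_of(f[3])
    target_ip = _host_of(f[4])
    return {
        "time": f[1],
        "client_ip": client_ip,
        "target_ip": target_ip,
        "instance_id": TARGET_TO_INSTANCE.get(target_ip) if target_ip else None,
        "elb_status": int(f[8]),
        "request": f[12],
    }


def parse_alb_log(text: str) -> List[dict]:
    """Parse every non-empty line of an ALB access log."""
    return [parse_alb_line(ln) for ln in text.splitlines() if ln.strip()]


def client_ip_from_request(peer_ip: str, xff_header: Optional[str],
                           trusted_proxies: Iterable[ipaddress.IPv4Network]) -> str:
    """Instance-side: trust X-Forwarded-For only when the direct peer is the ALB.

    The ALB appends the address it saw to the end of X-Forwarded-For, so the
    rightmost entry is the client as the ALB saw it; anything a client put in
    the header itself sits to the left of that. If the peer is not a trusted
    proxy, the header is ignored and the peer address is used.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not xff_header or not any(peer in net for net in trusted_proxies):
        return peer_ip
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    return hops[-1] if hops else peer_ip


if __name__ == "__main__":
    for row in parse_alb_log(SAMPLE_LOG):
        print(f"{row['time']} client={row['client_ip']} -> "
              f"{row['instance_id']} ({row['target_ip']}) {row['elb_status']} {row['request']}")
    alb_subnets = [ipaddress.ip_network("10.0.0.0/16")]  # constructed ALB subnet range
    print(client_ip_from_request("10.0.0.5", "1.2.3.4, 203.0.113.10", alb_subnets))
```

The ALB log already carries both values the question asks about (client `ip:port` and target `ip:port`), so no header parsing is needed on that side; the `X-Forwarded-For` check matters only for logs written by the application itself, which otherwise see nothing but the ALB's address as the peer.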