A company operates multiple AWS accounts and VPCs within a single AWS Region and needs to log all network traffic for Amazon EC2 instances and Amazon RDS databases. The logs will be used to monitor and identify traffic flows during security incidents, with metadata including vpc-id, subnet-id, and tcp-flags. The logs must be retained for 12 months but will be accessed infrequently after the first 90 days. Which solution meets these requirements at the LOWEST cost?