
Answer-first summary for fast verification
Answer: Create a firewall policy to ensure that traffic is processed by stateless or stateful rules according to needs. Configure Network Firewall logging for alert logs and flow logs. Select a destination for logs separately for stateful and stateless engines.
To record complete metadata (source and destination IP addresses and protocol type), every network traffic flow, and every DROP or ALERT action taken by AWS Network Firewall, the network engineer must enable both of the firewall's log types. Alert logs record the traffic that matched a rule with an alert or drop action, together with the action taken; flow logs record the flows the firewall processed. Together they capture everything the company requires.

Option B is correct. It creates a firewall policy that sends traffic to stateless or stateful rules as needed, enables Network Firewall logging for both alert logs and flow logs, and selects log destinations separately for the stateful and stateless engines so that the two log streams can be stored and analysed independently.

Option A is incorrect because it only selects Amazon CloudWatch Logs as the destination for flow logs. It enables no alert logs, so DROP and ALERT actions would never be recorded, and it does not separate logging for the stateful and stateless engines.

Option C is incorrect because it forces the stateful engine to process all traffic, which is not required for every traffic type.

Option D is incorrect because VPC flow logs capture traffic metadata at the ENI or subnet level and do not record the actions (DROP or ALERT) that the firewall takes, so they cannot satisfy the requirement.
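The following Python is an added example, not part of the original explanation, showing what the correct answer looks like in practice: it builds the LoggingConfiguration structure that the Network Firewall UpdateLoggingConfiguration API accepts with both an ALERT and a FLOW destination, checks a configuration for the log types the requirement needs (a flow-logs-only configuration like option A fails the check), and pulls the source IP, destination IP, protocol and action out of log records. The log group, bucket and firewall names are placeholders, and the two sample records are constructed here to match the JSON shape of Network Firewall alert and flow (netflow) entries.

```python
"""AWS Network Firewall logging: build, validate and read (added example)."""
import json

# The requirement needs both log types: ALERT (rule matches with an alert or
# drop action) and FLOW (every flow the firewall's engine processed).
REQUIRED_LOG_TYPES = {"ALERT", "FLOW"}


def build_logging_configuration(alert_log_group, flow_bucket, flow_prefix="flow/"):
    """Return a LoggingConfiguration for update_logging_configuration.

    Alert logs go to CloudWatch Logs (easy to query for DROP/ALERT actions);
    the higher-volume flow logs go to S3. All names are placeholders.
    """
    return {
        "LogDestinationConfigs": [
            {
                "LogType": "ALERT",
                "LogDestinationType": "CloudWatchLogs",
                "LogDestination": {"logGroup": alert_log_group},
            },
            {
                "LogType": "FLOW",
                "LogDestinationType": "S3",
                "LogDestination": {"bucketName": flow_bucket, "prefix": flow_prefix},
            },
        ]
    }


def missing_log_types(logging_configuration):
    """Return the required log types absent from a configuration (empty set = ok)."""
    present = {c["LogType"] for c in logging_configuration.get("LogDestinationConfigs", [])}
    return REQUIRED_LOG_TYPES - present


def summarize_record(raw_line):
    """Return (event_type, src_ip, dest_ip, proto, action) for one log record.

    Flow (netflow) records carry no action, so action is None for them.
    """
    event = json.loads(raw_line)["event"]
    action = event.get("alert", {}).get("action")
    return event["event_type"], event["src_ip"], event["dest_ip"], event["proto"], action


# Constructed sample records (invented values) shaped like Network Firewall
# alert and flow log entries.
SAMPLE_ALERT = json.dumps({
    "firewall_name": "example-fw", "availability_zone": "us-east-1a",
    "event_timestamp": "1700000000",
    "event": {
        "timestamp": "2023-11-14T22:13:20.000000+0000", "flow_id": 1,
        "event_type": "alert", "src_ip": "10.0.1.25", "src_port": 51512,
        "dest_ip": "198.51.100.7", "dest_port": 443, "proto": "TCP",
        "alert": {"action": "blocked", "signature_id": 1000001, "rev": 1,
                  "signature": "example drop rule", "category": "", "severity": 1},
    },
})

SAMPLE_FLOW = json.dumps({
    "firewall_name": "example-fw", "availability_zone": "us-east-1a",
    "event_timestamp": "1700000000",
    "event": {
        "timestamp": "2023-11-14T22:13:20.000000+0000", "flow_id": 2,
        "event_type": "netflow", "src_ip": "10.0.1.25", "src_port": 51513,
        "dest_ip": "203.0.113.9", "dest_port": 80, "proto": "TCP",
        "netflow": {"pkts": 12, "bytes": 1480,
                    "start": "2023-11-14T22:13:17.000000+0000",
                    "end": "2023-11-14T22:13:20.000000+0000",
                    "age": 3, "min_ttl": 64, "max_ttl": 64},
        "app_proto": "http",
    },
})


if __name__ == "__main__":
    cfg = build_logging_configuration("/anfw/alert", "example-anfw-flow-logs")
    print("full config missing:", missing_log_types(cfg))
    # Option A's shape: flow logs only. The check reports the missing ALERT log.
    flow_only = {"LogDestinationConfigs": cfg["LogDestinationConfigs"][1:]}
    print("flow-only config missing:", missing_log_types(flow_only))
    for line in (SAMPLE_ALERT, SAMPLE_FLOW):
        print(summarize_record(line))
    # To apply it for real (needs AWS credentials; the ARN is a placeholder):
    # import boto3
    # boto3.client("network-firewall").update_logging_configuration(
    #     FirewallArn="arn:aws:network-firewall:us-east-1:123456789012:firewall/example-fw",
    #     LoggingConfiguration=cfg)
```

Run the block directly to see the checks and the extracted metadata; the commented boto3 call at the end is the one API call that applies the configuration to an existing firewall.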
Author: LeetQuiz Editorial Team
How should a network engineer configure an AWS Network Firewall to ensure complete metadata logging (including source/destination IP addresses and protocol type), capture all network traffic flows, and record DROP or ALERT actions for processed traffic, while ensuring the firewall endpoints are correctly placed in subnets and VPC route tables direct traffic through the firewall for internet-bound and inbound traffic?
A
Create a firewall policy to ensure that traffic is processed by stateless or stateful rules according to needs. Select Amazon CloudWatch Logs as the destination for the flow logs.
B
Create a firewall policy to ensure that traffic is processed by stateless or stateful rules according to needs. Configure Network Firewall logging for alert logs and flow logs. Select a destination for logs separately for stateful and stateless engines.
C
Create a firewall policy to ensure that a stateful engine processes all the traffic. Configure Network Firewall logging for alert logs and flow logs. Select a destination for alert logs and flow logs.
D
Create a firewall policy to ensure that a stateful engine processes all the traffic. Configure VPC flow logs for the subnets that the firewall protects. Select a destination for the flow logs.