YAZ84

Reputation: 95

AWS EC2 VPC - How could one find the destination and data of high unexpected traffic from an EC2 instance?

For an EC2 instance (Linux) we encountered huge unexpected network traffic, in and out: from 500 MB/5min to 6 GB/5min for 6+ hours continuously. We do not have VPC flow logs enabled. A security breach, an unwanted transfer of data, is suspected. We would be interested in knowing where and what data was transferred. Questions:

  1. Since this happened in the past and we did not have VPC flow logs enabled, is there a way for AWS to determine where the data was transferred (IP, hostname)?
  2. In case it happens in the future, I guess the solution is to have AWS VPC Flow Logs enabled on the EC2 instance interface https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html#flow-logs-default and check dstaddr and pkt-dstaddr for outgoing traffic. Could you confirm?
  3. I guess AWS cannot tell what data (which files) was transmitted, but which local (on EC2) solution would you advise? I am thinking of having a CloudWatch monitor alert us when throughput reaches a set threshold, and then I can run a packet capture tool (tcpdump) to capture traffic on that interface (locally or on S3, depending on the size).
  4. Apart from AWS Flow Logs, which imply additional costs, which local (on EC2, Linux) data traffic monitoring tool would you recommend running 24/7 and saving logs? Thank you.

Upvotes: 1

Views: 283
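One way to turn flow-log records into a per-destination egress ranking, as an added example that is not from the original post or from AWS: it assumes a custom flow-log format whose field order is the one listed in FIELDS (these are real VPC flow-log field names, including pkt-dstaddr and flow-direction) and runs over constructed sample records, so it can be tried offline before pointing it at real log data.

```python
"""Aggregate outbound bytes per destination from VPC flow log records."""
from collections import defaultdict

# Custom flow-log format assumed for this example (field order is whatever was
# chosen when the flow log was created; these are real VPC flow-log field names).
FIELDS = ["version", "interface-id", "srcaddr", "dstaddr", "pkt-srcaddr",
          "pkt-dstaddr", "srcport", "dstport", "protocol", "bytes",
          "start", "end", "action", "flow-direction"]

# Constructed sample records: two egress flows to 203.0.113.9 (documentation
# range), one ingress flow, one egress flow via a NAT hop (pkt-dstaddr differs).
SAMPLE_LOG = """\
5 eni-0a1b2c3d 10.0.1.25 203.0.113.9 10.0.1.25 203.0.113.9 54321 443 6 4000000000 1700000000 1700000300 ACCEPT egress
5 eni-0a1b2c3d 10.0.1.25 203.0.113.9 10.0.1.25 203.0.113.9 54322 443 6 2500000000 1700000300 1700000600 ACCEPT egress
5 eni-0a1b2c3d 198.51.100.7 10.0.1.25 198.51.100.7 10.0.1.25 443 54321 6 900000 1700000000 1700000300 ACCEPT ingress
5 eni-0a1b2c3d 10.0.1.25 10.0.2.200 10.0.1.25 192.0.2.44 54400 22 6 150000000 1700000000 1700000300 ACCEPT egress
"""

def parse_records(text, fields=FIELDS):
    """Yield one dict per line; lines whose field count does not match are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(fields):
            continue
        yield dict(zip(fields, parts))

def egress_bytes_by_destination(text, fields=FIELDS):
    """Sum bytes of accepted egress flows, keyed by (dstaddr, pkt-dstaddr).

    dstaddr is the next hop the ENI sent to; pkt-dstaddr is the original packet
    destination, which differs when traffic leaves via a NAT or transit gateway.
    """
    totals = defaultdict(int)
    for rec in parse_records(text, fields):
        if rec["flow-direction"] != "egress" or rec["action"] != "ACCEPT":
            continue
        totals[(rec["dstaddr"], rec["pkt-dstaddr"])] += int(rec["bytes"])
    return dict(totals)

def destinations_over_threshold(text, threshold_bytes, fields=FIELDS):
    """Return (dstaddr, pkt-dstaddr, bytes) for destinations at or above threshold, largest first."""
    hits = [(d, p, b) for (d, p), b in egress_bytes_by_destination(text, fields).items()
            if b >= threshold_bytes]
    return sorted(hits, key=lambda t: t[2], reverse=True)

if __name__ == "__main__":
    for dst, pkt_dst, nbytes in destinations_over_threshold(SAMPLE_LOG, 1_000_000_000):
        print(f"{dst:16} pkt-dstaddr={pkt_dst:16} {nbytes / 1e9:.2f} GB")
```

Feed it the records for the suspect interface-id and time window; the (dstaddr, pkt-dstaddr) pair shows both the hop the ENI talked to and the real destination behind any NAT.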

Answers (1)

labeveryday

Reputation: 1

AWS Shield is always running on all AWS accounts. If you have a Business or Enterprise support plan you could escalate to the AWS Shield Response Team (SRT) and they could assist you. AWS Support

Upvotes: 0
