Amazon Web Services (AWS) has announced that relevant network traffic will be logged to CloudWatch Logs "for storage and analysis by your own third-party tools… The information captured includes information about allowed and denied traffic (based on security group and network ACL rules). It also includes source and destination IP addresses, ports, the IANA protocol number, packet and byte counts, a time interval during which the flow was observed, and an action (ACCEPT or REJECT)."
CloudWatch Logs extends CloudWatch (AWS's hypervisor-level metrics and alerting platform) so that alarms can be raised on conditions found within log data. AWS provides an agent that ships Windows and Linux OS logs, and CloudTrail events can be delivered as well. CloudWatch Logs is also the only place this network traffic log is made available, much as CloudTrail records are made available as JSON files in S3.
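As an added illustration of what a third-party tool would do with these records (this is example code written for this page, not AWS's own tooling), the following Python parses flow records in the default space-separated layout (version, account id, interface id, source and destination address, source and destination port, IANA protocol number, packets, bytes, start, end, action, log status), skips the NODATA/SKIPDATA placeholder records that carry no flow, totals bytes and flows per action, and flags any source whose traffic was rejected on several distinct destination ports. The log lines, account id and interface id are constructed for the example; the threshold in `rejected_port_sweeps` is an assumed tuning value.

```python
"""Parse flow log records (default field layout) and summarize ACCEPT/REJECT traffic."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Field order of the default flow log record format, one record per line.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# IANA protocol numbers that appear most often in flow data.
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed sample records (account id, interface id and addresses are made up).
# The NODATA line is the placeholder emitted when an interval saw no traffic.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.1.20 49152 22 6 8 1200 1434000000 1434000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 40001 22 6 1 40 1434000000 1434000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 40002 23 6 1 40 1434000000 1434000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 40003 3389 6 1 40 1434000000 1434000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 40004 445 6 1 40 1434000000 1434000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.2.5 51000 443 6 20 9000 1434000010 1434000070 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1434000000 1434000060 - NODATA
2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.3.9 53000 53 17 2 180 1434000020 1434000080 ACCEPT OK
"""


@dataclass(frozen=True)
class FlowRecord:
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    bytes: int
    start: int
    end: int
    action: str  # "ACCEPT" or "REJECT"

    @property
    def protocol_name(self) -> str:
        return PROTOCOL_NAMES.get(self.protocol, str(self.protocol))


def parse_record(line: str) -> Optional[FlowRecord]:
    """Parse one record; return None for placeholder or malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # NODATA / SKIPDATA records have "-" in the flow fields and describe no traffic.
    if rec["log_status"] != "OK":
        return None
    return FlowRecord(
        srcaddr=rec["srcaddr"], dstaddr=rec["dstaddr"],
        srcport=int(rec["srcport"]), dstport=int(rec["dstport"]),
        protocol=int(rec["protocol"]), packets=int(rec["packets"]),
        bytes=int(rec["bytes"]), start=int(rec["start"]), end=int(rec["end"]),
        action=rec["action"],
    )


def parse_log(text: str) -> List[FlowRecord]:
    """Parse every usable record from a block of flow log text."""
    records = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            records.append(rec)
    return records


def summarize(records: List[FlowRecord]) -> Dict[str, Dict[str, int]]:
    """Total flows, packets and bytes per action (ACCEPT / REJECT)."""
    totals: Dict[str, Dict[str, int]] = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0})
    for rec in records:
        totals[rec.action]["flows"] += 1
        totals[rec.action]["packets"] += rec.packets
        totals[rec.action]["bytes"] += rec.bytes
    return dict(totals)


def rejected_port_sweeps(records: List[FlowRecord], min_ports: int = 3) -> Dict[str, List[int]]:
    """Sources rejected on at least `min_ports` distinct destination ports.

    A run of REJECTs spread across many ports from one source is the kind of
    condition worth turning into an alarm; the threshold is an assumed value.
    """
    ports_by_src: Dict[str, set] = defaultdict(set)
    for rec in records:
        if rec.action == "REJECT":
            ports_by_src[rec.srcaddr].add(rec.dstport)
    return {src: sorted(ports) for src, ports in ports_by_src.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(summarize(recs))
    print(rejected_port_sweeps(recs))
```

The same functions work on records pulled from CloudWatch Logs; the only assumption baked in is the default field order, so a custom record format would need `FIELDS` adjusted to match.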