VPC Flow Logs can't see DNS exfiltration. Here's what can — and what can't — with a working demo, real log output, and honest notes on AWS-native tooling.
