A company has a group of Amazon EC2 instances in a private subnet that does not have a NAT gateway attached. A security engineer needs to capture logs from an application and collect the log files in Amazon CloudWatch Logs. Which steps should the security engineer take to securely meet the requirements? (Select TWO.)