Not sure if I need a firewall, forward proxy, or some gross hybrid...

Hoping you folks might be able to point me to the right things to Google.

Our project has developed a very "business lead" (to put it politely) requirement to monitor and allow/block outgoing connections to other parts of the business. We live in a dedicated AWS account and have reasonable autonomy over our networking setup (NACLs, route tables, etc), but less freedom with what AWS services we can use, and deploying things from Marketplace.

The basic requirements are as follows:

• Default blocking for certain CIDRs.
• Exceptions for certain IP/Host and port combos within those CIDRs.
• Authentication and authorisation to use said exceptions (i.e. user tracking).
• Detailed logging on connections; source, dest, request and response sizes, ports, protocols, whatever we can get out hands on.
• All of the above for all (?) kinds of TCP connections (HTTPS, Postgres, Oracle DB, MongoDB, as examples).

The security aspect of this is fairly minimal as it's mainly for usage tracking and making sure our users sign their life away before they access their services from our platform. As such, I was hoping to have something that could be rolled out fairly simply; a couple of EC2 instances, yum install foo, and some routing rules, but it looks like the feature set we want requires something more robust, like OPNsense or similar.

Am I missing an obvious solution here, a forward proxy of some sort, any "light" firewalls that don't require a whole separate AMI?

Thanks in advance!