Inserting something in your network between the router and the modem seems ideal. This could be achieved with a Raspberry Pi. It only has a single Ethernet interface, but you could get a USB NIC so that you have an incoming and an outgoing interface.
These should be bridged so that the Pi does not need to participate as a router. Anything coming into the Pi on one interface will go out the other. You may need a third USB NIC to act as a management port that you can connect to the inside of your network.
One approach is to have netcat running on AWS, then run tcpdump, filtering out any HTTP headers from port 80 and sending them to AWS:
tcpdump -s 0 -U -n -w - -i br0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | nc AWS_IP 10000
This is saying:
-s 0 Get the whole packet
-U Send output immediately, don't buffer
-n No name conversion with DNS etc.
-w - Write to standard output
-i br0 Listen for packets on the br0 interface (assumes the Ethernet ports are bridged)
The filter then pulls out any HTTP headers: it keeps only port 80 packets whose TCP payload is non-empty (IP total length minus the IP and TCP header lengths). The output from this is piped into netcat, which sends it to port 10000 on the AWS IP address.
And on AWS
nc -l -p 10000 > http.pcap
This sets up a listener on port 10000 and outputs anything that arrives on this port to a file called http.pcap.
This file can then be opened using something like Wireshark.
To secure this traffic, look into tunnelling the data over ssh.
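One way to do that, as an added example that is not part of the original answer: pipe tcpdump straight into ssh, so the capture is encrypted in transit and no netcat listener has to be exposed on AWS. The user name capture, the environment variable names and key-based login to the AWS host are assumptions; AWS_IP, br0 and http.pcap are the placeholders used above.

```shell
#!/bin/sh
# Added example: stream the capture over ssh instead of plain netcat.
# Assumptions: key-based login works for $REMOTE and its host key is
# already in known_hosts; "capture" is a hypothetical user name.
REMOTE="${REMOTE:-capture@AWS_IP}"
IFACE="${IFACE:-br0}"
PORT="${PORT:-80}"
OUTFILE="${OUTFILE:-http.pcap}"

# Build the capture filter from above for a given TCP port.
# Rejects anything that is not a plain number so the value cannot
# smuggle extra filter terms or shell syntax into the command line.
capture_filter() {
    case "$1" in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    printf 'tcp port %s and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' "$1"
}

# Capture on the bridge and write the pcap stream to a file on the
# remote host. ssh carries the data, so nothing listens on port 10000.
stream_capture() {
    filter=$(capture_filter "$PORT") || return 1
    # -T: no pseudo-terminal, the stream is binary pcap data
    # BatchMode: fail instead of prompting for a password
    # StrictHostKeyChecking: refuse an unknown or changed host key
    # umask 077: the capture file is readable by its owner only
    tcpdump -s 0 -U -n -w - -i "$IFACE" "$filter" |
        ssh -T -o BatchMode=yes -o StrictHostKeyChecking=yes \
            -o ServerAliveInterval=30 "$REMOTE" \
            "umask 077 && cat > '$OUTFILE'"
}

# Only start capturing when asked to, e.g.: sh capture.sh run
if [ "${1:-}" = "run" ]; then
    stream_capture
fi
```

The ssh session itself runs on port 22, so it is not matched by the port 80 filter even if it leaves through the bridged interfaces.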