AWS CloudWatch vs CloudTrail vs Config

  • AWS provides three core monitoring and governance services that are often confused but serve distinct purposes.
  • CloudWatch monitors performance and operational health, CloudTrail records API activity (who did what), and Config tracks resource configuration changes and compliance.
  • All three work together for a complete observability and governance strategy.

CloudWatch vs CloudTrail vs Config Comparison

| Feature | CloudWatch | CloudTrail | Config |
| --- | --- | --- | --- |
| Purpose | Performance monitoring & observability | API audit trail & activity logging | Resource configuration tracking & compliance |
| Answers | "How is it performing?" | "Who did what and when?" | "What changed and is it compliant?" |
| Data type | Metrics, logs, traces, events | API call records (events) | Resource configuration snapshots |
| Scope | Resources, applications, services | AWS account API activity | AWS resource inventory & state |
| Retention | Metrics: 15 months; Logs: configurable (never expire by default) | 90 days (console event history) or indefinite (trail delivered to S3) | Indefinite (configuration history) |
| Alerting | Yes (alarms on metrics and logs) | Via EventBridge or CloudWatch Logs | Yes (Config Rules; non-compliance can notify via SNS) |
| Automation | Auto Scaling, EC2 actions, Lambda | EventBridge rules trigger actions | Auto-remediation via SSM Automation |
| Cross-account | Cross-account dashboards, metric sharing | Organization trail | Aggregator (multi-account, multi-region) |
| Pricing | Per metric, log ingestion, dashboard | Free (management events, 1 copy); data events paid | Per rule evaluation + per configuration item recorded |
| Example | CPU > 80% for 5 minutes → alarm | User X deleted S3 bucket at 3:42pm | Security group changed to allow 0.0.0.0/0 → non-compliant |

Amazon CloudWatch

  • Monitoring and observability service for AWS resources and applications.
  • Metrics – collect and track standard (free) and custom metrics; 1-second resolution available.
  • Alarms – trigger actions (Auto Scaling, SNS, EC2 stop/terminate/reboot) when metrics cross thresholds.
  • Logs – centralized log collection with Logs Insights for SQL-like querying.
  • Dashboards – create visualizations across accounts and regions.
  • CloudWatch Agent – collect OS-level metrics (memory, disk) and application logs from EC2.
  • Anomaly Detection – ML-based bands to detect unusual metric behavior.
  • Composite Alarms – combine multiple alarms with AND/OR logic to reduce noise.
  • Synthetics – canary scripts to monitor endpoints and APIs proactively.
  • Application Signals – automatic application monitoring with SLOs (GA 2024).
  • Internet Monitor – monitor internet connectivity to your application.
  • Database Insights – unified database monitoring across RDS, Aurora, and self-managed databases.
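The alarm bullets above compress several PutMetricAlarm settings (period, evaluation periods, datapoints to alarm, missing-data treatment) into "CPU > 80% for 5 minutes". The following Python is an added example, not AWS code: it is a simplified offline model of how those settings turn a series of datapoints into ALARM, OK or INSUFFICIENT_DATA, plus the AND/OR logic of a composite alarm. The datapoint series are constructed, and the real service re-evaluates on every new datapoint with finer rules for partially missing windows than modelled here.

```python
"""Simplified model of how a CloudWatch alarm decides ALARM / OK / INSUFFICIENT_DATA.

Added example (not AWS code). Models the period / evaluationPeriods /
datapointsToAlarm / treatMissingData settings of PutMetricAlarm on a
constructed datapoint series.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence


@dataclass(frozen=True)
class AlarmSpec:
    threshold: float
    comparison: str = "GreaterThanThreshold"   # also *OrEqualTo*, LessThanThreshold, LessThanOrEqualToThreshold
    period_seconds: int = 60                   # width of one datapoint
    evaluation_periods: int = 5                # N: how many recent datapoints are examined
    datapoints_to_alarm: Optional[int] = None  # M: how many of the N must breach (default: all N)
    treat_missing_data: str = "missing"        # missing | notBreaching | breaching


def breaches(value: float, spec: AlarmSpec) -> bool:
    """True if a single datapoint violates the threshold under the chosen comparison."""
    t = spec.threshold
    return {
        "GreaterThanThreshold": value > t,
        "GreaterThanOrEqualToThreshold": value >= t,
        "LessThanThreshold": value < t,
        "LessThanOrEqualToThreshold": value <= t,
    }[spec.comparison]


def evaluate_alarm(datapoints: Sequence[Optional[float]], spec: AlarmSpec) -> str:
    """Evaluate the most recent N periods. datapoints are oldest-first, one per period;
    None means no data was reported for that period."""
    n = spec.evaluation_periods
    m = spec.datapoints_to_alarm or n
    window = list(datapoints[-n:])
    window = [None] * (n - len(window)) + window  # left-pad short histories with missing data

    if all(v is None for v in window) and spec.treat_missing_data == "missing":
        return "INSUFFICIENT_DATA"

    breaching = 0
    for v in window:
        if v is None:
            if spec.treat_missing_data == "breaching":
                breaching += 1
            # "notBreaching", and "missing" when some data is present, count as non-breaching here
        elif breaches(v, spec):
            breaching += 1
    return "ALARM" if breaching >= m else "OK"


def window_seconds(spec: AlarmSpec) -> int:
    """How long a breach must persist: 'CPU > 80% for 5 minutes' is period 60 x 5 evaluation periods."""
    return spec.period_seconds * spec.evaluation_periods


def evaluate_composite(child_states: Dict[str, str], require_all: bool) -> str:
    """Composite alarm: ALARM(a) AND ALARM(b) when require_all, else ALARM(a) OR ALARM(b)."""
    in_alarm = [s == "ALARM" for s in child_states.values()]
    fired = all(in_alarm) if require_all else any(in_alarm)
    return "ALARM" if fired else "OK"


# Constructed 1-minute CPUUtilization samples (percent), oldest first.
SUSTAINED = [40.0, 85.0, 90.0, 95.0, 88.0, 91.0]   # above 80 for the last five minutes
TRANSIENT = [40.0, 97.0, 42.0, 41.0, 43.0, 40.0]   # a single spike, should not page anyone

CPU_80_FOR_5_MIN = AlarmSpec(threshold=80.0)

if __name__ == "__main__":
    print(window_seconds(CPU_80_FOR_5_MIN), "seconds of continuous breach required")
    print("sustained:", evaluate_alarm(SUSTAINED, CPU_80_FOR_5_MIN))
    print("transient:", evaluate_alarm(TRANSIENT, CPU_80_FOR_5_MIN))
```

Setting `datapoints_to_alarm` below `evaluation_periods` (an "M out of N" alarm) is how you keep a flapping metric from staying quiet, while `treat_missing_data="breaching"` is the safer default for a metric whose absence itself is a problem (an agent that stopped reporting).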

AWS CloudTrail

  • Records all API calls made in your AWS account – who, what, when, from where.
  • Management events – control plane operations (CreateBucket, RunInstances, etc.) – free, 1 copy per region.
  • Data events – data plane operations (S3 GetObject, Lambda Invoke, DynamoDB GetItem) – paid.
  • Insights events – detect unusual API activity patterns (e.g., spike in API calls).
  • Trail delivery – send events to S3 (long-term storage) and/or CloudWatch Logs (real-time alerting).
  • Organization trail – single trail for all accounts in AWS Organizations.
  • CloudTrail Lake – managed data lake for querying events with SQL (replaces Athena queries on S3).
  • Event history – 90-day free lookup in the console (management events only).
  • Integrity validation – digest files prove logs haven’t been tampered with.
  • Network activity events (2024) – track VPC endpoint API calls for data perimeter monitoring.
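To make the "who, what, when, from where" bullet concrete, here is an added Python example (not AWS code) that reads a CloudTrail log file as delivered to S3, separates management from data events, lists the mutating control-plane calls, and answers the classic incident question "who deleted this bucket, when, and from which IP". The three records are constructed in the CloudTrail record format; account IDs, ARNs, event IDs and IPs are placeholders.

```python
"""Parse a CloudTrail log file and answer 'who did what, when, from where'.

Added example, not AWS code. Record fields (eventTime, eventName, userIdentity,
sourceIPAddress, managementEvent, eventCategory, readOnly) follow the CloudTrail
record format; the records are constructed, with placeholder IDs/ARNs/IPs.
"""
import json
from collections import Counter
from typing import Dict, List, Optional

SAMPLE_LOG_FILE = json.dumps({"Records": [
    {   # management event, mutating: the bucket deletion an investigator is looking for
        "eventVersion": "1.08", "eventTime": "2024-05-07T15:42:11Z",
        "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
        "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
        "userAgent": "aws-cli/2.15.0", "eventID": "00000000-0000-4000-8000-000000000001",
        "eventType": "AwsApiCall", "managementEvent": True, "eventCategory": "Management",
        "readOnly": False,
        "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLEID:alice",
                         "arn": "arn:aws:sts::123456789012:assumed-role/Admins/alice",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "false"},
                                            "sessionIssuer": {"type": "Role", "userName": "Admins"}}},
        "requestParameters": {"bucketName": "example-bucket"},
    },
    {   # management event, read-only
        "eventVersion": "1.08", "eventTime": "2024-05-07T15:40:02Z",
        "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
        "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
        "eventID": "00000000-0000-4000-8000-000000000002", "eventType": "AwsApiCall",
        "managementEvent": True, "eventCategory": "Management", "readOnly": True,
        "userIdentity": {"type": "IAMUser", "userName": "bob",
                         "arn": "arn:aws:iam::123456789012:user/bob"},
        "requestParameters": None,
    },
    {   # data event: only present when data events are enabled (and paid for) on the trail
        "eventVersion": "1.08", "eventTime": "2024-05-07T15:41:30Z",
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
        "eventID": "00000000-0000-4000-8000-000000000003", "eventType": "AwsApiCall",
        "managementEvent": False, "eventCategory": "Data", "readOnly": True,
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
        "requestParameters": {"bucketName": "example-bucket", "key": "reports/q1.csv"},
    },
]})


def load_records(log_file_text: str) -> List[dict]:
    """A CloudTrail log file (gzipped JSON in S3) is an object with a 'Records' array."""
    return json.loads(log_file_text)["Records"]


def actor(record: dict) -> str:
    """Readable principal: IAM user name, 'root', or role/session for an assumed role."""
    ident = record.get("userIdentity", {})
    kind = ident.get("type")
    if kind == "IAMUser":
        return ident.get("userName", ident.get("arn", "?"))
    if kind == "Root":
        return "root"
    if kind == "AssumedRole":
        role = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("userName", "?")
        session = ident.get("principalId", ":?").split(":", 1)[1]  # "AROA...:session-name"
        return f"{role}/{session}"
    return ident.get("arn", kind or "?")


def mfa_authenticated(record: dict) -> Optional[bool]:
    """None when the record carries no session attributes (e.g. a plain IAM user access key)."""
    attrs = record.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    value = attrs.get("mfaAuthenticated")
    return None if value is None else value == "true"


def count_by_category(records: List[dict]) -> Dict[str, int]:
    """Management vs Data events: the former are free and always on, the latter opt-in and billed."""
    return dict(Counter(r.get("eventCategory", "Unknown") for r in records))


def mutating_events(records: List[dict]) -> List[str]:
    """Non-read-only management events: the control-plane changes to audit first."""
    return [r["eventName"] for r in records if r.get("managementEvent") and not r.get("readOnly")]


def who_did(records: List[dict], event_name: str, bucket: str) -> Optional[dict]:
    """Answer 'who ran <event_name> on <bucket>, when, and from which IP'."""
    for r in records:
        params = r.get("requestParameters") or {}
        if r.get("eventName") == event_name and params.get("bucketName") == bucket:
            return {"actor": actor(r), "time": r["eventTime"], "source_ip": r["sourceIPAddress"],
                    "user_agent": r.get("userAgent"), "mfa": mfa_authenticated(r),
                    "event_id": r["eventID"]}
    return None
```

The `mfa` field is worth surfacing in any such report: a destructive management call made through a role session without MFA is exactly the kind of finding the "Who did what and when?" column of the comparison table is there to answer.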

AWS Config

  • Tracks resource configuration changes and evaluates compliance over time.
  • Configuration recorder – captures current state of resources as configuration items.
  • Configuration history – timeline of how a resource’s configuration changed.
  • Config Rules – evaluate resources against desired configurations (400+ AWS managed rules + custom Lambda rules).
  • Conformance Packs – collection of Config Rules and remediation actions packaged as a single entity.
  • Auto-remediation – automatically fix non-compliant resources via SSM Automation documents.
  • Aggregator – centralized view across multiple accounts and regions.
  • Advanced Query – SQL queries on current configuration state of all resources.
  • Proactive compliance (2024) – evaluate CloudFormation templates BEFORE deployment.
  • Service-linked rules – Config Rules managed by other AWS services (Security Hub, Control Tower).
  • Resource timeline – view config changes, compliance changes, and CloudTrail events together.
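The Config Rules bullet mentions custom Lambda rules; the following Python is an added example (not AWS code) of the evaluation logic for the page's recurring case, a security group that allows SSH from 0.0.0.0/0. `evaluate_security_group()` takes a configuration item in the shape Config records for `AWS::EC2::SecurityGroup` (an assumption about field names based on the EC2 API), and `lambda_handler()` accepts the event Config sends a custom rule, where `invokingEvent` and `ruleParameters` are JSON strings. The sample items and event are constructed with placeholder IDs, and the `put_evaluations` call that would report the result is left out so the module runs offline.

```python
"""Custom AWS Config rule logic: flag security groups that allow SSH from anywhere.

Added example, not AWS code. Field names follow the shape Config records for
AWS::EC2::SecurityGroup (assumed from the EC2 API); sample items are constructed.
"""
import json
from typing import List

ANYWHERE = {"0.0.0.0/0", "::/0"}
INACTIVE_STATES = {"ResourceDeleted", "ResourceDeletedNotRecorded", "ResourceNotRecorded"}


def permission_covers_port(perm: dict, port: int) -> bool:
    """Does one ipPermissions entry include TCP <port>? ipProtocol '-1' means all protocols and ports."""
    proto = str(perm.get("ipProtocol"))
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    if lo is None or hi is None:
        return True  # no port range recorded: treat as all ports (fail closed)
    return lo <= port <= hi


def open_to_world(perm: dict) -> bool:
    v4 = any(r.get("cidrIp") in ANYWHERE for r in perm.get("ipRanges", []))
    v6 = any(r.get("cidrIpv6") in ANYWHERE for r in perm.get("ipv6Ranges", []))
    return v4 or v6


def evaluate_security_group(ci: dict, port: int = 22) -> dict:
    """Return one evaluation in the shape PutEvaluations expects."""
    base = {"ComplianceResourceType": ci.get("resourceType"),
            "ComplianceResourceId": ci.get("resourceId"),
            "OrderingTimestamp": ci.get("configurationItemCaptureTime")}
    if ci.get("resourceType") != "AWS::EC2::SecurityGroup" or ci.get("configurationItemStatus") in INACTIVE_STATES:
        return {**base, "ComplianceType": "NOT_APPLICABLE", "Annotation": "Not an active security group"}
    cfg = ci.get("configuration") or {}
    offending = [p for p in cfg.get("ipPermissions", [])
                 if permission_covers_port(p, port) and open_to_world(p)]
    if offending:
        desc = "; ".join(f"{p.get('ipProtocol')} {p.get('fromPort')}-{p.get('toPort')}" for p in offending)
        return {**base, "ComplianceType": "NON_COMPLIANT",
                "Annotation": f"Port {port} open to the world: {desc}"[:256]}  # Annotation max 256 chars
    return {**base, "ComplianceType": "COMPLIANT", "Annotation": f"Port {port} not exposed to 0.0.0.0/0 or ::/0"}


def lambda_handler(event: dict, context=None) -> dict:
    """Entry point in the shape Config invokes a custom rule with."""
    invoking = json.loads(event["invokingEvent"])
    if "configurationItem" not in invoking:
        # OversizedConfigurationItemChangeNotification carries only a summary; a deployed rule
        # would fetch the full item with config.get_resource_config_history first.
        raise ValueError(f"unsupported messageType {invoking.get('messageType')}")
    params = json.loads(event.get("ruleParameters") or "{}")
    port = int(params.get("blockedPort", 22))  # hypothetical rule parameter name
    evaluation = evaluate_security_group(invoking["configurationItem"], port)
    # Deployed: boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def make_ci(sg_id: str, permissions: List[dict], status: str = "OK") -> dict:
    """Build a constructed configuration item (test data, not a recorded one)."""
    return {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": sg_id,
            "configurationItemStatus": status, "configurationItemCaptureTime": "2024-05-07T15:42:11.000Z",
            "configuration": {"groupId": sg_id, "ipPermissions": permissions}}


SSH_FROM_ANYWHERE = make_ci("sg-0example1", [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}])
SSH_FROM_VPC_ONLY = make_ci("sg-0example2", [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": "10.0.0.0/8"}], "ipv6Ranges": []},
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}])
ALL_TRAFFIC_V6 = make_ci("sg-0example3", [
    {"ipProtocol": "-1", "ipRanges": [], "ipv6Ranges": [{"cidrIpv6": "::/0"}]}])

CONSTRUCTED_EVENT = {  # what Config sends a custom rule, trimmed to the fields used here
    "invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                                 "configurationItem": SSH_FROM_ANYWHERE}),
    "ruleParameters": json.dumps({"blockedPort": "22"}),
    "resultToken": "placeholder-token",
}
```

Two details matter in practice: an `ipProtocol` of `-1` (all traffic) and an IPv6 `::/0` range both expose port 22 even though neither mentions the port or 0.0.0.0/0, so a rule that only string-matches "0.0.0.0/0" on TCP 22 entries would report the third sample group as compliant.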

How They Work Together

  • Security incident investigation: Config shows WHAT changed → CloudTrail shows WHO changed it → CloudWatch shows the IMPACT on performance.
  • Compliance automation: Config Rule detects non-compliant resource → triggers SNS → Auto-remediation fixes it → CloudTrail logs the remediation → CloudWatch tracks the metric.
  • Proactive monitoring: CloudWatch alarm fires on high error rate → CloudTrail reveals recent deployment → Config shows configuration change that caused it.
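The "Config shows WHAT changed → CloudTrail shows WHO changed it" chain has a concrete join key: a Config change notification carries `configurationItemDiff` (the change) and `configurationItem.relatedEvents` (CloudTrail event IDs), and the CloudTrail record with that event ID names the caller, time and source IP. The Python below is an added example, not AWS code, that performs that join on a constructed notification and constructed trail records (placeholder IDs throughout); the `changedProperties` path format is assumed from Config's diff notifications.

```python
"""Join an AWS Config change notification to the CloudTrail event that caused it.

Added example, not AWS code. The notification and trail records are constructed
with placeholder IDs; the changedProperties path format is assumed.
"""
import json
from typing import Dict, List

# Constructed Config notification: an ingress rule was added to a security group.
CONFIG_NOTIFICATION = {
    "messageType": "ConfigurationItemChangeNotification",
    "configurationItemDiff": {
        "changeType": "UPDATE",
        "changedProperties": {
            "Configuration.IpPermissions.1": {
                "previousValue": None,
                "updatedValue": {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                 "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
                "changeType": "CREATE",
            }
        },
    },
    "configurationItem": {
        "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example1",
        "configurationItemCaptureTime": "2024-05-07T15:43:05.000Z",
        "relatedEvents": ["00000000-0000-4000-8000-000000000042"],
    },
}

# Constructed CloudTrail records; only the first is related to the change above.
CLOUDTRAIL_RECORDS = [
    {"eventID": "00000000-0000-4000-8000-000000000042", "eventTime": "2024-05-07T15:42:58Z",
     "eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "sourceIPAddress": "203.0.113.10", "userAgent": "console.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventID": "00000000-0000-4000-8000-000000000043", "eventTime": "2024-05-07T15:50:00Z",
     "eventName": "DescribeSecurityGroups", "eventSource": "ec2.amazonaws.com",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}},
]


def summarize_diff(notification: dict) -> List[str]:
    """WHAT changed: one entry per changed property, e.g. 'CREATE Configuration.IpPermissions.1'."""
    diff = notification.get("configurationItemDiff") or {}
    props = diff.get("changedProperties") or {}
    return [f"{v.get('changeType')} {path}" for path, v in sorted(props.items())]


def introduces_open_cidr(notification: dict) -> bool:
    """True if any updated value in the diff contains 0.0.0.0/0 or ::/0 (the 'opened to the world' case)."""
    props = (notification.get("configurationItemDiff") or {}).get("changedProperties") or {}
    text = json.dumps([v.get("updatedValue") for v in props.values()])
    return "0.0.0.0/0" in text or "::/0" in text


def index_by_event_id(records: List[dict]) -> Dict[str, dict]:
    return {r["eventID"]: r for r in records}


def attribute_change(notification: dict, trail_index: Dict[str, dict]) -> dict:
    """Join WHAT (Config diff) with WHO / WHEN / WHERE (CloudTrail) through relatedEvents."""
    ci = notification["configurationItem"]
    matched, unmatched = [], []
    for event_id in ci.get("relatedEvents", []):
        rec = trail_index.get(event_id)
        if rec is None:
            unmatched.append(event_id)  # trail does not cover this region, or log delivery is still lagging
            continue
        matched.append({"event_id": event_id, "event_name": rec["eventName"], "time": rec["eventTime"],
                        "actor": rec["userIdentity"].get("arn"), "source_ip": rec.get("sourceIPAddress")})
    return {"resource": f"{ci['resourceType']} {ci['resourceId']}",
            "captured_at": ci.get("configurationItemCaptureTime"),
            "changes": summarize_diff(notification),
            "opened_to_world": introduces_open_cidr(notification),
            "caused_by": matched, "unattributed_event_ids": unmatched}
```

An empty `caused_by` with a non-empty `unattributed_event_ids` is itself a finding: either the trail does not cover the region where the change happened, or CloudTrail delivery (typically minutes behind) has not caught up yet, so the investigation should retry rather than conclude "no actor".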

When to Choose Which

  • Use CloudWatch – Monitor CPU/memory/disk, set alarms for thresholds, centralize application logs, create dashboards, track SLOs.
  • Use CloudTrail – Audit API calls, investigate security incidents, meet compliance requirements for activity logging, detect unusual API patterns.
  • Use Config – Track resource configuration drift, enforce compliance rules, audit resource history, auto-remediate non-compliant resources.
  • Use all three together – Complete governance: monitoring (CloudWatch) + auditing (CloudTrail) + compliance (Config).

AWS Certification Exam Practice Questions

  1. A security team needs to determine who deleted an S3 bucket last Tuesday and from which IP address. Which service provides this information?
    1. CloudWatch Logs
    2. CloudTrail
    3. AWS Config
    4. VPC Flow Logs
  2. A company needs to ensure all Security Groups in their account never allow SSH (port 22) from 0.0.0.0/0. If a non-compliant Security Group is detected, it should be automatically remediated. Which service provides this?
    1. CloudWatch Alarm with Lambda
    2. CloudTrail with EventBridge rule
    3. AWS Config Rule with auto-remediation
    4. GuardDuty
  3. An operations team wants to receive an alert when EC2 CPU utilization exceeds 90% for more than 5 minutes and automatically add instances to the fleet. Which service and feature enables this?
    1. CloudTrail with SNS
    2. Config Rule with remediation
    3. CloudWatch Alarm with Auto Scaling action
    4. EventBridge with Step Functions
  4. A compliance auditor needs to see the complete configuration history of an RDS instance over the past 6 months, including every change to its configuration. Which service provides this timeline view?
    1. CloudTrail event history
    2. CloudWatch Logs
    3. AWS Config (configuration timeline)
    4. RDS event notifications
  5. An organization wants to detect when an unusually high number of API calls are made to IAM (potential credential compromise). Which service and feature is purpose-built for this?
    1. CloudWatch Anomaly Detection
    2. Config Rule
    3. CloudTrail Insights
    4. GuardDuty
