AWS Config vs CloudTrail vs CloudWatch — Overview
These three services are frequently confused because they all relate to “monitoring.” However, each serves a distinct purpose: CloudWatch monitors performance metrics and logs, CloudTrail audits API activity (who did what), and Config tracks resource configuration compliance (is it configured correctly). This is a common SAP-C02 and SCS-C03 question.
Detailed Comparison
| Aspect | CloudWatch | CloudTrail | Config |
|---|---|---|---|
| Question answered | Is my application healthy? | Who made this change? | Is this resource compliant? |
| Data type | Metrics, logs, traces | API events (management + data events) | Resource configuration state |
| Real-time? | Yes (1-sec metrics, real-time logs) | Near real-time (~5 min delay typically) | Near real-time (triggered on change) |
| Alerting | Alarms (threshold, anomaly, composite) | Via EventBridge on specific API calls | Non-compliant notification via SNS/EventBridge |
| History | Metric data (up to 15 months), logs (configurable retention) | 90 days (console) or unlimited (S3/Lake) | Full resource configuration timeline |
| Scope | Performance of AWS resources + applications | All AWS API calls across all services | Configuration of supported AWS resources |
| Remediation | Alarm → Auto Scaling, SNS, Lambda | No built-in (use EventBridge → Lambda) | Built-in auto-remediation (SSM Automation) |
| Compliance | Not compliance-focused | Audit compliance (prove who did what) | Configuration compliance (CIS, PCI, custom rules) |
When to Use Which
| Scenario | Service |
|---|---|
| “Alert me when CPU exceeds 80% for 5 minutes” | CloudWatch (metric alarm) |
| “Who deleted the S3 bucket at 3 AM?” | CloudTrail (API event log) |
| “Are all EBS volumes encrypted?” | Config (rule: encrypted-volumes) |
| “What was the Security Group configuration last Tuesday?” | Config (configuration timeline) |
| “Send me application error logs” | CloudWatch Logs |
| “Which IAM user created this EC2 instance?” | CloudTrail |
| “Auto-fix any S3 bucket that becomes public” | Config (rule + auto-remediation) |
| “Alert when someone calls DeleteTrail API” | CloudTrail → EventBridge (rule on specific API) |
| “Dashboard showing request latency across microservices” | CloudWatch (dashboard + X-Ray) |
How They Work Together
A common scenario illustrating all three:
- CloudWatch alarm fires: RDS CPU at 95% for 10 minutes
- Investigation via CloudTrail: Who modified the RDS instance? → Shows IAM user changed instance type from db.r5.xlarge to db.t3.micro 2 hours ago
- Config shows: The RDS instance is now non-compliant with the “minimum-rds-instance-size” Config rule → Configuration timeline shows exact before/after
- Resolution: Config auto-remediation triggers SSM Automation to resize back to compliant instance type
CloudWatch Deep Dive
- Metrics: Standard (5-min, free) + Detailed (1-min, paid) + Custom (put your own). Up to 1-second resolution with high-resolution metrics.
- Logs: Log Groups → Log Streams. Metric filters extract metrics from log data. Logs Insights for SQL-like queries.
- Alarms: Metric alarms (threshold), composite alarms (combine multiple), anomaly detection (ML-based).
- Synthetics: Canary scripts that test endpoints on a schedule (availability monitoring).
- Application Signals: APM — auto-discovery of services, SLO tracking, correlated metrics/traces/logs.
CloudTrail Deep Dive
- Management events: Control plane operations (CreateBucket, RunInstances, AttachRolePolicy). Enabled by default.
- Data events: Data plane operations (GetObject, PutObject, InvokeFunction). Must be explicitly enabled (high volume).
- Insights events: Detect unusual API activity patterns (spike in API calls, error rate anomalies).
- Organization Trail: Single trail covers all accounts in the organization → centralized to Log Archive S3 bucket.
- CloudTrail Lake: SQL-based querying of trail events (up to 7 years retention in Lake).
AWS Config Deep Dive
- Configuration Recorder: Records the configuration of supported resources whenever changes occur.
- Config Rules: Managed rules (180+) or custom Lambda rules. Evaluate on change or on schedule.
- Auto-Remediation: Link a rule to an SSM Automation document → auto-fix non-compliant resources.
- Conformance Packs: Collection of rules deployed as a unit (e.g., “PCI-DSS pack” with 30 rules).
- Aggregator: Aggregate compliance data from multiple accounts/regions into single dashboard.
- Advanced Queries: SQL-like queries across all recorded resource configurations.
Exam Tips
| Exam | Key Points |
|---|---|
| SAP-C02 | “Monitor performance” → CloudWatch. “Audit who changed” → CloudTrail. “Ensure compliance” → Config. “Track configuration history” → Config. “Detect unusual API patterns” → CloudTrail Insights. |
| SCS-C03 | Organization Trail (immutable, centralized), Config rules for security compliance (encryption, public access), CloudTrail Lake for security investigations, Config auto-remediation for security drift, CloudWatch for operational security alerts. |
AWS Certification Exam Practice Questions
Question 1:
A security team needs to answer: “Which IAM user terminated the production EC2 instance last night at 11 PM?” Which service provides this information?
- CloudWatch Logs
- AWS CloudTrail
- AWS Config
- VPC Flow Logs
Show Answer
Answer: B — CloudTrail records ALL AWS API calls including TerminateInstances. The event shows: who (IAM identity), what (ec2:TerminateInstances), when (timestamp), where (source IP), and which resource (instance ID). This is the audit trail for accountability.
Question 2:
A compliance requirement states: “All RDS instances must have encryption enabled. Any unencrypted RDS instance must be automatically flagged and the team notified.” Which service implements this?
- CloudWatch alarm on RDS metrics
- CloudTrail monitoring CreateDBInstance events
- AWS Config rule (rds-storage-encrypted) with SNS notification on non-compliance
- GuardDuty RDS Protection
Show Answer
Answer: C — AWS Config rule “rds-storage-encrypted” continuously evaluates all RDS instances and marks unencrypted ones as NON_COMPLIANT. Config can trigger SNS notification on compliance state changes. It can also auto-remediate. CloudWatch monitors performance (not configuration). CloudTrail records the creation event but doesn’t evaluate compliance.
Question 3:
An architect needs to view how a Security Group was configured 3 weeks ago, before someone changed it and broke the application. Which service provides this historical configuration view?
- CloudTrail (shows the API call that changed it)
- AWS Config (shows the actual configuration at any point in time)
- CloudWatch (shows metrics from 3 weeks ago)
- VPC Flow Logs (shows network traffic history)
Show Answer
Answer: B — Config maintains a configuration timeline for each recorded resource. You can view the EXACT configuration of the Security Group at any point in time (what rules it had 3 weeks ago). CloudTrail would show WHO changed it and WHAT API was called, but not the full before/after configuration snapshot. Config gives you both the timeline and the diff.
Question 4:
A company wants to detect when someone disables CloudTrail logging in any account (a potential indicator of compromise). What is the FASTEST way to detect and alert on this?
- AWS Config rule checking CloudTrail status hourly
- EventBridge rule matching the CloudTrail StopLogging API event → SNS alert
- CloudWatch metric on CloudTrail event count dropping to zero
- GuardDuty Stealth finding for CloudTrail disabled
Show Answer
Answer: B — EventBridge receives CloudTrail management events in near real-time. A rule matching {“source”: [“aws.cloudtrail”], “detail”: {“eventName”: [“StopLogging”, “DeleteTrail”]}} triggers instantly and sends an SNS alert. This is faster than Config (evaluates on schedule/change) and more specific than GuardDuty (which may detect this but with broader context and potential delay).
Question 5:
A company needs a unified view of resource compliance across 100 accounts and 4 regions. They want to see compliance percentages for CIS benchmarks, PCI-DSS, and custom rules in a single dashboard. Which approach is MOST efficient?
- AWS Config Aggregator in a central account collecting from all accounts/regions
- Security Hub with compliance standards enabled across all accounts
- Custom dashboard querying CloudWatch metrics from each account
- CloudTrail Lake with compliance-focused SQL queries
Show Answer
Answer: B — Security Hub provides built-in compliance standards (CIS, PCI-DSS, NIST, AWS Foundational Best Practices) with automated scoring. It aggregates across all accounts (delegated admin) and all regions (cross-region aggregation). It provides compliance percentages, tracks trends, and shows specific non-compliant resources. Config Aggregator works for Config rules but doesn’t have pre-built compliance frameworks or the unified scoring dashboard.
Related Architecture Patterns
- Security Services Architecture
- Multi-Account Architecture
- CI/CD Pipeline
- All Architecture Patterns – Hub
Related Posts
- AWS Security Services Architecture – GuardDuty, Security Hub, Inspector
- Multi-Account Architecture – Control Tower & Governance
- Zero Trust Security Architecture
- Event-Driven Architecture (EventBridge patterns)
References
- AWS Config Developer Guide
- Monitor and Remediate Non-Compliant Resources — AWS Blog
- CloudTrail Concepts — AWS Docs
- CloudWatch Anomaly Detection for Security — AWS Blog
Frequently Asked Questions
Can CloudTrail replace CloudWatch Logs?
No — they serve different purposes. CloudTrail logs AWS API calls (control plane: who created/deleted/modified resources). CloudWatch Logs stores application logs, VPC Flow Logs, and custom log data (data plane: what happened inside your application). You need both for complete observability.
AWS Config vs CloudTrail — both track changes, what’s the difference?
CloudTrail answers “WHO made the API call and WHEN” (event-focused). Config answers “WHAT is the resource’s configuration NOW and BEFORE” (state-focused). CloudTrail gives you the action; Config gives you the resulting state. Config also evaluates compliance against rules — CloudTrail doesn’t.
Do I need all three services?
For production workloads: yes. CloudWatch for operational health and alerting. CloudTrail for security audit and accountability. Config for compliance and configuration drift detection. Most organizations enable all three as baseline. They’re complementary, not alternatives.