AWS Config vs CloudTrail vs CloudWatch – Monitoring & Compliance Compared

AWS Config vs CloudTrail vs CloudWatch — Overview

These three services are frequently confused because they all relate to “monitoring.” However, each serves a distinct purpose: CloudWatch monitors performance metrics and logs, CloudTrail audits API activity (who did what), and Config tracks resource configuration compliance (is it configured correctly). This is a common SAP-C02 and SCS-C03 question.

Config vs CloudTrail vs CloudWatch — What Each Monitors
Amazon CloudWatch
“How is it performing?”
Metrics: CPU, memory, disk, network, custom
Logs: Application logs, VPC Flow Logs
Alarms: Threshold → SNS/Auto Scaling
Dashboards: Real-time visualization
Synthetics: Canary endpoint checks
Performance & operational health
AWS CloudTrail
“Who did what, when?”
API logging: Every AWS API call recorded
Who: IAM identity (user/role/service)
What: Action (RunInstances, PutObject)
When: Timestamp + source IP
Lake: SQL queries on audit events
Audit trail & accountability
AWS Config
“Is it configured correctly?”
Configuration recording: Track state of all resources
Rules: Evaluate compliance (is EBS encrypted?)
Remediation: Auto-fix non-compliant resources
History: How was a resource configured at any point?
Conformance Packs: Collection of rules as template
Configuration compliance
Together: CloudWatch tells you something is wrong (alarm) → CloudTrail tells you who changed it (audit) → Config tells you what changed from compliant state (drift)

Detailed Comparison

Aspect CloudWatch CloudTrail Config
Question answered Is my application healthy? Who made this change? Is this resource compliant?
Data type Metrics, logs, traces API events (management + data events) Resource configuration state
Real-time? Yes (1-sec metrics, real-time logs) Near real-time (~5 min delay typically) Near real-time (triggered on change)
Alerting Alarms (threshold, anomaly, composite) Via EventBridge on specific API calls Non-compliant notification via SNS/EventBridge
History Metric data (up to 15 months), logs (configurable retention) 90 days (console) or unlimited (S3/Lake) Full resource configuration timeline
Scope Performance of AWS resources + applications All AWS API calls across all services Configuration of supported AWS resources
Remediation Alarm → Auto Scaling, SNS, Lambda No built-in (use EventBridge → Lambda) Built-in auto-remediation (SSM Automation)
Compliance Not compliance-focused Audit compliance (prove who did what) Configuration compliance (CIS, PCI, custom rules)

When to Use Which

Scenario Service
“Alert me when CPU exceeds 80% for 5 minutes” CloudWatch (metric alarm)
“Who deleted the S3 bucket at 3 AM?” CloudTrail (API event log)
“Are all EBS volumes encrypted?” Config (rule: encrypted-volumes)
“What was the Security Group configuration last Tuesday?” Config (configuration timeline)
“Send me application error logs” CloudWatch Logs
“Which IAM user created this EC2 instance?” CloudTrail
“Auto-fix any S3 bucket that becomes public” Config (rule + auto-remediation)
“Alert when someone calls DeleteTrail API” CloudTrail → EventBridge (rule on specific API)
“Dashboard showing request latency across microservices” CloudWatch (dashboard + X-Ray)

How They Work Together

A common scenario illustrating all three:

  1. CloudWatch alarm fires: RDS CPU at 95% for 10 minutes
  2. Investigation via CloudTrail: Who modified the RDS instance? → Shows IAM user changed instance type from db.r5.xlarge to db.t3.micro 2 hours ago
  3. Config shows: The RDS instance is now non-compliant with the “minimum-rds-instance-size” Config rule → Configuration timeline shows exact before/after
  4. Resolution: Config auto-remediation triggers SSM Automation to resize back to compliant instance type

CloudWatch Deep Dive

  • Metrics: Standard (5-min, free) + Detailed (1-min, paid) + Custom (put your own). Up to 1-second resolution with high-resolution metrics.
  • Logs: Log Groups → Log Streams. Metric filters extract metrics from log data. Logs Insights for SQL-like queries.
  • Alarms: Metric alarms (threshold), composite alarms (combine multiple), anomaly detection (ML-based).
  • Synthetics: Canary scripts that test endpoints on a schedule (availability monitoring).
  • Application Signals: APM — auto-discovery of services, SLO tracking, correlated metrics/traces/logs.

CloudTrail Deep Dive

  • Management events: Control plane operations (CreateBucket, RunInstances, AttachRolePolicy). Enabled by default.
  • Data events: Data plane operations (GetObject, PutObject, InvokeFunction). Must be explicitly enabled (high volume).
  • Insights events: Detect unusual API activity patterns (spike in API calls, error rate anomalies).
  • Organization Trail: Single trail covers all accounts in the organization → centralized to Log Archive S3 bucket.
  • CloudTrail Lake: SQL-based querying of trail events (up to 7 years retention in Lake).

AWS Config Deep Dive

  • Configuration Recorder: Records the configuration of supported resources whenever changes occur.
  • Config Rules: Managed rules (180+) or custom Lambda rules. Evaluate on change or on schedule.
  • Auto-Remediation: Link a rule to an SSM Automation document → auto-fix non-compliant resources.
  • Conformance Packs: Collection of rules deployed as a unit (e.g., “PCI-DSS pack” with 30 rules).
  • Aggregator: Aggregate compliance data from multiple accounts/regions into single dashboard.
  • Advanced Queries: SQL-like queries across all recorded resource configurations.

Exam Tips

Exam Key Points
SAP-C02 “Monitor performance” → CloudWatch. “Audit who changed” → CloudTrail. “Ensure compliance” → Config. “Track configuration history” → Config. “Detect unusual API patterns” → CloudTrail Insights.
SCS-C03 Organization Trail (immutable, centralized), Config rules for security compliance (encryption, public access), CloudTrail Lake for security investigations, Config auto-remediation for security drift, CloudWatch for operational security alerts.

AWS Certification Exam Practice Questions

Question 1:

A security team needs to answer: “Which IAM user terminated the production EC2 instance last night at 11 PM?” Which service provides this information?

  1. CloudWatch Logs
  2. AWS CloudTrail
  3. AWS Config
  4. VPC Flow Logs
Show Answer

Answer: B — CloudTrail records ALL AWS API calls including TerminateInstances. The event shows: who (IAM identity), what (ec2:TerminateInstances), when (timestamp), where (source IP), and which resource (instance ID). This is the audit trail for accountability.

Question 2:

A compliance requirement states: “All RDS instances must have encryption enabled. Any unencrypted RDS instance must be automatically flagged and the team notified.” Which service implements this?

  1. CloudWatch alarm on RDS metrics
  2. CloudTrail monitoring CreateDBInstance events
  3. AWS Config rule (rds-storage-encrypted) with SNS notification on non-compliance
  4. GuardDuty RDS Protection
Show Answer

Answer: C — AWS Config rule “rds-storage-encrypted” continuously evaluates all RDS instances and marks unencrypted ones as NON_COMPLIANT. Config can trigger SNS notification on compliance state changes. It can also auto-remediate. CloudWatch monitors performance (not configuration). CloudTrail records the creation event but doesn’t evaluate compliance.

Question 3:

An architect needs to view how a Security Group was configured 3 weeks ago, before someone changed it and broke the application. Which service provides this historical configuration view?

  1. CloudTrail (shows the API call that changed it)
  2. AWS Config (shows the actual configuration at any point in time)
  3. CloudWatch (shows metrics from 3 weeks ago)
  4. VPC Flow Logs (shows network traffic history)
Show Answer

Answer: B — Config maintains a configuration timeline for each recorded resource. You can view the EXACT configuration of the Security Group at any point in time (what rules it had 3 weeks ago). CloudTrail would show WHO changed it and WHAT API was called, but not the full before/after configuration snapshot. Config gives you both the timeline and the diff.

Question 4:

A company wants to detect when someone disables CloudTrail logging in any account (a potential indicator of compromise). What is the FASTEST way to detect and alert on this?

  1. AWS Config rule checking CloudTrail status hourly
  2. EventBridge rule matching the CloudTrail StopLogging API event → SNS alert
  3. CloudWatch metric on CloudTrail event count dropping to zero
  4. GuardDuty Stealth finding for CloudTrail disabled
Show Answer

Answer: B — EventBridge receives CloudTrail management events in near real-time. A rule matching {“source”: [“aws.cloudtrail”], “detail”: {“eventName”: [“StopLogging”, “DeleteTrail”]}} triggers instantly and sends an SNS alert. This is faster than Config (evaluates on schedule/change) and more specific than GuardDuty (which may detect this but with broader context and potential delay).

Question 5:

A company needs a unified view of resource compliance across 100 accounts and 4 regions. They want to see compliance percentages for CIS benchmarks, PCI-DSS, and custom rules in a single dashboard. Which approach is MOST efficient?

  1. AWS Config Aggregator in a central account collecting from all accounts/regions
  2. Security Hub with compliance standards enabled across all accounts
  3. Custom dashboard querying CloudWatch metrics from each account
  4. CloudTrail Lake with compliance-focused SQL queries
Show Answer

Answer: B — Security Hub provides built-in compliance standards (CIS, PCI-DSS, NIST, AWS Foundational Best Practices) with automated scoring. It aggregates across all accounts (delegated admin) and all regions (cross-region aggregation). It provides compliance percentages, tracks trends, and shows specific non-compliant resources. Config Aggregator works for Config rules but doesn’t have pre-built compliance frameworks or the unified scoring dashboard.

Related Architecture Patterns

Related Posts

References

Frequently Asked Questions

Can CloudTrail replace CloudWatch Logs?

No — they serve different purposes. CloudTrail logs AWS API calls (control plane: who created/deleted/modified resources). CloudWatch Logs stores application logs, VPC Flow Logs, and custom log data (data plane: what happened inside your application). You need both for complete observability.

AWS Config vs CloudTrail — both track changes, what’s the difference?

CloudTrail answers “WHO made the API call and WHEN” (event-focused). Config answers “WHAT is the resource’s configuration NOW and BEFORE” (state-focused). CloudTrail gives you the action; Config gives you the resulting state. Config also evaluates compliance against rules — CloudTrail doesn’t.

Do I need all three services?

For production workloads: yes. CloudWatch for operational health and alerting. CloudTrail for security audit and accountability. Config for compliance and configuration drift detection. Most organizations enable all three as baseline. They’re complementary, not alternatives.

Posted in AWS

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.