CloudWatch vs. CloudTrail vs. Config

Get a comparison between the CloudWatch, CloudTrail, and Config services and how each of them contributes to auditing and compliance management.

We'll cover the following

Comparing CloudWatch, CloudTrail & Config
Example: Monitoring and auditing of EC2

Press + to interact

We’ll review how each of them contributes to the auditing and compliance management of AWS resources.

Comparing CloudWatch, CloudTrail & Config

Here’s a general breakdown of what each of these services does:

AWS CloudWatch:
- CloudWatch primarily monitors the performance and status of any AWS services and resources.
- CloudWatch also provides different dashboards for performance monitoring for different AWS resources on the AWS Management Console.
- CloudWatch monitors performance by collecting and tracking resource metrics of the resources.
- We can use alarms with CloudWatch to detect certain events and trigger the appropriate actions and notifications in response.
- CloudWatch Logs can collect and monitor log files for different AWS resources or even other resources by installing the CloudWatch Logs agent on them.
- CloudWatch can also aggregate logs, which we can use for analysis.
- The scope of the CloudWatch service is region-specific.
AWS CloudTrail:
- CloudTrail Event History primarily monitors and records any activity in the form of API calls made by anyone within our AWS account.
- CloudTrail Event History is immutable and, hence, excellent for auditing purposes.
- We can set up CloudTrail trails to monitor specific resources.
- CloudTrail primarily focuses on AWS API calls made within an AWS account.
- CloudTrail is a global service.
AWS Config:
- Config primarily monitors and records any configuration changes in resources.
- We can set up Config rules to evaluate if resources are compliant.
- Config also provides a timeline of any configuration changes and compliance of resources.
- The scope of the Config service is region-specific.

The following diagram illustrates a comparison chart for the CloudWatch, CloudTrail, and Config services:

Press + to interact

Match The Answer

Select an option from the left-hand side

Ensure an e-commerce website hosted on an AWS EC2 instance runs smoothly, particularly during high-traffic events like sales or holidays.

AWS Config

There’s an unexpected change in the website’s storage configuration, and we need to find out who made this change and when.

AWS CloudWatch

We must ensure that all AWS resources comply with specific security standards, such as having encryption enabled on all databases and proper access controls on S3 buckets.

AWS CloudTrail

We’ve deployed a video streaming service on AWS, and we need to continuously monitor its performance to ensure a smooth user experience.

Example: Monitoring and auditing of EC2

Even though the CloudWatch, CloudTrail, and Config services perform different actions, they can also complement each other. CloudWatch focuses on performance monitoring, CloudTrail on user activity and API usage, and Config on configuration management and compliance. Together, they provide a complete birds-eye view of our EC2 instance’s operation, security, and compliance posture.

Let’s explore an example scenario of how each of these services can monitor and audit an EC2 instance with a website deployed on it. Here’s a breakdown of how CloudWatch, CloudTrail & Config services can monitor the EC2 instance:

CloudWatch:
- It can track metrics for CPU utilization, network bandwidth, disk throughput, and others that help understand the resource usage and performance characteristics of our server hosting the website.
- We can visualize any error codes as a percentage over time.
- Set up CloudWatch alarms to get notified when certain thresholds are breached, for example, low available disk space. This is critical for proactively managing the health and performance of our application on the EC2 instance.
CloudTrail:
- Track and log who stopped or started the EC2 instance, changed security group rules, or modified instance settings.
Config:
- It allows us to review historical configurations and understand how they have changed over time.
- We can use AWS Config to ensure that the EC2 instance complies with our organization’s policies and best practices. For example, it can verify that only authorized AMIs are used or that security groups are correctly configured and don’t provide unrestricted access.

In summary, AWS CloudWatch, CloudTrail, and Config offer a comprehensive suite for monitoring, auditing, and ensuring compliance in AWS environments. While CloudWatch excels in real-time performance monitoring, CloudTrail provides detailed user activity logs, and Config tracks and manages resource configurations, together ensuring a robust and secure AWS infrastructure.

Get hands-on with 1300+ tech skills courses.

Introduction

AWS Fundamentals

Understanding Cloud Computing Essentials— From Zero to Hero

Identity and Access Management

Securing AWS Resources: Managing Access with IAM

AWS IAM Permission Boundaries

Using AWS IAM Access Analyzer

Compute Services

Understanding AWS Compute Services — From Zero to Hero

Amazon EC2: Elastic Compute Cloud

Working with Instances: An Amazon EC2 Walkthrough

Managing Instance Volumes Using EBS

Networking

Understanding Networking Services in AWS—From Zero to Hero

Controlling VPC Traffic Using Network ACLs

Managing Peer Connections between Amazon Virtual Private Clouds

Accessing AWS Services over AWS PrivateLink Using VPC Endpoints

Monitoring IP Traffic Using VPC Flow Logs

Route 53

Serverless Computing

Getting to Know AWS Lambda

Building and Deploying Serverless Applications with AWS SAM

Developing RESTful Microservices with API Gateway and DynamoDB

Building a WebSocket-Based Chat Application Using API Gateway

Mastering AWS AppSync Lambda Resolvers

Application Integration

Getting Started with Amazon Simple Queue Service (SQS)

Handling Amazon SNS Notifications with AWS Lambda

Build a Fanout Serverless Architecture using SNS, SQS, and Lambda

Decoupling Serverless Applications with Amazon EventBridge

Getting Started with AWS Step Functions

Containers

Getting Started with Amazon ECS

Create an EKS Cluster and Deploy an Application

High Availability and Scalability

Managing Application Traffic Using Elastic Load Balancers

Understanding Auto Scaling Group (ASG) in AWS

Mastering Amazon EC2 Dynamic Scaling Policies

Storage

Understanding AWS Storage Options—From Zero to Hero

Simple Storage Service (S3)

Working with AWS S3 Cross-Region Replication

Resizing Images with S3 Batch Operations and AWS Lambda

Managing Data Access with Amazon S3 Access Points

File Storage and Transfer

Getting Started with Amazon FSx for Windows File Server

Databases

Working with Relational Databases: A Beginner's Guide to AWS RDS

Getting Started with Amazon Aurora Database Engine

Working with NoSQL Databases: A Beginner's Guide to AWS DynamoDB

Exploring Graphs with Amazon Neptune

Getting Started with Amazon Keyspaces

Achieving Ultra-Fast Performance Using Amazon MemoryDB for Redis

Improving Database Performance with Amazon ElastiCache for Redis

Migration and Transfer

Use of AWS Database Migration Service from Aurora MySQL to S3

Security and Compliance

Getting Started with AWS Key Management Service (KMS)

Encrypting S3 Buckets and EBS Volumes Using KMS

Protecting Web Applications Using AWS WAF

Managing Aurora DB Credentials and API Keys Using Secrets Manager

Finding Vulnerabilities on EC2 Instances Using AWS Inspector

Deployment Services

Mastering AWS Deployment Services—From Zero to Hero

CloudFormation

Getting to Know AWS CloudFormation

AWS CloudFormation Updates: Change Sets and Stack Policies

Mastering AWS CloudFormation Helper Scripts

Machine Learning

Understanding Machine Learning Services on AWS—From Zero to Hero

Deploying a Machine Learning Model with Amazon SageMaker

Getting Started with Amazon Fraud Detector

Build an Educative Chatbot with Conversational AI Using AWS Lex

Content Delivery and Optimization

Analytics

Analyzing S3 Data and CloudTrail Logs Using Amazon Athena

Getting Started with Amazon EMR

Getting Started with Amazon Redshift

Building ETL Pipelines on AWS

Create a Data Lake with Lake Formation and Analyze It with Athena