Wednesday, October 1, 2025

CloudWatch vs CloudTrail vs Config | Overview.

Scope:

  • Intro,
  • Quick Comparison Table,
  • How They Work Together,
  • Amazon CloudWatch for Monitoring & Observability (deep dive),
  • AWS CloudTrail for Auditing & Security Forensics (deep dive),
  • AWS Config for Resource Compliance & Governance,
  • How CloudWatch, CloudTrail & Config Work Together,
  • Sample Workflow,
  • Side-by-Side Comparison (deep dive),
  • Rule of Thumb.

Intro:

  • AWS offers these three services to give twtech full visibility into its cloud environment.
  • Each of the three, however, focuses on a different layer of activity.
    • CloudWatch: focuses on what is happening in terms of health and performance.
    • CloudWatch monitors application logs and infrastructure metrics (such as CPU or RAM) and triggers alarms when thresholds are crossed.
    • CloudTrail: focuses on who did what.
    • CloudTrail is an audit trail that logs every API call made in the account, capturing who made the request, from where, and when.
    • Config: focuses on how things are configured.
    • Config tracks the history of twtech resource settings and evaluates them against compliance rules to ensure they stay in the twtech desired state.
Quick Comparison Table

  Feature       | CloudWatch                      | CloudTrail                     | Config
  Primary Goal  | Performance & Health            | Auditing & Governance          | Compliance & Security
  Key Data      | Metrics & Application Logs      | API Activity & User Events     | Resource History & Rules
  Common Use    | Setting alarms for high CPU     | Seeing who deleted a database  | Checking if S3 buckets are public
  Perspective   | Internal (inside the resource)  | External (API/account level)   | Structural (configuration state)

How They Work Together
  • These services are often used in tandem for a complete security posture.
  • "In tandem" means used together, in combination, or concurrently, to achieve a more robust or functional result.
  • For example, if a security breach occurs: 
    1. CloudTrail tells twtech which user account was used to change a security group.
    2. Config shows twtech exactly what the security group rules were before and after that change.
    3. CloudWatch identifies if there was a sudden spike in network traffic following the change. 
NB:
    • twtech can go further by using the AWS Management Console to set up a unified CloudWatch dashboard or to review the AWS Config Rules for the environment.
Link to official documentation
https://docs.aws.amazon.com/config/latest/developerguide/log-api-calls.html
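As an added example (not code from the original post), the following Python walks constructed CloudTrail records to answer step 1 of the breach workflow above: which identity changed a given security group, when, and from where. It also flags whether the change opened the group to the whole internet, which is what an investigator checks next. The records, account id, group id and user name are made up; the field names follow the CloudTrail record format.

```python
import json
from typing import Dict, List

# Constructed CloudTrail records (not real account data): one security group rule
# change by an IAM user, followed by an unrelated read-only DescribeInstances call.
SAMPLE_TRAIL_JSON = """{"Records": [
 {"eventTime": "2025-10-01T09:14:22Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.7",
  "userIdentity": {"type": "IAMUser", "userName": "twtech-junior-developer",
                   "arn": "arn:aws:iam::123456789012:user/twtech-junior-developer"},
  "requestParameters": {"groupId": "sg-0123456789abcdef0",
    "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
      "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
 {"eventTime": "2025-10-01T09:15:03Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.7",
  "userIdentity": {"type": "IAMUser", "userName": "twtech-junior-developer"},
  "requestParameters": {}}
]}"""

# Management events that add, remove or modify security group rules.
SG_CHANGE_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
                    "ModifySecurityGroupRules"}

def opens_to_world(params: Dict) -> bool:
    """True if any CIDR in the request's ipPermissions is 0.0.0.0/0 or ::/0."""
    for perm in params.get("ipPermissions", {}).get("items", []):
        for key in ("ipRanges", "ipv6Ranges"):
            for rng in perm.get(key, {}).get("items", []):
                if rng.get("cidrIp") == "0.0.0.0/0" or rng.get("cidrIpv6") == "::/0":
                    return True
    return False

def who_changed_security_group(trail_json: str, group_id: str) -> List[Dict]:
    """Return who / what / when / from-where for each rule change to group_id."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        params = rec.get("requestParameters") or {}
        if (rec.get("eventSource") != "ec2.amazonaws.com"
                or rec.get("eventName") not in SG_CHANGE_EVENTS
                or params.get("groupId") != group_id):
            continue  # not a rule change on the group under investigation
        ident = rec.get("userIdentity", {})
        findings.append({"who": ident.get("arn") or ident.get("userName", "unknown"),
                         "what": rec["eventName"], "when": rec["eventTime"],
                         "from": rec.get("sourceIPAddress"),
                         "world_open": opens_to_world(params)})
    return findings
```

Config's configuration history then supplies the before/after rule set (step 2), and a CloudWatch metric filter on the same records can alarm on these event names in near real time.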

NB:

    • CloudWatch, CloudTrail, and Config are three AWS services.
    • They deal with Monitoring/Observability, Auditing/Forensics, and Compliance/Governance (Governance, Risk and Compliance), respectively.

1. Amazon CloudWatch for Monitoring & Observability

  • Purpose: Real-time monitoring / Observability of performance, health, and operational metrics.
  • Focus: How is my system performing right now?
  • Data Types:
    • Metrics (CPU, memory, disk, API latency, custom app metrics)
    • Logs (application/system logs, VPC Flow Logs, Lambda logs)
    • Alarms & Dashboards (trigger actions, visualizations)
  • Key Features:
    • Alarms (threshold-based alerts → SNS, Lambda, Auto Scaling)
    • Logs (CloudWatch Logs Insights for querying)
    • Metrics (native AWS + custom metrics)
    • Events (CloudWatch Events/EventBridge automation)
  • Integrations:
    • Auto Scaling (scale EC2/ECS on metrics)
    • EventBridge (real-time automation)
    • AWS Lambda (log/metric processing)
  • Use Case:
    • Detect high CPU usage → trigger auto scaling
    • Monitor Lambda errors
    • Central logging from multiple services

2. AWS CloudTrail for Auditing & Security Forensics (deep dive)

  • Purpose: Record of API calls and account activity for compliance, auditing, and investigation.
  • Focus: Who did what, when, and from where?
  • Data Types:
    • API calls (management events: CreateBucket, StopInstance)
    • Data events (S3 object-level, Lambda invoke-level)
    • Insights events (detect anomalies, unusual API activity)
  • Key Features:
    • Immutable audit log of all AWS API activity
    • Delivered to S3 (long-term storage)
    • Integration with CloudWatch Logs for real-time alerting
    • CloudTrail Lake for querying historical activity
  • Integrations:
    • Security Hub & GuardDuty (threat detection)
    • Athena (query CloudTrail logs)
    • CloudWatch Events/EventBridge (real-time automation)
  • Use Case:
    • Who deleted my S3 bucket?
    • Investigating root account login
    • Compliance (PCI, HIPAA, SOC 2)

3. AWS Config for Resource Compliance & Governance

  • Purpose: Tracks resource inventory, configuration history, and compliance evaluation.
  • Focus: What does the environment look like, and is it compliant?
  • Data Types:
    • Configuration items (resource snapshots)
    • Compliance state (evaluated against Config Rules)
  • Key Features:
    • Continuous resource monitoring
    • Config Rules (AWS-managed or custom Lambda rules)
    • Remediations (auto-fix non-compliance)
    • Compliance dashboard
  • Integrations:
    • Security Hub (compliance aggregation)
    • SNS/EventBridge (notify/remediate)
    • SSM (AWS Systems Manager) Automation (remediation)
  • Use Case:
    • Ensure all S3 buckets are encrypted
    • Detect non-compliant IAM policies
    • Maintain inventory for audit

How CloudWatch, CloudTrail & Config Work Together

    • CloudWatch → detects operational issues (CPU spike, service errors).
    • CloudTrail → answers “who/what/when” (API-level history of actions taken).
    • Config → answers “is it compliant/secure?” (tracks resource state & evaluates it against rules).

Sample Workflow:

    1. twtech-junior-Developer disables S3 bucket encryption (problem created).
    2. CloudTrail logs the API call (PutBucketEncryption disabled).
    3. Config detects the non-compliant S3 bucket and marks the rule as NON_COMPLIANT.
    4. A CloudWatch alarm may trigger if related metrics (e.g., access-denied errors) spike.
    5. EventBridge/Lambda → automatically re-enables encryption.
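Step 5 of this workflow, as an added example (not code from the original post): a Lambda handler that receives the EventBridge event AWS Config emits when the encryption rule flips to NON_COMPLIANT, checks that the event really is that rule on an S3 bucket, and restores default encryption. The bucket name and account id are placeholders; the rule name is assumed to be the AWS-managed rule s3-bucket-server-side-encryption-enabled, and the S3 call is injected so the decision logic runs offline.

```python
import json
from typing import Callable, Dict, Optional

# Assumed Config rule watched by the EventBridge rule (AWS-managed S3 encryption rule).
RULE_NAME = "s3-bucket-server-side-encryption-enabled"

# Constructed EventBridge event of the kind Config emits when a rule's compliance
# result changes (detail-type "Config Rules Compliance Change"; account and bucket
# are placeholders, not real values).
SAMPLE_EVENT = json.loads("""{
  "version": "0", "source": "aws.config", "detail-type": "Config Rules Compliance Change",
  "detail": {
    "resourceId": "twtech-example-bucket", "resourceType": "AWS::S3::Bucket",
    "configRuleName": "s3-bucket-server-side-encryption-enabled",
    "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
    "oldEvaluationResult": {"complianceType": "COMPLIANT"}
  }
}""")

# Default-encryption setting to restore: SSE-S3 (AES256) with S3 Bucket Keys on.
DESIRED_ENCRYPTION = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"},
                                 "BucketKeyEnabled": True}]}

def plan_remediation(event: Dict) -> Optional[Dict]:
    """PutBucketEncryption parameters for a NON_COMPLIANT S3 encryption result, else None."""
    detail = event.get("detail", {})
    if (event.get("source") != "aws.config"
            or event.get("detail-type") != "Config Rules Compliance Change"
            or detail.get("resourceType") != "AWS::S3::Bucket"
            or detail.get("configRuleName") != RULE_NAME
            or detail.get("newEvaluationResult", {}).get("complianceType") != "NON_COMPLIANT"):
        return None  # not our rule, or the bucket is already compliant: do nothing
    return {"Bucket": detail["resourceId"],
            "ServerSideEncryptionConfiguration": DESIRED_ENCRYPTION}

def remediate(event: Dict, put_bucket_encryption: Callable[..., Dict]) -> Optional[Dict]:
    """Apply the plan through the supplied S3 call (boto3's put_bucket_encryption in Lambda)."""
    params = plan_remediation(event)
    if params is not None:
        put_bucket_encryption(**params)
    return params

def lambda_handler(event: Dict, context) -> Dict:
    """Lambda entry point wired to the EventBridge rule; uses a real boto3 S3 client."""
    import boto3  # imported lazily so the module loads without the AWS SDK
    params = remediate(event, boto3.client("s3").put_bucket_encryption)
    return {"remediated": params is not None, "bucket": (params or {}).get("Bucket")}
```

The Lambda's execution role only needs s3:PutEncryptionConfiguration on the buckets in scope; the PutBucketEncryption call it makes is itself recorded by CloudTrail, so the fix is auditable alongside the original change.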

Side-by-Side Comparison (deep dive)

  Feature      | CloudWatch ⏱️                 | CloudTrail 📜                | Config 🛡
  Primary Use  | Monitoring & metrics          | Auditing API calls           | Compliance & governance
  Data Type    | Metrics, logs, events         | API events (mgmt & data)     | Resource configs & compliance
  Granularity  | Performance metrics           | API-level actions            | Resource-level state
  Storage      | CloudWatch Logs, dashboards   | S3 (logs), CloudTrail Lake   | S3 (config snapshots)
  Automation   | Alarms → actions              | Events → Lambda/SNS          | Rules → remediation
  Best For     | Ops teams (monitoring)        | Security/Audit teams         | Compliance/GRC (Governance, Risk, Compliance) teams

twtech Rule of Thumb:

    • Use CloudWatch → How is it performing? (Monitoring & Observability)
    • Use CloudTrail → Who did what? (Auditing & Security Forensics)
    • Use Config → Is it compliant? (Resource Compliance & Governance)
