CloudTrail vs CloudWatch vs Config
Learn the differences between AWS CloudTrail, Amazon CloudWatch, and AWS Config — three services that are often confused on the exam.
Learning outcomes
By the end of this lesson, you will be able to:
- Explain what each service does in one sentence.
- Distinguish CloudWatch (performance), CloudTrail (audit), and Config (compliance).
- Identify which service to use for common exam scenarios.
The one-sentence summary
Before diving in, here is the simplest way to remember these three:
| Service | One-sentence answer |
|---|---|
| CloudWatch | "How is my system performing?" |
| CloudTrail | "Who did what and when?" |
| AWS Config | "Is my infrastructure configured correctly?" |
Tip
Exam trap: CloudTrail and CloudWatch sound similar but do very different things. CloudWatch monitors metrics and logs. CloudTrail records API calls. They are not interchangeable.
Amazon CloudWatch — performance monitoring
You already learned about CloudWatch in Lesson 1 of this module. Quick recap:
- Metrics — numeric signals over time (CPU, errors, latency)
- Logs — text records of events and messages
- Alarms — notifications when a metric crosses a threshold
CloudWatch answers: "Is my application healthy? Is CPU too high? Are errors spiking?"
What it records: Performance data — numbers, logs, and state changes over time.
AWS CloudTrail — API audit trail
CloudTrail is an audit log of API activity in your AWS account. Every action taken through the Console, CLI, SDK, or any AWS service generates an API call — and CloudTrail records it.
What CloudTrail records for each event:
- Who — the IAM identity (user, role, or service) that made the call
- What — the API action (e.g., DeleteBucket, RunInstances, CreateUser)
- When — the timestamp
- Where — the source IP address
- Which resource — the resource affected
CloudTrail answers: "Who deleted that S3 bucket? Who launched that EC2 instance? Who changed that IAM policy?"
Note
CloudTrail Event History shows the last 90 days of management events for free. For longer retention or data events (e.g., S3 object-level activity), you create a Trail that delivers logs to S3.
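Added example (not part of this lesson and not AWS code): a short Python script that reads a CloudTrail log file in the format a Trail delivers to S3 (a top-level "Records" array), reduces each record to the who / what / when / where / which-resource questions above, and lists the sensitive actions named in the list. Field names follow the CloudTrail record schema; the account ID, IP address, names and timestamps are constructed sample values.

```python
import json
from datetime import datetime

# Constructed sample in the CloudTrail log-file format: a top-level "Records"
# array with one object per API call. All values below are made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2024-05-01T10:15:30Z",
     "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"bucketName": "example-logs-bucket"}},
    {"eventVersion": "1.08", "eventTime": "2024-05-01T10:20:05Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Ops/bob"},
     "requestParameters": None},
]})

# Management events from the lesson that destroy data, create compute, or
# create identities; these are the ones an auditor reviews first.
SENSITIVE = {"DeleteBucket", "RunInstances", "CreateUser"}

def load_records(log_text):
    """Parse a delivered CloudTrail log file and return its Records list."""
    return json.loads(log_text)["Records"]

def summarize(record):
    """Reduce one CloudTrail record to the five questions the lesson lists."""
    ident = record.get("userIdentity", {})
    params = record.get("requestParameters") or {}   # may be null in the file
    return {
        "who": ident.get("userName") or ident.get("arn", "unknown"),
        "what": record["eventName"],
        "when": datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
        "where": record.get("sourceIPAddress", "unknown"),
        "resource": params.get("bucketName") or params.get("instanceId") or "n/a",
    }

def flag_sensitive(log_text):
    """Return summaries of the sensitive events only, oldest first."""
    hits = [summarize(r) for r in load_records(log_text)
            if r["eventName"] in SENSITIVE]
    return sorted(hits, key=lambda h: h["when"])

if __name__ == "__main__":
    for h in flag_sensitive(SAMPLE_LOG):
        print(f'{h["when"]:%Y-%m-%d %H:%M} {h["who"]} {h["what"]} '
              f'{h["resource"]} from {h["where"]}')
```

On a real Trail the same logic runs over each gzipped file under the Trail's S3 prefix; the read-only DescribeInstances call is dropped and only the DeleteBucket call is reported.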
AWS Config — configuration history and compliance
AWS Config tracks the configuration state of your AWS resources over time. It records how each resource is configured, how that configuration changes, and whether it complies with rules you define.
What AWS Config tracks:
- Resource configuration snapshots (what does this security group look like today?)
- Configuration change timeline (when did it change? what was it before?)
- Compliance against Config Rules (is S3 bucket encryption enabled? Are security groups too permissive?)
AWS Config answers: "Is my infrastructure configured correctly? When did this configuration change? Are we compliant with our security policies?"
Full comparison
| Feature | CloudWatch | CloudTrail | AWS Config |
|---|---|---|---|
| Purpose | Monitor performance | Audit API activity | Track resource configuration |
| Key question | "How is my system performing?" | "Who did what and when?" | "Is my infrastructure configured correctly?" |
| Records | Metrics, logs, alarms | API calls (who, what, when, from where) | Resource configuration state and changes |
| Use case | Alert on high CPU, debug errors | Investigate security incidents, audit changes | Enforce compliance rules, track config drift |
| Default retention | Logs: indefinite; Metrics: varies | Event History: 90 days free | Configuration history: stored in S3 |
Common exam scenarios
| Scenario | Correct service |
|---|---|
| "CPU utilization is too high" | CloudWatch (metric) |
| "Who deleted the S3 bucket?" | CloudTrail (API audit) |
| "Is encryption enabled on all S3 buckets?" | AWS Config (compliance rule) |
| "Lambda errors are spiking" | CloudWatch (metric + logs) |
| "Who changed the security group rules?" | CloudTrail (API audit) |
| "When did this resource configuration change?" | AWS Config (configuration timeline) |
| "Alert me when error rate exceeds 5%" | CloudWatch (alarm) |