Difference between AWS CloudWatch, CloudTrail and Config

Arjun, a budding cloud engineer, had just built his first production-grade application on AWS.

Everything looked perfect… until it wasn’t.

❌ His app crashed.
❌ A security group was modified.
❌ Compliance rules were silently broken.

And he had no idea what happened.

“I wish AWS had a way to tell me what’s going on under the hood,” he said.

That’s when his mentor told him about the three pillars of observability in AWS:

CloudWatch
CloudTrail
AWS Config

At first, they sounded similar. But once Arjun understood what each service really does, everything clicked.

📊 1. Amazon CloudWatch – “What is happening right now?”

CloudWatch is the performance monitoring tool for your AWS resources and apps.

It helps you answer:

Is my EC2 instance running hot?
How many requests is my ELB getting?
Are my Lambda functions failing?
What do my logs say?

🔧 Core Capabilities:

Metrics (CPU, memory, network, etc.)
Alarms (alert you when thresholds are crossed)
Dashboards (visualize performance)
Logs (store and search app logs)
Events (trigger actions like Lambda or SNS)

🧠 Think of CloudWatch as your real-time performance and health monitor.

🕵️‍♂️ 2. AWS CloudTrail – “Who did what?”

Arjun’s next problem was figuring out who changed a security group that opened up SSH to the entire internet.

The answer? CloudTrail.

🔍 What it does:

Records every API call made in your AWS account.
Tracks:
- Who made the request (user/role/service)
- When it was made
- Where it came from (IP address)
- What was changed

CloudTrail gave Arjun an audit trail. It showed exactly who removed the firewall rule and when.

🧠 Use CloudTrail when you want a full history of every action taken in your AWS account.

✅ 3. AWS Config – “Is everything still compliant?”

Arjun then discovered that someone removed the SSL certificate from his Load Balancer — silently.

This wasn’t a performance issue or an API call he was watching.

This was a config drift — and AWS Config helped him detect it.

✅ What AWS Config does:

Continuously records configuration changes to AWS resources.
Compares them against predefined compliance rules.
Flags non-compliant resources.
Stores config history in S3 for auditing.
Can trigger auto-remediation using Lambda or SSM Documents.

For example:

“Every S3 bucket must be encrypted.”
“No security group should allow unrestricted SSH.”

If someone breaks the rule, Config marks the resource non-compliant — and can even fix it automatically.

🧠 Use AWS Config to enforce compliance, detect drift, and view resource history over time.

🎯 CloudWatch vs CloudTrail vs AWS Config – One Chart to Rule Them All

Feature / Tool	CloudWatch 📊	CloudTrail 🕵️‍♂️	AWS Config ✅
Purpose	Monitor performance + logs	Track API activity (audit trail)	Track config changes + compliance
Records	Metrics, logs, alarms	API calls	Resource configurations
Real-time?	Yes	Near real-time	Continuous
Who changed it?	❌ No	✅ Yes	✅ Yes (via CloudTrail link)
Compliance checks	❌ No	❌ No	✅ Yes
Auto-remediation	❌ No	❌ No	✅ Yes (SSM or Lambda)
Stores data in S3?	Optional (logs)	✅ Yes	✅ Yes
Example Use Case	High CPU on EC2	Who opened SSH port?	Is SSL attached to ALB?

🏁 Final Takeaway from Arjun

“Now I get it,” Arjun smiled.
“CloudWatch tells me what’s happening,
CloudTrail tells me who did what,
and Config tells me what changed — and whether it breaks the rules.”

He finally had visibility, accountability, and control — the trifecta every AWS engineer needs.

✅ TL;DR for AWS SAA Aspirants

CloudWatch = Performance + Monitoring
CloudTrail = API History + Auditing
AWS Config = Compliance + Config History + Remediation

Master this trio and you’re not just passing the exam — you’re becoming a cloud professional who truly understands AWS operations.