Difference between AWS CloudWatch, CloudTrail and Config


Arjun, a budding cloud engineer, had just built his first production-grade application on AWS.
Everything looked perfect… until it wasn’t.
❌ His app crashed.
❌ A security group was modified.
❌ Compliance rules were silently broken.
And he had no idea what happened.
“I wish AWS had a way to tell me what’s going on under the hood,” he said.
That’s when his mentor told him about the three pillars of observability in AWS:
CloudWatch
CloudTrail
AWS Config
At first, they sounded similar. But once Arjun understood what each service really does, everything clicked.
📊 1. Amazon CloudWatch – “What is happening right now?”
CloudWatch is the performance monitoring tool for your AWS resources and apps.
It helps you answer:
Is my EC2 instance running hot?
How many requests is my ELB getting?
Are my Lambda functions failing?
What do my logs say?
🔧 Core Capabilities:
Metrics (CPU, network and disk I/O for EC2 out of the box; memory and disk-space usage need the CloudWatch agent on the instance)
Alarms (alert you when a threshold is crossed for enough evaluation periods, and optionally act: notify SNS, reboot or recover an instance, scale a group)
Dashboards (visualize performance)
Logs (store, search and retain application and system logs; CloudTrail and VPC Flow Logs can be delivered here as well)
Events (now Amazon EventBridge: route events such as state changes or schedules to targets like Lambda or SNS)
🧠 Think of CloudWatch as your real-time performance and health monitor.
🕵️♂️ 2. AWS CloudTrail – “Who did what?”
Arjun’s next problem was figuring out who changed a security group that opened up SSH to the entire internet.
The answer? CloudTrail.
🔍 What it does:
Records the management API calls made in your AWS account, whether they came from the console, the CLI, an SDK, or an AWS service acting on your behalf. (Data-plane calls such as S3 object reads and Lambda invocations are not logged unless you enable data events on a trail.)
Tracks:
Who made the request (IAM user, assumed role and session name, or AWS service)
When it was made
Where it came from (source IP address and user agent)
What was requested (the request parameters, and whether the call succeeded or was denied)
CloudTrail gave Arjun an audit trail. It showed exactly which identity authorized the 0.0.0.0/0 rule, when, and from which IP address. Note that CloudTrail records the request, not the resulting state of the resource; that part is AWS Config's job.
🧠 Use CloudTrail when you want a history of every management action taken in your AWS account. The console's Event history only goes back 90 days, so create a trail that delivers to S3 (ideally into a separate, locked-down account) if the evidence needs to survive longer, or to survive an attacker who has console access.
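The "who opened SSH to the world" question above is a routine CloudTrail hunt, so here is an added example of how to answer it from a log file rather than by clicking through Event history. This is example code written for this article, not an AWS tool: it parses the JSON shape CloudTrail uses for EC2 events (a `Records` array, `userIdentity`, `requestParameters.ipPermissions.items`) and reports who, when, from where, and which group, for every successful `AuthorizeSecurityGroupIngress` call that allows `0.0.0.0/0` or `::/0` to reach a port. The records are constructed; the ARNs, IP addresses, account ID and group ID are made up. It also goes one step beyond the story by skipping calls that carried an `errorCode` (a denied request never changed anything) and by treating the all-protocols rule (`-1`) as exposing every port.

```python
"""Hunting the CloudTrail record that opened SSH to the internet.

Example code added for this article (not an AWS tool). Parses the JSON shape
of a CloudTrail log file and answers 'who, when, from where, which group' for
AuthorizeSecurityGroupIngress calls that expose a port to 0.0.0.0/0 or ::/0.
The records below are constructed; ARNs, IPs and IDs are made up.
"""
import json
from datetime import datetime, timezone
from ipaddress import ip_network


def _record(name, who, ip, when, cidr=None, error=None):
    """Build one constructed CloudTrail record in the shape real EC2 events use."""
    rec = {"eventVersion": "1.08", "eventSource": "ec2.amazonaws.com",
           "eventName": name, "eventTime": when, "sourceIPAddress": ip,
           "userIdentity": who, "requestParameters": None}
    if cidr:
        rec["requestParameters"] = {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                         "ipRanges": {"items": [{"cidrIp": cidr}]}}]}}
    if error:
        rec["errorCode"] = error   # the call was denied, so nothing changed
    return rec


ARJUN = {"type": "AssumedRole",
         "arn": "arn:aws:sts::111122223333:assumed-role/DevOpsRole/arjun",
         "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/DevOpsRole"}}}
PRIYA = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/priya"}
INTERN = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/intern"}

# Constructed sample log file: one world-open rule, one scoped to the VPN range,
# one denied attempt, and one unrelated read-only call.
SAMPLE_LOG = json.dumps({"Records": [
    _record("AuthorizeSecurityGroupIngress", ARJUN, "203.0.113.42", "2024-03-10T14:02:11Z", "0.0.0.0/0"),
    _record("AuthorizeSecurityGroupIngress", PRIYA, "198.51.100.7", "2024-03-10T13:55:40Z", "10.20.0.0/16"),
    _record("AuthorizeSecurityGroupIngress", INTERN, "198.51.100.9", "2024-03-10T13:57:02Z", "0.0.0.0/0",
            error="Client.UnauthorizedOperation"),
    _record("DescribeSecurityGroups", PRIYA, "198.51.100.7", "2024-03-10T13:50:02Z"),
]})


def _world_open(cidr):
    """0.0.0.0/0 and ::/0 are the only prefixes with a zero-length mask."""
    return ip_network(cidr, strict=False).prefixlen == 0


def rule_exposes_port(perm, port):
    """True if one ipPermissions entry lets the whole internet reach `port`."""
    proto = perm.get("ipProtocol")
    if proto == "tcp" and not perm.get("fromPort", 0) <= port <= perm.get("toPort", 65535):
        return False
    if proto not in ("tcp", "-1"):          # -1 means every protocol and every port
        return False
    ranges = perm.get("ipRanges", {}).get("items", []) + perm.get("ipv6Ranges", {}).get("items", [])
    return any(_world_open(c) for c in (r.get("cidrIp") or r.get("cidrIpv6") for r in ranges) if c)


def actor(identity):
    """For an assumed role the session name is usually the human; keep the role too."""
    if identity.get("type") == "AssumedRole":
        issuer = identity.get("sessionContext", {}).get("sessionIssuer", {}).get("arn", "?")
        return f"{identity.get('arn')} (via {issuer})"
    return identity.get("arn") or identity.get("type", "unknown")


def find_world_open_ingress(log_text, port=22):
    """Return successful AuthorizeSecurityGroupIngress calls exposing `port`, oldest first."""
    hits = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventName") != "AuthorizeSecurityGroupIngress" or rec.get("errorCode"):
            continue                        # wrong API, or the call was denied
        params = rec.get("requestParameters") or {}
        perms = params.get("ipPermissions", {}).get("items", [])
        if any(rule_exposes_port(p, port) for p in perms):
            when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            hits.append({"who": actor(rec.get("userIdentity", {})), "when": when,
                         "from_ip": rec.get("sourceIPAddress"), "group": params.get("groupId")})
    return sorted(hits, key=lambda h: h["when"])


if __name__ == "__main__":
    for h in find_world_open_ingress(SAMPLE_LOG):
        print(f"{h['when'].isoformat()}  {h['who']}  from {h['from_ip']}  opened {h['group']}")
```

Two details matter in practice. For an assumed role, the `arn` in `userIdentity` carries the session name, which is what tells you the human behind a shared role, so the hunt keeps both the session ARN and the issuing role. And the denied attempt is deliberately dropped from the "who changed it" answer, but in an investigation you would report it separately: a failed `AuthorizeSecurityGroupIngress` from an unexpected principal is useful evidence of someone probing their permissions.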
✅ 3. AWS Config – “Is everything still compliant?”
Arjun then discovered that someone had removed the TLS certificate from his Load Balancer's listener. Silently.
CloudTrail had recorded the API call that did it, but nobody was watching for that particular call, and no metric moved: the load balancer kept serving traffic, just without the certificate.
What he needed was something that looks at the resulting state of each resource and says whether it still meets policy. That is configuration drift, and AWS Config is built to detect it.
✅ What AWS Config does:
Continuously records configuration changes to supported AWS resources (each change becomes a configuration item, linked to the CloudTrail event that caused it).
Evaluates resources against rules: AWS managed rules, or custom rules backed by a Lambda function or a CloudFormation Guard policy.
Flags non-compliant resources, and can notify through SNS or EventBridge when a resource's compliance changes.
Delivers configuration history and snapshots to an S3 bucket for auditing.
Can trigger auto-remediation through SSM Automation documents (which can in turn run scripts or Lambda functions).
For example:
“Every S3 bucket must be encrypted.”
“No security group should allow unrestricted SSH.”
If someone breaks the rule, Config marks the resource NON_COMPLIANT, and if you have attached a remediation action to the rule it can fix it automatically. Treat automatic remediation with care: it acts on live resources, so test it in a non-production account first and scope it to the resource types you actually intend to touch.
🧠 Use AWS Config to enforce compliance, detect drift, and view resource history over time.
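The "no security group should allow unrestricted SSH" rule above is the classic custom-rule exercise, so here is an added example of the evaluation logic behind such a rule. This is example code written for this article, not an AWS-provided rule: it handles the event a custom rule's Lambda receives (`invokingEvent` carrying a `configurationItem`) and returns the `Evaluations` payload that a deployed handler would pass to boto3's `config.put_evaluations()`; to keep it runnable offline it returns that payload instead of calling the API. The configuration items are constructed to mirror the `AWS::EC2::SecurityGroup` shape (`ipPermissions` with `ipv4Ranges`/`ipv6Ranges`); the group ID, capture time and result token are made up. Beyond the page's one-line rule, it also handles the two cases every custom rule must get right: a deleted resource (return NOT_APPLICABLE, or the stale verdict lingers in the console) and an item of the wrong resource type.

```python
"""Evaluation logic of a custom AWS Config rule: 'no security group may allow
SSH from anywhere'.

Example code added for this article (not an AWS-provided rule). It consumes
the event a custom rule's Lambda receives and returns the payload a deployed
handler would hand to boto3.client('config').put_evaluations(). The
configuration items are constructed to mirror the AWS::EC2::SecurityGroup
shape; IDs, timestamps and the result token are made up.
"""
import json
from ipaddress import ip_network


def _world_open(cidr):
    """0.0.0.0/0 and ::/0 are the only prefixes with a zero-length mask."""
    return ip_network(cidr, strict=False).prefixlen == 0


def offending_rules(configuration, port):
    """Describe every ingress rule in a Config SG configuration that exposes `port` to all."""
    found = []
    for perm in configuration.get("ipPermissions", []):
        proto = perm.get("ipProtocol")
        if proto not in ("tcp", "-1"):      # -1 means every protocol and every port
            continue
        if proto == "tcp" and not perm.get("fromPort", 0) <= port <= perm.get("toPort", 65535):
            continue
        cidrs = [r["cidrIp"] for r in perm.get("ipv4Ranges", [])]
        cidrs += [r["cidrIpv6"] for r in perm.get("ipv6Ranges", [])]
        for cidr in cidrs:
            if _world_open(cidr):
                span = "all ports" if proto == "-1" else f"{perm['fromPort']}-{perm['toPort']}"
                found.append(f"{proto} {span} from {cidr}")
    return found


def evaluate(ci, port=22):
    """Return (ComplianceType, Annotation) for one configuration item."""
    if ci.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule applies to security groups only"
    if ci.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "resource deleted"   # clears the old verdict
    bad = offending_rules(ci.get("configuration") or {}, port)
    if bad:
        return "NON_COMPLIANT", ("open to the world: " + "; ".join(bad))[:256]  # annotation limit
    return "COMPLIANT", f"no ingress from 0.0.0.0/0 or ::/0 on port {port}"


def lambda_handler(event, context=None):
    """Shape of a custom-rule handler. A deployed version would finish with
    boto3.client('config').put_evaluations(**result); here the payload is returned."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    ci = invoking["configurationItem"]
    compliance, note = evaluate(ci, int(params.get("port", 22)))
    return {
        "Evaluations": [{
            "ComplianceResourceType": ci["resourceType"],
            "ComplianceResourceId": ci["resourceId"],
            "ComplianceType": compliance,
            "Annotation": note,
            "OrderingTimestamp": ci["configurationItemCaptureTime"],
        }],
        "ResultToken": event["resultToken"],
    }


def _config_event(permissions, status="OK"):
    """Constructed Config change notification wrapping one SG configuration item."""
    ci = {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0123456789abcdef0",
          "configurationItemStatus": status, "configurationItemCaptureTime": "2024-03-10T14:02:30.000Z",
          "configuration": {"groupId": "sg-0123456789abcdef0", "ipPermissions": permissions}}
    return {"invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                                         "configurationItem": ci}),
            "ruleParameters": json.dumps({"port": "22"}), "resultToken": "token-123"}


WORLD_SSH = _config_event([{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                            "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}])
VPN_SSH = _config_event([{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                          "ipv4Ranges": [{"cidrIp": "10.20.0.0/16"}], "ipv6Ranges": []}])
DELETED = _config_event([], status="ResourceDeleted")

if __name__ == "__main__":
    for name, ev in (("world", WORLD_SSH), ("vpn", VPN_SSH), ("deleted", DELETED)):
        e = lambda_handler(ev)["Evaluations"][0]
        print(f"{name:8} {e['ComplianceType']:15} {e['Annotation']}")
```

For this particular policy you would normally reach for the managed rule `restricted-ssh` rather than write a Lambda; the custom-rule shape is what matters when your policy is something the managed rules do not express. Whichever you use, the remediation side is a separate SSM Automation document attached to the rule, and it is worth running it in detect-only mode until you are confident about which groups it will touch.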
🎯 CloudWatch vs CloudTrail vs AWS Config – One Chart to Rule Them All

| Feature / Tool | CloudWatch 📊 | CloudTrail 🕵️‍♂️ | AWS Config ✅ |
|---|---|---|---|
| Purpose | Monitor performance + logs | Track API activity (audit trail) | Track config changes + compliance |
| Records | Metrics, logs, alarms | API calls (who, when, from where, what was requested) | Resource configurations over time |
| Real-time? | Yes (1-minute metrics; 1-second with high resolution) | Near real-time (events typically visible within minutes) | Continuous on change, or periodic on a schedule |
| Who changed it? | ❌ No | ✅ Yes | ✅ Yes (each change links to its CloudTrail event) |
| Compliance checks | ❌ No | ❌ No | ✅ Yes |
| Auto-remediation | Alarm actions only (SNS, EC2 reboot/recover, Auto Scaling) | ❌ No | ✅ Yes (SSM Automation, which can run Lambda) |
| Stores data in S3? | Optional (log export) | ✅ Yes, when a trail is configured | ✅ Yes (history + snapshots) |
| Example Use Case | High CPU on EC2 | Who opened SSH to 0.0.0.0/0? | Is a TLS certificate still attached to the ALB listener? |
🏁 Final Takeaway from Arjun
“Now I get it,” Arjun smiled.
“CloudWatch tells me what’s happening,
CloudTrail tells me who did what,
and Config tells me what changed — and whether it breaks the rules.”
He finally had visibility, accountability, and control — the trifecta every AWS engineer needs.
✅ TL;DR for AWS SAA Aspirants
CloudWatch = Performance + Monitoring
CloudTrail = API History + Auditing
AWS Config = Compliance + Config History + Remediation
Master this trio and you’re not just passing the exam — you’re becoming a cloud professional who truly understands AWS operations.
Written by Jay Tillu
Hello! I'm Jay Tillu, an Information Security Engineer at Simple2Call. I have expertise in security frameworks and compliance, including NIST, ISO 27001, and ISO 27701. My specialities include Vulnerability Management, Threat Analysis, and Incident Response. I have also earned certifications in Google Cybersecurity and Microsoft Azure. I’m always eager to connect and discuss cybersecurity—let's get in touch!