Difference between AWS CloudWatch, CloudTrail and Config

Jay Tillu
4 min read

Arjun, a budding cloud engineer, had just built his first production-grade application on AWS.

Everything looked perfect… until it wasn’t.

❌ His app crashed.
❌ A security group was modified.
❌ Compliance rules were silently broken.

And he had no idea what happened.

“I wish AWS had a way to tell me what’s going on under the hood,” he said.

That’s when his mentor told him about the three pillars of observability in AWS:

  • CloudWatch

  • CloudTrail

  • AWS Config

At first, they sounded similar. But once Arjun understood what each service really does, everything clicked.


📊 1. Amazon CloudWatch – “What is happening right now?”

CloudWatch is the performance monitoring tool for your AWS resources and apps.

It helps you answer:

  • Is my EC2 instance running hot?

  • How many requests is my ELB getting?

  • Are my Lambda functions failing?

  • What do my logs say?

🔧 Core Capabilities:

  • Metrics (CPU, network and disk I/O come built in; memory and disk-space usage need the CloudWatch agent on the instance)

  • Alarms (alert you, or trigger an action such as scaling or stopping an instance, when a threshold is crossed)

  • Dashboards (visualize performance)

  • Logs (store, search and retain application, OS and service logs; CloudTrail can be delivered here too)

  • Events (now Amazon EventBridge: route events such as an API call or an alarm state change to targets like Lambda or SNS)

🧠 Think of CloudWatch as your real-time performance and health monitor.


🕵️‍♂️ 2. AWS CloudTrail – “Who did what?”

Arjun’s next problem was figuring out who changed a security group that opened up SSH to the entire internet.

The answer? CloudTrail.

🔍 What it does:

  • Records the API calls made in your AWS account (management events such as creating, changing or deleting resources by default; data events such as S3 object reads or Lambda invocations only when you enable them).

  • Tracks:

    • Who made the request (IAM user, assumed role, or AWS service)

    • When it was made

    • Where it came from (source IP address and user agent)

    • What was requested (the API name and its parameters, and whether the call succeeded or was denied)

CloudTrail gave Arjun an audit trail. It showed exactly which identity added the inbound rule that opened SSH to the internet, from which IP address, and when.

🧠 Use CloudTrail when you want a history of the actions taken in your AWS account. Keep in mind that it is not a real-time feed (events arrive minutes after the call), that the console's Event history only keeps 90 days, and that you need a trail delivering to S3 (ideally in a separate, locked-down account) for long-term retention and tamper resistance.
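Here is how that investigation looks in code, as an added example that is not part of the original article: it scans one CloudTrail delivery file (the JSON a trail writes to S3) for successful AuthorizeSecurityGroupIngress calls that opened TCP/22 to 0.0.0.0/0 or ::/0, and reports the identity, source IP and time for each one. The records are constructed to follow the CloudTrail record format; all account IDs, ARNs, IP addresses and security group IDs are placeholders.

```python
"""Answering "who opened SSH to the internet?" from CloudTrail records.

Added example, not code from the original article. A trail delivers gzipped
JSON files to S3, each with a top-level "Records" array; the records below
are constructed to follow that format and are not real logs. Account IDs,
ARNs, IP addresses and security group IDs are placeholders.
"""
import json
from dataclasses import dataclass

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}   # "anywhere" in IPv4 and IPv6
SSH_PORT = 22


@dataclass(frozen=True)
class Finding:
    event_time: str
    actor_arn: str    # userIdentity.arn: an IAM user, or an assumed-role session
    actor_type: str   # IAMUser, AssumedRole, Root, AWSService, ...
    source_ip: str    # where the API call came from
    group_id: str
    cidrs: tuple      # the world-open ranges in the offending rule(s)


def exposed_cidrs(perm: dict) -> tuple:
    """World-open CIDRs in one ipPermissions entry that reach TCP/22, else ().

    ipProtocol "-1" means every protocol and port, so it counts too. EC2 wraps
    lists as {"items": [...]} inside CloudTrail requestParameters.
    """
    proto = str(perm.get("ipProtocol", ""))
    if proto == "-1":
        lo, hi = 0, 65535
    elif proto == "tcp":
        lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
    else:
        return ()
    if not lo <= SSH_PORT <= hi:
        return ()
    cidrs = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
    cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])]
    return tuple(c for c in cidrs if c in WORLD_CIDRS)


def who_opened_ssh(trail_json: str) -> list:
    """Scan one CloudTrail delivery file for successful world-open SSH authorizations."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        if rec.get("eventName") != "AuthorizeSecurityGroupIngress":
            continue
        if rec.get("errorCode"):   # denied/failed calls are logged too, but changed nothing
            continue
        params = rec.get("requestParameters") or {}
        perms = params.get("ipPermissions", {}).get("items", [])
        cidrs = tuple(c for p in perms for c in exposed_cidrs(p))
        if not cidrs:
            continue
        ident = rec.get("userIdentity", {})
        findings.append(Finding(
            event_time=rec["eventTime"],
            actor_arn=ident.get("arn", "<unknown>"),
            actor_type=ident.get("type", "<unknown>"),
            source_ip=rec.get("sourceIPAddress", "<unknown>"),
            group_id=params.get("groupId", "<unknown>"),
            cidrs=cidrs,
        ))
    return findings


def _record(time, ident, src_ip, group_id, perm, error=None):
    """Build one constructed CloudTrail record (placeholder values)."""
    rec = {"eventTime": time, "eventSource": "ec2.amazonaws.com",
           "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": src_ip,
           "userIdentity": ident,
           "requestParameters": {"groupId": group_id, "ipPermissions": {"items": [perm]}}}
    if error:
        rec["errorCode"] = error
    return rec


USER = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dev-arjun"}
ROLE = {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ops-admin/alice"}
SSH_FROM_ANYWHERE = {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                     "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}

SAMPLE_TRAIL = json.dumps({"Records": [
    # 1: TCP/22 from 0.0.0.0/0 by an IAM user: the change Arjun is looking for
    _record("2024-03-01T10:15:02Z", USER, "203.0.113.7", "sg-0abc123", SSH_FROM_ANYWHERE),
    # 2: HTTPS from the corporate range only: harmless
    _record("2024-03-01T10:20:44Z", ROLE, "198.51.100.9", "sg-0abc123",
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
             "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}),
    # 3: "all traffic" from ::/0 through an assumed role; that includes port 22
    _record("2024-03-01T11:02:10Z", ROLE, "198.51.100.9", "sg-0def456",
            {"ipProtocol": "-1", "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]}}),
    # 4: same request as 1, but IAM denied it: logged, yet nothing changed
    _record("2024-03-01T11:30:00Z", USER, "203.0.113.7", "sg-0abc123", SSH_FROM_ANYWHERE,
            error="Client.UnauthorizedOperation"),
]})
```

Two details matter in practice: calls that IAM denied are still logged (with an errorCode), so filter them out or you will chase a change that never happened; and an "all traffic" rule (ipProtocol -1) opens port 22 just as surely as an explicit TCP/22 rule. In a real investigation you would run this over every file under the trail's S3 prefix for the time window, or query the same fields with Athena.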


✅ 3. AWS Config – “Is everything still compliant?”

Arjun then discovered that someone had removed the TLS certificate from his load balancer's HTTPS listener, silently.

This wasn't a performance problem, so CloudWatch stayed quiet. CloudTrail did log the API call that did it, but nobody was reading the trail, and a log entry on its own does not tell you whether the resulting state is acceptable.

This was configuration drift, and AWS Config is the service that detects it: it records the state each resource is in and keeps checking that state against rules.

✅ What AWS Config does:

  • Continuously records configuration changes to AWS resources as a timeline of configuration items.

  • Evaluates them against rules (AWS managed rules, or custom rules you write as Lambda functions or Guard policies), either when a resource changes or on a schedule.

  • Flags non-compliant resources.

  • Delivers configuration history and snapshots to an S3 bucket for auditing.

  • Can trigger auto-remediation through Systems Manager Automation documents (which in turn can run Lambda functions).

For example:

  • “Every S3 bucket must be encrypted.” (managed rule s3-bucket-server-side-encryption-enabled)

  • “No security group should allow unrestricted SSH.” (managed rule restricted-ssh)

If someone breaks the rule, Config marks the resource non-compliant, and with a remediation action attached to the rule it can even fix it automatically.

🧠 Use AWS Config to enforce compliance, detect drift, and view resource history over time.
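To make “every S3 bucket must be encrypted” concrete, here is what a custom Config rule looks like, as an added example (not code from the article, and not AWS's managed rule). Config invokes a Lambda function with the changed resource's configuration item; the function decides COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE and reports the verdict back with put_evaluations. The configuration items are constructed, and the requiredAlgorithm rule parameter is a hypothetical name chosen for this example. Note that since January 2023 every new bucket gets SSE-S3 by default, so the version of this rule that still bites is the one that demands aws:kms.

```python
"""A custom AWS Config rule: "every S3 bucket must have default encryption".

Added example, not code from the original article. It has the shape of the
Lambda function a custom Config rule invokes: Config passes the resource's
configuration item inside event["invokingEvent"], and for AWS::S3::Bucket
the default-encryption settings sit under
supplementaryConfiguration.ServerSideEncryptionConfiguration. The sample
items are constructed, and the "requiredAlgorithm" rule parameter is a
hypothetical name chosen for this example.
"""
import json

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"


def evaluate_bucket(item: dict, required_algorithm: str = "") -> tuple:
    """Return (compliance type, annotation) for one configuration item."""
    if item.get("resourceType") != "AWS::S3::Bucket":
        return NOT_APPLICABLE, "rule only evaluates S3 buckets"
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return NOT_APPLICABLE, "bucket no longer exists"
    sse = (item.get("supplementaryConfiguration") or {}).get("ServerSideEncryptionConfiguration")
    if isinstance(sse, str):          # tolerate the block arriving as a JSON-encoded string
        sse = json.loads(sse)
    algorithms = [r.get("applyServerSideEncryptionByDefault", {}).get("sseAlgorithm")
                  for r in (sse or {}).get("rules") or []]
    algorithms = [a for a in algorithms if a]
    if not algorithms:
        return NON_COMPLIANT, "no default encryption configured"
    if required_algorithm and required_algorithm not in algorithms:
        return NON_COMPLIANT, f"default encryption is {algorithms[0]}, rule requires {required_algorithm}"
    return COMPLIANT, "default encryption: " + ", ".join(algorithms)


def lambda_handler(event: dict, context=None, config_client=None) -> dict:
    """Entry point Config invokes; returns the evaluation it reports back.

    Pass a boto3 "config" client to actually report via put_evaluations();
    it is optional so the example runs offline.
    """
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance, annotation = evaluate_bucket(item, params.get("requiredAlgorithm", ""))
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if config_client is not None:
        config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def make_event(item: dict, rule_params: dict = None) -> dict:
    """Constructed Config invocation event wrapping one configuration item."""
    return {
        "invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                                     "configurationItem": item}),
        "ruleParameters": json.dumps(rule_params or {}),
        "resultToken": "constructed-token",
    }


def bucket_item(name: str, sse_rules=None, status: str = "OK") -> dict:
    """Constructed AWS::S3::Bucket configuration item (placeholder values)."""
    item = {
        "resourceType": "AWS::S3::Bucket", "resourceId": name,
        "configurationItemStatus": status,
        "configurationItemCaptureTime": "2024-03-01T12:00:00.000Z",
        "supplementaryConfiguration": {},
    }
    if sse_rules is not None:
        item["supplementaryConfiguration"]["ServerSideEncryptionConfiguration"] = {"rules": sse_rules}
    return item


KMS_RULES = [{"applyServerSideEncryptionByDefault": {
    "sseAlgorithm": "aws:kms",
    "kmsMasterKeyID": "arn:aws:kms:eu-west-1:123456789012:key/placeholder"},
    "bucketKeyEnabled": True}]
SSE_S3_RULES = [{"applyServerSideEncryptionByDefault": {"sseAlgorithm": "AES256"},
                 "bucketKeyEnabled": False}]
```

Auto-remediation is not done inside the rule: you attach a remediation action to it (an SSM Automation document such as AWS-EnableS3BucketEncryption, with a role that is allowed to call PutBucketEncryption), and Config runs that action for each resource the rule flags. Returning NOT_APPLICABLE for deleted resources matters, because otherwise a bucket that no longer exists stays on the non-compliant list forever.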


🎯 CloudWatch vs CloudTrail vs AWS Config – One Chart to Rule Them All

Feature / Tool      | CloudWatch 📊                         | CloudTrail 🕵️‍♂️                                   | AWS Config ✅
Purpose             | Monitor performance + logs            | Track API activity (audit trail)                  | Track config changes + compliance
Records             | Metrics, logs, alarms                 | API calls (management events; data events opt-in) | Resource configurations over time
Real-time?          | Yes (metrics within about a minute)   | No, events are delivered within minutes           | Continuous; rules run on change or on a schedule
Who changed it?     | ❌ No                                 | ✅ Yes                                            | ✅ Yes (via the linked CloudTrail events)
Compliance checks   | ❌ No                                 | ❌ No                                             | ✅ Yes
Auto-remediation    | ❌ No (alarm actions only)            | ❌ No                                             | ✅ Yes (SSM Automation, which can call Lambda)
Stores data in S3?  | Optional (log export)                 | ✅ Yes, once a trail is configured                | ✅ Yes (delivery channel)
Example Use Case    | High CPU on EC2                       | Who opened the SSH port?                          | Is a TLS certificate attached to the ALB listener?

🏁 Final Takeaway from Arjun

“Now I get it,” Arjun smiled.
“CloudWatch tells me what’s happening,
CloudTrail tells me who did what,
and Config tells me what changed — and whether it breaks the rules.”

He finally had visibility, accountability, and control — the trifecta every AWS engineer needs.


✅ TL;DR for AWS SAA Aspirants

  • CloudWatch = Performance + Monitoring

  • CloudTrail = API History + Auditing

  • AWS Config = Compliance + Config History + Remediation

Master this trio and you’re not just passing the exam — you’re becoming a cloud professional who truly understands AWS operations.



Written by

Jay Tillu

Hello! I'm Jay Tillu, an Information Security Engineer at Simple2Call. I have expertise in security frameworks and compliance, including NIST, ISO 27001, and ISO 27701. My specialities include Vulnerability Management, Threat Analysis, and Incident Response. I have also earned certifications in Google Cybersecurity and Microsoft Azure. I’m always eager to connect and discuss cybersecurity—let's get in touch!