In the configuration and management category, there are two major AWS tools that are similar, and can be easy to confuse if you are new to AWS. They are AWS Config and AWS CloudTrail.
If you’re an AWS veteran, you know that Config and CloudTrail are not actually the same thing. They’re different tools with different purposes. In this article, I explain what each tool does, and when to use it.
What is AWS Config?
AWS Config is a service that lets you define configuration rules that your AWS resources should comply with, and it tracks whether the resources comply with those rules. Every time a resource is changed, Config records the change in an S3 bucket. It stores a snapshot of your resources at a regular interval that you set, and even records how one AWS resource relates to another. It stores a configuration history in S3, and presents an overview of your resources and their configurations in a dashboard.
What is AWS CloudTrail?
CloudTrail is a logging service that records all API calls to any AWS service. It records details of the call like which user or application made the call, when it was made, and what IP address it was made from. AWS also has another logging service called CloudWatch Logs, but this reports application logs, unlike CloudTrail which reports on how AWS services are being used.
Where CloudTrail and Config Overlap
Config and CloudTrail have a lot in common. For starters, both are monitoring tools for your AWS resources. They both track changes and store a history of what happened to your resources in the recent past. They are both used for similar purposes—compliance and governance, auditing, security policies, and more. Essentially, if you notice something going wrong with your AWS resources, you’ll likely see it reflected in both Config and CloudTrail.
How CloudTrail and Config are Different
Though they often report on the same incidents, their perspective and approach are different. Config reports on what has changed, whereas CloudTrail reports on who made the change, when, and from which location. Config is focused on the configuration of your AWS resources and reports with detailed snapshots on how your resources have changed. CloudTrail focuses on the events, or API calls, that drive those changes. It focuses on the user, application, and activity performed on the system.
How they work together
Taking a different approach to the same incident, Config and CloudTrail work very well together. While Config is a great starting point to find out what happened to your AWS resources, you can get the full picture by digging into your CloudTrail logs, too. You can correlate changes in Config with events that took place at the same time as reported by CloudTrail.
Config merely watches and reports on instances of rules being violated. It doesn’t allow you to make changes to the resources from its console. You can integrate Config with IAM to set permissions for what a user can or cannot do within a resource. CloudTrail gives you more control in this regard. It integrates with CloudWatch Events to allow you to set automated rules-based responses to any event that occurs in your resources.
In the event of a security breach, if an attacker has made numerous changes in a short period of time, Config may not be able to report on this in detail. Config only stores the most recent and important changes to resources and disregards minute and frequent changes. Config does this to keep the system responsive for the end user rather than stalling with every change until it records the change in its history in S3. CloudTrail, on the other hand, records every single change in its stream of logs. It even has an integrity validation feature that lets you check if the attacker manipulated the API logs to cover their tracks. This is vital when investigating a data breach or cyberattack.
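The integrity-validation idea in this paragraph, as an added Python example that is not the article's or AWS's code: it models only the SHA-256 hash chain between CloudTrail digest files and the log files they cover (the real feature also signs each digest with RSA, which is not verified here), using a constructed in-memory stand-in for the S3 bucket and placeholder object keys.

```python
import hashlib
import json

# Constructed S3 stand-in (key -> bytes): two CloudTrail log files (plain JSON
# rather than the real gzipped objects) and two digests. Only the SHA-256 hash
# chain is modelled; the real feature also RSA-signs digests, not checked here.
BUCKET = {}

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def put_log(key, records):
    BUCKET[key] = json.dumps({"Records": records}).encode()

def put_digest(key, log_keys, prev_key=None):
    # Field names follow the documented digest layout that the check relies on.
    d = {"logFiles": [{"s3Object": k, "hashAlgorithm": "SHA-256",
                       "hashValue": sha256_hex(BUCKET[k])} for k in log_keys],
         "previousDigestS3Object": prev_key,
         "previousDigestHashAlgorithm": "SHA-256" if prev_key else None,
         "previousDigestHashValue": sha256_hex(BUCKET[prev_key]) if prev_key else None}
    BUCKET[key] = json.dumps(d, sort_keys=True).encode()

def validate_chain(digest_keys, bucket=BUCKET):
    problems, prev = [], None
    for key in digest_keys:  # walk digests oldest first
        d = json.loads(bucket[key])
        if prev and (d["previousDigestS3Object"] != prev
                     or d["previousDigestHashValue"] != sha256_hex(bucket[prev])):
            problems.append(f"{key}: link to previous digest {prev} is broken")
        for lf in d["logFiles"]:
            body = bucket.get(lf["s3Object"])
            if body is None:
                problems.append(f"{lf['s3Object']}: log file deleted")
            elif sha256_hex(body) != lf["hashValue"]:
                problems.append(f"{lf['s3Object']}: contents modified")
        prev = key
    return problems  # an empty list means the chain is intact

def demo():
    """Validate an intact chain, then show how a scrubbed log file is detected."""
    put_log("logs/0900.json", [{"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7"}])
    put_log("logs/1000.json", [{"eventName": "StopLogging"}])
    put_digest("digests/0930.json", ["logs/0900.json"])
    put_digest("digests/1030.json", ["logs/1000.json"], prev_key="digests/0930.json")
    chain = ["digests/0930.json", "digests/1030.json"]
    intact = validate_chain(chain)
    # Simulate a cover-up: erase the login record and re-issue its digest. The
    # next digest still carries the hash of the original digest, so it is caught.
    BUCKET["logs/0900.json"] = json.dumps({"Records": []}).encode()
    put_digest("digests/0930.json", ["logs/0900.json"])
    return intact, validate_chain(chain)
```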
Both tools are helpful when implementing a self-serve IT policy. Config works well with CloudFormation to enable IT to create approved templates for every type of AWS resource. These templates, when shared with developers, let them provision the resources they require without needing IT’s approval every time. It speeds up development, and importantly, enforces a consistent level of quality across the organization. If an employee changes the template while creating the resource, Config catches the change and notifies IT of the violation. If IT wants to dig deeper, they can use CloudTrail to help discover who made the change, from where, and when.
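The correlation described in the preceding paragraphs, both the general "match a Config change with the CloudTrail events from the same time" idea and the template-violation scenario above, as an added Python example that is not code from the article or from AWS. The configuration item, the CloudTrail records, the account id, addresses and event ids are all constructed placeholders, and the 15-minute fallback matching window is an assumption.

```python
import json
from datetime import datetime, timedelta

# Constructed sample data (placeholder account id, ids and addresses): one Config
# configuration item (the "what changed") and three CloudTrail records (the
# "who, when, from where"). Field names follow the services' documented JSON.
CONFIG_ITEMS = json.loads("""[{
  "resourceType": "AWS::EC2::SecurityGroup",
  "resourceId": "sg-0example1234567890",
  "configurationItemCaptureTime": "2024-03-01T10:05:00.000Z",
  "relatedEvents": ["evt-1111"]
}]""")

CLOUDTRAIL_RECORDS = json.loads("""[
 {"eventID": "evt-0000", "eventTime": "2024-03-01T09:00:00Z",
  "eventName": "DescribeSecurityGroups", "sourceIPAddress": "203.0.113.9",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/auditor"},
  "requestParameters": {}},
 {"eventID": "evt-1111", "eventTime": "2024-03-01T10:04:30Z",
  "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-alice"},
  "requestParameters": {"groupId": "sg-0example1234567890"}},
 {"eventID": "evt-2222", "eventTime": "2024-03-01T10:04:50Z",
  "eventName": "RevokeSecurityGroupEgress", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-alice"},
  "requestParameters": {"groupId": "sg-0example1234567890"}}
]""")

def parse_time(ts):
    # Both services emit ISO-8601 UTC with a trailing "Z"; Config adds milliseconds.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def correlate(config_items, records, window_minutes=15):
    by_id = {r["eventID"]: r for r in records}
    out = []
    for item in config_items:
        captured = parse_time(item["configurationItemCaptureTime"])
        # Use Config's relatedEvents (CloudTrail event ids) when present, plus a
        # fallback: same resource id, shortly before the snapshot (window is an assumption).
        hits = {e: by_id[e] for e in item.get("relatedEvents", []) if e in by_id}
        for r in records:
            age = captured - parse_time(r["eventTime"])
            if (item["resourceId"] in json.dumps(r.get("requestParameters", {}))
                    and timedelta(0) <= age <= timedelta(minutes=window_minutes)):
                hits[r["eventID"]] = r
        out.append({"resource": item["resourceId"], "events": sorted(
            [{"who": r["userIdentity"]["arn"], "when": r["eventTime"],
              "from": r["sourceIPAddress"], "action": r["eventName"]}
             for r in hits.values()], key=lambda e: e["when"])})
    return out
```

Each entry in the result is the Config resource together with the CloudTrail records that answer who, when, from where and what action, ordered by time.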
The benefits of using Config and CloudTrail together are many. They bring deeper and wider visibility across your AWS services. With their different approaches to change management, they complement each other well.
Conclusion: Using AWS Config and CloudTrail Together
Config and CloudTrail are a powerful combination if you want to secure your application in the AWS cloud, better meet compliance and regulatory requirements, gain deeper visibility into performance, and troubleshoot issues faster. Dismissing them as two separate services that do the same thing is shortsighted. Understanding their unique take on monitoring will enable you to get the most out of your investment in AWS, and let you appreciate even more why they are the leading cloud vendor today.