CloudTrail & AWS Config — Concept
CloudTrail
AWS CloudTrail = records every AWS API call (who, when, what, from where) for audit, security, and troubleshooting. Enabled by default on every account, keeping the last 90 days of management events.
Event types
| Type | What |
|---|---|
| Management events | Control-plane actions (RunInstances, CreateBucket) — on by default |
| Data events | High-volume (s3:GetObject, lambda:Invoke) — opt-in, paid |
| Insights events | ML-detected unusual API call patterns — opt-in |
Trails
- Trail = persists events to S3 (and optionally CloudWatch Logs) beyond the 90-day default.
- Organization trail = single trail for whole AWS Organization (recommended).
- Multi-region by default.
- File integrity validation with SHA-256 hashes (tamper-evident).
Common uses
- Forensic investigation ("who deleted the bucket?").
- Send to CloudWatch Logs + metric filter + alarm for suspicious calls (e.g. root login).
- Query the S3 log files with Athena for ad-hoc SQL.
- Detect IAM key compromise.
AWS Config
AWS Config = records resource configuration history + evaluates against rules. Answers "what did this resource look like at 3:42 PM yesterday?" and "are all my S3 buckets encrypted?"
Pieces
- Configuration items — point-in-time snapshots per resource.
- Configuration recorder — what resource types to track (per region).
- Configuration history stored in S3.
- Rules — AWS-managed (e.g. s3-bucket-public-read-prohibited) or custom Lambda.
- Conformance packs — collection of rules + remediation.
- Remediation actions — auto-fix non-compliant resources via SSM Automation.
- Aggregator — view across accounts/regions.
Common uses
- Continuous compliance (PCI, HIPAA).
- Change tracking (who changed the SG to allow 0.0.0.0/0?).
- Auto-remediate (revert to compliant config).
- Inventory + dependency views.
CloudTrail vs Config vs CloudWatch (very common exam confusion)
| Question | Service |
|---|---|
| Who called API and when? | CloudTrail |
| What did the resource look like before/after a change? | AWS Config |
| Is the resource compliant with rules? | AWS Config |
| What metrics / logs are coming from my apps? | CloudWatch |
| Trigger something on an event (state change)? | EventBridge (was CloudWatch Events) |
Common exam scenarios
- "Audit who terminated a production EC2" → CloudTrail event lookup.
- "Auto-detect public S3 bucket and fix it" → AWS Config rule + SSM remediation.
- "Send alert when root user signs in" → CloudTrail → CW Logs → metric filter → alarm → SNS.
- "View configuration history of a security group" → AWS Config.
- "Single audit trail across 30 accounts" → Organization trail in CloudTrail.
- "Query CloudTrail logs ad-hoc" → ship to S3 → Athena.
- "Continuous PCI compliance check" → Config conformance pack.
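The root sign-in alert (CloudTrail → CW Logs → metric filter → alarm → SNS) hinges on the metric filter pattern. As an added example (not part of the original notes), the block below gives the CIS Benchmark root-usage filter pattern and a Python equivalent run over constructed sample log lines; the account id, IPs and timestamps are placeholders.

```python
import json

# CIS AWS Foundations Benchmark metric-filter pattern for root account usage,
# attached to the CloudWatch Logs group that the CloudTrail trail delivers to.
ROOT_USAGE_FILTER = ('{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
                     '&& $.eventType != "AwsServiceEvent" }')

# Constructed sample CloudWatch Logs events, one CloudTrail record per line.
# Account id, IPs and times are placeholders, not real data.
SAMPLE_LOG_LINES = "\n".join(json.dumps(r) for r in [
    # 1. Interactive root console sign-in: this is the one that should alert.
    {"eventTime": "2024-01-15T03:42:10Z", "eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "accountId": "123456789012"}, "sourceIPAddress": "203.0.113.10",
     "responseElements": {"ConsoleLogin": "Success"}},
    # 2. Ordinary IAM user activity: not root, no alert.
    {"eventTime": "2024-01-15T04:00:00Z", "eventType": "AwsApiCall", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"}, "sourceIPAddress": "198.51.100.7"},
    # 3. An AWS service acting on root's behalf (invokedBy present): excluded to avoid noise.
    {"eventTime": "2024-01-15T04:05:00Z", "eventType": "AwsApiCall", "eventName": "DescribeRegions",
     "userIdentity": {"type": "Root", "invokedBy": "config.amazonaws.com"}, "sourceIPAddress": "config.amazonaws.com"},
    # 4. Constructed service event to exercise the eventType clause: excluded.
    {"eventTime": "2024-01-15T04:10:00Z", "eventType": "AwsServiceEvent", "eventName": "RotateKey",
     "userIdentity": {"type": "Root"}, "sourceIPAddress": "kms.amazonaws.com"},
])


def is_root_activity(record: dict) -> bool:
    """Python equivalent of ROOT_USAGE_FILTER: a person or key acting as root,
    not an AWS service invoking an action on root's behalf."""
    identity = record.get("userIdentity", {})
    return (
        identity.get("type") == "Root"
        and "invokedBy" not in identity
        and record.get("eventType") != "AwsServiceEvent"
    )


def find_root_activity(log_lines: str) -> list:
    """Scan newline-delimited CloudTrail records and return
    (eventTime, eventName, sourceIPAddress) for each root hit.
    Malformed lines are skipped so one bad record does not stop the scan."""
    hits = []
    for line in log_lines.splitlines():
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if is_root_activity(record):
            hits.append((record.get("eventTime"), record.get("eventName"), record.get("sourceIPAddress")))
    return hits


if __name__ == "__main__":
    for hit in find_root_activity(SAMPLE_LOG_LINES):
        print("ALERT root activity:", hit)  # only record 1 is reported
```

In the real pipeline the filter pattern string is what goes into the metric filter; the alarm then fires on the metric count and publishes to SNS.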
Exam tip
- Audit API calls = CloudTrail.
- Audit / track resource state = AWS Config.
- Detect/respond in real time = EventBridge (often fed by CloudTrail or Config).