CloudGuild · Blog · Cheat sheets · Lessons · Certifications
AWS CloudTrail & AWS Config — Monitoring and Compliance
AWS CloudTrail and AWS Config provide essential monitoring and compliance capabilities for your AWS resources.
What it is
- AWS CloudTrail: A service that enables governance, compliance, and operational and risk auditing of your AWS account by logging API calls.
- AWS Config: A service that enables you to assess, audit, and evaluate the configurations of your AWS resources.
When I reach for it
- Use CloudTrail to track user activity and API usage across AWS services.
- Use Config to ensure compliance with internal policies and regulatory standards by tracking configuration changes and relationships between resources.
Key architectural decisions
- Choose CloudTrail for detailed event history versus Config for configuration history.
- Enable multi-region trails in CloudTrail for comprehensive logging across all regions.
- Leverage Config Rules to automatically evaluate resource configurations against best practices or compliance standards.
Gotchas & exam traps
- CloudTrail logs are not real-time; there's a delay in log delivery that can impact immediate auditing needs.
- Config does not retain historical configuration data indefinitely; plan retention according to compliance requirements.
The architect view
- Both services are crucial for a robust security posture; integrate them with Amazon CloudWatch for alerts and notifications.
- Ensure proper IAM policies are in place to manage access to CloudTrail logs and Config data.