AWS CloudTrail vs CloudWatch (with examples)


What is the difference between Amazon CloudWatch and AWS CloudTrail?

Amazon CloudWatch is a monitoring service that gives you visibility into the performance and health of your AWS resources and applications, whereas AWS CloudTrail records the API calls and other account activity in your AWS account (who did what, from where, and when) for risk auditing, compliance and security monitoring.

If you are studying for an AWS certification exam, you may come across questions where you are presented with a scenario and have to decide whether CloudWatch or CloudTrail is the right service. In this post we will walk through several examples and use cases for CloudWatch and CloudTrail to get a better understanding of what each service does.

AWS CloudTrail vs. CloudWatch

A quick way to remember each service is to think of CloudWatch as a way to “watch” how your resources are doing, whereas CloudTrail gives you a “trail” of who did what within your AWS environment.

Amazon CloudWatch

What is Amazon CloudWatch?

Amazon CloudWatch collects metrics from your AWS resources and lets you monitor the performance and health of your applications. It also ingests log data (CloudWatch Logs) and events, and lets you graph the resulting metrics on dashboards so that you can see how your resources are performing. This helps you spot spikes or anomalies in your infrastructure and decide which actions to take. CloudWatch alarms watch a metric and notify you, or trigger an automated response, when the metric crosses a threshold.

For EC2, basic monitoring publishes metrics at 5-minute intervals at no extra charge; detailed monitoring, which is enabled per instance and billed separately, publishes them every minute. Note that memory usage and disk space are not among the default EC2 metrics, since the hypervisor cannot see inside the guest; to collect those you need the CloudWatch agent running on the instance.

Figure: examples of CloudWatch metrics as seen from the EC2 Monitoring tab.

Examples and Use Cases for Amazon CloudWatch

  • Monitoring & Troubleshooting: Let’s say you notice that one of your applications hosted on an EC2 instance is running slower than usual. To figure out whether it is an infrastructure issue, you could look at the CloudWatch metrics for that EC2 instance, such as CPU utilization, disk read/write operations and network traffic. If your application writes its logs to CloudWatch Logs (through the CloudWatch agent or the SDK), you can also search and analyze them there to troubleshoot at the application level.
  • Automated response actions: You can create alarms that enter the ALARM state when a metric crosses a threshold and automatically set off a response action. For example, you could create an alarm on the average CPU utilization of an Auto Scaling group that triggers above 80% and attach a scaling policy that adds instances to the group. Alarm actions fire when the alarm changes state, not on every evaluation period in which it remains in ALARM.
  • Resource Allocation: CloudWatch can help you determine which resources are over- or under-utilized and thereby help you optimize resource and cost allocation.

AWS CloudTrail

What is AWS CloudTrail?

AWS CloudTrail logs account activity, in the form of API calls, across your infrastructure so that you can understand who did what within your environment. It records actions taken through the AWS Management Console, AWS SDKs, command line tools and other AWS services, along with the caller’s identity, source IP address and timestamp. This data can be used for risk auditing, compliance, security analysis and anomaly detection. Note that the Event history view in the console only covers the last 90 days of management events; to retain logs longer, and to capture data events such as S3 object-level operations, create a trail that delivers log files to an S3 bucket (and optionally to CloudWatch Logs).


Figure: examples of different events logged to CloudTrail.

This screenshot of the CloudTrail event history shows a list of events, filtered by a specific user name. In this example, it shows that I visited S3 and EC2 from the console. Each event can be clicked to get additional details, such as the source IP address, the user agent and the request parameters.

Examples and Use Cases for AWS CloudTrail

  • Troubleshooting: CloudTrail can be used to determine the cause of certain operational issues. For example, CloudTrail allows you to check the event history to determine which resources were recently created, deleted or modified, as well as who made these changes.
  • Anomaly Detection: CloudTrail Insights, an optional feature enabled per trail, compares the rate of API calls and API errors against the account’s normal baseline, records an Insights event when it sees an unusual spike, and lets you alert on those events.
  • Security, compliance and risk auditing: CloudTrail gives you an event history should you need to go back and check past events. For example, if it is suspected that a user account was compromised, CloudTrail can be used to review all activities performed by that user, including the source IP addresses the calls came from. CloudTrail can also be used in conjunction with other services, such as CloudWatch Logs metric filters or Amazon EventBridge, to trigger an action in response to certain events. For example, it could detect when a user modifies a security group or performs other actions not allowed by your organization and trigger a response.

AWS Certification: CloudWatch & CloudTrail Questions

As we have seen so far, each of these services has its own specific use cases. It is important to note that in many cases both services are used together. For example, you can configure a trail to send CloudTrail events to a CloudWatch Logs log group, define metric filters on that log group for the events you care about, and then create CloudWatch alarms on the resulting metrics.

To help you develop an intuition for which types of use cases fit each service, here are some sample questions or scenarios you might see in an AWS certification exam that deal with CloudWatch or CloudTrail. For each of these scenarios, try to determine which service to use.

  1. An organization is running a script using Lambda and notices that it’s failing. Which service could they use to help troubleshoot this issue?
    Answer: They can look at the function’s CloudWatch Logs log group, where Lambda writes the output and error messages of each invocation, to see what is causing the script to fail.
  2. A company notices that someone deleted all the files in a certain S3 bucket. Which service could they use to figure out who did this?
    Answer: They can check the S3 events logged in CloudTrail, such as the DeleteObject action, and see which user took this action and when. One caveat: S3 object-level operations are data events, which CloudTrail does not log by default, so this only works if data event logging for that bucket was enabled on a trail before the deletion happened.
  3. The operations team wants to monitor the CPU utilization across EC2 instances to make sure an alarm is triggered if it goes above 80%. Which service could they use to monitor this?
    Answer: They can use CloudWatch metrics to monitor this and create an alarm that is triggered based on a CPU utilization threshold.
  4. A company needs to ensure that it can detect if there is ever unusual API activity within their AWS environment and trigger an alarm to notify the security team. How would the company achieve this?
    Answer: They can enable CloudTrail Insights on their trail to detect anomalous API call rates, and, with the trail also delivering to CloudWatch Logs, alarm on the Insights events in CloudWatch so that the security team is notified.
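The CloudTrail use cases above (reviewing a suspected compromised user, catching security group changes) and questions 2 and 4 all come down to reading CloudTrail records and applying rules to them. The following is an added example, not code from the original post or from AWS: it parses a CloudTrail log file, answers "who deleted the objects in this bucket" and "what did this user do", and applies the same checks that CloudWatch Logs metric filters of the kind recommended by the CIS AWS Foundations Benchmark would apply on a log group fed by a trail (each rule carries the equivalent filter pattern in a comment). All records, user names, the account ID, the bucket name and the IP addresses are constructed for the example, and the rule and function names are this example's own.

```python
"""Added example, not from the original post: triaging CloudTrail records the
way CloudWatch Logs metric filters would, plus "who deleted the objects in a
bucket" and "what did a suspected compromised user do".

Records follow the CloudTrail log file layout ({"Records": [...]}) but are
constructed; the account ID, users, bucket and IPs are not real.
"""
import json
from typing import Dict, List, Tuple

ALICE = {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::123456789012:user/alice"}
BOB = {"type": "IAMUser", "userName": "bob", "arn": "arn:aws:iam::123456789012:user/bob"}
ROOT = {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}


def _rec(time, source, name, who, ip="203.0.113.10", **extra) -> Dict:
    """One CloudTrail-style record (constructed test data)."""
    rec = {"eventVersion": "1.08", "eventTime": time, "eventSource": source, "eventName": name,
           "userIdentity": who, "sourceIPAddress": ip, "eventType": "AwsApiCall"}
    rec.update(extra)
    return rec


SAMPLE_LOG = json.dumps({"Records": [
    _rec("2024-05-01T08:00:01Z", "signin.amazonaws.com", "ConsoleLogin", ALICE,
         eventType="AwsConsoleSignIn", additionalEventData={"MFAUsed": "Yes"}),
    _rec("2024-05-01T08:05:12Z", "ec2.amazonaws.com", "DescribeInstances", ALICE),
    _rec("2024-05-01T08:07:40Z", "ec2.amazonaws.com", "StopInstances", ALICE,
         errorCode="Client.UnauthorizedOperation"),
    _rec("2024-05-01T09:12:03Z", "signin.amazonaws.com", "ConsoleLogin", BOB, ip="198.51.100.7",
         eventType="AwsConsoleSignIn", additionalEventData={"MFAUsed": "No"}),
    _rec("2024-05-01T09:15:30Z", "ec2.amazonaws.com", "AuthorizeSecurityGroupIngress", BOB,
         ip="198.51.100.7", requestParameters={"groupId": "sg-0123456789abcdef0"}),
    _rec("2024-05-01T09:16:02Z", "s3.amazonaws.com", "DeleteObject", BOB, ip="198.51.100.7",
         requestParameters={"bucketName": "example-app-logs", "key": "2024/05/app.log"}),
    _rec("2024-05-01T09:16:03Z", "s3.amazonaws.com", "DeleteObject", BOB, ip="198.51.100.7",
         requestParameters={"bucketName": "example-app-logs", "key": "2024/05/db.log"}),
    _rec("2024-05-01T10:00:00Z", "iam.amazonaws.com", "CreateUser", ROOT,
         requestParameters={"userName": "svc-deploy"}),
]})


def load_records(log_text: str) -> List[Dict]:
    """Parse one (ungzipped) CloudTrail log file as delivered to S3."""
    return json.loads(log_text)["Records"]


def actor(rec: Dict) -> str:
    """Human-readable principal: 'root', the IAM user name, or the ARN."""
    ident = rec.get("userIdentity", {})
    if ident.get("type") == "Root":
        return "root"
    return ident.get("userName") or ident.get("arn", "unknown")


# Each rule mirrors a CloudWatch Logs metric filter pattern (quoted in the comment) of
# the kind the CIS AWS Foundations Benchmark recommends for a trail's log group.
SG_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
             "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
             "CreateSecurityGroup", "DeleteSecurityGroup"}


def is_security_group_change(rec: Dict) -> bool:
    # { ($.eventName = AuthorizeSecurityGroupIngress) || ... || ($.eventName = DeleteSecurityGroup) }
    return rec.get("eventName") in SG_EVENTS


def is_root_usage(rec: Dict) -> bool:
    # { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }
    ident = rec.get("userIdentity", {})
    return (ident.get("type") == "Root" and "invokedBy" not in ident
            and rec.get("eventType") != "AwsServiceEvent")


def is_console_login_without_mfa(rec: Dict) -> bool:
    # { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }
    return (rec.get("eventName") == "ConsoleLogin"
            and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def is_unauthorized_call(rec: Dict) -> bool:
    # { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
    code = rec.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


RULES = {"security_group_change": is_security_group_change, "root_usage": is_root_usage,
         "console_login_without_mfa": is_console_login_without_mfa,
         "unauthorized_api_call": is_unauthorized_call}


def triage(records: List[Dict]) -> List[Tuple[str, str, str, str]]:
    """(rule, eventTime, actor, eventName) for every record a rule matches."""
    return [(rule, r["eventTime"], actor(r), r["eventName"])
            for r in records for rule, check in RULES.items() if check(r)]


def who_deleted(records: List[Dict], bucket: str) -> List[Tuple[str, str, str]]:
    """(eventTime, actor, key) for successful object deletions in `bucket`. These
    are S3 data events: present only if data event logging was enabled on a trail."""
    out = []
    for r in records:
        params = r.get("requestParameters") or {}
        if (r.get("eventSource") == "s3.amazonaws.com" and "errorCode" not in r
                and r.get("eventName") in ("DeleteObject", "DeleteObjects")
                and params.get("bucketName") == bucket):
            out.append((r["eventTime"], actor(r), params.get("key", "<multiple keys>")))
    return out


def activity_for(records: List[Dict], user: str) -> List[Tuple[str, str, str]]:
    """Timeline (eventTime, eventName, sourceIPAddress) of one principal, oldest first."""
    return sorted((r["eventTime"], r["eventName"], r["sourceIPAddress"])
                  for r in records if actor(r) == user)
```

On the constructed log, `who_deleted(records, "example-app-logs")` attributes both deletions to bob, `activity_for(records, "bob")` shows his console login without MFA from a new IP, the security group change and the deletions in order, and `triage` raises four findings (alice's denied StopInstances, bob's non-MFA login and security group change, and a CreateUser call made with root credentials). Deployed for real, each rule becomes a metric filter on the log group the trail writes to, with a CloudWatch alarm on the filter's metric notifying the security team.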

Summary

CloudWatch lets you monitor how your AWS resources are doing, while CloudTrail lets you see who did what within your AWS environment. In general, use cases that lean towards visualizing resource metrics, analyzing logs and triggering alarms fit CloudWatch, whereas CloudTrail covers activity history, security and compliance. Keep in mind, though, that in practice both services are usually used together, for example by feeding CloudTrail events into CloudWatch Logs and alarming on them, to get greater visibility into the overall AWS environment.

Additional resources:
CloudWatch Documentation
CloudTrail Documentation
CloudTrail and best practices

