AWS Config vs CloudTrail
Automate Azure SQL Database Lifecycle
28 Jan 2021
How we use Slack to dramatically reduce AWS costs & improve security
11 Feb 2021
A lot of AWS users and DevOps engineers asked us:
What’s the difference between AWS Config and AWS CloudTrail? Why should I choose one over the other?
A good way to think of it is that AWS Config will tell you what your resource state is now or what it was at a specific point in the past whereas CloudTrail will tell you when specific events in the form of API calls have taken place.
How does AWS CloudTrail work?
AWS CloudTrail is a service that records every event inside your AWS environment via the console, SDKs, CLIs & other means. It then stores them in an S3 bucket for inspection later.
There are a number of other ways that CloudTrail events can be leveraged. For example, you can inspect them via the CloudTrail Console or you can use a product like GorillaStack’s Real Time Events to get alerted and trigger remediation by triggering a Lambda from that CloudTrail event.
If you’re working with a particularly large dataset and want to take a look back over a significant period of time, you may wish to consider using AWS Athena to query your CloudTrail events.
What is AWS Config?
AWS Config Rules allow organizations to determine a number of standards for which they would like their configurations to comply. Those rules can be set as Managed Rules. To set Managed Rules, you can choose to use out of the box rules as best practice presets or create Custom Rules on your own which require a lot of tinkering.
The rules, which in the case of Custom Rules operate as Lambda functions, can be run periodically and/or every time a relevant resource changes. If a compliance status changes, a notification will be sent to your SNS topic.
What can I do with Managed AWS Config Rules?
At the time of writing, there are a handful of configurations you can check with Managed Config Rules. This includes essentials such as IAM Policy configuration, S3 Bucket configuration, EC2 compliance, and more. This should stand you in good stead to monitor the fundamentals of your infrastructure. However, it is fairly limited for more complex environments. If you’d like to monitor anything deeper than the essentials, you’ll need to set up Custom Config Rules.
Creating AWS Custom Config rules
If the services that you want to stay abreast of are not covered by Managed Rules, you can always write and deploy your own Custom Rules for AWS Config. These require you to write your own Lambda functions and the code can be fairly involved if you want to write a number of these at scale. There are AWS Config examples out there though which you can deploy or further customize for your own needs.
Should I use AWS CloudTrail or AWS Config for Security?
Sorry to be boring but the answer is that you ought to use both. Config Rules will trigger on a change in the status of your environment and that may not happen immediately. It will often only give you an update on the state itself. For example, a number of events have lead to that state change). They are extremely important for telling you whether your organization was in compliance. When it fell out of compliance, you can identify gaps in time that were at risk.
On the other hand, CloudTrail is a log of every event which details the kinds of things that took place. Also, it helps identify all the causes that may have lead to a security event in the first place. For more information on CloudTrail, check out our detailed guide on CloudTrail vs Cloudwatch.
What’s more, if you’re monitoring them carefully using GorillaStack’s Real Time Events, you can know about and remediate the most important CloudTrail security events in real time. Give it a try and let us know what you think!
First published on 19 Aug 2019. Last updated on 29 Jan 2021.
