AWS Services

CloudTrail vs Config vs CloudWatch vs Trusted Advisor

Compare AWS CloudTrail, AWS Config, Amazon CloudWatch, and AWS Trusted Advisor for audit events, resource state, observability, recommendations, and exam traps.

Level: foundation. 6 min read. Updated 2026-06-02.
Topics: Cloud, Certification, Security, Operations, Tradeoffs
Tags: CloudTrail, AWS Config, CloudWatch, Trusted Advisor, Audit Event, Resource Configuration, Metric, Alarm, Recommendation

After this, you will understand

This comparison removes one of the highest-friction SAA-C03 confusions: which AWS governance or observability service answers which question.

Plain version

CloudTrail records API activity, Config records resource configuration state, CloudWatch monitors metrics and logs, and Trusted Advisor gives best-practice recommendations.

Decision pressure

Learners mistakenly reach for CloudWatch for audit history, CloudTrail for compliance state, Config for runtime metrics, or Trusted Advisor for enforcement.

Exam-ready model

Choose the service based on the question being asked: who did it, what changed, how is it behaving, or what should we improve.

Think before reading: which service answers "who changed this security group?"

CloudTrail shows the API activity and principal; AWS Config can show the security group's configuration history around the change.

Concepts Covered

  • CloudTrail versus Config
  • Config versus CloudWatch
  • CloudWatch versus Trusted Advisor
  • Audit events
  • Resource configuration history
  • Metrics, logs, alarms, and dashboards
  • Best-practice recommendations
  • Compliance evidence
  • Exam wording patterns
  • Common traps

1. Plain-English Mental Model

These four services answer four different questions.

CloudTrail: Who did what through the AWS API?
AWS Config: What did this resource look like, and is it compliant?
CloudWatch: How is the system behaving right now or over time?
Trusted Advisor: What best-practice improvements does AWS recommend?

The confusion happens because all four can appear in security, operations, or governance questions.

The trick is to look for the noun in the question: API call, resource state, metric, log, alarm, compliance rule, or recommendation.

2. Why This Service Exists

This comparison exists because exam questions often describe symptoms rather than naming services.

A question may say "determine who deleted an object," "track whether security groups allow SSH from the internet," "trigger an alert when CPU exceeds a threshold," or "find cost optimization opportunities." Each sounds like operations. Each points to a different service.

CloudTrail exists for account activity and API auditing.

AWS Config exists for resource configuration recording and compliance evaluation.

CloudWatch exists for observability: metrics, logs, dashboards, alarms, and operational signals.

Trusted Advisor exists for account best-practice recommendations across categories such as cost optimization, security, fault tolerance, performance, service limits, and operational excellence.

3. The Naive Approach And Where It Breaks

The naive mental model is:

something operational happened -> use CloudWatch

That breaks because not every operational question is a metric question.

If the question asks who changed a route table, CloudWatch is not the primary answer. CloudTrail is.

If the question asks whether an S3 bucket was public last week, CloudTrail may show API calls, but AWS Config is the better service for configuration history.

If the question asks when CPU crosses 80 percent, Config is irrelevant. CloudWatch alarms fit.

If the question asks for AWS best-practice recommendations, neither CloudTrail nor Config alone is the answer. Trusted Advisor fits.

The exam rewards service boundary clarity.

4. Core Primitives

CloudTrail records events from actions taken by users, roles, and AWS services. Trails deliver events to S3, CloudWatch Logs, and EventBridge. CloudTrail Lake supports queryable event data stores.

AWS Config records configuration items, configuration history, snapshots, relationships, rules, conformance packs, aggregators, and remediation.

CloudWatch collects metrics, logs, dashboards, alarms, and other observability signals. Alarms can trigger actions when a metric crosses a threshold.

Trusted Advisor runs checks and produces recommendations. It is advisory, not preventive enforcement.
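The CloudWatch primitive that matters most on the exam is the alarm, and the part learners usually get wrong is that an alarm does not fire on a single sample. It evaluates the last M datapoints and moves to ALARM when N of them breach. The following Python block is an added example, not code from this page or from AWS; it models that N-of-M rule in plain Python using the same parameter names CloudWatch's PutMetricAlarm uses (Period, EvaluationPeriods, DatapointsToAlarm, Threshold, ComparisonOperator, TreatMissingData). The alarm values and the CPU samples are constructed, and only the "breaching" and "notBreaching" missing-data modes are modelled.

```python
"""Added example (not from the page or AWS): a small model of how a CloudWatch
metric alarm decides OK / ALARM / INSUFFICIENT_DATA from its last M datapoints."""
import operator

# Alarm definition using PutMetricAlarm parameter names. Values are constructed.
CPU_ALARM = {
    "AlarmName": "example-high-cpu",
    "Namespace": "AWS/EC2",
    "MetricName": "CPUUtilization",
    "Statistic": "Average",
    "Period": 300,                  # seconds covered by one datapoint
    "EvaluationPeriods": 3,         # M: evaluate the last 3 datapoints
    "DatapointsToAlarm": 2,         # N: 2 of those 3 must breach
    "Threshold": 80.0,
    "ComparisonOperator": "GreaterThanThreshold",
    "TreatMissingData": "notBreaching",
}

COMPARATORS = {
    "GreaterThanThreshold": operator.gt,
    "GreaterThanOrEqualToThreshold": operator.ge,
    "LessThanThreshold": operator.lt,
    "LessThanOrEqualToThreshold": operator.le,
}


def breaches(alarm, value):
    """True when one datapoint breaches the threshold. A missing datapoint
    (None) follows TreatMissingData; only 'breaching' and 'notBreaching'
    are modelled here, which is a simplification of the real service."""
    if value is None:
        return alarm["TreatMissingData"] == "breaching"
    return COMPARATORS[alarm["ComparisonOperator"]](value, alarm["Threshold"])


def alarm_state(alarm, datapoints):
    """Apply the N-of-M rule to the most recent datapoints (oldest first)."""
    m, n = alarm["EvaluationPeriods"], alarm["DatapointsToAlarm"]
    window = datapoints[-m:]
    if len(window) < m:
        return "INSUFFICIENT_DATA"  # not enough periods observed yet
    breaching = sum(1 for v in window if breaches(alarm, v))
    return "ALARM" if breaching >= n else "OK"


def state_timeline(alarm, datapoints):
    """State after each successive datapoint, showing how the window slides."""
    return [alarm_state(alarm, datapoints[:i + 1]) for i in range(len(datapoints))]


if __name__ == "__main__":
    # Constructed 5-minute CPU averages: one spike, then a sustained breach.
    cpu = [40.0, 85.0, 50.0, 90.0, 95.0, 30.0, 20.0]
    for value, state in zip(cpu, state_timeline(CPU_ALARM, cpu)):
        print(f"{value:5.1f}% -> {state}")
```

The 2-of-3 setting is what keeps the single 85 percent spike from paging anyone while still catching the 90 and 95 pair; tightening it to 1-of-1 makes the alarm noisy, and widening it delays detection by whole periods. The trade-off between those two is the detection-engineering decision hidden behind "trigger an alert when CPU exceeds a threshold".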

The clean exam mapping is:

Need                                   Service
API audit trail                        CloudTrail
Resource configuration timeline        AWS Config
Compliance rule evaluation             AWS Config
Metrics and alarms                     CloudWatch
Application or infrastructure logs     CloudWatch Logs
Best-practice recommendations          Trusted Advisor
Cost, quota, security suggestions      Trusted Advisor

5. Architecture Use Cases

Use CloudTrail for security investigations:

who called DeleteBucketPolicy, from where, and when?

Use AWS Config for compliance and drift:

which security groups allow SSH from 0.0.0.0/0, and when did that become true?

Use CloudWatch for runtime visibility:

is CPU high, are errors increasing, are logs showing failures, should an alarm fire?

Use Trusted Advisor for account review:

which resources are underused, risky, missing redundancy, or close to service limits?

In mature environments, these services work together. Config identifies noncompliant resource state. CloudTrail helps identify the actor. CloudWatch alarms on operational symptoms. Trusted Advisor surfaces broader recommendations.
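The two investigation questions above, "which security groups allow SSH from 0.0.0.0/0, and when did that become true?" and "who called DeleteBucketPolicy, from where, and when?", map onto two different data shapes: Config configuration items and CloudTrail event records. The following Python block is an added example, not code from this page or from AWS, and it does not call any AWS API. It evaluates a constructed Config-style configuration history the way a custom Config rule would, finds the capture time at which the group became NON_COMPLIANT, and then searches constructed CloudTrail records for the ingress change that produced it, which is exactly the "Config finds the state, CloudTrail finds the actor" pairing described above. The security group id, account id, user names, IP addresses and timestamps are all invented; the field names follow the EC2 security group and CloudTrail event formats.

```python
"""Added example (not from the page or AWS): Config-style compliance check over a
security group's history, then CloudTrail lookup of the responsible principal."""

# Constructed Config-style configuration history for one security group.
# "configuration" mirrors the EC2 security group shape (IpPermissions/IpRanges),
# trimmed to the fields the check needs. Group id and times are invented.
CONFIG_HISTORY = [
    {
        "resourceId": "sg-0123456789abcdef0",
        "configurationItemCaptureTime": "2026-05-01T09:00:00Z",
        "configuration": {"IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        ]},
    },
    {
        "resourceId": "sg-0123456789abcdef0",
        "configurationItemCaptureTime": "2026-05-03T14:22:10Z",
        "configuration": {"IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "0.0.0.0/0"}]},
        ]},
    },
]

# Constructed CloudTrail records; field names follow the CloudTrail event format.
CLOUDTRAIL_RECORDS = [
    {
        "eventTime": "2026-05-03T14:22:05Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"groupId": "sg-0123456789abcdef0"},
    },
    {
        "eventTime": "2026-05-03T15:00:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "DeleteBucketPolicy",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/Admin/bob"},
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"bucketName": "example-bucket"},
    },
]


def rule_opens_ssh_to_internet(rule):
    """True when one IpPermissions entry allows TCP/22 from 0.0.0.0/0.
    IpProtocol "-1" means all protocols and carries no port range."""
    proto = rule.get("IpProtocol")
    if proto == "tcp":
        if not (rule.get("FromPort", 0) <= 22 <= rule.get("ToPort", 65535)):
            return False
    elif proto != "-1":
        return False
    return any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", []))


def evaluate_compliance(config_item):
    """Config-rule style verdict for one configuration item."""
    rules = config_item["configuration"].get("IpPermissions", [])
    return "NON_COMPLIANT" if any(rule_opens_ssh_to_internet(r) for r in rules) else "COMPLIANT"


def first_noncompliant_capture(history):
    """When did the resource first become NON_COMPLIANT? (Config's question)"""
    for item in sorted(history, key=lambda i: i["configurationItemCaptureTime"]):
        if evaluate_compliance(item) == "NON_COMPLIANT":
            return item["configurationItemCaptureTime"]
    return None


def principal_of(record):
    """Best available identity string from a CloudTrail userIdentity block."""
    ident = record["userIdentity"]
    return ident.get("arn") or ident.get("userName") or ident.get("type")


def find_calls(records, event_name):
    """Who called event_name, from where, and when? (CloudTrail's question)"""
    return [{"who": principal_of(r), "from": r["sourceIPAddress"], "when": r["eventTime"]}
            for r in records if r["eventName"] == event_name]


def find_actor(records, group_id, not_after):
    """Latest ingress change to group_id at or before the Config capture time.
    ISO-8601 UTC timestamps in one format compare correctly as strings."""
    hits = [r for r in records
            if r["eventName"] == "AuthorizeSecurityGroupIngress"
            and r.get("requestParameters", {}).get("groupId") == group_id
            and r["eventTime"] <= not_after]
    if not hits:
        return None
    r = max(hits, key=lambda rec: rec["eventTime"])
    return {"who": principal_of(r), "from": r["sourceIPAddress"], "when": r["eventTime"]}


if __name__ == "__main__":
    when = first_noncompliant_capture(CONFIG_HISTORY)
    print("Config: first NON_COMPLIANT capture:", when)
    print("CloudTrail: actor:", find_actor(CLOUDTRAIL_RECORDS, "sg-0123456789abcdef0", when))
    print("CloudTrail: DeleteBucketPolicy callers:",
          find_calls(CLOUDTRAIL_RECORDS, "DeleteBucketPolicy"))
```

Note the order of the two timestamps: the CloudTrail event (14:22:05) precedes the Config capture (14:22:10), because Config records the resulting state after the API call completes. Searching CloudTrail for the last matching call at or before the capture time is how the two sources are joined in practice.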

7. Security Model

CloudTrail security focuses on protecting audit logs and limiting who can disable or modify trails.

Config security focuses on protecting configuration history, rule definitions, delivery buckets, and remediation roles.

CloudWatch security focuses on log data, metrics, dashboards, alarm actions, and cross-account observability access.

Trusted Advisor security focuses on who can view findings because findings may reveal sensitive weaknesses.

Centralized account strategy matters for all four. A log archive or security account can protect evidence from workload account administrators.

Use IAM and SCPs to prevent disabling logging, compliance recording, or monitoring where those controls are mandatory.
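The last sentence is the preventive half of the model: none of the four services can stop a workload-account administrator from switching them off, so the guard lives in IAM and SCPs. The following Python block is an added example, not code from this page or from AWS. It builds an SCP that denies the API actions which disable or destroy trails, Config recorders, alarms and log groups, exempts one constructed central security role via an ArnNotLike condition on aws:PrincipalARN, and includes a deliberately small matcher so you can check which of a candidate list of actions the policy would block for a given principal. The action names and condition key are real IAM identifiers; the role name and account id are invented, and the matcher models only Deny statements with that one condition, not full IAM policy evaluation.

```python
"""Added example (not from the page or AWS): an SCP that protects the audit and
monitoring controls, plus a tiny matcher to see which actions it blocks."""
import fnmatch
import json

# Constructed SCP. Action names are real CloudTrail, Config, CloudWatch and
# CloudWatch Logs IAM actions; the role name in the condition is invented.
PROTECT_AUDIT_CONTROLS_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyDisablingAuditAndMonitoring",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail",
                "cloudtrail:PutEventSelectors",
                "config:StopConfigurationRecorder",
                "config:DeleteConfigurationRecorder",
                "config:DeleteDeliveryChannel",
                "config:DeleteConfigRule",
                "cloudwatch:DeleteAlarms",
                "cloudwatch:DisableAlarmActions",
                "logs:DeleteLogGroup",
            ],
            "Resource": "*",
            # Only the central security role (constructed name) may touch these.
            "Condition": {
                "ArnNotLike": {
                    "aws:PrincipalARN": "arn:aws:iam::*:role/SecurityAuditAdmin"
                }
            },
        }
    ],
}


def policy_document():
    """JSON text as it would be supplied when creating the policy."""
    return json.dumps(PROTECT_AUDIT_CONTROLS_SCP, indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def scp_denies(policy, action, principal_arn):
    """Does any Deny statement match this action for this principal?
    Models Action lists with '*'/'?' wildcards (case-insensitive, as IAM treats
    action names) and an ArnNotLike condition on aws:PrincipalARN. Nothing else
    from IAM evaluation is modelled."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        patterns = _as_list(stmt["Action"])
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            continue
        exempt = _as_list(stmt.get("Condition", {})
                          .get("ArnNotLike", {})
                          .get("aws:PrincipalARN", []))
        if any(fnmatch.fnmatchcase(principal_arn, pat) for pat in exempt):
            continue  # ArnNotLike is false for this principal, so the Deny does not apply
        return True
    return False


def blocked_actions(policy, candidate_actions, principal_arn):
    """Subset of candidate_actions the policy would deny for principal_arn."""
    return [a for a in candidate_actions if scp_denies(policy, a, principal_arn)]


if __name__ == "__main__":
    dev = "arn:aws:iam::123456789012:role/Developer"  # constructed
    probe = ["cloudtrail:StopLogging", "cloudtrail:LookupEvents",
             "config:StopConfigurationRecorder", "logs:DeleteLogGroup"]
    print("Blocked for Developer:", blocked_actions(PROTECT_AUDIT_CONTROLS_SCP, probe, dev))
    print(policy_document())
```

Two caveats worth remembering with this pattern: an SCP applies only to member accounts, never to the organization's management account, so the trail and the Config delivery bucket should live in a dedicated log archive or security account as the paragraph above describes; and a Deny on the control plane does nothing about log data already delivered, which is why the S3 bucket policy on the archive bucket needs its own protection.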

8. Reliability And Resilience

CloudTrail improves investigation reliability by preserving API activity.

AWS Config improves governance reliability by preserving resource state and evaluating compliance.

CloudWatch improves operational reliability by detecting runtime symptoms and triggering alarms.

Trusted Advisor improves review reliability by surfacing known best-practice gaps.

None of these services by itself makes an application resilient. They provide visibility, evidence, alerts, or recommendations. The architecture still needs multi-AZ design, backups, autoscaling, decoupling, tested recovery, and operational response.

The right design often uses more than one of these services.

9. Performance And Scaling

CloudWatch is the most directly connected to performance monitoring because it collects metrics and logs.

CloudTrail can reveal API throttling patterns, failed API calls, or unusual activity, but it is not a performance dashboard.

Config can detect whether resources are configured according to policy, but it is not a low-latency performance monitor.

Trusted Advisor can recommend performance or quota improvements, but it does not replace load testing or real-time metrics.

At organization scale, centralization matters. CloudWatch cross-account observability, organization trails, Config aggregators, and Trusted Advisor organizational views help teams work across accounts.

10. Cost Model

CloudTrail costs depend on trails, data events, CloudTrail Lake, storage, and queries.

AWS Config costs depend on configuration items, rule evaluations, conformance packs, and related remediation services.

CloudWatch costs depend on custom metrics, logs ingestion and storage, alarms, dashboards, traces, and related observability features.

Trusted Advisor feature access depends on AWS Support plan and check availability.

Cost traps often come from turning everything on everywhere without a plan. That does not mean avoiding observability or governance. It means choosing retention, scope, rule frequency, data events, log volume, and account strategy deliberately.

12. SAA-C03 Exam Signals

"Who performed this API action?" points to CloudTrail.

"Last 90 days of management events" points to CloudTrail Event history.

"Deliver API activity logs to S3" points to a CloudTrail trail.

"Track resource configuration history" points to AWS Config.

"Evaluate compliance with rules" points to AWS Config.

"CPU alarm, custom metric, dashboard, or log query" points to CloudWatch.

"Best-practice recommendations for cost, security, fault tolerance, performance, or service limits" points to Trusted Advisor.

"Prevent action before it happens" may point to IAM, SCPs, or Control Tower preventive controls, not these services alone.

13. Common Exam Traps

Do not use CloudWatch when the question asks who made an API call.

Do not use CloudTrail when the question asks for current resource compliance across accounts.

Do not use Config as a runtime metrics alarm service.

Do not use Trusted Advisor as enforcement.

Do not expect a single service to answer both "who did it" and "is it compliant now" unless the question accepts using multiple services.

Do not forget organization-level designs: CloudTrail, Config, CloudWatch, and Trusted Advisor all become more useful when account strategy is clear.

Review AWS CloudTrail, AWS Config, Amazon CloudWatch, AWS Trusted Advisor, and AWS Organizations.
