This chapter covers AWS CloudTrail and AWS Config, two foundational services for governance, compliance, and operational auditing. For the SOA-C02 exam, approximately 10-15% of questions touch on monitoring and logging, and CloudTrail and Config are heavily tested within that domain. Understanding the differences, integration points, and common configurations is critical for passing the exam. You will learn how to enable, configure, and interpret logs from both services, as well as how to use them to meet compliance requirements and troubleshoot security incidents.
Imagine a high-security warehouse. AWS CloudTrail is like a set of security cameras that record every action: who entered which door, what they picked up, and when they left. The footage is stored in a secure vault (S3) and can be searched later. If a box goes missing, you review the tapes to see exactly who handled it last. AWS Config is like an inventory system that constantly scans the warehouse and takes snapshots of every shelf's contents. It knows the current state of each item and can alert you if something is moved to a restricted area or if a shelf is not compliant with safety regulations. While CloudTrail answers "who did what and when," Config answers "what is the current state of everything and is it compliant?" Both are essential for auditing and security, but they serve different purposes. The exam tests your ability to choose the right tool for the scenario: CloudTrail for user activity and API calls, Config for resource configuration changes and compliance rules.
What is AWS CloudTrail?
AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. It logs every API call made to the AWS Management Console, AWS SDKs, command line tools, and other AWS services. CloudTrail records the who, what, when, and where of every action taken in your account.
How CloudTrail Works
When an API call is made, CloudTrail captures the event and delivers it to an S3 bucket (for long-term storage) and optionally to CloudWatch Logs (for real-time monitoring). Each event includes details like the identity of the caller (IAM user or role), the time of the call, the source IP address, the request parameters, and the response elements. CloudTrail can log events from all regions (default) or a single region. The default retention period for CloudTrail events in the management console is 90 days, but logs stored in S3 persist until you delete them.
Key Components of CloudTrail
Trail: A configuration that enables delivery of events to an S3 bucket. You can have up to 5 trails per region; a trail that applies to all regions counts as one trail in each region.
Management Events: Control plane operations like creating/terminating EC2 instances, IAM policy changes, etc. These are logged by default.
Data Events: Data plane operations like S3 object-level operations (GetObject, PutObject) or Lambda function invocations. These are not logged by default and incur additional costs.
Insights Events: Analysis of normal vs. anomalous API activity using machine learning. Helps detect unusual patterns.
CloudWatch Logs Integration: You can send events to CloudWatch Logs for metric filters and alarms.
CloudTrail Event Structure
A typical CloudTrail event in JSON format includes:
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "IAMUser",
    "arn": "arn:aws:iam::123456789012:user/Admin",
    "accountId": "123456789012",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "userName": "Admin"
  },
  "eventTime": "2023-01-01T00:00:00Z",
  "eventSource": "ec2.amazonaws.com",
  "eventName": "RunInstances",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "203.0.113.0",
  "userAgent": "console.amazonaws.com",
  "requestParameters": {
    "instanceType": "t2.micro",
    "imageId": "ami-0abcdef1234567890"
  },
  "responseElements": {
    "instancesSet": {
      "items": [
        {
          "instanceId": "i-1234567890abcdef0"
        }
      ]
    }
  }
}
CloudTrail Log File Integrity Validation
CloudTrail can optionally produce digest files for log file validation. Each digest lists the log files delivered in its window together with a SHA-256 hash of each file, and the digest itself is digitally signed, so you can verify after the fact that a log file has not been modified, deleted, or replaced since delivery.
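The hash side of that check is easy to reproduce offline. The following is an added example, not code from the original page or from AWS: it builds a digest in the shape of CloudTrail's logFiles/hashValue entries from constructed sample log contents, verifies each referenced file's SHA-256 hash, and walks the previousDigestHashValue chain between consecutive digests. The bucket name, object keys, and log contents are constructed; the RSA signature that CloudTrail puts on a real digest is not reproduced here, and in practice you let aws cloudtrail validate-logs do both checks against the real files in S3.

```python
"""Offline hash verification of CloudTrail-style digest files (added example).

Constructed sample data throughout; the digest layout mirrors the logFiles /
hashValue / previousDigestHashValue fields of a real CloudTrail digest but
omits the signature, which `aws cloudtrail validate-logs` checks for you.
"""
import hashlib
import json

# Constructed object keys and uncompressed log file contents (what you would
# read back from S3 after gunzip).
KEY_A = "AWSLogs/123456789012/CloudTrail/us-east-1/2023/01/01/log-a.json"
KEY_B = "AWSLogs/123456789012/CloudTrail/us-east-1/2023/01/01/log-b.json"
LOG_FILES = {
    KEY_A: b'{"Records":[{"eventName":"RunInstances","eventSource":"ec2.amazonaws.com"}]}',
    KEY_B: b'{"Records":[{"eventName":"CreateBucket","eventSource":"s3.amazonaws.com"}]}',
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_digest(log_files: dict, previous_digest_hash):
    """Constructed digest: one logFiles entry per delivered log file."""
    return {
        "digestS3Bucket": "my-bucket",  # constructed bucket name
        "previousDigestHashValue": previous_digest_hash,  # None for the first digest
        "logFiles": [
            {
                "s3Bucket": "my-bucket",
                "s3Object": key,
                "hashAlgorithm": "SHA-256",
                "hashValue": sha256_hex(content),
            }
            for key, content in sorted(log_files.items())
        ],
    }


def digest_hash(digest: dict) -> str:
    """Hash of a digest's canonical JSON; stands in for hashing the digest file bytes."""
    return sha256_hex(json.dumps(digest, sort_keys=True).encode())


def verify_digest(digest: dict, fetch):
    """Check every log file the digest references.

    `fetch(key)` returns the file bytes or None if the object is gone.
    Returns (ok, problems); a missing file is as serious as a modified one,
    because deletion is one of the things validation is meant to catch.
    """
    problems = []
    for entry in digest["logFiles"]:
        data = fetch(entry["s3Object"])
        if data is None:
            problems.append("missing: " + entry["s3Object"])
        elif entry["hashAlgorithm"] != "SHA-256":
            problems.append("unexpected algorithm: " + entry["hashAlgorithm"])
        elif sha256_hex(data) != entry["hashValue"]:
            problems.append("hash mismatch: " + entry["s3Object"])
    return (not problems, problems)


def verify_chain(digests: list) -> bool:
    """Oldest to newest, each digest must name the hash of the one before it."""
    for older, newer in zip(digests, digests[1:]):
        if newer["previousDigestHashValue"] != digest_hash(older):
            return False
    return True


# Two consecutive delivery windows, chained together.
DIGEST_1 = build_digest({KEY_A: LOG_FILES[KEY_A]}, None)
DIGEST_2 = build_digest({KEY_B: LOG_FILES[KEY_B]}, digest_hash(DIGEST_1))

if __name__ == "__main__":
    print("digest 2 against intact files:", verify_digest(DIGEST_2, LOG_FILES.get))
    tampered = dict(LOG_FILES)
    tampered[KEY_B] = b'{"Records":[]}'  # someone "cleaned" the log after delivery
    print("digest 2 against tampered files:", verify_digest(DIGEST_2, tampered.get))
    print("chain intact:", verify_chain([DIGEST_1, DIGEST_2]))
```

Note that the chain check is what makes the scheme more than a per-file checksum: an attacker who can overwrite a log file in the bucket would also have to rewrite every later digest, and those are signed with a key they do not hold.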
What is AWS Config?
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. It records resource configuration changes and evaluates them against desired configurations (rules). Config provides a detailed view of the configuration history of each resource and helps you ensure compliance with internal policies and regulatory standards.
How AWS Config Works
AWS Config continuously monitors and records your AWS resource configurations. When a resource is created, modified, or deleted, Config records the change as a configuration item (CI). Each CI includes metadata about the resource, its relationships to other resources, and the time of the change. Config also allows you to define rules (AWS managed or custom) that evaluate whether your resources comply with your desired configurations. If a resource violates a rule, Config generates a compliance change notification.
Key Components of AWS Config
Configuration Recorder: The component that discovers and records resource configurations. You must set up a recorder per region.
Configuration Items (CIs): A record of the configuration of a resource at a point in time. Each CI includes resource metadata, relationships, and the configuration snapshot.
Configuration History: A collection of CIs for a resource over time, stored in an S3 bucket.
Configuration Snapshot: A point-in-time snapshot of all resources in a region, delivered to an S3 bucket.
Config Rules: Rules that evaluate whether your resources comply with desired configurations. Rules can be AWS managed (e.g., required-tags) or custom Lambda functions.
Compliance Timeline: A visual timeline showing compliance status changes for each resource.
Remediation Actions: Automated remediation using AWS Systems Manager Automation documents.
AWS Config Rules Evaluation
Config rules are evaluated periodically (e.g., every 10 minutes for some managed rules) or on configuration changes. When a rule is triggered, Config evaluates the resource against the rule logic and returns one of: COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE, or INSUFFICIENT_DATA. You can set up remediation actions to automatically fix non-compliant resources.
Integration Between CloudTrail and Config
CloudTrail and Config complement each other. CloudTrail logs the API calls that change resources, while Config records the resulting configuration state. For example, if an IAM user calls CreateBucket, CloudTrail logs that API call. Config then detects the new bucket and records its configuration. If you have a rule that requires buckets to be encrypted, Config will evaluate the new bucket and mark it as non-compliant if encryption is not enabled.
CloudTrail vs. Config: When to Use Which
Use CloudTrail when you need to answer "who made this API call and when?" – for security investigations, audit trails, and compliance with regulations like PCI DSS or SOC.
Use AWS Config when you need to answer "what is the current configuration of my resources?" – for tracking configuration changes, ensuring compliance with internal policies, and detecting configuration drift.
Exam-Relevant Details
CloudTrail is regionally specific but can be configured to deliver logs from all regions to a single S3 bucket (multi-region trail).
CloudTrail logs are delivered to S3 within 15 minutes of the API call, typically faster.
AWS Config supports a limited set of resource types – not all AWS services are supported. Check the supported resource types list.
AWS Config rules can trigger on configuration changes or on a periodic schedule (e.g., every 10 minutes).
Both services support cross-account logging – CloudTrail can deliver logs to a centralized S3 bucket in another account; Config can aggregate compliance data from multiple accounts using an aggregator.
Common CLI Commands
# Create a CloudTrail trail (add --is-multi-region-trail for all regions)
aws cloudtrail create-trail --name my-trail --s3-bucket-name my-bucket
# Start logging
aws cloudtrail start-logging --name my-trail
# List trails
aws cloudtrail list-trails
# Enable AWS Config (recorder + delivery channel); the IAM role is required and must be assumable by Config
aws configservice subscribe --s3-bucket my-bucket --sns-topic arn:aws:sns:us-east-1:123456789012:config-topic --iam-role arn:aws:iam::123456789012:role/config-role
# List config rules
aws configservice describe-config-rules
# Get compliance details
aws configservice get-compliance-details-by-config-rule --config-rule-name required-tags
Enable CloudTrail in all regions
Create a trail that applies to all regions. In the CloudTrail console, choose 'Create trail', give it a name, select 'Apply trail to all regions' (recommended for comprehensive auditing). Specify an S3 bucket to store logs. Optionally enable log file validation and CloudWatch Logs integration. This ensures all management events across all regions are captured in a single bucket.
Configure CloudTrail for data events
By default, CloudTrail logs management events. To log data events (e.g., S3 object-level operations), you must explicitly select them. In the trail configuration, under 'Data events', choose the data event type (e.g., S3) and optionally filter by bucket or Lambda function. Note that data events incur additional costs and can generate high volumes of logs.
Set up AWS Config recorder
In the AWS Config console, click 'Get started'. Specify an S3 bucket for configuration history and snapshots, and an SNS topic for notifications. Choose the resource types to record (or all supported types). Config will start recording configuration changes immediately. The first snapshot may take a few minutes to deliver.
Create AWS Config rules
Select from AWS managed rules or create custom rules using Lambda. For example, choose the managed rule 's3-bucket-public-read-prohibited' to ensure no S3 buckets are publicly readable. Configure the rule to trigger on configuration changes or periodically (e.g., every 10 minutes). Set up remediation actions if needed, like applying a bucket policy.
Review CloudTrail and Config logs
Access CloudTrail logs in the S3 bucket or use CloudTrail event history in the console (last 90 days). For Config, view configuration timeline and compliance dashboard in the console. Use CloudWatch Logs Insights to query CloudTrail logs for specific API calls. For Config, use the compliance dashboard to identify non-compliant resources and take corrective action.
Enterprise Scenario 1: Security Incident Investigation
A financial services company needs to investigate a data breach. They use CloudTrail to identify that an IAM user with administrative privileges called s3:GetObject on a sensitive bucket from an unusual IP address at 3 AM. The CloudTrail log shows the user's ARN, the source IP, and the request parameters. They then use AWS Config to check the bucket's current configuration – they find that the bucket policy was changed to allow public access 2 hours before the breach. Config's configuration timeline shows the exact change and the previous policy. The security team can now trace the responsible user and revert the policy. In production, they maintain a multi-region trail sending logs to a centralized S3 bucket in a security account, with log file validation enabled to ensure integrity. They also have Config rules that alert on any public access changes and automatically remediate using an SSM automation document.
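The triage step in this scenario, run over CloudTrail records rather than by eye, as an added example that is not part of the original page or any AWS tooling. It reads a CloudTrail log file (the Records array), keeps only s3 GetObject data events against buckets you have marked sensitive, and flags those made from outside a trusted network range or outside business hours. The bucket names, trusted CIDR, business-hours window, and all four records are constructed; note that the GetObject records it looks for only exist if data events were enabled on the trail for that bucket.

```python
"""Flag anomalous S3 GetObject data events in a CloudTrail log (added example).

Sample records and thresholds are constructed for this illustration.
"""
import ipaddress
import json
from datetime import datetime

SENSITIVE_BUCKETS = {"customer-records"}                   # constructed
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed corporate range
BUSINESS_HOURS_UTC = range(8, 19)                           # 08:00-18:59 UTC, constructed

# Constructed CloudTrail records: S3 data events plus one management event.
SAMPLE_RECORDS = [
    {
        "eventTime": "2023-01-01T03:00:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Admin"},
        "requestParameters": {"bucketName": "customer-records", "key": "export/2022-12.csv"},
    },
    {
        "eventTime": "2023-01-01T14:00:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject", "sourceIPAddress": "203.0.113.25",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Analyst"},
        "requestParameters": {"bucketName": "customer-records", "key": "export/2022-12.csv"},
    },
    {
        "eventTime": "2023-01-01T03:05:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Admin"},
        "requestParameters": {"bucketName": "public-assets", "key": "logo.png"},
    },
    {
        "eventTime": "2023-01-01T03:10:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Admin"},
        "requestParameters": {"instanceType": "t2.micro"},
    },
]
SAMPLE_LOG = json.dumps({"Records": SAMPLE_RECORDS})


def is_trusted_ip(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        # Calls made on your behalf by another AWS service carry a service
        # hostname here instead of an address; treat them as untrusted for triage.
        return False
    return any(ip in net for net in TRUSTED_NETWORKS)


def flag_record(rec: dict) -> list:
    """Return the list of reasons a record is suspicious (empty if it is not)."""
    if rec.get("eventSource") != "s3.amazonaws.com" or rec.get("eventName") != "GetObject":
        return []
    if rec.get("requestParameters", {}).get("bucketName") not in SENSITIVE_BUCKETS:
        return []
    reasons = []
    if not is_trusted_ip(rec.get("sourceIPAddress", "")):
        reasons.append("untrusted source IP")
    hour = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").hour
    if hour not in BUSINESS_HOURS_UTC:
        reasons.append("outside business hours")
    return reasons


def triage(log_text: str) -> list:
    """Parse one CloudTrail log file and return the flagged accesses with context."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        reasons = flag_record(rec)
        if reasons:
            findings.append({
                "arn": rec["userIdentity"]["arn"],
                "ip": rec["sourceIPAddress"],
                "time": rec["eventTime"],
                "key": rec["requestParameters"].get("key"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The same logic maps directly onto a CloudWatch Logs metric filter or a Logs Insights query once the trail is feeding CloudWatch Logs; running it as a script over the S3 copies is what you do after the fact, when the question is "who touched this bucket and from where".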
Enterprise Scenario 2: Compliance Auditing for PCI DSS
A retail company must comply with PCI DSS, which requires logging all access to cardholder data and monitoring configuration changes. They enable CloudTrail to log all management and data events for S3 buckets containing cardholder data. They also enable AWS Config with managed rules like s3-bucket-ssl-requests-only and encrypted-volumes. Config automatically evaluates resources every time a change occurs and generates compliance reports. During an audit, the auditor reviews the CloudTrail logs to verify that only authorized users accessed the data, and the Config compliance dashboard shows that all resources are compliant. The company also uses Config aggregator to consolidate compliance data from multiple accounts (development, test, production) into a single view. A common pitfall is forgetting to enable data events for the specific S3 buckets, which would leave gaps in the audit trail.
Enterprise Scenario 3: Automated Remediation of Misconfigurations
A tech startup uses AWS Config rules to enforce tagging policies. They have a rule required-tags that checks if EC2 instances have the 'Environment' tag. When a developer launches an instance without the tag, Config marks it as non-compliant and triggers an automatic remediation action using AWS Systems Manager Automation. The automation document adds the missing tag with a default value. This prevents configuration drift and ensures cost allocation tags are always present. In production, they also use CloudTrail to monitor who created the non-compliant resources and send alerts to the security team. A misconfiguration scenario: if the remediation action fails (e.g., due to IAM permissions), the resource remains non-compliant, and the team must manually intervene. They also set up CloudWatch alarms on Config compliance change notifications to detect repeated failures.
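The custom-rule path mentioned under "Create AWS Config rules" and the required-tags check in this scenario, written out as a Lambda-backed Config rule. This is an added example, not the startup's code, the page's code, or the AWS managed required-tags rule. The handler parses the event shape Config sends to a custom rule (invokingEvent and ruleParameters as JSON strings, plus a resultToken), decides COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE / INSUFFICIENT_DATA, and reports back through put_evaluations. The tag names, instance ids and sample events are constructed; the config client is injected so the logic runs offline, and in the real function you would pass boto3.client("config").

```python
"""Custom AWS Config rule (Lambda handler) enforcing required EC2 tags (added example).

Sample events and the recording client are constructed for offline use; in
Lambda you would call lambda_handler(event, context, boto3.client("config")).
"""
import json


def evaluate_compliance(configuration_item: dict, rule_parameters: dict):
    """Return (compliance_type, annotation) for one configuration item."""
    if configuration_item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "resource deleted"
    if configuration_item.get("resourceType") != "AWS::EC2::Instance":
        return "NOT_APPLICABLE", "rule only covers EC2 instances"
    required = [t.strip() for t in rule_parameters.get("requiredTags", "").split(",") if t.strip()]
    if not required:
        # Misconfigured rule, not a bad resource: report it as such rather than failing silently.
        return "INSUFFICIENT_DATA", "requiredTags parameter not set"
    present = configuration_item.get("tags") or {}
    missing = [t for t in required if t not in present]
    if missing:
        return "NON_COMPLIANT", "missing tags: " + ", ".join(missing)
    return "COMPLIANT", "all required tags present"


def lambda_handler(event: dict, context, config_client=None) -> list:
    """Entry point for a change-triggered custom rule; returns the evaluations it reports."""
    invoking_event = json.loads(event["invokingEvent"])
    rule_parameters = json.loads(event.get("ruleParameters", "{}"))
    if invoking_event["messageType"] != "ConfigurationItemChangeNotification":
        # Periodic (ScheduledNotification) invocations carry no configuration item;
        # a scheduled rule would have to enumerate resources itself. Not covered here.
        return []
    ci = invoking_event["configurationItem"]
    compliance, annotation = evaluate_compliance(ci, rule_parameters)
    evaluation = {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }
    if config_client is not None:
        config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return [evaluation]


class RecordingConfigClient:
    """Stand-in for boto3.client("config") that records put_evaluations calls."""

    def __init__(self):
        self.calls = []

    def put_evaluations(self, **kwargs):
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}


def make_change_event(tags: dict) -> dict:
    """Constructed Config invocation for an EC2 instance with the given tags."""
    configuration_item = {
        "resourceType": "AWS::EC2::Instance",
        "resourceId": "i-0123456789abcdef0",  # constructed
        "configurationItemStatus": "ResourceDiscovered",
        "configurationItemCaptureTime": "2023-01-01T00:00:00.000Z",
        "tags": tags,
    }
    return {
        "invokingEvent": json.dumps({
            "messageType": "ConfigurationItemChangeNotification",
            "configurationItem": configuration_item,
        }),
        "ruleParameters": json.dumps({"requiredTags": "Environment"}),
        "resultToken": "constructed-token",
    }


SAMPLE_EVENT_UNTAGGED = make_change_event({"Name": "web-1"})
SAMPLE_EVENT_TAGGED = make_change_event({"Name": "web-1", "Environment": "dev"})

if __name__ == "__main__":
    client = RecordingConfigClient()
    for event in (SAMPLE_EVENT_UNTAGGED, SAMPLE_EVENT_TAGGED):
        print(lambda_handler(event, None, client)[0])
```

Keeping evaluate_compliance free of any AWS calls is the design point: it is the part you unit test, and it is also the part that decides what the remediation action in this scenario gets to act on. A NON_COMPLIANT result here is what triggers the Systems Manager Automation document; if that document's role lacks ec2:CreateTags, the instance stays NON_COMPLIANT on the next evaluation, which is exactly the repeated-failure condition the scenario's CloudWatch alarm watches for.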
What SOA-C02 Tests on CloudTrail and AWS Config
This material falls under the exam's Domain 1 (Monitoring), specifically Objective 1.2: Implement and manage logging and monitoring solutions. You must understand the differences between CloudTrail and Config, when to use each, and how to configure them. Common exam scenarios include:
CloudTrail: Creating a trail, multi-region vs. single-region, enabling data events, log file validation, integration with CloudWatch Logs, and cross-account logging.
AWS Config: Setting up a recorder, managed vs. custom rules, evaluation triggers (configuration changes vs. periodic), compliance states, remediation actions, and aggregators.
Common Wrong Answers and Why Candidates Choose Them
Using CloudTrail to check current resource configuration: Candidates often think CloudTrail can show the current state of a resource because it logs API calls. However, CloudTrail only shows past events, not current state. AWS Config is designed for current configuration snapshots and history.
Enabling data events by default: Many assume CloudTrail logs all data events automatically. In reality, data events are opt-in and incur additional costs. The exam tests this distinction.
Config rules evaluate in real-time: While Config can evaluate on configuration changes, there is a slight delay (seconds to minutes). Periodic evaluations occur at set intervals (e.g., 10 minutes). The exam may ask about the evaluation frequency.
CloudTrail logs all API calls including those from AWS services: Some internal AWS service calls are not logged. CloudTrail logs only calls made by IAM users/roles or AWS services that are explicitly recorded.
Specific Numbers and Terms to Memorize
CloudTrail default retention in console: 90 days.
CloudTrail log delivery time: within 15 minutes (typically faster).
Maximum trails per region: 5.
Config supported resource types: not all services; check documentation.
Config rule evaluation triggers: configuration changes and periodic (e.g., every 10 minutes).
Compliance states: COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE, INSUFFICIENT_DATA.
Edge Cases and Exceptions
CloudTrail does not log all AWS API calls; some internal calls are excluded.
Config does not support all resource types; unsupported resources are not recorded.
Both services can be used across accounts but require proper IAM permissions and bucket policies.
When using CloudTrail with CloudWatch Logs, you incur additional CloudWatch costs.
Custom Config rules backed by Lambda functions incur Lambda costs and are subject to Lambda execution timeouts (default 5 seconds).
How to Eliminate Wrong Answers
If a question asks about "who performed a specific action at a specific time," the answer is CloudTrail. If it asks about "current configuration of a resource" or "compliance with a policy," the answer is AWS Config. If it asks about "tracking changes over time," both can be used but Config provides a configuration timeline. Pay attention to whether the question mentions "API calls" (CloudTrail) or "resource configurations" (Config).
CloudTrail logs API calls; AWS Config records resource configurations.
Enable CloudTrail for all regions to capture global activity.
Data events (e.g., S3 object-level) must be explicitly enabled in CloudTrail.
AWS Config rules can be AWS managed or custom Lambda functions.
Config rules evaluate on configuration changes or periodically (e.g., every 10 min).
Both services can send logs to a centralized S3 bucket for cross-account analysis.
CloudTrail log file validation uses SHA-256 hashing to detect tampering.
AWS Config supports remediation actions using Systems Manager Automation.
CloudTrail does not log all AWS internal API calls; some are excluded.
Config does not support all resource types; check documentation for supported services.
These come up on the exam all the time. Here's how to tell them apart.
AWS CloudTrail
Logs API calls (management and data events)
Records who made the call, when, and from where
Default retention in console: 90 days
Delivers logs to S3 within 15 minutes
Used for security investigations and audit trails
AWS Config
Records resource configuration changes
Provides configuration history and compliance evaluation
Stores configuration history indefinitely in S3
Evaluates rules on configuration changes or periodically
Used for compliance monitoring and configuration drift detection
Mistake: CloudTrail logs all AWS API calls automatically.
Correct: CloudTrail logs management events by default, but data events (e.g., S3 object-level operations) must be explicitly enabled and incur additional costs.
Mistake: AWS Config can show you who made a configuration change.
Correct: AWS Config records the configuration state, not the identity of the user who made the change. To see who made the change, you need CloudTrail logs.
Mistake: CloudTrail logs are delivered instantly.
Correct: CloudTrail delivers logs to S3 within 15 minutes of the API call, though typically faster. It is not real-time.
Mistake: AWS Config rules evaluate resources in real-time.
Correct: Config rules evaluate on configuration changes (with a slight delay) or on a periodic schedule (e.g., every 10 minutes). Not instantaneous.
Mistake: CloudTrail and AWS Config are the same service.
Correct: They serve different purposes: CloudTrail logs API calls (who, what, when), while Config records resource configurations (current state and history).
CloudTrail logs API calls made in your AWS account, recording who made the call, when, and what action was taken. AWS Config records the configuration state of your resources over time and evaluates them against rules for compliance. Use CloudTrail for auditing user activity and API usage; use Config for tracking configuration changes and ensuring compliance with policies.
When creating or updating a trail, under 'Data events', select S3 as the data event type. You can choose to log all S3 buckets or specific buckets. Note that data events incur additional costs and can generate high volumes of logs. You must also ensure that the S3 bucket policy allows CloudTrail to write logs.
No, AWS Config supports a limited set of resource types. You can find the full list in the AWS documentation. For unsupported resources, Config will not record their configurations. You can still use CloudTrail to log API calls related to those resources.
Yes. CloudTrail can deliver logs to a centralized S3 bucket in another account by setting appropriate bucket policies and IAM permissions. AWS Config can aggregate compliance data from multiple accounts using an aggregator, which collects configuration and compliance data from source accounts into a single view.
CloudTrail typically delivers logs to S3 within 15 minutes of the API call, though it can be faster. It is not real-time. For near-real-time monitoring, you can send events to CloudWatch Logs and set up metric filters or alarms.
AWS Config rules evaluate resources and return one of four compliance states: COMPLIANT (resource meets rule conditions), NON_COMPLIANT (resource violates rule), NOT_APPLICABLE (rule does not apply to the resource), or INSUFFICIENT_DATA (rule cannot be evaluated due to missing data, e.g., Lambda function error).
Yes. You can associate an AWS Systems Manager Automation document with a Config rule to automatically remediate non-compliant resources. For example, you can automatically apply a bucket policy to make a public bucket private. The remediation action runs when the rule evaluates the resource as non-compliant.