How do Amazon's three AWS monitoring tools (CloudTrail, CloudWatch and AWS Config) differ, and what is the business...
case for using each in the enterprise? Are there other tools on-premises that should complement them for an AWS environment?
CouldTrail is a service that logs all API calls made from your account. This includes APIs your applications make as well as those made by AWS on your behalf. Log entries include information about the identity of the caller, the IP address of the caller, the date and time of the API call and the response to the call. Log entries are kept in log files which are stored in S3. You can configure CloudTrail to provide notifications when a new log is written.
CloudTrail logging is available for many AWS services, including EC2, Elastic Block Store, Elastic MapReduce, Elastic Load Balancing and the Relational Database Service. For a complete list of services, see the CloudTrail FAQ.
There is no charge for CloudTrail data collection, but you will be charged for storage and any notification services. For most customers, the combined cost of storage and notification is less than $4/month.
Where CloudTrail is designed to provide information about functions and services executed, CloudWatch is designed to provide performance information. Application designers and developers can use information from CloudWatch to identify bottlenecks in applications or workflows. Performance details are also useful for security analytics as they can complement data collected by other security systems. For example, if a security control logs an unusual event, the CloudWatch service could be used to assess the impact on performance after the event. A large number of unusual I/O operations, for example, may be indicative of a data leak. By correlating events across multiple monitors, you may be able to better identify significant events while reducing the instance of false positives.
The recently announced AWS Config is a service for collecting inventory information about your resources in the AWS cloud. It can collect and store data about configuration changes to your systems. Although you could cull much of this information from CloudTrail, the AWS Config service is designed to streamline the process for administrators. AWS Config will be useful for organizations running instances for the long term.
Ask the Expert:
Perplexed about cloud security? Send Dan Sullivan your questions today. (All questions are anonymous.)
Uncover the most effective approaches to AWS cloud monitoring
Dig Deeper on Cloud Network Security Trends and Tactics
Related Q&A from Dan Sullivan
Docker's recent upgrade introduced support for hardware signing and in the future, automated security analysis on Docker images. Expert Dan Sullivan ... Continue Reading
Cisco's new project Contiv automates operational policies for containerized applications in the cloud. Expert Dan Sullivan explains the benefits of ... Continue Reading
Dropbox API abused by attackers posing as legitimate users in a huge spear phishing campaign. Expert Dan Sullivan explains how to mitigate the risks ... Continue Reading