
What's the business case for Amazon's three AWS monitoring tools?

CloudTrail, CloudWatch and AWS Config are three different tools from Amazon that help enterprises monitor AWS. Expert Dan Sullivan explains the differences between the three and when each should be used.

How do Amazon's three AWS monitoring tools (CloudTrail, CloudWatch and AWS Config) differ, and what is the business case for using each in the enterprise? Are there other tools on-premises that should complement them for an AWS environment?

AWS CloudTrail, CloudWatch and Config all serve distinct purposes and are all useful from a security perspective.

CloudTrail is a service that logs all API calls made from your account. This includes APIs your applications make as well as those made by AWS on your behalf. Log entries include information about the identity of the caller, the IP address of the caller, the date and time of the API call and the response to the call. Log entries are kept in log files which are stored in S3. You can configure CloudTrail to provide notifications when a new log is written.

CloudTrail logging is available for many AWS services, including EC2, Elastic Block Store, Elastic MapReduce, Elastic Load Balancing and the Relational Database Service. For a complete list of services, see the CloudTrail FAQ.

There is no charge for CloudTrail data collection, but you will be charged for storage and any notification services. For most customers, the combined cost of storage and notification is less than $4/month.
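To show what the log entries described above look like in practice, here is an added example (not code from the article or from AWS) that parses a CloudTrail log-file body, tallies calls per caller and source IP, and flags callers with repeated AccessDenied responses. The sample records are constructed in the CloudTrail "Records" layout; the account id, ARNs, user names and IP addresses are placeholders.

```python
import json
from collections import Counter

# Constructed sample in the CloudTrail log-file layout: a top-level "Records"
# array, each entry carrying the caller's identity, source IP, timestamp and
# outcome ("errorCode" appears only when the call failed). All values are placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-11-03T10:15:01Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2014-11-03T10:15:07Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.5",
     "errorCode": "AccessDenied", "errorMessage": "User is not authorized",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventTime": "2014-11-03T10:15:09Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.5",
     "errorCode": "AccessDenied", "errorMessage": "User is not authorized",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventTime": "2014-11-03T10:16:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StopInstances", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"}},
]})

def parse_records(text):
    """Return the event records from the body of one CloudTrail log file."""
    return json.loads(text)["Records"]

def caller_name(rec):
    """Best available label for the caller: user name, then ARN, then identity type."""
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")

def summarize(records):
    """Call counts per (caller, source IP) plus the list of failed calls."""
    by_caller = Counter((caller_name(r), r.get("sourceIPAddress")) for r in records)
    failures = [(caller_name(r), r["eventName"], r["errorCode"])
                for r in records if "errorCode" in r]
    return by_caller, failures

def repeated_access_denied(records, threshold=2):
    """Callers with at least `threshold` AccessDenied responses in this file."""
    denied = Counter(caller_name(r) for r in records
                     if r.get("errorCode") == "AccessDenied")
    return sorted(name for name, n in denied.items() if n >= threshold)
```

Real CloudTrail files land in S3 gzip-compressed, so a production reader would decompress before calling parse_records; the triage signal here is deliberately simple and is meant to be reviewed alongside CloudWatch data rather than acted on alone.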

Where CloudTrail is designed to provide information about functions and services executed, CloudWatch is designed to provide performance information. Application designers and developers can use information from CloudWatch to identify bottlenecks in applications or workflows. Performance details are also useful for security analytics as they can complement data collected by other security systems. For example, if a security control logs an unusual event, the CloudWatch service could be used to assess the impact on performance after the event. A large number of unusual I/O operations, for example, may be indicative of a data leak. By correlating events across multiple monitors, you may be able to better identify significant events while reducing the incidence of false positives.

The recently announced AWS Config is a service for collecting inventory information about your resources in the AWS cloud. It can collect and store data about configuration changes to your systems. Although you could cull much of this information from CloudTrail, the AWS Config service is designed to streamline the process for administrators. AWS Config will be useful for organizations running instances for the long term.
