CloudWatch vs CloudTrail : Two Interactive Watch-dogs In The AWS

“CloudWatch focuses on monitoring; CloudTrail on an audit trail of API activity for governance and compliance purposes”

What are the differences between CloudWatch and CloudTrail?

CloudWatch and CloudTrail are both services provided by Amazon Web Services (AWS) to monitor and manage your AWS resources, but they serve different purposes:

1. CloudWatch:

- CloudWatch is a monitoring and observability service that collects and tracks metrics, log files, and events from AWS resources and from your own applications.

- It gives you insight into the performance and operational health of those resources, lets you set alarms, and can react automatically to changes in your AWS environment.

- Most AWS services (EC2 instances, databases, load balancers, Lambda functions, and more) emit a default set of metrics such as CPU utilization, network traffic, disk I/O, and latency; you can publish custom metrics for anything the defaults do not cover. Note that EC2 memory usage is not a default metric; it requires the CloudWatch agent on the instance.

- You can build custom dashboards and visualizations to see how your resources and applications behave over time.

- Alarms on predefined or custom thresholds can trigger notifications (through SNS) or automated actions such as Auto Scaling or stopping an instance.

- CloudWatch Logs centralizes logs from multiple sources, with Logs Insights for querying them, which makes troubleshooting easier. Log groups retain data indefinitely unless you set a retention period, which matters for both cost and data minimization.

- CloudWatch Events, now part of Amazon EventBridge, lets you respond to changes in your AWS environment by triggering actions or running code, either on a schedule or in reaction to an event.

2. CloudTrail:

- CloudTrail provides governance, compliance, and auditing capabilities for your AWS account.

- It records API activity in your account, whether the call came through the AWS Management Console, the AWS CLI, the SDKs, or another AWS service acting on your behalf. Management (control-plane) events are recorded by default and kept for 90 days in Event history; data events (for example S3 object-level operations, Lambda invocations, DynamoDB item-level operations) are recorded only if you enable them on a trail, and retention beyond 90 days requires a trail that delivers to an S3 bucket or to CloudWatch Logs.

- Each event records who made the call (userIdentity), when (eventTime), which service and action (eventSource and eventName), which resources were affected, the source IP address of the requester, and the user agent.

- These logs are what you reach for in compliance work, in troubleshooting ("who changed this security group?"), and in security investigations, where the detailed history of API actions is the primary evidence. Enable log file integrity validation on the trail and lock down the destination bucket, since an attacker with write access to the logs can otherwise alter that evidence.

- CloudTrail Insights, a feature of CloudTrail rather than a separate service, detects unusual API call rates and error rates by comparing current activity against a baseline of normal activity, which helps surface anomalous or potentially malicious behaviour in your account.

Differences Explained in Detail

Two AWS services with very similar names but fulfilling two very different functions in the AWS ecosystem.

What is Amazon CloudWatch?

CloudWatch is the AWS monitoring service. Its features let you

  • collect,

  • monitor, and

  • analyze telemetry from your applications and AWS resources.

These are the three main things people use CloudWatch for. What confuses many people is that, over time, CloudWatch has grown a whole set of features that fit within these three categories. It is an umbrella service: it has many functions that are related in some ways and quite separate in others.

First, in terms of collection:

A basic need of any application is collecting its logs, for example when errors occur. An error is an indicator that something is going wrong, and even when nothing is wrong you may want to follow the flow of control through the application. Logs are the critical input for understanding what is happening now and what happened in the past. CloudWatch Logs can ingest very large volumes of application logs and stores them relatively cheaply. Two things to set deliberately: a retention period per log group (the default is to keep logs forever) and a KMS key if the logs may contain sensitive data; and make sure application code never writes secrets or credentials into them in the first place.

Second, in terms of monitoring:

In monitoring, one of the big features of CloudWatch is metric graphs, for example CPU or memory for a service such as a REST API or a back-end application. Many AWS services emit their own default set of metrics, and CloudWatch lets you graph them to visualize how the values change over time.

You can also create your own metrics. For a particular dependency of your application, say, you may want to know how many times you call it and what the latency of each call is. You can publish and capture these custom metrics, plot them on a graph, and watch how they change over time.

You can slice and dice the data by combining different metrics with metric math. Once you have a metric that matters, the next step is an alarm on it, so that you are notified when something out of the ordinary happens for a prolonged period. For example, CPU usage above 90% for 15 minutes or so usually means something is wrong with the application. An alarm evaluates the metric over a window (say three consecutive 5-minute datapoints) and, when the threshold is breached, publishes to an SNS topic that can send an email, a text message, or a page to let you know something is going wrong.

Tracing is another part of monitoring. In AWS it is provided by AWS X-Ray, which is integrated into the CloudWatch console: you can drill down on individual requests or invocations and see where the time was spent across services. Resource-level characteristics of a particular invocation (CPU, memory, disk, and network usage) come from the Insights features, such as Lambda Insights and Container Insights, which you can visualize and dig into alongside the traces.
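The alarm described above (CPU at or above 90% for 15 minutes, paging through SNS), as an added example that is not part of the original article and not AWS's own code. It builds the keyword arguments for the real boto3 put_metric_alarm call and, alongside it, a simplified model of how CloudWatch evaluates the window so you can see why a single 5-minute spike does not page anyone. The instance ID and SNS topic ARN are placeholders, and evaluate_alarm is an illustration of the M-out-of-N rule, not the service's full missing-data semantics.

```python
"""Elevated-CPU alarm: build a CloudWatch put_metric_alarm spec for
"CPU >= 90% for 15 minutes" and model how that window is evaluated.
Added example for this article; not AWS or the author's code."""

from typing import Dict, List, Optional

# Assumed placeholders: replace with a real instance ID and SNS topic ARN.
INSTANCE_ID = "i-0123456789abcdef0"
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:ops-pager"


def build_cpu_alarm(instance_id: str, topic_arn: str, threshold: float = 90.0,
                    minutes: int = 15, period: int = 300) -> Dict:
    """Keyword arguments for cloudwatch.put_metric_alarm().

    "90% for 15 minutes" becomes: Average CPUUtilization per 5-minute
    period, three consecutive periods, all three breaching (DatapointsToAlarm
    == EvaluationPeriods).  Both ALARM and OK transitions notify the topic."""
    period_minutes = period // 60
    if minutes % period_minutes:
        raise ValueError("minutes must be a multiple of the period")
    evaluation_periods = minutes // period_minutes
    return {
        "AlarmName": f"high-cpu-{instance_id}",
        "AlarmDescription": f"CPU >= {threshold}% for {minutes} minutes",
        "Namespace": "AWS/EC2",
        "MetricName": "CPUUtilization",
        "Dimensions": [{"Name": "InstanceId", "Value": instance_id}],
        "Statistic": "Average",
        "Period": period,
        "EvaluationPeriods": evaluation_periods,
        "DatapointsToAlarm": evaluation_periods,
        "Threshold": threshold,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "TreatMissingData": "missing",
        "AlarmActions": [topic_arn],
        "OKActions": [topic_arn],
    }


def evaluate_alarm(datapoints: List[Optional[float]], threshold: float,
                   evaluation_periods: int, datapoints_to_alarm: int) -> str:
    """Simplified model of CloudWatch's M-out-of-N evaluation (for
    illustration; the real service has extra rules for missing data).

    Looks at the last `evaluation_periods` datapoints (None == no data for
    that period).  ALARM if at least `datapoints_to_alarm` of the present
    ones are >= threshold, INSUFFICIENT_DATA if none are present, else OK.
    A single 5-minute spike therefore does not page anyone."""
    window = datapoints[-evaluation_periods:]
    present = [d for d in window if d is not None]
    if not present:
        return "INSUFFICIENT_DATA"
    breaching = sum(1 for d in present if d >= threshold)
    return "ALARM" if breaching >= datapoints_to_alarm else "OK"


if __name__ == "__main__":
    spec = build_cpu_alarm(INSTANCE_ID, TOPIC_ARN)
    # Constructed 5-minute Average CPU samples: one spike, then sustained load.
    samples = [40.0, 97.0, 45.0, 92.0, 94.0, 99.0]
    for end in range(3, len(samples) + 1):
        state = evaluate_alarm(samples[:end], spec["Threshold"],
                               spec["EvaluationPeriods"], spec["DatapointsToAlarm"])
        print(f"after datapoint {end}: {state}")
    import boto3  # real AWS SDK; needs credentials and cloudwatch:PutMetricAlarm
    boto3.client("cloudwatch").put_metric_alarm(**spec)
```

With the constructed samples the alarm stays OK through the lone 97% spike and only goes to ALARM once three consecutive 5-minute datapoints are at or above 90%. Setting DatapointsToAlarm lower than EvaluationPeriods (for example 2 of 3) makes the alarm more sensitive to flapping load; keeping them equal is the right choice for a "sustained" condition like the one in the text.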

Third, in terms of analyzing:

In the analyzing category there is CloudWatch Logs Insights. It lets you run queries over your log data, using a purpose-built query language (commands such as filter, parse, and stats chained together with pipes, rather than SQL) and do some interesting analysis from a data-analytics perspective, for instance counting 5xx responses per minute or finding the slowest requests.

There is also CloudWatch Events. Its scheduled rules act as a serverless cron job: invoke a function or perform another action at a fixed rate or on a cron expression. Its successor, Amazon EventBridge, extends this to AWS service events and your own application events on an event bus, which you can route and respond to programmatically.

What is Amazon CloudTrail?

CloudTrail enables auditing, security monitoring, and operational troubleshooting by tracking user activity and API usage. CloudTrail logs, continuously monitors, and retains account activity related to actions across your AWS infrastructure, giving you control over storage, analysis, and remediation actions.

CloudTrail lets you analyze who performed what actions, and when, on your AWS resources. It follows the trail of calls: create a table, update a table, describe a table, each with the time it was executed, the user name, the event source, the resource type, and the resource name. In this way CloudTrail gives you an audit log of the events related to your AWS account.

This is the main purpose of CloudTrail: it is not for monitoring applications but for auditing your AWS accounts. CloudTrail records three types of events.

  1. Management events: management or control-plane events are the administrative operations: creating a DynamoDB table or an S3 bucket, updating or otherwise modifying those resources, IAM changes, and console sign-ins. They are relatively low volume, and they are recorded automatically from the moment an AWS account is created: if you have never opened the CloudTrail console before, open Event history now and you will see the management events of the last 90 days. Keeping them longer, or sending them to S3 or CloudWatch Logs, requires creating a trail.

  2. Data events: data events are much higher volume, for example object-level operations on an S3 bucket (GetObject, PutObject), invocations of a Lambda function, or item-level operations on a DynamoDB table. They are not enabled by default; you enable them per resource type on a trail, and they are charged separately, so scope them to the buckets, functions, and tables that matter.

  3. Insights: Insights events are a special type of CloudTrail event. They let you use anomaly detection run by AWS to flag unusual API call rates or error rates in your account, compared with a baseline learned from normal activity. If an application typically receives 100 calls per hour and suddenly receives 100,000 calls per hour, that raises an Insights event, which you can capture and, if the trail also delivers to CloudWatch Logs, alarm on in CloudWatch. Insights are enabled per trail and billed separately.

Another useful trait of CloudTrail is that trails can archive data for long-term retention. If you have a compliance requirement to keep every access to your AWS account for one, two, or ten years, a trail delivers the log files to S3, and an S3 lifecycle rule can move them to Glacier for very low-cost, very long-term retention. Enable log file integrity validation on the trail so that you can later prove the archived files were not modified.

With these three types of events (management, data, and Insights) you can create separate trails that include different portions: one trail with management and data events, another with management events and Insights. Each trail can have its own delivery destination, so you can get copies of the same data if you want to replicate it, for example a copy in a separate log-archive account that workload administrators cannot write to. The first copy of management events delivered to S3 is free; additional copies and data events are charged. All of it is meant for auditing access to your AWS accounts.
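The three event types and the who / when / what / from-where questions above, as an added example that is not part of the original article and not AWS's own code. It reads a constructed CloudTrail log file body (gzipped JSON with a top-level Records array, the shape a trail delivers to S3), counts management, data, and Insights events, and flags what a responder looks at first: root activity, a console login without MFA, a write call from outside an assumed trusted network, and an ApiCallRateInsight event with its call-rate ratio. The records, the account ID, the user name alice, and TRUSTED_NETWORKS are all constructed for the example.

```python
"""Triage CloudTrail log records: answer who / when / what / from where,
split management, data, and Insights events, and flag a few patterns a
responder looks for first.  Added example for this article; not AWS or the
author's code.  The records are constructed samples shaped like real
CloudTrail entries, and TRUSTED_NETWORKS is an assumed office range."""

import gzip
import ipaddress
import json
from typing import Dict, List, Tuple

TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # assumption

ACCOUNT = "123456789012"  # constructed account ID
ALICE = {"type": "IAMUser", "userName": "alice",
         "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"}

# Constructed sample: a trail delivers gzipped JSON files with a top-level
# "Records" array to S3; this is one such file body.
SAMPLE_GZ = gzip.compress(json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "eventCategory": "Management", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": f"arn:aws:iam::{ACCOUNT}:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T10:05:12Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "CreateTable", "eventType": "AwsApiCall", "readOnly": False,
     "eventCategory": "Management", "sourceIPAddress": "198.51.100.7",
     "userIdentity": ALICE, "requestParameters": {"tableName": "orders"}},
    {"eventTime": "2024-05-01T10:06:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "eventType": "AwsApiCall", "readOnly": True,
     "eventCategory": "Data", "sourceIPAddress": "203.0.113.25",
     "userIdentity": ALICE,
     "resources": [{"type": "AWS::S3::Object",
                    "ARN": "arn:aws:s3:::reports-bucket/q1.csv"}]},
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "Invoke", "eventType": "AwsCloudTrailInsight",
     "eventCategory": "Insight",
     "insightDetails": {"state": "Start", "insightType": "ApiCallRateInsight",
                        "insightContext": {"statistics": {
                            "baseline": {"average": 100.0},
                            "insight": {"average": 100000.0}}}}},
]}).encode())


def load_records(gz_bytes: bytes) -> List[Dict]:
    return json.loads(gzip.decompress(gz_bytes))["Records"]


def actor(rec: Dict) -> str:
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def summarize(rec: Dict) -> Dict:
    """The four audit questions the article lists: who, when, what, where."""
    return {"who": actor(rec), "when": rec["eventTime"],
            "what": f'{rec["eventSource"]}:{rec["eventName"]}',
            "where": rec.get("sourceIPAddress", "-"),
            "category": rec.get("eventCategory", "Management")}


def categorize(records: List[Dict]) -> Dict[str, int]:
    counts = {"Management": 0, "Data": 0, "Insight": 0}
    for r in records:
        counts[r.get("eventCategory", "Management")] += 1
    return counts


def is_trusted(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # "AWS Internal" or a service DNS name, not a client
        return True
    return any(addr in net for net in TRUSTED_NETWORKS)


def findings(records: List[Dict]) -> List[Tuple[str, Dict]]:
    out = []
    for r in records:
        s = summarize(r)
        if r.get("eventCategory") == "Insight":
            stats = r["insightDetails"]["insightContext"]["statistics"]
            s["ratio"] = stats["insight"]["average"] / stats["baseline"]["average"]
            out.append(("api-call-rate-anomaly", s))
            continue
        if r.get("userIdentity", {}).get("type") == "Root":
            out.append(("root-activity", s))
        if (r.get("eventName") == "ConsoleLogin"
                and r.get("additionalEventData", {}).get("MFAUsed") == "No"
                and r.get("responseElements", {}).get("ConsoleLogin") == "Success"):
            out.append(("console-login-without-mfa", s))
        if not r.get("readOnly", True) and not is_trusted(r.get("sourceIPAddress", "")):
            out.append(("write-from-untrusted-ip", s))
    return out


if __name__ == "__main__":
    recs = load_records(SAMPLE_GZ)
    print(categorize(recs))
    for kind, s in findings(recs):
        print(kind, s)
```

In production the same functions run over objects fetched from the trail's S3 bucket (or over events delivered to CloudWatch Logs); this block is the triage logic, not the plumbing. Non-IP values of sourceIPAddress such as "AWS Internal" are treated as trusted on purpose, because they mark calls made by AWS services on your behalf and would otherwise flood the untrusted-IP check with false positives.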

A quick summary of the two

CloudWatch is a monitoring service for AWS applications, used primarily for log and metric analysis, for alarms, and for application health. CloudTrail is a monitoring service for users and resources: it is for auditing and compliance, and trails let you capture activity and deliver it to S3 for long-term retention (and from there to cold storage such as Glacier).

Lastly, CloudWatch is primarily used for monitoring and managing the performance of your AWS resources, while CloudTrail focuses on providing an audit trail of API activity within your AWS account for governance, compliance, and security purposes. In practice the two work together: a trail delivering to CloudWatch Logs, with metric filters and alarms on events such as root sign-in or IAM policy changes, is the standard way to turn the audit trail into real-time detection.

Compiled by: Azizul Maqsud

https://www.youtube.com/channel/UCNwP7KEElaJ7cdDTLP-KbBg

https://www.linkedin.com/in/azizul-maqsud/

https://azizulmaqsud-1684501031000.hashnode.dev/

https://medium.com/@azizulmaqsud

https://twitter.com/Sohail2me

https://github.com/azizulmaqsud

Reference: https://aws.amazon.com/cloudtrail/faqs/#:~:text=CloudTrail%20enables%20auditing%2C%20security%20monitoring,%2C%20analysis%2C%20and%20remediation%20actions.