
Amazon CloudWatch vs CloudTrail: The Key Differences to Know

Better Stack Team
Updated on January 17, 2023

Amazon CloudTrail and Amazon CloudWatch are two separate services offered by Amazon Web Services (AWS) for different purposes. The former records API activity in your AWS account and delivers log files to an Amazon S3 bucket, while the latter is a monitoring tool used for real-time monitoring of AWS resources and applications.

In this article, we will discuss the differences between both services, and also explore how they can complement each other to provide a comprehensive view of the performance and activity of your AWS resources and applications.


CloudWatch vs CloudTrail summary

Here's a summary of how CloudWatch compares to CloudTrail and how they are typically used in the real world:

Definition

CloudWatch is a suite of monitoring tools that lets you monitor various AWS services and applications. CloudTrail is an auditing tool: it records who made which API call, from where, and when, across your AWS account.

Value proposition

CloudWatch lets you collect logs from the services you use, track metrics from your resources and applications, set alarms based on collected data, and visualize all the collected data using custom dashboards. CloudTrail logs details that help you analyze and respond to activity in your AWS account such as when an event occurred, who or what performed an action, what resources were accessed, etc.

Event delivery rate

The numbers usually quoted here are sampling intervals rather than delivery guarantees: basic monitoring publishes EC2 metrics every 5 minutes and detailed monitoring every minute. CloudTrail typically makes an event visible within about 15 minutes of the API call, and AWS does not guarantee that latency, so neither service should be treated as a real-time control.

Supported services

Both CloudTrail and CloudWatch support most AWS services, including Amazon EC2, Amazon S3, Amazon RDS, Amazon DynamoDB, and many others.

Real-world example

Imagine that you have an application running on Amazon EC2 instances and storing data in an Amazon RDS database. You want to monitor the performance and availability of these resources, as well as track changes made to them.

To do this, you can use both Amazon CloudTrail and Amazon CloudWatch. With CloudTrail, you can log all API calls made in your AWS account and review them to track changes made to your resources and identify any potential security issues.

With CloudWatch, you can set alarms to notify you if certain thresholds are breached, such as the CPU utilization of an Amazon EC2 instance exceeding a certain level. You can also use CloudWatch to monitor the performance of your Amazon RDS database through metrics such as DatabaseConnections, ReadIOPS and WriteIOPS, and FreeStorageSpace.

What is CloudWatch?


CloudWatch is a monitoring service provided by Amazon Web Services (AWS) that allows you to monitor various metrics and logs for your AWS resources. It can be used to monitor a wide range of resources, including EC2 instances, Kinesis, Lambda Functions, Amazon S3, and much more.

With CloudWatch, you can view and analyze metrics, set alarms, and take automated actions based on data patterns (such as launching or stopping EC2 instances based on the current load). You can also use CloudWatch to gain visibility into application performance, resource utilization, and overall health.

Log management capabilities are also bundled with the service so that you can centralize, search, and analyze log data from your AWS resources. This can be useful for debugging, auditing, or security analysis.

CloudWatch is a paid service, but it offers an always-free tier that includes 10 custom metrics, 10 alarms, up to 5GB of log data ingestion and 5GB of archiving, 1 million API requests, and 3 dashboards with up to 50 metrics each per month.

What is CloudTrail?


Amazon CloudTrail is an AWS service that records the actions taken by a user, role, or AWS service in your account in one place. These include actions taken through the AWS Management Console, command line tools, SDKs, and other AWS services that call AWS APIs on your behalf.

Each action is recorded in a CloudTrail event and you can view a log of all the recorded events by going to Event History in the CloudTrail console. This event history can help you track changes to your resources, the security of user access and other operational issues.

Event History alone only covers the last 90 days. To keep logs longer (and to capture data events such as S3 object reads or Lambda invocations), you create a trail, which delivers gzipped JSON log files to an S3 bucket in near real time. You can create multiple trails for different purposes, for example an organization-wide trail owned by a security account and a per-account trail, and store them in separate S3 buckets.

The native CloudTrail console can run basic filtered searches over the 90 days of Event History, but an additional service called CloudTrail Lake lets you query CloudTrail data with SQL and retain it for up to 7 years.

CloudTrail does not raise alarms by itself, but you can get notifications for specific activity in your AWS account, such as the creation of an IAM user or a root sign-in, by sending a trail to CloudWatch Logs and defining metric filters with alarms on them, or by matching the events with Amazon EventBridge rules.

CloudWatch key features

As mentioned earlier, CloudWatch is a suite of various monitoring tools mostly focused on metrics tracking, log management, resource management, and data visualization. Here are some of its key features that you should know about:

1. Metrics tracking and analysis

CloudWatch allows you to view and analyze metrics in real-time, set alarms based on data patterns, and take automated actions based on those patterns.

It can monitor practically any AWS resource, including EC2 instances, RDS databases, EBS volumes, and more. You can also use it to aggregate traces, metrics, logs, alarms, and other resource health information in one place.

Metrics are time-ordered data points that are published to CloudWatch, and they can come from any AWS service or application that you're using. For example, Amazon EC2 provides a CPUUtilization metric that identifies how much processing power an application is using on the instance.

2. Log management

CloudWatch provides a log management service that enables you to centralize, search, and analyze log data collected from your various AWS resources. The data is processed as soon as it arrives which could be in real-time or delayed by a few minutes (depending on the service).


Logs reach CloudWatch either through the CloudWatch agent installed on your hosts or directly from AWS services such as Lambda, API Gateway, and CloudTrail. Once they are in a log group, you can query or filter them, create custom CloudWatch dashboards to visualize the data, or define metric filters and alarms that trigger when certain conditions are met.

By default, a CloudWatch log group retains events indefinitely, but an ever-growing log group is expensive to store and slow to search, so it's usually best to set a retention period on the group (anywhere between 1 day and 10 years) and export older logs to Amazon S3 before they expire.

3. Alarms and notifications

Screenshot from 2023-01-17 15-55-36.png

CloudWatch allows you to set up alarms and notifications for specific activity in your AWS account. Alarms are created to continuously track changes in a metric over a specified period and perform one or more specified actions whenever it falls outside predefined threshold levels. Such actions could be sending a notification to an SNS topic, performing an EC2 operation, or creating an incident in Systems Manager.

An alarm is in one of three states:

  • INSUFFICIENT_DATA: for newly created alarms where data isn't available for the specified metric yet, or when the metric is not available.
  • OK: the metric is within the predefined thresholds.
  • ALARM: the metric is outside the predefined thresholds.

4. Custom dashboards

Metrics for all the AWS services you use are displayed by default, but you can also create custom dashboards for selected metrics. You can also add alarms to dashboards to detect changes in your AWS resources and applications across multiple regions.

CloudTrail key features

CloudTrail's features are centered around recording all AWS user activity and API calls within your account as events for the purposes of auditing or security analysis. Such data can help you understand who did what, where, and when within your AWS account. The key features of CloudTrail include the following:

1. User tracking

CloudTrail records the last 90 days of management events for your account in Event History without any configuration, and you can view, filter, or download that history through the CloudTrail console or the AWS CLI. Anything older than 90 days, and data events, require a trail or CloudTrail Lake.

2. Log files are encrypted and tamper-evident

Log files delivered to S3 are encrypted at rest with S3 server-side encryption by default, and you can add another layer by encrypting them with a key in AWS Key Management Service (KMS), in which case only principals with permission to use that key can read the logs. CloudTrail does not make the files immutable on its own: if you enable log file validation on a trail, CloudTrail delivers an hourly digest file listing the SHA-256 hash of every log file it wrote, signed with a CloudTrail private key and chained to the previous digest, so that a modified or deleted log file can be detected afterwards. To actually prevent changes, restrict write and delete access in the bucket policy, or use S3 Object Lock.
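The check that log file validation makes possible, written out as an added example for this article (it is not CloudTrail's own tooling; the AWS CLI's `aws cloudtrail validate-logs` performs this check together with RSA signature verification of the digests, which is left out here). The script hashes each log file, compares it with the digest entry, and checks that consecutive digests chain to each other. Assumed: the digest fields are the documented subset used below, `hashValue` is the SHA-256 of the log file object exactly as stored in S3 (the gzip bytes), and the account ID, bucket name, keys, and records are constructed for the demo.

```python
"""Check CloudTrail log files against the hashes in a CloudTrail digest (added example)."""
import gzip
import hashlib
import json
from typing import Dict, List, Optional

BUCKET = "example-trail-logs"  # assumed bucket name
PREFIX = "AWSLogs/123456789012/CloudTrail/us-east-1/2023/01/17/"  # constructed
KEY_A = PREFIX + "123456789012_CloudTrail_us-east-1_20230117T0610Z_aaaa.json.gz"
KEY_B = PREFIX + "123456789012_CloudTrail_us-east-1_20230117T0620Z_bbbb.json.gz"
KEY_C = PREFIX + "123456789012_CloudTrail_us-east-1_20230117T0630Z_cccc.json.gz"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_log_file(records: List[dict]) -> bytes:
    """Stand-in for a delivered log file: gzip of {"Records": [...]}; mtime=0 keeps it deterministic."""
    return gzip.compress(json.dumps({"Records": records}).encode("utf-8"), mtime=0)


def make_digest(objects: Dict[str, bytes], previous_digest_hash: Optional[str]) -> dict:
    """Constructed digest carrying the subset of documented fields this check needs."""
    return {
        "awsAccountId": "123456789012",
        "digestS3Bucket": BUCKET,
        "previousDigestHashValue": previous_digest_hash,
        "previousDigestHashAlgorithm": "SHA-256" if previous_digest_hash else None,
        "logFiles": [
            {"s3Bucket": BUCKET, "s3Object": key,
             "hashValue": sha256_hex(body), "hashAlgorithm": "SHA-256"}
            for key, body in sorted(objects.items())
        ],
    }


def verify_log_files(digest: dict, objects: Dict[str, bytes]) -> Dict[str, str]:
    """Compare every log file the digest lists with what the bucket holds now.
    Returns S3 key -> "ok" | "modified" | "missing" | "unsupported"."""
    results = {}
    for entry in digest["logFiles"]:
        key = entry["s3Object"]
        body = objects.get(key)
        if body is None:
            results[key] = "missing"
        elif entry["hashAlgorithm"] != "SHA-256":
            results[key] = "unsupported"
        elif sha256_hex(body) == entry["hashValue"]:
            results[key] = "ok"
        else:
            results[key] = "modified"
    return results


def verify_digest_chain(digest_files: List[bytes]) -> bool:
    """Each digest names the hash of the previous digest file, so a removed or
    replaced digest breaks the chain even if every log file it listed is gone too."""
    for prev, cur in zip(digest_files, digest_files[1:]):
        if json.loads(cur)["previousDigestHashValue"] != sha256_hex(prev):
            return False
    return True


# Constructed sample: three log files delivered in one hour, then two digests.
ALICE = {"arn": "arn:aws:iam::123456789012:user/alice"}
DELIVERED = {
    KEY_A: make_log_file([{"eventName": "DescribeInstances", "userIdentity": ALICE}]),
    KEY_B: make_log_file([{"eventName": "CreateUser", "userIdentity": ALICE}]),
    KEY_C: make_log_file([{"eventName": "StopLogging", "userIdentity": ALICE}]),
}
DIGEST_1 = make_digest(DELIVERED, previous_digest_hash=None)
DIGEST_1_BYTES = json.dumps(DIGEST_1).encode("utf-8")
DIGEST_2 = make_digest({}, previous_digest_hash=sha256_hex(DIGEST_1_BYTES))  # next hour, no new files
DIGEST_2_BYTES = json.dumps(DIGEST_2).encode("utf-8")


def tampered_bucket() -> Dict[str, bytes]:
    """What someone with write access might leave behind: the CreateUser record
    scrubbed from one file, another file deleted outright."""
    objects = dict(DELIVERED)
    objects[KEY_B] = make_log_file([])
    del objects[KEY_C]
    return objects


if __name__ == "__main__":
    print(verify_log_files(DIGEST_1, DELIVERED))
    print(verify_log_files(DIGEST_1, tampered_bucket()))
    print(verify_digest_chain([DIGEST_1_BYTES, DIGEST_2_BYTES]))
```

Note what this does and does not give you: the hash comparison tells you a log file was altered or removed after delivery, and the chain tells you a digest was removed, but only if the digests themselves are trustworthy, which is why CloudTrail signs them and why the digest bucket needs the same write restrictions as the log bucket.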

3. Automatic detection of unusual activity

AWS CloudTrail Insights is a feature of CloudTrail that continuously analyzes CloudTrail management events so that you can identify and respond to unusual activity in your AWS account such as spikes in resource provisioning, or unusual API activity. These events are delivered to a /CloudTrail-Insight folder in the chosen destination S3 bucket for your trail.

4. Integration with other tools

When you create a trail, CloudTrail events are stored in Amazon S3, and they can optionally also be delivered to CloudWatch Logs, Amazon EventBridge, or third-party log monitoring solutions (like Logtail) for further processing and analysis.

5. Compliance

CloudTrail can help you meet compliance and regulatory requirements by providing a record of all activity in your AWS account. If you utilize CloudTrail Lake, you can extend your log retention policy to a maximum of seven years.

How is AWS CloudWatch typically used?

AWS CloudWatch can be used for a wide range of purposes, including monitoring the performance and availability of applications, setting alarms to notify users of issues or thresholds being breached, and generating reports on resource utilization.

Here are some ways in which CloudWatch is typically used:

  1. Troubleshooting and diagnostic purposes: CloudWatch logs can be used to troubleshoot issues with applications and services running on AWS. The logs provide detailed information on the actions taken by your applications and can help identify the root cause of any issues that may arise.

  2. Alerting. CloudWatch Alarms can be configured to trigger notifications when certain conditions are met so that you can take action. A common scenario is an alarm for billing which triggers when your estimated account billing for a service exceeds the threshold you specify.

  3. Monitoring AWS resource usage. CloudWatch can provide a range of reports on resource utilization and performance for your AWS resources and applications. This can prove useful for optimizing performance and efficiency of your applications to reduce running costs.

  4. Automation. With CloudWatch Events (now Amazon EventBridge), you can write simple rules to indicate which events are of interest to you, and what automated actions to take when an event matches a rule. For instance, you can monitor resource changes and respond by invoking functions, making configuration changes, or capturing state information.

How AWS CloudTrail is typically used

AWS CloudTrail is typically used for a variety of purposes, including the following:

  1. Monitor user activity to ensure compliance. Since CloudTrail logs the API calls made in your AWS account, including the identity of the caller, the time of the call, the source IP address, and the request parameters, it can reliably be used to demonstrate compliance with internal policies and regulatory requirements.

  2. Perform security analysis. CloudTrail logs can be used to identify potential security issues, such as unauthorized access to resources or unusual API activity. By analyzing CloudTrail logs, security teams can identify potential threats and take appropriate action to mitigate them.

  3. Resource change tracking. CloudTrail logs provide a record of all changes made to your AWS resources, including when the changes were made and by whom. This information can be useful for tracking the history of resource changes, identifying the cause of any issues that may arise, and debugging problems.

  4. Compliance auditing. CloudTrail logs can be used to support compliance with various regulations and standards, such as PCI DSS and HIPAA. By reviewing the logs, organizations can show that their AWS usage is compliant with these requirements.
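The security analysis in item 2 above, and the notifications on specific activity (such as an IAM user being created) mentioned earlier, come down to rules evaluated over CloudTrail records. The script below is an added example for this article, not a CloudTrail feature: in AWS you would express each of these rules as a CloudWatch Logs metric filter on the log group a trail delivers to (with an alarm on the resulting metric) or as an EventBridge rule, but the matching logic is the same. The records are constructed to follow the documented CloudTrail record fields; the account ID (123456789012), the TEST-NET source IPs, and the principal names are made up, as are the rule names.

```python
"""Detection rules over CloudTrail records (added example, not CloudTrail's own)."""
from collections import Counter
from typing import Callable, Dict, List, Tuple

Record = Dict


def actor(r: Record) -> str:
    """Who: the principal ARN, falling back to the identity type."""
    ident = r.get("userIdentity", {})
    return ident.get("arn") or ident.get("type", "unknown")


def root_console_login_without_mfa(r: Record) -> bool:
    return (r.get("eventName") == "ConsoleLogin"
            and r.get("userIdentity", {}).get("type") == "Root"
            and r.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def iam_user_created(r: Record) -> bool:
    return r.get("eventSource") == "iam.amazonaws.com" and r.get("eventName") == "CreateUser"


def cloudtrail_logging_changed(r: Record) -> bool:
    """Attackers disable the audit trail before doing anything else."""
    return (r.get("eventSource") == "cloudtrail.amazonaws.com"
            and r.get("eventName") in {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"})


def security_group_open_to_world(r: Record) -> bool:
    """EC2 request parameters use the "items" wrappers seen in CloudTrail records."""
    if r.get("eventName") != "AuthorizeSecurityGroupIngress":
        return False
    perms = (r.get("requestParameters") or {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        v4 = perm.get("ipRanges", {}).get("items", [])
        v6 = perm.get("ipv6Ranges", {}).get("items", [])
        if any(x.get("cidrIp") == "0.0.0.0/0" for x in v4) or any(x.get("cidrIpv6") == "::/0" for x in v6):
            return True
    return False


RULES: List[Tuple[str, Callable[[Record], bool]]] = [
    ("root-console-login-without-mfa", root_console_login_without_mfa),
    ("iam-user-created", iam_user_created),
    ("cloudtrail-logging-changed", cloudtrail_logging_changed),
    ("security-group-open-to-world", security_group_open_to_world),
]


def scan(records: List[Record]) -> List[dict]:
    """Return one finding per (record, rule) match with the who/when/where fields an analyst needs."""
    findings = []
    for r in records:
        for name, matches in RULES:
            if matches(r):
                findings.append({"rule": name, "when": r.get("eventTime"), "who": actor(r),
                                 "from": r.get("sourceIPAddress"), "where": r.get("awsRegion")})
    return findings


def access_denied_bursts(records: List[Record], threshold: int = 3) -> Dict[str, int]:
    """Principals with `threshold` or more denied calls: enumeration with stolen keys looks like this."""
    denied = Counter(actor(r) for r in records
                     if r.get("errorCode") in ("AccessDenied", "Client.UnauthorizedOperation"))
    return {who: n for who, n in denied.items() if n >= threshold}


# Constructed sample records (shape follows CloudTrail's documented record fields).
def _rec(source: str, name: str, who: dict, time: str, **extra) -> Record:
    base = {"eventVersion": "1.08", "eventTime": time, "eventSource": source, "eventName": name,
            "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.5", "userIdentity": who}
    base.update(extra)
    return base

ROOT = {"type": "Root", "accountId": "123456789012", "arn": "arn:aws:iam::123456789012:root"}
ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice", "userName": "alice"}
BOB = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob", "userName": "bob"}
SG = {"items": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}
SG_INTERNAL = {"items": [{"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}

SAMPLE_RECORDS = [
    _rec("signin.amazonaws.com", "ConsoleLogin", ROOT, "2023-01-17T06:51:41Z",
         responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "No"}),
    _rec("iam.amazonaws.com", "CreateUser", ALICE, "2023-01-17T06:55:02Z", requestParameters={"userName": "backup-svc"}),
    _rec("cloudtrail.amazonaws.com", "StopLogging", ALICE, "2023-01-17T06:56:10Z", requestParameters={"name": "org-trail"}),
    _rec("ec2.amazonaws.com", "AuthorizeSecurityGroupIngress", ALICE, "2023-01-17T06:58:30Z",
         requestParameters={"groupId": "sg-0123456789abcdef0", "ipPermissions": SG}),
    _rec("ec2.amazonaws.com", "AuthorizeSecurityGroupIngress", ALICE, "2023-01-17T06:59:00Z",
         requestParameters={"groupId": "sg-0123456789abcdef0", "ipPermissions": SG_INTERNAL}),
] + [
    _rec("ec2.amazonaws.com", "DescribeInstances", BOB, f"2023-01-17T07:0{i}:00Z",
         errorCode="Client.UnauthorizedOperation", sourceIPAddress="198.51.100.7")
    for i in range(3)
] + [_rec("ec2.amazonaws.com", "DescribeInstances", ALICE, "2023-01-17T07:05:00Z")]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f)
    print(access_denied_bursts(SAMPLE_RECORDS))
```

Two things to keep in mind when turning these into production rules: CloudTrail records are delayed by several minutes, so `access_denied_bursts` should run over a sliding window rather than a single batch, and rules keyed on `requestParameters` need the exact nesting CloudTrail uses for that service (the EC2 `items` wrappers above), which is easiest to get right by copying a real record from Event History.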

Pricing

CloudWatch and CloudTrail both offer separate pricing models. The pricing for CloudWatch varies depending on the type of resources being monitored and the type of metrics being collected. For most metrics, there is no additional charge beyond the standard AWS usage fees for the resources being monitored. However, for custom metrics, there is a charge based on the number of metrics being collected and the frequency at which they are collected. There may also be charges for using certain features, such as creating alarms or using the CloudWatch Events service.

There is a generous "always free" plan that provides access to the features listed below. This should give you more than enough room to try out CloudWatch and determine if the paid plan is a worthwhile investment.

  • 10 custom metrics
  • 10 alarms
  • 1,000,000 API requests
  • 5GB of log data ingestion and 5GB of log data archive
  • 3 dashboards with up to 50 metrics each per month

The pricing of the paid tier depends on the region, so you should check the CloudWatch pricing page to get the most up-to-date information.

CloudTrail also provides a free tier that logs management events across AWS services and retains the history for up to 90 days. You can also access a 30-day free trial of CloudTrail Lake which has the following limits:

  • Ingest up to 5 GB of data
  • Scan up to 5 GB of data
  • Store data at no additional cost

CloudTrail's paid tier is based on the volume of events recorded. There is no charge for creating a trail, and the first copy of management events delivered to S3 in each region is free; additional copies of management events, data events, and CloudTrail Insights events are charged per 100,000 events, on top of the S3 storage and any CloudWatch Logs ingestion for the delivered data. CloudTrail Lake is priced separately on ingestion and the amount of data scanned by queries. See its pricing page for the most up-to-date information.

Final thoughts

Amazon CloudTrail and Amazon CloudWatch are two distinct services that can be used together to monitor and track the performance and availability of your AWS resources, as well as to track changes made to them.

While CloudTrail logs provide a record of API activity in your AWS account, CloudWatch provides metrics and logs for various AWS resources and applications, allowing you to monitor and optimize their performance and availability.

We hope this article has helped you uncover the differences between these two prominent Amazon services, how they work, and when to use each one. Thanks for reading, and happy monitoring!

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC-BY-NC-SA).