What is the difference between CloudWatch Logs and CloudTrail?
AWS · Intermediate level
Answer
CloudWatch Logs stores application and service log events; CloudTrail records AWS API activity. Logs explain workload behavior, while CloudTrail explains who changed what in the AWS control plane.
Technical explanation
Security investigations often correlate CloudTrail API calls with CloudWatch application logs and VPC Flow Logs.
Observability should answer symptoms, cause, scope, and owner: metrics show trends and alerts, logs provide context, traces connect calls, and audit logs attribute changes.
Alert only on actionable conditions such as user impact, fast SLO burn, saturation, unhealthy capacity, or security-sensitive changes.
Centralize retention and access policies so operational debugging and audit investigations are possible without exposing sensitive logs unnecessarily.
Hands-on example
1. Enable the relevant telemetry source: CloudWatch metrics/logs, CloudTrail, Config, ALB logs, VPC Flow Logs, or application structured logs.
2. Create a dashboard and one actionable alarm tied to user impact or security risk.
3. Trigger a controlled change or failure and verify that the signal appears with enough context to identify owner and root cause.
4. Document the query, dashboard link, alarm routing, and runbook action.
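The correlation described under "Technical explanation", and the verification in step 3, can be sketched offline. This is an added example, not part of the original answer. The records, ARNs, IP addresses, watchlist, and five-minute window are all constructed assumptions; only the field names follow the CloudTrail record and CloudWatch Logs event formats.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail records (real field names, made-up values).
CLOUDTRAIL = json.loads("""{"Records": [
 {"eventTime": "2024-05-01T10:00:05Z", "eventName": "RevokeSecurityGroupIngress",
  "sourceIPAddress": "203.0.113.10", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"}},
 {"eventTime": "2024-05-01T10:30:00Z", "eventName": "PutBucketPolicy",
  "sourceIPAddress": "203.0.113.10", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-deploy"}},
 {"eventTime": "2024-05-01T09:00:00Z", "eventName": "DescribeInstances",
  "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"}}
]}""")["Records"]

# Constructed CloudWatch Logs events; "timestamp" is epoch milliseconds (UTC).
APP_LOGS = [
    {"timestamp": 1714557590000, "message": "INFO request ok path=/checkout"},
    {"timestamp": 1714557620000, "message": "ERROR upstream db timeout path=/checkout"},
    {"timestamp": 1714557650000, "message": "ERROR upstream db timeout path=/cart"},
    {"timestamp": 1714561200000, "message": "INFO request ok path=/cart"},
]

# Assumed watchlist of security-sensitive control-plane changes to attribute.
WATCHLIST = {"RevokeSecurityGroupIngress", "AuthorizeSecurityGroupIngress", "PutBucketPolicy"}

def ct_time_ms(event_time):
    """Convert a CloudTrail eventTime (ISO 8601, UTC) to epoch milliseconds."""
    dt = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)

def correlate(trail, logs, window=timedelta(minutes=5), needle="ERROR"):
    """For each watched change, list matching log lines in the window after it."""
    findings = []
    for rec in trail:
        if rec["eventName"] not in WATCHLIST:
            continue  # read-only or unwatched calls are not attributed here
        start = ct_time_ms(rec["eventTime"])
        end = start + int(window.total_seconds() * 1000)
        hits = [e["message"] for e in logs
                if start <= e["timestamp"] <= end and needle in e["message"]]
        findings.append({"who": rec["userIdentity"]["arn"], "what": rec["eventName"],
                         "when": rec["eventTime"], "source_ip": rec["sourceIPAddress"],
                         "errors_after": hits})
    return sorted(findings, key=lambda f: f["when"])

if __name__ == "__main__":
    for finding in correlate(CLOUDTRAIL, APP_LOGS):
        print(finding)
```

CloudTrail supplies the "who" and "what" of each finding, while the application log lines supply the workload symptom that followed the change.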