What is AWS Config, and how does it differ from CloudTrail?

AWS · Intermediate level

Answer

AWS Config records resource configuration history and compliance; CloudTrail records API calls. Config shows what changed and whether it is compliant, while CloudTrail shows who made the change and when.

Technical explanation

Config compliance rules detect drift and noncompliance; CloudTrail identifies the API caller behind the change.
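The split between the two services can be seen by joining them: the added example below (not part of the original page) takes a Config configuration item and finds the CloudTrail write events that touched the same resource shortly before Config captured it. The function names, the 15-minute window, matching on the resource ID inside `requestParameters`, and all sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

SG = "sg-0123456789abcdef0"  # constructed resource ID
# Constructed Config configuration item (subset of fields).
CONFIG_ITEM = {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": SG,
               "configurationItemCaptureTime": "2024-05-01T10:03:10Z"}

def ev(time, name, user, params, read_only=False):
    """Build a constructed CloudTrail record with only the fields used here."""
    return {"eventTime": time, "eventName": name, "readOnly": read_only,
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/" + user},
            "requestParameters": params}

CLOUDTRAIL_EVENTS = [
    ev("2024-05-01T09:30:00Z", "RevokeSecurityGroupIngress", "dave", {"groupId": SG}),
    ev("2024-05-01T10:01:00Z", "DescribeSecurityGroups", "alice",
       {"groupIdSet": {"items": [{"groupId": SG}]}}, read_only=True),
    ev("2024-05-01T10:02:40Z", "AuthorizeSecurityGroupIngress", "bob", {"groupId": SG}),
    ev("2024-05-01T10:02:50Z", "AuthorizeSecurityGroupIngress", "carol",
       {"groupId": "sg-0fedcba9876543210"}),
]

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def mentions(obj, needle):
    """True if needle appears as a value anywhere in a nested dict/list."""
    if isinstance(obj, dict):
        return any(mentions(v, needle) for v in obj.values())
    if isinstance(obj, list):
        return any(mentions(v, needle) for v in obj)
    return obj == needle

def attribute_change(item, events, window=timedelta(minutes=15)):
    """Config says WHAT changed; return WHO/WHEN candidates from CloudTrail."""
    captured = ts(item["configurationItemCaptureTime"])
    hits = []
    for e in events:
        age = captured - ts(e["eventTime"])
        # Skip read-only calls and anything outside the window before capture.
        if e.get("readOnly") or not timedelta(0) <= age <= window:
            continue
        if mentions(e.get("requestParameters"), item["resourceId"]):
            hits.append({"who": e["userIdentity"]["arn"],
                         "action": e["eventName"], "when": e["eventTime"]})
    return sorted(hits, key=lambda h: h["when"], reverse=True)  # newest first

if __name__ == "__main__":
    for hit in attribute_change(CONFIG_ITEM, CLOUDTRAIL_EVENTS):
        print(hit)
```

Widening the window returns more candidates, so an investigation should treat each hit as a lead to confirm against the recorded configuration diff rather than as proof of authorship.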

Observability should answer symptoms, cause, scope, and owner: metrics show trends and alerts, logs provide context, traces connect calls, and audit logs attribute changes.

Alert only on actionable conditions such as user impact, fast SLO burn, saturation, unhealthy capacity, or security-sensitive changes.

Centralize retention and access policies so operational debugging and audit investigations are possible without exposing sensitive logs unnecessarily.

Hands-on example

1. Enable the relevant telemetry source: CloudWatch metrics/logs, CloudTrail, Config, ALB logs, VPC Flow Logs, or application structured logs.

2. Create a dashboard and one actionable alarm tied to user impact or security risk.

3. Trigger a controlled change or failure and verify that the signal appears with enough context to identify owner and root cause.

4. Document the query, dashboard link, alarm routing, and runbook action.
