AWS SAA-C03 Drill: Compliance Monitoring - The Service Role Confusion Trap

Jeff Taakey, Author
21+ Year Enterprise Architect | Multi-Cloud Architect & Strategist.
Jeff's Architecture Insights
Go beyond static exam dumps. Jeff’s Insights is engineered to cultivate the mindset of a Production-Ready Architect. We move past ‘correct answers’ to dissect the strategic trade-offs and multi-cloud patterns required to balance reliability, security, and TCO in mission-critical environments.

While preparing for the AWS SAA-C03, many candidates confuse AWS Config with CloudTrail. In the real world, this is fundamentally a decision about ‘What Changed’ vs. ‘Who Changed It’. Let’s drill into a simulated scenario.

The Scenario

TechVault Financial Services operates a multi-tier loan processing application on AWS. Due to regulatory requirements from financial authorities (SOC 2, PCI-DSS compliance), the company must maintain a comprehensive audit trail that captures:

  1. Configuration state changes of all AWS resources (e.g., when a security group rule was modified, or an S3 bucket policy changed)
  2. API call history showing who made each change, from which IP address, and at what time

The compliance team needs to answer questions like:

  • “What was the state of our RDS instance configuration on January 15th?”
  • “Who deleted the production S3 bucket last week?”

Key Requirements

Implement a cost-effective, native AWS solution that satisfies both compliance requirements with minimal operational overhead.

The Options

  • A) Use AWS CloudTrail to track configuration changes, and use AWS Config to record API calls.
  • B) Use AWS Config to track configuration changes, and use AWS CloudTrail to record API calls.
  • C) Use AWS Config to track configuration changes, and use Amazon CloudWatch to record API calls.
  • D) Use AWS CloudTrail to track configuration changes, and use Amazon CloudWatch to record API calls.

Correct Answer

Option B.


The Architect’s Analysis

Correct Answer

Option B – Use AWS Config to track configuration changes, and use AWS CloudTrail to record API calls.

Step-by-Step Winning Logic

This solution correctly maps service capabilities to compliance requirements:

AWS Config is purpose-built for:

  • Configuration tracking: Continuously records resource configurations (what settings existed at any point in time)
  • Compliance as Code: Evaluates resources against Config Rules (e.g., “Are all S3 buckets encrypted?”)
  • Change timeline: Provides a configuration history timeline for audits
  • Example use case: “Show me all security group changes in the last 90 days”

AWS CloudTrail is purpose-built for:

  • API call logging: Records every API action (CreateBucket, ModifyDBInstance, etc.)
  • Identity attribution: Captures WHO (IAM user/role), WHEN (timestamp), and WHERE (source IP)
  • Event history: Searchable log of all control plane activities
  • Example use case: “Who terminated the EC2 instance at 2 AM last Tuesday?”

Together, they form the compliance duo:

  • Config answers: “What changed?”
  • CloudTrail answers: “Who changed it and how?”
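The “compliance duo” meets in the data itself: a Config configuration item carries a `relatedEvents` list of CloudTrail event IDs, which is how “what changed” gets joined to “who changed it”. The following is an added example (not the article’s code): it diffs two Config snapshots of a security group and resolves the newer snapshot’s `relatedEvents` to the CloudTrail record behind it. All records are constructed sample data shaped like Config and CloudTrail JSON; the world-open check and the choice of fields surfaced to the auditor are this example’s own.

```python
"""Join Config history (WHAT changed) to CloudTrail (WHO changed it). Added example."""
from __future__ import annotations

from typing import Any, Optional, Tuple

Rule = Tuple[Optional[str], Optional[int], Optional[int], Optional[str]]

# Constructed sample data: two consecutive Config snapshots of one security group
# and the CloudTrail record referenced by the second snapshot's relatedEvents.
BASE_RULE = {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": [{"cidrIp": "10.0.0.0/8"}]}
SSH_RULE = {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}
EVENT_ID = "b1d2c3e4-0000-4000-8000-constructed01"

CONFIG_HISTORY = [
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0123456789abcdef0",
     "awsRegion": "us-east-1", "configurationItemStatus": "ResourceDiscovered",
     "configurationItemCaptureTime": "2024-01-15T01:58:12.000Z", "relatedEvents": [],
     "configuration": {"groupName": "loan-app-web", "ipPermissions": [BASE_RULE]}},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0123456789abcdef0",
     "awsRegion": "us-east-1", "configurationItemStatus": "OK",
     "configurationItemCaptureTime": "2024-01-16T02:07:44.000Z", "relatedEvents": [EVENT_ID],
     "configuration": {"groupName": "loan-app-web", "ipPermissions": [BASE_RULE, SSH_RULE]}},
]

CLOUDTRAIL_RECORDS = [
    {"eventVersion": "1.08", "eventID": EVENT_ID, "eventTime": "2024-01-16T02:07:31Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.42",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/DevOpsRole/jdoe"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0"}},
]


def rule_set(configuration: dict[str, Any]) -> set[Rule]:
    """Flatten ipPermissions into hashable (protocol, from, to, cidr) tuples."""
    rules: set[Rule] = set()
    for perm in configuration.get("ipPermissions", []):
        for rng in perm.get("ipRanges", []):
            rules.add((perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort"), rng.get("cidrIp")))
    return rules


def diff_snapshots(older: dict[str, Any], newer: dict[str, Any]) -> dict[str, list[Rule]]:
    """WHAT changed: ingress rules added or removed between two snapshots."""
    before, after = rule_set(older["configuration"]), rule_set(newer["configuration"])
    return {"added": sorted(after - before, key=repr), "removed": sorted(before - after, key=repr)}


def attribute(ci: dict[str, Any], records: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """WHO changed it: resolve the item's relatedEvents to CloudTrail records."""
    by_id = {r["eventID"]: r for r in records}
    actors = []
    for event_id in ci.get("relatedEvents", []):
        rec = by_id.get(event_id)
        if rec is None:  # trail gap: keep the ID so the auditor can chase it
            actors.append({"eventID": event_id, "actor": None, "note": "no CloudTrail record"})
            continue
        actors.append({"eventID": event_id, "eventName": rec["eventName"], "eventTime": rec["eventTime"],
                       "actor": rec["userIdentity"].get("arn"), "sourceIP": rec.get("sourceIPAddress")})
    return actors


def audit_timeline(history: list[dict[str, Any]], records: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Pair each configuration change with the CloudTrail identities behind it."""
    ordered = sorted(history, key=lambda ci: ci["configurationItemCaptureTime"])
    findings = []
    for older, newer in zip(ordered, ordered[1:]):
        change = diff_snapshots(older, newer)
        if not (change["added"] or change["removed"]):
            continue
        findings.append({"resourceId": newer["resourceId"], "captureTime": newer["configurationItemCaptureTime"],
                         "what": change,
                         # Rules opened to the whole internet are the ones an auditor asks about first.
                         "worldOpen": [r for r in change["added"] if r[3] in ("0.0.0.0/0", "::/0")],
                         "who": attribute(newer, records)})
    return findings


if __name__ == "__main__":
    for f in audit_timeline(CONFIG_HISTORY, CLOUDTRAIL_RECORDS):
        print(f["resourceId"], "changed at", f["captureTime"])
        print("  what:", f["what"], "world-open:", f["worldOpen"])
        for w in f["who"]:
            print("  who :", w.get("actor"), w.get("eventName"), w.get("eventTime"), w.get("sourceIP"))
```

Note that neither side alone answers both questions: the CloudTrail record says an ingress rule was authorized by `DevOpsRole/jdoe` but not what the group looked like afterwards, and the Config snapshot shows the new 0.0.0.0/0 rule but not who requested it. A `relatedEvents` ID with no matching CloudTrail record is reported rather than dropped, since a gap in the trail is itself an audit finding.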

The Traps (Distractor Analysis)

Why not Option A?

  • Reverses the service roles: CloudTrail does NOT track configuration state changes—it only logs API calls. You cannot use CloudTrail to see “what the security group rules were 30 days ago.”
  • Config cannot record API calls: Config focuses on resource configuration snapshots, not the granular API activity log with caller identity.
  • This is the most common mistake (chosen by ~40% of candidates who memorize services without understanding function).

Why not Option C?

  • CloudWatch is not an audit log: CloudWatch Logs can store CloudTrail logs, but it doesn’t natively capture API calls with identity metadata.
  • CloudWatch is for metrics and operational monitoring (CPU usage, disk I/O), not compliance auditing.
  • Missing the “who made the change” requirement.

Why not Option D?

  • Double mistake: Both services are misapplied.
  • CloudTrail cannot track configuration history, and CloudWatch cannot provide API call attribution.
  • Fails both compliance requirements.

The Architect Blueprint

```mermaid
graph TD
    User([IAM User/Role]) -->|API Call: ModifySecurityGroup| CT[AWS CloudTrail]
    User -->|Changes Resource| Resource[EC2 Security Group]
    Resource -->|Configuration Snapshot| Config[AWS Config]
    CT -->|Logs stored in| S3_CT[S3 Bucket - CloudTrail Logs]
    Config -->|Configuration history| S3_Config[S3 Bucket - Config Snapshots]
    S3_CT -->|Query with| Athena[Amazon Athena]
    S3_Config -->|Compliance Dashboard| ConfigDash[AWS Config Dashboard]
    ConfigDash -->|Answer: What changed?| Auditor([Compliance Team])
    Athena -->|Answer: Who changed it?| Auditor
    style CT fill:#FF9900,stroke:#232F3E,color:#fff
    style Config fill:#FF9900,stroke:#232F3E,color:#fff
    style Auditor fill:#3F8624,stroke:#232F3E,color:#fff
```

Diagram Note: CloudTrail captures the API call event with identity context, while Config records the resulting configuration state—both feed into S3 for long-term audit retention and analysis.

Real-World Practitioner Insight

Exam Rule

“For the exam, always pick AWS Config for configuration tracking and CloudTrail for API call logging when you see compliance/audit requirements.”

Real World

In reality, we would likely implement additional layers:

  • CloudTrail Insights for anomaly detection (e.g., unusual API call patterns indicating compromise)
  • AWS Security Hub to aggregate Config compliance findings with other security alerts
  • Athena queries on CloudTrail logs for advanced forensic analysis (saved as named queries)
  • Config Aggregator for multi-account/multi-region compliance dashboards in Organizations
  • Lifecycle policies to transition CloudTrail/Config S3 logs to Glacier after 90 days (reducing storage costs by ~70%)

Cost optimization note: For a 100-resource environment with moderate change frequency:

  • Config: ~$300/month (100 resources × $0.003 × ~30,000 configuration items)
  • CloudTrail: Free for management events (first copy), ~$50/month for S3 storage
  • Total: ~$350/month vs. the $0 cost of “doing nothing” (which fails audits and risks non-compliance fines in the thousands).
