3.2.2.8. Configuring AWS X-Ray for Different Services (Containers, API Gateway, Lambda)

3.2.2.8. Comparative Table: Monitoring Tools

Tool	Primary Purpose	Data Source	Query Capability	Cost Model
CloudWatch Metrics	Time-series monitoring & alarms	AWS services, custom metrics	Metric math, anomaly detection	Per-metric, per-alarm
CloudWatch Logs	Log aggregation & search	Applications, AWS services	Logs Insights (SQL-like)	Per-GB ingested + stored
CloudWatch Synthetics	Proactive endpoint monitoring	Canary scripts you define	Pass/fail + screenshots	Per-canary run
AWS X-Ray	Distributed tracing	Instrumented applications	Service map, trace analysis	Per-trace recorded
CloudTrail	API audit logging	All AWS API calls	Athena, CloudTrail Lake	Per-event (data events)
AWS Config	Configuration compliance	Resource configurations	Config queries (SQL)	Per-rule evaluation
Amazon Inspector	Vulnerability scanning	EC2, ECR, Lambda	Findings API, Security Hub	Per-scan
Security Hub	Security finding aggregation	GuardDuty, Inspector, Config	Findings dashboard	Per-finding
Amazon GuardDuty	Threat detection	CloudTrail, VPC Flow, DNS	Findings API	Per-GB analyzed

Selection guide for exam scenarios:

"Track API calls for security" → CloudTrail
"Monitor application performance" → CloudWatch Metrics + X-Ray
"Detect unusual API patterns" → CloudTrail Insights or GuardDuty
"Check resource compliance" → AWS Config
"Find vulnerabilities in containers" → Amazon Inspector
"Aggregate all security findings" → Security Hub

Exam Trap: GuardDuty and CloudTrail Insights both detect unusual API activity — but they serve different purposes. GuardDuty uses ML to detect threats (compromised credentials, cryptocurrency mining, data exfiltration). CloudTrail Insights detects anomalous call volumes (sudden spike in DeleteBucket calls). For security threats, GuardDuty is the answer. For operational anomalies, CloudTrail Insights is the answer.

Written byAlvin Varughese•Founder•15 professional certifications