
Based on the AWS docs, it seems Config tells you about configuration changes made, but not who actually made them. Is that true? If so, how do we find who made the change? CloudTrail?

Can I simply use CloudTrail on its own, without using Config, since it has What/When/Who? Or is Config + CloudTrail the optimal combo?

Sam-T
  • I just want to note that Sam was asking whether you can see who made the change to a configuration item inside Config, not whether you can see who made a change to Config itself, which is what @helloV was answering. Config will only track the what and the when; to get the who, you need to look at CloudTrail. Your summary of hello's answer is correct about the who. You can also get the when and the what in CloudTrail; however, to see what was actually changed within the configuration item, you need Config for that. – Loaf Jun 04 '18 at 20:15

1 Answer


Yes. CloudTrail records the changes made to AWS Config, including who made the change.

From: AWS Config Information in CloudTrail

Every log entry contains information about who generated the request. The user identity information in the log helps you determine whether the request was made with root or IAM user credentials, with temporary security credentials for a role or federated user, or by another AWS service. For more information, see the userIdentity field in the CloudTrail Event Reference.

helloV
  • Thanks. Somehow the docs don't exactly mention that. So do I have to use Config + CloudTrail to get the complete picture: what, who, when? If Config gives me all of it (including the S3 push), then I don't need CloudTrail. – Sam-T Nov 12 '17 at 04:10
  • There is no service in AWS that can give you a complete picture of API activity. You have to rely on CloudTrail for that. – helloV Nov 12 '17 at 05:39
  • After some research I found 'AWS CloudTrail event ID' in Config, so this is how you would map the two and get the caller? – Sam-T Nov 12 '17 at 06:19
  • Yes. The page I have linked in my answer has enough examples to answer your original question once you have the `event ID`. – helloV Nov 12 '17 at 06:22
  • To summarize, would it be fair to say Config only has What and When, and to get the Who I need to correlate with CloudTrail? But on the other hand CloudTrail has all three, and if I choose to, I can use only CloudTrail and ignore Config. I understand what Config offers, but if I need both anyway, go with CloudTrail only, at least for some specific use cases. – Sam-T Nov 12 '17 at 20:36
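The correlation the thread arrives at, as an added worked example that is not part of the original question or answer: a Config configuration item carries CloudTrail event IDs in its `relatedEvents` field, and those IDs join to the `eventID` of CloudTrail records, whose `userIdentity` block names the caller. The configuration item, the CloudTrail records, the account ID, resource IDs, event IDs, IP addresses and principal names below are all constructed for illustration; the field names follow the AWS Config configuration-item and CloudTrail record formats. One related event is deliberately missing from the trail slice so the lag/wrong-trail case is handled rather than silently dropped.

```python
"""Join an AWS Config configuration item to CloudTrail to recover the caller.

Config gives the what and the when; CloudTrail gives the who. The join key is
configurationItem.relatedEvents -> cloudtrail.Records[].eventID.
All data here is constructed sample data, not output from a real account.
"""
import json
from typing import Dict, List, Tuple

# Constructed: one configuration item, shaped like the output of
# `aws configservice get-resource-config-history` (fields trimmed).
CONFIG_ITEM = json.loads("""
{
  "accountId": "123456789012",
  "resourceType": "AWS::EC2::SecurityGroup",
  "resourceId": "sg-0123456789abcdef0",
  "configurationItemCaptureTime": "2017-11-12T04:02:11.000Z",
  "configurationItemStatus": "OK",
  "relatedEvents": ["9e1c2c4a-5b2f-4a6d-8a3e-1f2d3c4b5a60",
                    "0a7b3d2e-1c9f-4e8a-b7d6-5c4b3a2f1e00"],
  "configuration": {"groupId": "sg-0123456789abcdef0",
    "ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                       "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]}
}""")

# Constructed: the Records array of one delivered CloudTrail log file.
# Record 1 matches a relatedEvents ID; record 2 is unrelated noise; the
# second relatedEvents ID is absent on purpose (delivery lag / other trail).
CLOUDTRAIL_RECORDS = json.loads("""
{"Records": [
  {"eventID": "9e1c2c4a-5b2f-4a6d-8a3e-1f2d3c4b5a60",
   "eventTime": "2017-11-12T03:58:41Z",
   "eventSource": "ec2.amazonaws.com",
   "eventName": "AuthorizeSecurityGroupIngress",
   "awsRegion": "us-east-1",
   "sourceIPAddress": "203.0.113.10",
   "userIdentity": {
     "type": "AssumedRole",
     "principalId": "AROAEXAMPLEID:alice",
     "arn": "arn:aws:sts::123456789012:assumed-role/NetworkAdmin/alice",
     "accountId": "123456789012",
     "sessionContext": {"sessionIssuer": {"type": "Role",
       "userName": "NetworkAdmin",
       "arn": "arn:aws:iam::123456789012:role/NetworkAdmin"}}},
   "requestParameters": {"groupId": "sg-0123456789abcdef0"}},
  {"eventID": "ffffffff-0000-4000-8000-000000000001",
   "eventTime": "2017-11-12T03:40:00Z",
   "eventSource": "s3.amazonaws.com",
   "eventName": "PutObject",
   "awsRegion": "us-east-1",
   "sourceIPAddress": "config.amazonaws.com",
   "userIdentity": {"type": "AWSService", "invokedBy": "config.amazonaws.com"}}
]}""")["Records"]


def describe_identity(ident: Dict) -> str:
    """Render a CloudTrail userIdentity block as a short 'who' string, covering
    the principal types the CloudTrail userIdentity reference lists."""
    kind = ident.get("type", "Unknown")
    if kind == "Root":
        return f"root of account {ident.get('accountId')}"
    if kind == "IAMUser":
        return f"IAM user {ident.get('userName')} ({ident.get('arn')})"
    if kind == "AssumedRole":
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
        # principalId is "<role-id>:<session-name>"; the session name is the
        # human or pipeline that assumed the role, which is the useful "who".
        session = ident.get("principalId", ":").split(":", 1)[-1]
        return f"role {issuer.get('userName')} assumed as session '{session}'"
    if kind == "FederatedUser":
        return f"federated user {ident.get('arn')}"
    if kind == "AWSService":
        return f"AWS service {ident.get('invokedBy')}"
    return f"{kind} principal {ident.get('arn') or ident.get('principalId')}"


def correlate(config_item: Dict, records: List[Dict]) -> Tuple[List[Dict], List[str]]:
    """Return (matches, unresolved). Each match is a what/when/who row for one
    related event found in `records`; unresolved lists relatedEvents IDs that
    are not in this trail slice, so the gap is reported instead of ignored."""
    by_id = {r["eventID"]: r for r in records}
    matches, unresolved = [], []
    for event_id in config_item.get("relatedEvents", []):
        rec = by_id.get(event_id)
        if rec is None:
            unresolved.append(event_id)
            continue
        matches.append({
            "resource": f"{config_item['resourceType']} {config_item['resourceId']}",
            "what": rec["eventName"],
            "when": rec["eventTime"],
            "who": describe_identity(rec["userIdentity"]),
            "source_ip": rec.get("sourceIPAddress"),
            "event_id": event_id,
        })
    return matches, unresolved


if __name__ == "__main__":
    found, missing = correlate(CONFIG_ITEM, CLOUDTRAIL_RECORDS)
    for row in found:
        print(json.dumps(row, indent=2))
    if missing:
        print("relatedEvents not found in this trail slice:", missing)
```

In practice the `records` list comes from the CloudTrail log files delivered to S3 (or from `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventId,AttributeValue=<id>` for recent events), and the configuration item from `aws configservice get-resource-config-history`. Note that the "what" from CloudTrail is the API call name and its request parameters; the resulting resource state (the security group's full `ipPermissions` after the change) only exists in the Config item, which is why the two services complement rather than replace each other.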