
Chapter 7 of 10

Management, Monitoring, and Automation in AWS

Discover how AWS helps you keep an eye on resources, manage configurations, and automate deployments, so you can confidently answer questions about operating and governing workloads in the cloud.


Big Picture: Operating Workloads with AWS Management Tools

From What to How

Earlier modules covered what you run on AWS (compute, storage, databases, networking). This module is about how you operate and govern those resources day to day.

Three Big Ideas

We group tools into: 1) Management and governance (organization, security, compliance), 2) Monitoring and logging (seeing what is happening), 3) Automation and IaC (repeatable deployments).

Key Service Names

You will meet CloudTrail, CloudWatch, AWS Config, Systems Manager, CloudFormation, Organizations, Control Tower. For CLF-C02, focus on their purpose and when to use which.

Observe, Govern, Automate

Think in three verbs: Observe (CloudWatch, CloudTrail), Govern (Organizations, Control Tower, Config, Budgets), Automate (CloudFormation, Systems Manager, CodePipeline).

AWS Management and Governance: Organizing at Scale

AWS Organizations

AWS Organizations lets you manage many AWS accounts together. Use Organizational Units to group accounts and Service Control Policies to set maximum permissions across them.

AWS Control Tower

AWS Control Tower sits on top of Organizations and gives you a pre-built, secure multi-account setup with guardrails and a landing zone for new accounts.

Access Management at Scale

IAM controls permissions inside one account. IAM Identity Center centrally manages user access to multiple accounts and roles from a single place.

Cost Governance

AWS Budgets lets you set alerts for spending or usage. AWS Cost Explorer helps you visualize and analyze historical costs by service, tag, or account.

Exam Mapping

Remember: Organizations = multi-account guardrails; Control Tower = landing zone; IAM/Identity Center = access; Budgets/Cost Explorer = cost visibility and alerts.

Example: Designing a Simple Governance Setup

Scenario Setup

A company has dev, test, and prod. They want one bill, freedom in dev, and strict controls in prod. How do AWS management tools help?

Step 1: Organizations and OUs

Create an AWS Organization with one management account. Add accounts to OUs: `Dev-OU`, `Test-OU`, `Prod-OU` for environment-based governance.

Step 2: SCPs for Guardrails

Attach SCPs: Dev-OU allows most services; Prod-OU blocks risky actions like disabling CloudTrail or turning off encryption on S3 buckets.

Step 3: Control Tower

Use AWS Control Tower to quickly set up a landing zone, with log archive and security accounts and prebuilt guardrails for compliance.

Step 4–5: Access and Cost

Use IAM Identity Center for central access across accounts. Use AWS Budgets and Cost Explorer to set budgets and analyze spend by environment tags.
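The Prod-OU guardrail from Step 2 can be made concrete as a Service Control Policy. The following is an added example, not code from the course page: it holds two constructed SCP documents (the default FullAWSAccess policy AWS attaches, and a Prod-OU guardrail that denies disabling CloudTrail and changing S3 bucket encryption) and a small evaluator that models how SCPs cap permissions. The action names are real IAM action identifiers; the evaluator is a simplification that ignores Resource and Condition elements and treats the OU path as a flat list of policies.

```python
import fnmatch

# Added example, not from the course page: a minimal model of how Service
# Control Policies bound permissions. The policy documents are constructed;
# the action names are real IAM action identifiers.

# AWS attaches this SCP by default. It allows everything, so Deny statements
# in other SCPs are what actually lower the permission ceiling.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed guardrail SCP for Prod-OU. s3:PutEncryptionConfiguration is the
# action behind both PutBucketEncryption and DeleteBucketEncryption, so a real
# deployment would usually scope it with conditions rather than deny it outright.
PROD_GUARDRAILS = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyDisablingCloudTrail",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail",
            ],
            "Resource": "*",
        },
        {
            "Sid": "DenyChangingS3Encryption",
            "Effect": "Deny",
            "Action": "s3:PutEncryptionConfiguration",
            "Resource": "*",
        },
    ],
}

# The SCPs that apply to an account are all SCPs along its OU path.
DEV_OU_SCPS = [FULL_AWS_ACCESS]
PROD_OU_SCPS = [FULL_AWS_ACCESS, PROD_GUARDRAILS]


def _matches(pattern, action):
    # IAM action names match case-insensitively; '*' is a wildcard.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _actions(statement):
    acts = statement.get("Action", [])
    return [acts] if isinstance(acts, str) else list(acts)


def scp_permits(scps, action):
    """True if the SCPs leave `action` available in the account.

    Simplified SCP semantics: an explicit Deny in any SCP wins; otherwise at
    least one SCP must Allow the action. Resource and Condition are ignored.
    """
    allowed = False
    for policy in scps:
        for stmt in policy["Statement"]:
            if any(_matches(p, action) for p in _actions(stmt)):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


def effective_permission(iam_allows, scps, action):
    """SCPs never grant anything: the caller still needs an IAM Allow."""
    return iam_allows and scp_permits(scps, action)


if __name__ == "__main__":
    actions = ["cloudtrail:StopLogging", "s3:PutEncryptionConfiguration", "ec2:RunInstances"]
    for ou, scps in (("Dev-OU", DEV_OU_SCPS), ("Prod-OU", PROD_OU_SCPS)):
        for act in actions:
            verdict = "permitted" if scp_permits(scps, act) else "blocked by SCP"
            print(f"{ou:8} {act:32} {verdict}")
```

Running it shows the point the scenario makes: the same action is permitted in Dev-OU and blocked in Prod-OU, and even in Dev-OU an identity with no IAM Allow still gets nothing, because SCPs only set the maximum.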

Monitoring and Logging: CloudWatch, CloudTrail, and Friends

CloudWatch Overview

Amazon CloudWatch monitors performance and health. It handles metrics, logs, alarms, and dashboards for AWS services and your applications.

CloudWatch Details

Use CloudWatch metrics for numbers like CPU, logs for app output, alarms to trigger alerts or actions, and dashboards to visualize system health.

CloudTrail Overview

AWS CloudTrail records API calls and console actions. It answers "who did what, when, and from where" in your AWS accounts.

AWS Config Overview

AWS Config tracks configurations of resources over time and checks them against rules, supporting compliance and change tracking.

Putting It Together

CloudWatch = performance now. CloudTrail = account activity history. AWS Config = configuration history and compliance. Together they provide full visibility.
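To see what "who did what, when, and from where" looks like in practice, here is an added example (not code from the course page) that searches a CloudTrail log file for sensitive events. `SAMPLE_LOG` is a constructed log file: the record layout follows the CloudTrail event format, while the account id, ARNs, user names, trail name and IP addresses are placeholders.

```python
import json
from datetime import datetime, timezone

# Added example, not from the course page. SAMPLE_LOG is a constructed
# CloudTrail log file; account id, ARNs, names and IPs are placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {
        "eventTime": "2024-05-20T08:12:01Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::111122223333:user/alice"},
        "sourceIPAddress": "203.0.113.10",
        "awsRegion": "us-east-1",
    },
    {
        "eventTime": "2024-05-20T14:45:33Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "DeleteBucket",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/AdminRole/bob"},
        "sourceIPAddress": "198.51.100.7",
        "awsRegion": "us-east-1",
        "requestParameters": {"bucketName": "finance-reports-archive"},
    },
    {
        "eventTime": "2024-05-21T09:02:10Z",
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "userIdentity": {"type": "IAMUser", "userName": "carol",
                         "arn": "arn:aws:iam::111122223333:user/carol"},
        "sourceIPAddress": "192.0.2.55",
        "awsRegion": "us-east-1",
        "requestParameters": {"name": "org-trail"},
    },
]})

# Events an operations or security team wants to see immediately.
SENSITIVE_EVENTS = {"DeleteBucket", "StopLogging", "DeleteTrail"}


def load_records(text):
    return json.loads(text)["Records"]


def _when(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _actor(record):
    ident = record.get("userIdentity", {})
    # IAM users carry userName; assumed-role sessions carry only the ARN,
    # whose last path element is the session name.
    return ident.get("userName") or ident.get("arn", "unknown").rsplit("/", 1)[-1]


def _target(record):
    params = record.get("requestParameters") or {}
    return params.get("bucketName") or params.get("name")


def find_events(records, event_names, since=None, until=None):
    """Answer 'who did what, when, from where' for the given event names,
    optionally limited to a window of timezone-aware datetimes."""
    hits = []
    for rec in records:
        if rec.get("eventName") not in event_names:
            continue
        when = _when(rec)
        if since and when < since:
            continue
        if until and when >= until:
            continue
        hits.append({
            "time": when.isoformat(),
            "event": rec["eventName"],
            "actor": _actor(rec),
            "ip": rec.get("sourceIPAddress"),
            "target": _target(rec),
            "region": rec.get("awsRegion"),
        })
    return sorted(hits, key=lambda h: h["time"])


if __name__ == "__main__":
    for hit in find_events(load_records(SAMPLE_LOG), SENSITIVE_EVENTS):
        print(hit)
```

The same question asked against real data would be a lookup in CloudTrail event history or a query over the trail's log files; the fields used here (`eventName`, `userIdentity`, `sourceIPAddress`, `requestParameters`) are the ones you would filter on there too.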

Thought Exercise: Choose the Right Monitoring Tool

Match each situation to the best primary AWS service. Think before checking the hints.

  1. You want an alarm if an EC2 instance's CPU stays above 90% for 10 minutes.
     • Which service? Why?
  2. You need to know who deleted an S3 bucket yesterday and from which IP address.
     • Which service? Why?
  3. Your security team wants to ensure that no security group allows inbound SSH (port 22) from 0.0.0.0/0.
     • Which service? Why?
  4. You want to view logs from your Lambda function in near real time to debug an error.
     • Which service? Why?

Suggested answers (hide, then compare):

  1. Amazon CloudWatch – use a CloudWatch metric (CPUUtilization) and a CloudWatch alarm.
  2. AWS CloudTrail – check the CloudTrail event history or query CloudTrail logs to see who called `DeleteBucket`.
  3. AWS Config – create or use a managed Config rule that checks security group rules for SSH from 0.0.0.0/0.
  4. Amazon CloudWatch Logs – Lambda automatically writes logs to CloudWatch Logs log groups that you can stream and search.
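Situation 3 is a good place to see what a Config rule actually evaluates. The block below is an added example, not code from the course page: it reimplements the decision logic of a rule that flags any security group allowing SSH from the whole internet, including the edge cases that a naive "port 22 and 0.0.0.0/0" string match misses (an all-traffic rule, an IPv6 `::/0` range, a port range that spans 22). The security groups are constructed and use the `IpPermissions` shape of the EC2 DescribeSecurityGroups API; the result strings mirror Config's `COMPLIANT` / `NON_COMPLIANT` compliance types. AWS Config also ships a managed rule for this check (`restricted-ssh`), which is what you would use in practice.

```python
import ipaddress

# Added example, not from the course page. The security groups are
# constructed and use the EC2 DescribeSecurityGroups IpPermissions shape.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "bastion-internal",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "bastion-public",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "allow-everything-v6",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [],
                        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0a1b2c3d4e5f60004", "GroupName": "web",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60005", "GroupName": "legacy-wide-range",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

SSH_PORT = 22


def _covers_ssh(perm):
    """Does this inbound rule include TCP/22? '-1' means all protocols and
    ports, and a TCP port range that spans 22 counts as well."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    lo = perm.get("FromPort", 0)
    hi = perm.get("ToPort", 65535)
    return lo <= SSH_PORT <= hi


def _open_to_world(perm):
    """A /0 prefix, IPv4 or IPv6, means every address on the internet."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)


def evaluate_security_group(sg):
    """Decision logic of a custom Config rule: NON_COMPLIANT when any inbound
    rule lets the whole internet reach SSH, COMPLIANT otherwise."""
    for perm in sg.get("IpPermissions", []):
        if _covers_ssh(perm) and _open_to_world(perm):
            return "NON_COMPLIANT"
    return "COMPLIANT"


def evaluate_all(groups):
    """Map GroupId -> compliance type, like a rule's evaluation results."""
    return {g["GroupId"]: evaluate_security_group(g) for g in groups}


if __name__ == "__main__":
    for gid, result in evaluate_all(SAMPLE_GROUPS).items():
        print(f"{gid} {result}")
```

Note that the HTTPS group stays compliant: the rule is about SSH exposure, not about public ingress in general, which is why Config rules are written per control rather than as one catch-all.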

Automation and Infrastructure as Code (IaC) in AWS

Why Automation and IaC

Automation and Infrastructure as Code (IaC) reduce manual clicks. You define infrastructure in templates or code, gaining consistency, speed, and version control.

CloudFormation Basics

AWS CloudFormation uses JSON/YAML templates to create, update, and delete AWS resources as a single unit called a stack, handling dependencies for you.

AWS CDK Concept

The AWS CDK lets you define infrastructure using languages like TypeScript or Python. It generates CloudFormation templates behind the scenes.

Systems Manager and Beanstalk

AWS Systems Manager automates operational tasks on instances. AWS Elastic Beanstalk deploys applications while hiding much of the infrastructure detail.

CI/CD Tools

CodePipeline, CodeBuild, and CodeDeploy form AWS's CI/CD toolset, automating the build, test, and deployment steps for your applications.

Code Example: A Tiny CloudFormation Template

This simple example shows what infrastructure as code looks like with CloudFormation. You do not need to memorize syntax for CLF-C02, but recognizing the pattern helps.

The template below creates:

  • One S3 bucket with versioning enabled.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Simple example - S3 bucket with versioning
Resources:
  MyVersionedBucket:
    Type: AWS::S3::Bucket
    Properties:
      VersioningConfiguration:
        Status: Enabled
      Tags:
        - Key: Environment
          Value: dev
```

Key ideas to notice

  1. Declarative style: You describe the desired end state ("I want a bucket with versioning"), not the step-by-step API calls.
  2. Resources section: Each resource has a logical name (`MyVersionedBucket`), a type (`AWS::S3::Bucket`), and properties.
  3. Repeatability: You can deploy this template in multiple accounts or regions and get the same setup.

In practice, you would deploy this via the CloudFormation console, the AWS CLI, or from a CI/CD pipeline.
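One reason to deploy from a pipeline is that the template can be checked before it ever reaches CloudFormation. The block below is an added example, not code from the course page or from AWS: it restates the page's YAML template as the equivalent CloudFormation JSON (so it runs with only the standard library), adds a constructed non-compliant template, and implements a small pre-deploy gate that rejects any `AWS::S3::Bucket` whose versioning is not `Enabled` or that lacks the `Environment` tag. The required-tag set and the rule names are assumptions made for the example.

```python
import json

# Added example, not from the course page. COMPLIANT_TEMPLATE is the page's
# YAML template restated as CloudFormation JSON; NONCOMPLIANT_TEMPLATE is a
# constructed variant that should be rejected.
COMPLIANT_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Simple example - S3 bucket with versioning",
    "Resources": {
        "MyVersionedBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "VersioningConfiguration": {"Status": "Enabled"},
                "Tags": [{"Key": "Environment", "Value": "dev"}],
            },
        }
    },
})

NONCOMPLIANT_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "ScratchBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "Queue": {"Type": "AWS::SQS::Queue", "Properties": {}},
    },
})

# Organization-wide expectation enforced before a stack is created (assumed).
REQUIRED_TAGS = {"Environment"}


def check_template(text):
    """Return a list of findings; an empty list means the template may deploy.

    Rules: every AWS::S3::Bucket must have versioning Enabled and carry the
    required tags. Other resource types are not inspected here.
    """
    template = json.loads(text)
    findings = []
    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::S3::Bucket":
            continue
        props = resource.get("Properties") or {}
        status = (props.get("VersioningConfiguration") or {}).get("Status")
        if status != "Enabled":
            findings.append(f"{name}: VersioningConfiguration.Status is not Enabled")
        present = {t.get("Key") for t in props.get("Tags", [])}
        missing = sorted(REQUIRED_TAGS - present)
        if missing:
            findings.append(f"{name}: missing required tags {missing}")
    return findings


def gate(text):
    """Pipeline step: True only when the template has no findings."""
    return not check_template(text)


if __name__ == "__main__":
    for label, tpl in (("compliant", COMPLIANT_TEMPLATE), ("non-compliant", NONCOMPLIANT_TEMPLATE)):
        print(label, "->", "deploy" if gate(tpl) else "stop")
        for finding in check_template(tpl):
            print("   ", finding)
```

The gate is deliberately declarative in the same sense as the template: it inspects the desired end state in the file, so a bucket that would be created without versioning is caught before any API call is made, rather than found later by AWS Config.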

Quick Check: Pick the Right Service

Test your understanding of which AWS management, monitoring, or automation service fits a scenario best.

Your security team needs a detailed record of who changed an IAM policy last week, including the time and source IP. Which AWS service is the primary place to look?

  A) Amazon CloudWatch
  B) AWS CloudTrail
  C) AWS Config
  D) AWS Systems Manager

Answer: B) AWS CloudTrail

**AWS CloudTrail** records API calls and console actions, including IAM policy changes, with timestamps and source IPs. CloudWatch focuses on performance metrics and logs, AWS Config tracks resource configurations and compliance, and Systems Manager automates operational tasks.

Review Key Terms

Flip through these flashcards to reinforce the most important concepts for CLF-C02.

Amazon CloudWatch
AWS monitoring service for metrics, logs, alarms, and dashboards. Used to track performance and operational health of resources and applications.
AWS CloudTrail
Service that records API calls and console actions in your AWS account. Used for auditing, security investigations, and compliance.
AWS Config
Service that records configuration changes to supported AWS resources and evaluates them against compliance rules.
AWS Organizations
Service for centrally managing and governing multiple AWS accounts using Organizational Units and Service Control Policies.
AWS Control Tower
Service that helps you set up and govern a secure, multi-account AWS environment (landing zone) with built-in guardrails.
Infrastructure as Code (IaC)
Practice of defining and managing infrastructure using machine-readable templates or code instead of manual console configuration.
AWS CloudFormation
Core AWS IaC service that uses JSON/YAML templates to create, update, and delete resources as stacks.
AWS Systems Manager
Service for operational management of resources, including running commands, patching, parameter storage, and automation workflows.
AWS Budgets
Cost management service that lets you set custom budgets for cost or usage and receive alerts when thresholds are exceeded.
AWS IAM Identity Center
Successor to AWS SSO. Central service to manage workforce access to multiple AWS accounts and applications.

Key Terms

AWS Config
Service that records configuration changes of AWS resources and evaluates them against compliance rules.
AWS Budgets
Service that lets you set custom cost and usage budgets and receive alerts when thresholds are reached.
AWS CloudTrail
Service that records AWS API calls and console actions for auditing, security, and compliance.
AWS Control Tower
Service to set up and govern a secure, multi-account AWS environment (landing zone) with built-in guardrails.
AWS Organizations
Service to centrally manage multiple AWS accounts using Organizational Units and Service Control Policies.
Amazon CloudWatch
AWS monitoring service providing metrics, logs, alarms, and dashboards to track performance and operational health.
AWS CloudFormation
AWS service that uses JSON/YAML templates to create, update, and delete groups of resources called stacks.
AWS Systems Manager
Service for operational management and automation across AWS resources, including patching, run commands, and parameter storage.
AWS IAM Identity Center
AWS service (successor to AWS SSO) that centrally manages workforce access to multiple AWS accounts and applications.
Infrastructure as Code (IaC)
Approach where infrastructure is defined and managed using code or templates, enabling automation and repeatability.
