AWS Cloud Practitioner Study Session Ten
January 03, 2026
I am taking the AWS Cloud Practitioner Exam in approximately one day and want to ensure I am prepared. This series will serve as non-exhaustive note-taking for the information that I am internalizing as I go.
ChatGPT Summary
Monitoring, Auditing, and Governance on AWS
Exam-Focused Summary with Tips & Memory Aids
For the AWS Cloud Practitioner exam, monitoring and governance questions often test service differentiation:
“Which service monitors performance?” vs “Which audits API calls?” vs “Which proves compliance?”
This section ties those together.
Monitoring vs Auditing vs Governance (Big Picture)
| Category | Goal | Key Services |
|---|---|---|
| Monitoring | Observe performance & health | CloudWatch, AWS Health |
| Auditing | Record & review actions | CloudTrail, AWS Config |
| Compliance Evidence | Prove compliance | AWS Artifact, Audit Manager |
| Governance | Control & scale accounts | Organizations, Control Tower |
| Optimization | Improve cost & security | Trusted Advisor |
🧠 Memory Tip
Watch → Trail → Prove → Govern → Optimize
Amazon CloudWatch (Monitoring)
Amazon CloudWatch monitors AWS resources and applications in real time.
Core Components
- Metrics – Performance data (CPU, memory, latency, etc.)
- Alarms – Trigger actions or notifications when thresholds are crossed
- Dashboards – Visual monitoring views
- Logs – Centralized logs from apps, systems, AWS services
Key Capabilities
- Monitor AWS and on-prem resources
- Trigger Auto Scaling (e.g., add EC2 instances when CPU is high)
🧠 Memory Tip
CloudWatch watches performance
Amazon CloudTrail (Auditing & API Logging)
Amazon CloudTrail records who did what, when, and from where in your AWS account.
What CloudTrail Captures
- API calls
- Console actions
- SDK / CLI activity
CloudTrail Components
- Event History
  - Last 90 days
  - Searchable, downloadable
  - Management events only
- CloudTrail Logs
  - Delivered to Amazon S3
  - Long-term retention
  - Used for compliance (HIPAA, PCI, etc.)
- CloudTrail Insights
  - Detects unusual API activity
  - Flags abnormal call volumes or error rates
🧠 Memory Tip
CloudTrail = Audit trail
CloudWatch vs CloudTrail (Very Common Exam Comparison)
| Feature | CloudWatch | CloudTrail |
|---|---|---|
| Purpose | Monitoring | Auditing |
| Focus | Performance & health | API activity |
| Typical Question | “CPU is high” | “Who deleted this?” |
🧠 Rule of Thumb
If it’s about performance → CloudWatch
If it’s about actions → CloudTrail
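The “Who deleted this?” question above is exactly what CloudTrail records answer. This is an added example (not from the original notes or from AWS): it reads constructed sample records shaped like a real CloudTrail log file, extracts who / when / from where for a given API call, and counts AccessDenied errors per caller as a simple stand-in for the error-rate deviations CloudTrail Insights flags.

```python
"""Answer "Who deleted this?" from CloudTrail log records.

Added example, not part of the original notes. The records are constructed
samples shaped like real CloudTrail events (a log file delivered to S3 is a
JSON object with a "Records" list); field names are CloudTrail's, the
users, times and IPs are made up.
"""
import json
from collections import Counter

SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2026-01-03T10:00:01Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2026-01-03T10:05:42Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2026-01-03T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
    {"eventTime": "2026-01-03T10:06:03Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "sourceIPAddress": "198.51.100.7",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}},
]})


def who_did(log_json, event_name):
    """Return (eventTime, actor, sourceIPAddress) for every record whose
    eventName matches: the who / when / from-where that CloudTrail records."""
    hits = []
    for rec in json.loads(log_json)["Records"]:
        if rec.get("eventName") != event_name:
            continue
        ident = rec.get("userIdentity", {})
        # IAM users carry userName; assumed roles and root expose arn/type instead.
        actor = ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")
        hits.append((rec["eventTime"], actor, rec.get("sourceIPAddress")))
    return hits


def access_denied_by_actor(log_json):
    """Count AccessDenied errors per actor. A rise in a caller's error rate is
    the kind of deviation CloudTrail Insights raises an insight event for; this
    counter only stands in for that analysis, it is not the Insights algorithm."""
    counts = Counter()
    for rec in json.loads(log_json)["Records"]:
        if rec.get("errorCode") == "AccessDenied":
            counts[rec.get("userIdentity", {}).get("userName", "unknown")] += 1
    return dict(counts)
```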
AWS Artifact (Compliance Evidence)
AWS Artifact provides on-demand access to AWS compliance documentation.
Two Main Sections
- Artifact Agreements
  - Review & accept compliance agreements (e.g., HIPAA)
- Artifact Reports
  - Third-party audit reports
  - SOC, ISO, PCI, etc.
🧠 Memory Tip
Artifact = Proof folder
AWS Compliance / Customer Compliance Center
- Compliance whitepapers
- FAQs
- Industry-specific guidance
- Customer compliance stories
🧠 Exam Clue
- “Where do I find compliance documentation?”
→ AWS Compliance / Artifact
AWS Config (Configuration Auditing)
AWS Config continuously records and evaluates resource configurations.
What It Does
- Tracks configuration changes
- Compares resources against desired state
- Helps with:
  - Security audits
  - Change management
  - Troubleshooting
🧠 Memory Tip
Config checks configurations
AWS Audit Manager (Automated Audits)
AWS Audit Manager automates evidence collection for audits.
Key Benefits
- Automatic evidence gathering
- Centralized audit data
- Read-only evidence integrity
🧠 Memory Tip
Audit Manager = Audit automation
AWS Organizations (Multi-Account Governance)
AWS Organizations lets you centrally manage multiple AWS accounts.
Core Features
- Centralized billing
- Account creation
- Policy management
Service Control Policies (SCPs)
- Define maximum permissions
- Apply to:
  - Individual accounts
  - Organizational Units (OUs)
🧠 Memory Tip
SCPs set guardrails, not permissions
Governance at Scale
AWS Control Tower
- Automated multi-account setup
- Built-in governance controls
- Uses best practices by default
Landing Zone
- Secure, well-architected multi-account environment
- Foundation for enterprise governance
🧠 Memory Tip
Control Tower = Account factory + rules
AWS Service Catalog
- Curated list of approved AWS resources
- Enforces standard configurations
- Used to deploy consistent environments
🧠 Memory Tip
Service Catalog = Approved menu
AWS License Manager
- Tracks and manages software licenses
- Reduces license compliance risk
- Supports Microsoft License Mobility
🧠 Memory Tip
License Manager manages licenses
AWS Health
AWS Health Dashboard
- Account-specific service health events
- Proactive notifications
- API access for automation
🧠 Memory Tip
AWS Health = What AWS is doing to you
Trusted Advisor (Best Practices Checker)
Trusted Advisor continuously evaluates your AWS environment.
Categories Checked
- Cost optimization
- Security
- Performance
- Fault tolerance
- Service limits
🧠 Memory Tip
Trusted Advisor gives advice
IAM Access Analyzer
- Identifies external access
- Analyzes IAM policies
- Helps enforce least privilege
Use Cases
- Detect unused permissions
- Find overly broad access
- Validate security standards
🧠 Memory Tip
Access Analyzer = Who can access what
Exam Power Summary Table
| Scenario | Correct Service |
|---|---|
| Monitor CPU or memory | CloudWatch |
| Track API calls | CloudTrail |
| Compliance reports | AWS Artifact |
| Config drift detection | AWS Config |
| Automated audits | Audit Manager |
| Multi-account governance | Organizations |
| Account setup at scale | Control Tower |
| Best practice checks | Trusted Advisor |
| License tracking | License Manager |
| External access review | IAM Access Analyzer |
Final Exam Tip
If the question says:
- “Monitor” → CloudWatch
- “Audit / API calls” → CloudTrail
- “Compliance proof” → Artifact / Audit Manager
- “Multiple accounts” → Organizations / Control Tower
Study materials:
- Free Code Camp Preparation
- AWS Certified Solutions Architect Practice Tests
- AWS Cloud Practitioner Essentials
- AWS Documentation
- What is Cloud Computing?
- Shared Responsibility Model
- Regions and Availability Zones
- Containers on AWS
- Amazon Elastic Container Registry
- Amazon Elastic Container Service
- Amazon Elastic Kubernetes Service
- AWS Fargate
- AWS Elastic Beanstalk
- AWS Batch
- What is Amazon Lightsail?
- What is AWS Outposts?
- Choosing a modern application strategy
- AWS Global Infrastructure
- AWS for the Edge
- AWS CloudFormation
- Amazon Virtual Private Cloud
- Subnet
- Internet gateway
- Virtual private gateway
- AWS Client VPN
- AWS Site-to-Site VPN
- AWS PrivateLink
- AWS Direct Connect
- Network Access Control List (network ACL)
- Security groups
- Domain Name System (DNS)
- Amazon Route 53
- Amazon CloudFront
- AWS Global Accelerator
- Amazon Transit Gateway
- NAT Gateway
- API Gateway
- Amazon EC2 Instance Store User Guide
- Amazon Elastic Block Store (Amazon EBS)
- Amazon Elastic Block Store (Amazon EBS) FAQ
- Amazon EBS Snapshots User Guide
- Amazon Data Lifecycle Manager User Guide
- Amazon Simple Storage Service (Amazon S3)
- Amazon Simple Storage Service (Amazon S3) FAQ
- Amazon S3 Storage Classes
- Amazon S3 Versioning User Guide
- Amazon S3 Buckets User Guide
- Amazon Elastic File System (Amazon EFS)
- Amazon Elastic File System (Amazon EFS) FAQ
- Amazon FSx
- Amazon FSx for Windows File Server
- Amazon FSx for NetApp ONTAP
- Amazon FSx for OpenZFS
- Amazon FSx for Lustre
- AWS Storage Gateway
- Amazon S3 File Gateway
- Tape Gateway
- Volume Gateway
- Amazon Relational Database Service (Amazon RDS)
- Amazon RDS Security
- Amazon Aurora
- AWS Database Migration Service (AWS DMS)
- Amazon DynamoDB
- Amazon ElastiCache
- Amazon DocumentDB
- Amazon Backup
- Amazon Neptune
- What Is a Relational Database?
- What Is a NoSQL Database?
- What Is an In-Memory Caching Service?
- AWS Shared Responsibility Model
- Amazon Comprehend
- Amazon Polly
- Amazon Transcribe
- Amazon Translate
- Amazon Kendra
- Amazon Rekognition
- Amazon Textract
- Amazon Lex
- Amazon Personalize
- Amazon SageMaker AI
- Amazon SageMaker JumpStart
- Amazon Bedrock
- Amazon Q Business
- Amazon Q Developer
- Amazon Kinesis Data Streams
- Amazon Data Firehose
- Amazon S3
- Amazon Redshift
- AWS Glue Data Catalog
- AWS Glue
- Amazon EMR
- Amazon Athena
- Amazon QuickSight
- Amazon OpenSearch Service
- AWS Identity and Access Management (IAM)
- AWS IAM Identity Center
- AWS Secrets Manager
- AWS Systems Manager
- AWS Shield
- AWS WAF
- AWS Key Management Service (AWS KMS)
- Amazon Macie
- AWS Certificate Manager (ACM)
- Amazon Inspector
- Amazon GuardDuty
- Amazon Detective
- AWS Security Hub
- Amazon CloudWatch
- AWS CloudTrail
- AWS Artifact
- AWS Config
- AWS Audit Manager
- AWS Organizations
- AWS Control Tower
- AWS Service Catalog
- AWS License Manager
- AWS Trusted Advisor
- AWS Health
- AWS Identity and Access Management Access Analyzer
- ChatGPT
Raw Input Notes:
- Amazon CloudWatch: Monitors AWS resources and the applications that you run on AWS in real time.
  - Metrics - From resources, apps, services, on AWS and on-prem
  - Alarms - Can define thresholds on metrics, send notifications or make changes to resources.
  - Dashboards - Customizable home pages in the CloudWatch console for monitoring resources.
  - Logs - From all systems, applications and AWS services.
  - Can automate additional EC2 instances being deployed when utilization passes a threshold.
- Amazon CloudTrail: Audit logs of AWS API calls, on-prem, and other cloud providers.
  - Benefits: CloudTrail provides auditing, security monitoring, and operational troubleshooting. Also helps prove compliance and improve security posture.
  - Use Cases: Can be used for compliance and auditing, identifying security incidents, and troubleshooting operational issues.
CloudTrail Events: Capture details about actions performed within an AWS account (API calls, console actions, etc.)
- Event history provides a viewable, searchable, downloadable, immutable record of the past 90 days of management events in an AWS Region.
CloudTrail logs: Monitors events and delivers those events as log files to an Amazon S3 bucket. Can be used to prove compliance with regulators such as PCI, HIPAA.
CloudTrail Insights: Analyzes normal patterns of API call volume and API error rates, and generates insight events when API call volumes / error rates deviate from normal patterns. Can be enabled to detect anomalous behavior or unusual activity.
AWS Artifact
- Provides no-cost, on-demand access to AWS security and compliance reports and select online agreements.
  - Benefits: Helps you manage at scale, save time with on-demand access to compliance reports, and deploy with more confidence.
  - Use Cases: Managing select online agreements, assessing third-party security / compliance
AWS Artifact Agreements: Can review, accept, and manage agreements for an individual account or all accounts.
- Different agreements are offered to address different specific regulations, like HIPAA.
AWS Artifact Reports: Provide compliance reports from third-party auditors. Remain up to date with the latest reports released.
AWS Compliance: Can read customer compliance stories to discover how companies in regulated industries use AWS
- Can access compliance whitepapers and documentation on compliance FAQ, overview, auditing security checklist. (Seemingly also referred to as “Customer Compliance Center”)
AWS Config: Assess, audit, evaluate configurations of AWS resources
- Benefits: Helps evaluate configurations against a desired state, manage resource config changes, simplify troubleshooting and remediation.
- Use Cases: Can be used to continually audit for security monitoring and analysis, and streamline operational troubleshooting / change management.
AWS Audit Manager: Continually audits AWS usage to simplify risk and compliance assessment. Helps collect evidence and manage audit data.
- Benefits: Audit Manager saves time with automated evidence collection, streamlines collaboration across teams, helps ensure integrity of audits with read-only permissions.
- Use Case: Can be used to automate evidence collection, continually audit to assess compliance, deploy internal risk assessments.
AWS Organizations: Helps centrally manage and govern your environment as you grow / scale. Helps manage policies for groups of accounts and automate account creation.
- Benefits: Simplifies permission management through SCPs and helps manage and optimize costs across AWS accounts and resources.
Service Control Policies (SCPs) can apply to individual member accounts, or an organizational unit (OU)
Governance in the AWS Cloud
- AWS Control Tower: Can use to enforce and manage governance rules for security, ops, compliance at scale across orgs and accounts.
  - Benefits: Can help you save time while providing governance. Uses pre-configured controls, helps quickly set up a multi-account environment, automation with built-in governance, integration of 3rd party software at scale.
  - Use Cases: Quickly deploy applications and provision compliant AWS accounts.
AWS Control Tower Landing Zone: Well-architected multi-account environment that is based on security / compliance best practices. Enterprise-wide container holding OUs, accounts, users, resources.
- Service Catalog: Can use it to create, share, and organize a curated, user-defined catalog of AWS services and resources.
  - Can deploy baseline networking resources and security tools for new AWS accounts so they can be governed consistently.
- AWS License Manager: Helps manage software licenses and fine-tune licensing costs.
  - Benefits: License Manager helps with visibility / control, tracking and managing licenses, reducing risk of noncompliance with licenses.
  - Use Cases: Use to streamline license management and simplify the Microsoft License Mobility through Software Assurance experience. Can also use it to automate distribution and activation of software entitlements across AWS accounts for end users.
AWS Health:
- AWS Health Dashboard: Can view account-specific health info and get AWS Health event updates. Can programmatically use the AWS Health API.
  - Benefits: Gives timely and actionable guidance to remedy issues, helps manage service health, integrated and automated to use at scale.
  - Use Cases: Account-specific health information. Can use it to plan for lifecycle events or troubleshoot an incident.
Continuously Evaluating AWS Environment:
- Trusted Advisor: Can continuously evaluate your AWS environment by using best practice checks across several categories.
  - Benefits: Helps align with AWS best practices, prioritize recommendations, optimize AWS resources at scale.
  - Use Cases: Can be used to optimize cost, efficiency, security, improve performance, track service limits.
IAM Access Analyzer:
- Provides capabilities to set, verify, and refine permissions by analyzing external access and validating that your policies match corporate security standards.
- Benefits: Provides benefits like refining permissions, validating IAM policies, helping meet least privilege goals, automating IAM policy reviews.
- Use Cases: Can be used to set fine-grained permissions, verify who can access what, remediate unused access, refine and remove broad access.