AWS has an expanding list of functions and features designed to make its public cloud more manageable. AWS Config Rules, AWS CloudTrail and Amazon Inspector are three related services that can help administrators get a handle on monitoring AWS security and resource configurations.

AWS CloudTrail is an audit log of the API calls made within an AWS account, together with the metadata of each call: the identity that made it, the source IP address, the service called, the time, and the affected resource IDs. Management (control-plane) events are recorded by default; data-plane events such as S3 object reads or Lambda invocations must be enabled explicitly, so an account that has not turned them on has no record of object-level access.

From a security perspective, AWS CloudTrail is a "must-have," according to Matthew Fuller, creator of CloudSploit, an open source AWS security scanning tool, and of the New York security company of the same name. The service is especially necessary for monitoring AWS accounts with multiple users. "If there is ever a security incident, CloudTrail provides a historical log that can be analyzed to determine exactly what led to the intrusion, what actions the malicious user took and what resources were affected," Fuller said.
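The investigation Fuller describes is, in practice, a pass over the trail's JSON records looking for a handful of event types and then a per-principal timeline. The following is an added example (not code from the article or from CloudSploit) that does both over a constructed, abridged CloudTrail log; the account ID, user names, IP addresses and the list of "high-risk" calls are assumptions for illustration.

```python
"""Triage a CloudTrail log file: flag high-risk events and rebuild what one
principal did. Added example (not from the article or CloudSploit); the
records are constructed in the documented CloudTrail JSON layout, abridged."""
import json

ACCOUNT = "111111111111"  # constructed account ID
ALICE = {"type": "IAMUser", "accountId": ACCOUNT, "userName": "alice",
         "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"}
ROOT = {"type": "Root", "accountId": ACCOUNT, "arn": f"arn:aws:iam::{ACCOUNT}:root"}

def _rec(time, source, name, ident, ip, **extra):
    """Build one constructed CloudTrail record (helper for the sample data only)."""
    return {"eventVersion": "1.08", "eventTime": time, "eventSource": source,
            "eventName": name, "awsRegion": "us-east-1", "sourceIPAddress": ip,
            "userIdentity": ident, **extra}

# Constructed sample log: a failed then successful console login, after which the
# intruder disables the trail and creates a persistence user; root used elsewhere.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2024-05-01T10:00:00Z", "signin.amazonaws.com", "ConsoleLogin", ALICE,
         "203.0.113.7", responseElements={"ConsoleLogin": "Failure"},
         errorMessage="Failed authentication"),
    _rec("2024-05-01T10:01:30Z", "signin.amazonaws.com", "ConsoleLogin", ALICE,
         "203.0.113.7", responseElements={"ConsoleLogin": "Success"}),
    _rec("2024-05-01T10:05:12Z", "cloudtrail.amazonaws.com", "StopLogging", ALICE,
         "203.0.113.7", requestParameters={"name": "main-trail"}),
    _rec("2024-05-01T10:06:40Z", "iam.amazonaws.com", "CreateUser", ALICE,
         "203.0.113.7", requestParameters={"userName": "backup-svc"}),
    _rec("2024-05-01T11:00:00Z", "ec2.amazonaws.com", "DescribeInstances", ROOT,
         "198.51.100.20"),
]})

# Mutating calls an intruder uses to blind defenders or persist (assumed list;
# extend to taste).
HIGH_RISK = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
    "iam.amazonaws.com": {"CreateUser", "CreateAccessKey", "AttachUserPolicy",
                          "PutUserPolicy", "CreateLoginProfile"},
}

def load_records(text):
    """Parse a CloudTrail log file body (the top-level object has a Records list)."""
    return json.loads(text)["Records"]

def principal(rec):
    """Identify the caller: ARN when present, else principalId."""
    ident = rec.get("userIdentity") or {}
    return ident.get("arn") or ident.get("principalId", "unknown")

def resource_of(rec):
    """Best-effort resource name from requestParameters; the key varies per service."""
    params = rec.get("requestParameters") or {}
    for key in ("name", "userName", "bucketName", "groupId", "instanceId"):
        if key in params:
            return params[key]
    return None

def triage(records, trusted_ips=frozenset()):
    """Return (eventTime, finding, principal) tuples for suspicious events, in time order.
    If trusted_ips is given, any call from an address outside it is also flagged."""
    findings = []
    for rec in records:
        who, ts, name = principal(rec), rec["eventTime"], rec.get("eventName")
        if (rec.get("userIdentity") or {}).get("type") == "Root":
            findings.append((ts, "root account API use", who))
        if name == "ConsoleLogin" and (rec.get("responseElements") or {}).get("ConsoleLogin") == "Failure":
            findings.append((ts, "failed console login", who))
        if name in HIGH_RISK.get(rec.get("eventSource"), ()):
            findings.append((ts, f"high-risk call {name} on {resource_of(rec)}", who))
        if trusted_ips and rec.get("sourceIPAddress") not in trusted_ips:
            findings.append((ts, f"call from untrusted IP {rec.get('sourceIPAddress')}", who))
    return sorted(findings, key=lambda f: f[0])

def timeline(records, arn):
    """Chronological (eventTime, eventName, resource) for one principal: what they did."""
    return sorted(((r["eventTime"], r.get("eventName"), resource_of(r))
                   for r in records if principal(r) == arn), key=lambda e: e[0])

if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for finding in triage(recs, trusted_ips=frozenset({"203.0.113.7"})):
        print("FINDING", *finding)
    for step in timeline(recs, ALICE["arn"]):
        print("TIMELINE", *step)
```

Real trails arrive as gzipped files in an S3 bucket, one object per delivery; the same `load_records` works on each decompressed body. The `StopLogging` finding is the one to alert on synchronously: once a trail is stopped there is no record of what follows, so it belongs in a near-real-time rule rather than in after-the-fact triage.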

AWS Config differs from AWS CloudTrail in that it records the configuration state of every resource type it is enabled for, as a history of snapshots, allowing AWS users to see how a specific piece of the infrastructure changed over time. AWS Config also records the relationships between resources (an instance and its security groups, for example), which helps teams judge what a planned change will affect. AWS Config integrates with AWS Lambda, allowing IT teams to run custom code in response to a change in resource state.

AWS Config Rules is a feature of AWS Config that lets an admin define the specific states in which resources are allowed to be; each rule is evaluated when a resource changes, on a schedule, or both. "If the resource fails to remain in that state -- a likely security risk -- a Lambda function can execute," Fuller added.
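A custom Config rule is just such a Lambda function: Config hands it the recorded configuration item, and the function reports back COMPLIANT or NON_COMPLIANT. The following added example (not code from the article or from AWS) implements the classic case, a security group that allows SSH from the whole Internet. The event shape (`invokingEvent`, `ruleParameters`, `resultToken`) and the `put_evaluations` call are those of the custom-rule interface; the handling of both string and dict CIDR entries in `ipPermissions` is an assumption based on recorded configuration items, and the sample item is constructed.

```python
"""Custom AWS Config rule (Lambda handler) that marks a security group
NON_COMPLIANT when it allows tcp/22 (or other configured ports) from the whole
Internet. Added example, not from the original article or from AWS."""
import json

DEFAULT_PORTS = {22}                 # overridable with the rule parameter "ports"
WORLD = {"0.0.0.0/0", "::/0"}         # "anywhere" CIDRs for IPv4 and IPv6

def _cidrs(perm):
    """Collect CIDRs from one ipPermissions entry. Recorded items carry ipRanges
    as plain strings and ipv4Ranges/ipv6Ranges as {cidrIp}/{cidrIpv6} dicts;
    tolerate both (assumption about the recorded layout)."""
    out = set()
    for key in ("ipRanges", "ipv4Ranges", "ipv6Ranges"):
        for entry in perm.get(key) or []:
            out.add(entry if isinstance(entry, str)
                    else entry.get("cidrIp") or entry.get("cidrIpv6"))
    out.discard(None)
    return out

def _port_open(perm, port):
    """True if this permission admits TCP traffic to `port` (or all traffic)."""
    proto = perm.get("ipProtocol")
    if proto == "-1":                 # all protocols, all ports
        return True
    if proto != "tcp":
        return False
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    return lo is not None and hi is not None and lo <= port <= hi

def evaluate(config_item, ports=DEFAULT_PORTS):
    """Return (ComplianceType, Annotation) for one configuration item."""
    if config_item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceNotRecorded"):
        return "NOT_APPLICABLE", "Resource deleted or not recorded"
    if config_item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "Rule only evaluates security groups"
    offenders = []
    for perm in (config_item.get("configuration") or {}).get("ipPermissions") or []:
        world = _cidrs(perm) & WORLD
        for port in sorted(ports):
            if world and _port_open(perm, port):
                offenders.append(f"tcp/{port} from {','.join(sorted(world))}")
    if offenders:
        return "NON_COMPLIANT", "World-open ingress: " + "; ".join(offenders)
    return "COMPLIANT", "No world-open ingress on monitored ports"

def lambda_handler(event, context):
    """Entry point invoked by AWS Config for a change-triggered custom rule."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    ports = {int(p) for p in str(params.get("ports", "22")).split(",")}
    item = invoking["configurationItem"]
    compliance, note = evaluate(item, ports)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],     # Config limits annotations to 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    import boto3                      # imported here so evaluate() runs offline in tests
    boto3.client("config").put_evaluations(Evaluations=[evaluation],
                                           ResultToken=event["resultToken"])
    return evaluation

# Constructed configuration item for a local dry run (not a real AWS resource).
SAMPLE_ITEM = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-05-01T10:05:00.000Z",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
         "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
         "ipRanges": ["0.0.0.0/0"], "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
    ]},
}

if __name__ == "__main__":
    print(evaluate(SAMPLE_ITEM))
```

The remediation step the article alludes to (revoking the offending rule) is deliberately kept out of the evaluation function: a rule that both judges and mutates is hard to audit, so the usual pattern is to let this function only report, and attach a separate remediation action to the NON_COMPLIANT result.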

While AWS CloudTrail simply provides logs, AWS Config is a "more advanced concept," said Zubin Irani, CEO of cPrime, a Foster City, Calif. company focused on agile training. AWS Config tracks the configuration and change history of resources within the infrastructure, and Config Rules evaluate those recorded states against policy. "CloudTrail's purpose is to keep records and react on who did what, and Config is about what resources changed and how they looked," Irani said. In other words, both services help with monitoring AWS, but CloudTrail is user-action centric and Config is resource-centric; an investigation usually needs both, with CloudTrail answering who made a change and Config showing what the resource looked like before and after it.

Amazon Inspector assesses Elastic Compute Cloud instances, using an agent installed on each instance, for compliance violations and security risks at the server level, such as installed packages with known CVEs or deviations from hardening benchmarks. Inspector aggregates its findings by severity into an assessment report that shows whether the assessed instances are compliant. "Inspector is like a profiling tool that can examine the infrastructure and provide recommendations on how to improve security," Irani said.