Commonly Confused Services on SOA-C03

Deciding signal

CloudWatch collects operational metrics (CPU, memory, error rates), ingests logs, triggers alarms, and drives dashboards — it answers "how is this resource performing right now?" CloudTrail records every API call: who made it, when, from where, and what changed — it answers "who did what to this account?" Config continuously evaluates resource configurations against defined rules and maintains a configuration history — it answers "is this resource configured correctly and has it always been?" When a scenario asks about detecting configuration drift or proving that an S3 bucket was always encrypted, Config. When it asks about API-level activity for a specific user or role, CloudTrail.

Deciding signal

Systems Manager is AWS-native operations tooling: Run Command for ad-hoc script execution, Patch Manager for automated patching, Session Manager for browser-based shell access, Parameter Store for config, and Automation for runbook-based workflows. It requires no additional agents beyond the SSM Agent and integrates directly with IAM. OpsWorks manages Chef and Puppet environments. OpsWorks Stacks lets you define application layers and run Chef recipes; OpsWorks for Chef Automate and Puppet Enterprise are fully managed versions of those platforms. When a scenario describes using Chef recipes or Puppet manifests for configuration management, OpsWorks. When the scenario describes patching, run command, session access, or AWS-native automation, Systems Manager.

Deciding signal

Inspector scans EC2 instances and container images for software vulnerabilities and unintended network exposure. It runs assessments on a schedule or event-driven basis and produces findings with CVE details. GuardDuty continuously analyzes CloudTrail, VPC Flow Logs, and DNS logs for behavioral anomalies and known threat indicators — it detects threats but does not scan for vulnerabilities. Security Hub is an aggregation layer: it collects findings from Inspector, GuardDuty, Macie, and other services, normalizes them, and runs CIS and PCI benchmark checks. Security Hub does not detect threats itself. When the scenario asks "which service detected that an EC2 instance has an unpatched vulnerability," Inspector. When it asks "which service detected unusual API call patterns," GuardDuty. When it asks "which service gives a single view of findings across security services," Security Hub.

Deciding signal

IAM policies grant permissions to identities — users, roles, groups — within an account. They define what a principal can do. Service Control Policies (SCPs) are applied to AWS Organizations OUs or accounts and define the maximum available permissions — they do not grant anything on their own. If an SCP denies an action, no IAM policy in that account can permit it, even for the root user. SCPs are account-level guardrails. When a scenario asks "how do you prevent any user in a member account from disabling CloudTrail," SCPs. When it asks "how do you allow an EC2 instance to access S3," IAM policies.

Deciding signal

Trusted Advisor runs periodic, account-wide advisory checks across five categories: cost, performance, security, fault tolerance, and service limits. It flags issues like security groups open to the world or underutilized resources. The checks are static and run on AWS-defined schedules. Config Rules continuously evaluate resource configurations in near real-time as resources change. You define rules (or use AWS managed rules) that check specific properties — encryption, public access settings, tag compliance — and Config generates findings each time a resource changes. When the scenario requires continuous, event-driven compliance evaluation of specific resource properties, Config Rules. When it describes a periodic review of broad account health and best practices, Trusted Advisor.

Deciding signal

Native snapshots (EBS snapshots, RDS automated backups, DynamoDB on-demand backups) are managed per-service with their own retention policies and scheduling interfaces. AWS Backup is a centralized service that creates backup plans with unified retention schedules, lifecycle rules, and cross-region and cross-account copy capabilities across EBS, RDS, DynamoDB, EFS, FSx, and other services. When the scenario describes managing backups for multiple services from a single location, enforcing organizational backup policies, or copying backups cross-account for compliance, AWS Backup. When the scenario involves a single service and no cross-service policy requirement, native snapshots are a valid simpler answer.

Deciding signal

CloudFormation is an IaC service: you write templates describing infrastructure and CloudFormation provisions it. It requires the user to have IAM permissions to create the resources in the template. Service Catalog lets administrators define approved products (backed by CloudFormation templates) and publish them so that end users can provision them through a self-service catalog — without needing direct IAM permissions for the underlying resources. Service Catalog assumes an IAM role during provisioning, so users get approved products without broader IAM access. When the scenario describes enabling developers to provision pre-approved infrastructure without direct IAM access to the underlying services, Service Catalog.

Deciding signal

Parameter Store stores strings, string lists, and secure strings (encrypted via KMS). Standard parameters are free. It does not rotate values automatically. Secrets Manager is built for credentials that need lifecycle management: it integrates natively with RDS, Redshift, and DocumentDB to rotate passwords automatically on a schedule, and supports custom rotation Lambda for other services. It has a per-secret monthly cost. When the scenario involves a database password that must be rotated automatically, Secrets Manager. When the scenario involves storing API keys, environment configuration, or secrets that do not require rotation, Parameter Store is the more cost-effective answer.

Deciding signal

Lifecycle Hooks pause an Auto Scaling instance in a pending or terminating state so that custom logic can complete before the instance enters service or is terminated — for example, draining connections, installing software, or running configuration checks before an instance is considered healthy. EventBridge can receive Auto Scaling events (like instance launch or termination notifications) after the fact, but it does not pause the scaling action. When the scenario requires the instance to wait in a pending state while an action completes, Lifecycle Hooks. When the scenario requires reacting to an event after it occurs, EventBridge is the right mechanism.

Deciding signal

CloudWatch Logs Insights is a query engine built directly into CloudWatch Logs. It uses a custom query language, requires no data movement, and is the right answer when the logs are already in CloudWatch and the requirement is interactive ad-hoc queries on recent log data. Athena queries data stored in S3 using standard SQL. It is the right answer when logs have been exported to S3 (for cost reasons or long-term retention) and the requirement involves complex SQL analysis, joining log data with other datasets, or querying historical data beyond CloudWatch retention limits. The deciding factor is where the data lives: CloudWatch (Logs Insights) or S3 (Athena).