Monitoring Cloud Infrastructure Changes: AWS Config vs. Cloudviz.io


by Valts Ausmanis · March 14, 2025

Detecting infrastructure changes is crucial for maintaining cloud visibility—it alerts you to unexpected modifications like accidental security group updates that could lead to risks or compliance issues. Unlike tools that focus solely on performance metrics, effective change monitoring acts as an early warning system, allowing you to quickly catch and fix misconfigurations before they escalate. In this blog post, I will compare AWS Config and Cloudviz.io to show how each tool enhances cloud visibility by monitoring infrastructure changes.


What is AWS Config?

AWS Config helps keep an up-to-date inventory of AWS resources and continuously checks them against your security rules - something every organization needs, no matter its size.

It does two key things:

  • Records changes to AWS resources (configuration items) whenever their settings or relationships change.
  • Evaluates compliance by checking these changes against AWS Config rules. You can use built-in AWS rules or create custom ones with policies or Lambda functions.

What is Cloudviz.io?

Cloudviz.io is a cloud infrastructure visualization and governance platform that focuses on the needs of DevSecOps, product teams, and cloud architects. It consists of three main foundational blocks:

Importance of Monitoring Cloud Infrastructure Changes

Detecting changes in your infrastructure is key because it tells you immediately when something unexpected happens. While other cloud monitoring tools focus on performance metrics like CPU usage or memory, spotting configuration changes can alert you to potential security risks or compliance issues before they impact your operations.

For example, if someone accidentally changes a security group or updates a resource configuration, you might not notice it by just looking at performance numbers. But by monitoring these changes, you can quickly catch misconfigurations or unauthorized modifications, giving you a chance to fix them right away.

In simple terms, knowing when your infrastructure changes is like having an early warning system—it helps you prevent small issues from turning into major problems, keeping your cloud environment secure and reliable.

Key Functionality for Cloud Infrastructure Change Monitoring

Every tool that monitors cloud infrastructure changes should offer a few essential features:

  • Infrastructure Change Alerts: Be notified when something changes in your infrastructure so your team can always double-check if these changes are intended and as expected.
  • Clear Change Details: See exactly what has changed, either through visual diagrams or JSON diffs, so you understand the modifications.
  • Complete Change History: Access a full record of all infrastructure changes whenever you need it, whether for debugging deployments, troubleshooting issues, or performing security audits.

Let’s Set Up Monitoring of AWS Resource Changes

To compare AWS Config and Cloudviz.io for AWS resource change tracking, let's look at a real-life scenario. I’ll deploy a few EC2 instances in a VPC and connect them to an Application Load Balancer. Then we’ll review the changes that were tracked and see how easy (or challenging) it is to identify what changed.

Enable Infrastructure Change Monitoring with AWS Config

To enable infrastructure change monitoring in AWS Config, go to Settings and enable recording. As we don’t want to monitor all AWS resource changes but only specific ones (such as EC2, ENI, EBS, load balancers, etc.), we select only these resource types.

After the specific resource types are added, we hit the Save button and monitoring is enabled.

Enable Infrastructure Change Monitoring with Cloudviz.io

To enable cloud infrastructure monitoring in Cloudviz.io you have to:

  • Generate an infrastructure diagram and use filter expressions to select both VPCs that should be monitored.
  • Click the Enable Automated Tracking button in the diagram toolbar. This opens a view where, for now, we simply click the Track Changes button.

That’s it: cloud infrastructure monitoring is enabled. In Cloudviz.io you specify the VPCs that you want to monitor, and we track all the changes related to these VPCs. There is no need to select specific resource types like you would in AWS Config.

Setup Infrastructure Change Alerts with AWS Config

  • Create an SNS topic to stream configuration changes to.
  • Create a subscription that lets you receive the notifications as email.
  • Update the AWS Config delivery settings to stream configuration changes to the newly created topic.

There are a few considerations / takeaways you should know before using this notification approach:

  • For AWS accounts with frequent configuration changes, this notification setup can result in a large number of emails.
  • You will be charged according to SNS pricing when receiving email notifications.
  • In order to aggregate AWS Config change notifications and send, for example, a summary once an hour or once a day, you should use Lambda as an SNS subscriber and write your own custom code to handle the change events. You also need to store the aggregated changes somewhere, such as in DynamoDB or an S3 bucket. Then, set up a Lambda trigger (or scheduler) to use another SNS topic with an email subscription or SES to send hourly or daily notifications to your email.

It’s relatively easy to set up simple change notification streaming, but you could be overwhelmed by hundreds (or even thousands) of emails, making it difficult to see what has really changed. If you need a more aggregated view, you should develop a custom Lambda function based on your aggregation requirements.
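The parse-and-summarize step of such an aggregator Lambda, as an added example (not code from the original post or from AWS). It assumes the documented ConfigurationItemChangeNotification message shape; the function names, watchlist and sample records are constructed for illustration, and persistence between invocations (DynamoDB or S3) and sending the digest are left out.

```python
import json
from collections import defaultdict

CHANGE = "ConfigurationItemChangeNotification"
WATCHLIST = {"AWS::EC2::SecurityGroup", "AWS::IAM::Role"}  # assumed: types listed first

def parse_change(sns_record):
    """Extract one change from an SNS record, or None if it is not a change notice."""
    try:
        msg = json.loads(sns_record["Sns"]["Message"])
    except (KeyError, TypeError, ValueError):
        return None
    if not isinstance(msg, dict) or msg.get("messageType") != CHANGE:
        return None  # snapshot, compliance and oversized notices are not handled here
    item, diff = msg.get("configurationItem") or {}, msg.get("configurationItemDiff") or {}
    return {"change": diff.get("changeType", "UNKNOWN"),
            "type": item.get("resourceType", "UNKNOWN"), "id": item.get("resourceId", "UNKNOWN"),
            "props": ", ".join(sorted(diff.get("changedProperties") or {}))}

def aggregate(sns_records):
    """Group parsed changes by change type and count the records that were skipped."""
    parsed = [parse_change(r) for r in sns_records]
    summary = defaultdict(list)
    for change in filter(None, parsed):
        summary[change["change"]].append(change)
    return dict(summary), parsed.count(None)

def render_digest(summary):
    """Build one plain-text digest; watchlisted resource types are listed first."""
    lines = []
    for kind in ("CREATE", "UPDATE", "DELETE"):
        changes = sorted(summary.get(kind, []),
                         key=lambda c: (c["type"] not in WATCHLIST, c["type"], c["id"]))
        lines.append(f"{kind}: {len(changes)}")
        for c in changes:
            mark = "!" if c["type"] in WATCHLIST else "-"
            lines.append(f"  {mark} {c['type']} {c['id']} {c['props']}".rstrip())
    return "\n".join(lines)

def _sample(change, rtype, rid, props=()):  # constructed record in AWS Config's SNS shape
    msg = {"messageType": CHANGE,
           "configurationItem": {"resourceType": rtype, "resourceId": rid},
           "configurationItemDiff": {"changeType": change,
                                     "changedProperties": dict.fromkeys(props, {})}}
    return {"Sns": {"Message": json.dumps(msg)}}

SAMPLE = [_sample("CREATE", "AWS::EC2::Instance", "i-0example1"),
          _sample("UPDATE", "AWS::EC2::SecurityGroup", "sg-0example", ["Configuration.IpPermissions.0"]),
          _sample("DELETE", "AWS::EC2::NetworkInterface", "eni-0example"),
          {"Sns": {"Message": "not json"}}]  # malformed record, counted as skipped
```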

Setup Infrastructure Change Alerts with Cloudviz.io

To set up infrastructure change alerts with Cloudviz.io, simply click the Enable Automated Tracking button in the diagram toolbar, and then enter the email address where notifications should be sent:


That’s it! You’re all set, and Cloudviz.io will aggregate the changes and send you a nice overview of the top changes, highlighting only the most relevant information.

Access Infrastructure Change History with AWS Config

After deploying a couple of EC2 instances, an auto scaling group, and an ALB load balancer, we received many notification emails from AWS Config regarding resource changes:


As I mentioned earlier, setting up these notifications (without building your custom Lambda aggregator) can be very spammy when there are many changes. In our case, we received around 30 emails, but in other scenarios you might receive many more. Moreover, it's challenging to see the complete picture of exactly what changed from these notifications.

There is a nice dashboard that shows how many new changes (= configuration items) were recorded.

Querying in AWS Config is the only out-of-the-box way to see what has changed in a specific time period. You can use this sample query to retrieve newly created configuration items:

SELECT resourceId, resourceType, configurationItemCaptureTime WHERE configurationItemCaptureTime BETWEEN '2025-03-14T00:00:00Z' AND '2025-03-14T23:59:59Z'

One thing to note: you won't be able to query deleted resources. In many scenarios, it's important to see not only updated and added resources, but also deleted ones.


When you click on a specific AWS resource configuration item, you can view a detailed resource history timeline for it:


Access Infrastructure Change History with Cloudviz.io

Unlike AWS Config notifications, where individual emails are sent for each resource change, Cloudviz.io automatically aggregates changes per diagram. You receive a single, comprehensive summary that compiles all added, modified, and deleted resource configuration changes, giving you a complete picture of what has changed.

You can access all your infrastructure change history for a specific diagram by clicking Version History in the diagram toolbar. This opens a view where you can see the full change history of the diagram.

You can easily compare any diagram version to see exactly what has changed, either in the form of a visual diagram or a JSON diff.

Having the ability to see not only what has changed for a specific resource but also all related changes in one place, in both visual and JSON data formats, is essential for any DevOps team. It enables teams to rapidly understand the impact of changes and drill down to the root cause of specific challenges.

What Are the Differences Between Cloudviz.io and AWS Config

Let’s now take a closer look at the differences between AWS Config and Cloudviz.io.

Infrastructure Change Alerts

Notifying your DevOps teams about AWS resource changes is one of the core tools for being proactive. It helps teams verify whether changes to AWS environments are intentional (for example, due to new functionality deployments) or unintentional (for example, due to compromised IAM credentials leading to unexpected EC2 instance launches).

AWS Config can stream all changes to your specified SNS topic. You can process these change events by, for example, sending an individual email for each change or by triggering an aggregator Lambda function that processes the events and sends a summary to a designated email. While the aggregator Lambda option provides flexibility for custom functionality, it also adds extra complexity and maintenance overhead.

In contrast, Cloudviz.io offers a quick, one-step setup for infrastructure change alerts. All change aggregation is handled automatically, and the notification email contains a summary of changes grouped by added, modified, and deleted resource groups.

Supported AWS Resources

As AWS Config is a native AWS service, it essentially supports most AWS resources.

In contrast, Cloudviz.io focuses on the most frequently used AWS resources rather than monitoring all of them.

Rules

AWS Config supports adding compliance rules (automated checks) that verify whether specific AWS resource configurations comply with a defined set of rules, making it very useful for automated cloud security and compliance monitoring.

Cloudviz.io doesn’t support this functionality yet, but active development is underway to provide automated cloud security and compliance monitoring.

Visual Overview of Changes

Cloudviz.io supports a visual cloud infrastructure change history that presents all changes in one place as a diagram version history. You can compare any diagram version and visually see exactly what has changed.

AWS Config doesn’t offer this functionality.

Monitor Multiple Environments

You can maintain a separate cloud change history for different parts of your infrastructure. For example, if you have various services running in your AWS account, you can monitor the infrastructure change history for each service independently. If each service is managed by a different team, you can easily configure change alerts for each team.

AWS Config doesn’t offer this functionality out-of-the-box.

Multi-region & Account Support

Cloudviz.io supports monitoring multi-region and multi-account environments out-of-the-box. You can monitor multiple region-account pairs in one diagram. This is really useful for understanding how your resources are distributed across regions and accounts, while also identifying cross-region dependencies, such as VPC peering and transit gateway peering. All of that change history is in one place.

AWS Config allows you to create aggregators to collect data from multiple accounts and regions and then (SQL) query the data to investigate the changes.

Flexible Resource Filter Options

Cloudviz.io provides the flexibility to use filter expressions to monitor exactly what’s needed for your use case—whether it’s a specific VPC, tags, resource types, IP ranges, or even specific subnets.

In contrast, AWS Config only allows you to filter resources to be recorded by resource type. Of course, you can record all resource types (although expenses may grow exponentially) and then query for specific resources by their tags or other parameters.

Cost

It’s no secret that AWS Config can get expensive if not configured properly. The costs for AWS environments with frequent changes can easily start at around $2K per month (for example: 30,000 changes daily × $0.003 = $90 per day × 30 = $2.7K per month).

By comparison, Cloudviz.io has a fixed price of $49 per month. Default monitoring limits (such as monitoring and notification frequency) work well for most use cases and can be increased.

Summary

That cloud infrastructure change monitoring is a must-have for any DevOps team is not even a question. If your product is deployed in a public cloud, such as AWS, you should have enhanced cloud visibility at hand to see what’s actually happening with your cloud infrastructure. Reacting proactively to AWS resource changes can save your company a lot of time and money.

The only question is which tool to use to monitor your cloud infrastructure. I have tried to give you a different perspective by comparing AWS Config and Cloudviz.io in a real-life scenario, so by now you should have seen the differences between the two products and formed your own opinion. As it wouldn’t be fair to say you should use only Cloudviz.io to monitor your infrastructure changes, I will leave the choice to you!




Copyright © 2019 - 2025 Cloudviz Solutions SIA