If CloudTrail records "who did what" (activity), AWS Config records "what state is the resource in right now and at each point in the past" (configuration). They are complementary. In breach investigation, CloudTrail shows an AuthorizeSecurityGroupIngress call, but AWS Config shows that rule opened security group to 0.0.0.0/0:22 and sustained that state for days — the state and timeline.
For security exams, Config is the core tool for "regulatory compliance assessment," "configuration drift detection," and "enforcing desired state (auto-remediation)."