Which AWS service allows you to monitor API calls made in your AWS account, including who made the call, from which IP address, and when?
CloudTrail records every API call including who made it, from what IP, at what time, on what resource, with what parameters — the core audit trail for AWS accounts.
Why this answer
AWS CloudTrail is the service that records API activity in your AWS account, capturing details such as the identity of the caller, the source IP address, and the timestamp of each API call. This makes it the correct choice for monitoring who made a call, from where, and when.
Exam trap
Candidates often confuse CloudWatch (for monitoring metrics and logs) with CloudTrail (for auditing API calls) because both involve logging. CloudTrail is the one specifically designed for recording API activity with caller identity and source IP details.
How to eliminate wrong answers
Option A is wrong because Amazon CloudWatch is a monitoring service for metrics, logs, and alarms, not for recording API call details like caller identity or source IP.
Option C is wrong because VPC Flow Logs capture information about IP traffic going to and from network interfaces in a VPC, not API calls made to the AWS management plane.
Option D is wrong because AWS Config evaluates resource configurations and compliance rules, and does not log API call metadata such as who made the call or the source IP address.