The Amazon Web Services CloudTrail services let AWS customers track API calls, as well as send log files to AWS S3 storage. The service can track the identity of the API users, time of call, and source IP address. This service can also provide notifications for the logs produced.
It's important for cloud providers to offer API-monitoring services, particularly with the compliance and regulatory requirements placed on many systems, especially in finance and health care. Even if compliance requirements aren't an issue, it's simply a good idea to monitor and track who is using your APIs, as well as the AWS APIs, to spot issues before they become real problems.
Moreover, most APIs don't require logins, so the ability to track the identity of the API consumer is paramount to the governance of that API and its security.
I view these kinds of services, from any cloud provider, to be mandatory for any cloud-based deployment. After all, clouds are basically collections of APIs, both infrastructure- and application-oriented, and those APIs defines how the cloud is used.
The use of APIs is a core issue that most IT organizations don't think about; they instead focus their attentions on applications and data. As a result, APIs become second-class citizens, and their management becomes somewhat of an afterthought. That's a ticking bomb.
Ignoring API management will get you in deep trouble at some point. An API gets hacked, or more likely, it's abused by developers, creating performance, compatibility, and/or cost problems.
Using APIs -- especially in the cloud -- requires that you do three things:
- Governance, to place limitations around the use of the API
- Tracking, for the kind of monitoring I described above
- Management, to place APIs into service and monitor their ability to live up to service-level agreements
Do them!