Which AWS service should a company implement to monitor API access, in addition to Amazon CloudWatch and VPC logging?

The most suitable service for monitoring API access, alongside Amazon CloudWatch and VPC logging, is AWS CloudTrail. This service is specifically designed to track and log API calls made within your AWS account. AWS CloudTrail provides detailed records of actions taken by users, roles, or AWS services in your environment, thereby creating an audit trail of the AWS resources accessed, the identity of the API caller, and the time the API call was made.

By utilizing CloudTrail, organizations can gain insight into their API usage, which is critical for security auditing, compliance, and troubleshooting purposes. It captures all the necessary details of API requests, enabling users to identify unauthorized access or security breaches effectively.

On the other hand, AWS Lambda is primarily a serverless compute service that allows users to run code in response to events, which does not directly provide monitoring capabilities for API access. AWS Inspector is a security assessment service that helps identify vulnerabilities in applications running on AWS but does not focus on logging or monitoring API calls. AWS Config provides resource inventory, configuration history, and configuration change notifications, but it does not specifically monitor API access.

Thus, AWS CloudTrail stands out as the right choice for monitoring API access, complementing the functionalities provided by CloudWatch and VPC logging