Final answer:
To log and durably store all API calls to AWS resources, use AWS CloudTrail, integrated with Amazon S3 for storage, and potentially Amazon Glacier for archiving.
Step-by-step explanation:
To ensure that all API calls to your AWS resources are logged and durably stored, you should use AWS CloudTrail.
This service monitors and records account activity across your AWS infrastructure, providing you with detailed API call histories. CloudTrail logs can help you with security analysis, resource change tracking, and compliance auditing.
Moreover, to achieve durable storage of these logs, consider integrating AWS CloudTrail with Amazon S3 for long-term storage, and optionally with Amazon Glacier for archival purposes.
It is also a good practice to enable log file validation in CloudTrail to ensure the integrity of your logs, and to set up CloudWatch Logs for real-time monitoring of specific API activity.
By doing so, you'll be well-prepared for the IT audit, with a robust system for oversight and accountability in place regarding your AWS resource access and usage.
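One way to confirm that a trail actually matches the setup described above, as an added example that is not part of the original answer: a small Python check over the JSON returned by `aws cloudtrail describe-trails`, `aws cloudtrail get-trail-status` and `aws s3api get-bucket-lifecycle-configuration`. The function name, trail names, bucket name and account ID are constructed for illustration, and the multi-region check is an assumption about what "all API calls" should cover.

```python
# Added example: audits CloudTrail settings against the points in the answer.
# Dict keys follow the AWS CLI output of describe-trails, get-trail-status and
# get-bucket-lifecycle-configuration; all sample values below are constructed.

def audit_trail(trail, status, lifecycle):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    name = trail.get("Name", "<unnamed>")
    if not status.get("IsLogging"):
        findings.append(f"{name}: trail exists but logging is stopped")
    if not trail.get("S3BucketName"):
        findings.append(f"{name}: no S3 bucket configured for log delivery")
    if not trail.get("LogFileValidationEnabled"):
        findings.append(f"{name}: log file validation is disabled")
    if not trail.get("CloudWatchLogsLogGroupArn"):
        findings.append(f"{name}: not delivering to CloudWatch Logs")
    # Assumption beyond the answer: "all API calls" is read as all regions.
    if not trail.get("IsMultiRegionTrail"):
        findings.append(f"{name}: single-region trail, other regions unlogged")
    # Optional archival tier: an enabled rule that transitions to Glacier.
    archived = any(
        rule.get("Status") == "Enabled"
        and any(t.get("StorageClass") in ("GLACIER", "DEEP_ARCHIVE")
                for t in rule.get("Transitions", []))
        for rule in lifecycle.get("Rules", [])
    )
    if not archived:
        findings.append(f"{name}: no lifecycle transition to Glacier (optional)")
    return findings

# Constructed sample inputs (not real account data).
GOOD_TRAIL = {
    "Name": "audit-trail", "S3BucketName": "example-cloudtrail-logs",
    "IsMultiRegionTrail": True, "LogFileValidationEnabled": True,
    "CloudWatchLogsLogGroupArn":
        "arn:aws:logs:us-east-1:111122223333:log-group:example-trail:*",
}
GOOD_LIFECYCLE = {"Rules": [{"ID": "archive", "Status": "Enabled",
                             "Transitions": [{"Days": 90, "StorageClass": "GLACIER"}]}]}
WEAK_TRAIL = {"Name": "default", "S3BucketName": "example-cloudtrail-logs",
              "IsMultiRegionTrail": False, "LogFileValidationEnabled": False}

if __name__ == "__main__":
    for finding in audit_trail(WEAK_TRAIL, {"IsLogging": True}, {"Rules": []}):
        print(finding)
```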