How can I track down an IAM user’s activity when they only have SES permissions?

Asked By CuriousCat42 On

I have an IAM user that last accessed Amazon SES six days ago, but the only permission they have is "ses:SendRawEmail." I've checked the CloudTrail Event history for their AWS Access Key across all regions without finding any records. I've also searched for instances of the "SendRawEmail" event and their username in all regions, but no luck there either. There are no mentions of this user in any documentation or source code. Does anyone have suggestions on how to trace their activity if it's not showing up in CloudTrail?

5 Answers

Answered By TechWhizKid On

You might consider adding a Deny * policy for the user. Sometimes you can figure out their activity by listening for help desk tickets or complaints that come in afterward!

Answered By DataSleuth_99 On

Make sure to enable CloudTrail data events for SES, since those events often don’t log by default. This is especially true for activities through SMTP. Refer to the AWS documentation on this to find out how to turn them on.

Answered By EmailExpert2024 On

It sounds like you could be dealing with an SMTP user. Their actions might not be showing up in CloudTrail, which is consistent with what AWS documentation says about SMTP interface events not being logged.

Answered By CloudGuru_2023 On

If there's nothing in CloudTrail, they may be using SMTP for sending emails. The SendRawEmail API calls should normally be captured, but SMTP events aren’t logged by CloudTrail without additional setup. You might want to look into publishing some events specifically to catch those SMTP sends.
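
The event-publishing approach suggested above, as an added example that is not part of any answer in this thread: once SES publishes sending events through a configuration set, each "Send" record carries the auto-tags `ses:caller-identity` and `ses:source-ip`, and this script groups records by those two values to show which identity sent mail, from where, and when. The record layout follows the SES event-publishing format; the sample records, the identity name `legacy-mailer`, and the addresses are constructed, and events only exist for mail sent with a configuration set applied.

```python
import json
from collections import defaultdict

# Constructed sample input: SES event-publishing records, one JSON object per
# line, as an SNS or Firehose destination might store them. All values invented.
SAMPLE_EVENTS = """\
{"eventType":"Send","mail":{"timestamp":"2024-05-01T10:00:00.000Z","messageId":"EXAMPLE-0001","source":"noreply@example.com","tags":{"ses:caller-identity":["legacy-mailer"],"ses:source-ip":["192.0.2.10"]}}}
{"eventType":"Delivery","mail":{"timestamp":"2024-05-01T10:00:00.000Z","messageId":"EXAMPLE-0001","source":"noreply@example.com","tags":{"ses:caller-identity":["legacy-mailer"],"ses:source-ip":["192.0.2.10"]}}}
{"eventType":"Send","mail":{"timestamp":"2024-05-01T10:05:00.000Z","messageId":"EXAMPLE-0002","source":"noreply@example.com","tags":{"ses:caller-identity":["legacy-mailer"],"ses:source-ip":["192.0.2.10"]}}}
{"eventType":"Send","mail":{"timestamp":"2024-05-02T03:12:00.000Z","messageId":"EXAMPLE-0003","source":"billing@example.com","tags":{"ses:caller-identity":["legacy-mailer"],"ses:source-ip":["198.51.100.7"]}}}
not-json: truncated record
"""


def first_tag(tags, name):
    """SES tag values are lists; return the first value or 'unknown'."""
    values = tags.get(name) or ["unknown"]
    return values[0]


def summarize_senders(raw):
    """Group Send events by (caller identity, source IP)."""
    summary = defaultdict(lambda: {"count": 0, "first": None, "last": None, "from": set()})
    for line in raw.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or damaged lines instead of aborting the audit
        if not isinstance(event, dict) or event.get("eventType") != "Send":
            continue  # Delivery/Bounce events repeat the same message
        mail = event.get("mail", {})
        tags = mail.get("tags", {})
        key = (first_tag(tags, "ses:caller-identity"), first_tag(tags, "ses:source-ip"))
        entry, ts = summary[key], mail.get("timestamp", "")
        entry["count"] += 1
        entry["from"].add(mail.get("source", "unknown"))
        # Timestamps share one ISO-8601 UTC format, so string comparison orders them.
        entry["first"] = min(entry["first"] or ts, ts)
        entry["last"] = max(entry["last"] or ts, ts)
    return dict(summary)


if __name__ == "__main__":
    for (identity, ip), e in sorted(summarize_senders(SAMPLE_EVENTS).items()):
        print(identity, ip, e["count"], e["first"], e["last"], sorted(e["from"]))
```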

Answered By CloudwatchHacker On

AWS documentation confirms that events through the SMTP interface are typically not captured by CloudTrail. If you need more details, check their official logging info.
