I have an IAM user that last accessed Amazon SES six days ago, but the only permission they have is "ses:SendRawEmail." I've checked the CloudTrail Event history for their AWS Access Key across all regions without finding any records. I've also searched for instances of the "SendRawEmail" event and their username in all regions, but no luck there either. There are no mentions of this user in any documentation or source code. Does anyone have suggestions on how to trace their activity if it's not showing up in CloudTrail?
5 Answers
You might consider adding a Deny * policy for the user. Sometimes you can figure out their activity by listening for help desk tickets or complaints that come in afterward!
Make sure to enable CloudTrail data events for SES, since those events often don’t log by default. This is especially true for activities through SMTP. Refer to the AWS documentation on this to find out how to turn them on.
It sounds like you could be dealing with an SMTP user. Their actions might not be showing up in CloudTrail, which is consistent with what AWS documentation says about SMTP interface events not being logged.
If there's nothing in CloudTrail, they may be using SMTP for sending emails. The SendRawEmail API calls should normally be captured, but SMTP events aren’t logged by CloudTrail without additional setup. You might want to look into publishing some events specifically to catch those SMTP sends.
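The event-publishing route suggested in the answer above, as an added example that is not part of the original thread: once SES Send events are being published, this script groups them by the ses:caller-identity auto-tag to show which IAM user sent mail, when, and from which source IP. It assumes one JSON event record per line and that the sends go through a configuration set with an event destination; the sample records, user names and addresses are constructed.

```python
import json
from collections import defaultdict

# Constructed sample records in the SES event-publishing JSON shape, one per line.
# User names, IPs, addresses and message IDs are made up for illustration.
SAMPLE_EVENTS = """\
{"eventType":"Send","mail":{"timestamp":"2024-05-01T09:15:02.000Z","source":"alerts@example.com","messageId":"EXAMPLE-0001","destination":["a@example.net"],"tags":{"ses:caller-identity":["legacy-mailer"],"ses:source-ip":["198.51.100.7"]}},"send":{}}
{"eventType":"Send","mail":{"timestamp":"2024-05-01T10:00:00.000Z","source":"noreply@example.com","messageId":"EXAMPLE-0002","destination":["b@example.net"],"tags":{"ses:caller-identity":["app-mailer"],"ses:source-ip":["192.0.2.10"]}},"send":{}}
{"eventType":"Send","mail":{"timestamp":"2024-05-03T22:41:10.000Z","source":"alerts@example.com","messageId":"EXAMPLE-0003","destination":["c@example.net"],"tags":{"ses:caller-identity":["legacy-mailer"],"ses:source-ip":["203.0.113.9"]}},"send":{}}
{"eventType":"Delivery","mail":{"timestamp":"2024-05-03T22:41:10.000Z","source":"alerts@example.com","messageId":"EXAMPLE-0003","destination":["c@example.net"],"tags":{"ses:caller-identity":["legacy-mailer"],"ses:source-ip":["203.0.113.9"]}},"delivery":{}}
{"eventType":"Send","mail":{"timestamp":"2024-05-04T
"""

def summarize_senders(lines, event_type="Send"):
    """Group SES events by the IAM identity in the ses:caller-identity auto-tag."""
    summary = defaultdict(lambda: {"count": 0, "source_ips": set(), "from": set(),
                                   "first_seen": None, "last_seen": None})
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank, truncated or non-JSON line
        if not isinstance(event, dict) or event.get("eventType") != event_type:
            continue  # count each message once, not once per delivery/bounce event
        mail = event.get("mail", {})
        tags = mail.get("tags", {})
        ts = mail.get("timestamp")
        for identity in tags.get("ses:caller-identity", ["<unknown>"]):
            entry = summary[identity]
            entry["count"] += 1
            entry["source_ips"].update(tags.get("ses:source-ip", []))
            if mail.get("source"):
                entry["from"].add(mail["source"])
            if ts:  # ISO-8601 UTC strings in one format sort chronologically
                entry["first_seen"] = min(entry["first_seen"] or ts, ts)
                entry["last_seen"] = max(entry["last_seen"] or ts, ts)
    return dict(summary)

if __name__ == "__main__":
    for user, info in summarize_senders(SAMPLE_EVENTS.splitlines()).items():
        print(user, info["count"], sorted(info["source_ips"]),
              info["first_seen"], info["last_seen"])
```

Feed it the lines from wherever the event destination delivers records; the source IPs and From addresses per identity are usually enough to locate the host or application holding the SMTP credentials.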
AWS documentation confirms that events through the SMTP interface are typically not captured by CloudTrail. If you need more details, check their official logging info.
