I possess an IAM key for which the "last used" date indicates activity 15 hours ago. Yet, upon scrutinizing the CloudTrail logs filtered by the specific AWS access key for all events, there appears to be no record of activity associated with that key over the past few days. Furthermore, an examination of the CloudTrail logs via Athena yielded identical events to those displayed in the UI from a couple of days ago.
In the IAM user's Access Advisor report, one service indicates activity as recent as today. However, upon clicking on the service name, it becomes apparent that none of the permitted actions have been accessed for weeks.
What other entities could potentially be utilizing the AWS access key without leaving a trace in the CloudTrail logs? How can one identify such entities in the absence of CloudTrail logs?
