A cool yet simple finding from the DataDog security team: calls to an undocumented iamadmin service did not appear in CloudTrail logs, yet could reproduce the functionality of several standard IAM service methods.
The DataDog team found the undocumented API just by scanning which APIs the cloud console was using, and noted the iamadmin one as unfamiliar. While trying to determine whether it was just calling the normal IAM service to fulfill the requests, they realized the requests were not being logged at all. It's a solid finding, and one of those vulnerabilities that is a vulnerability because it defeats a large part of the entire purpose of the CloudTrail service.
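The same comparison can be run as a logging-coverage check on your own account: reconcile the API calls captured from a console session against the CloudTrail records for that session and list whatever left no trace. This is an added example, not DataDog's tooling; the records are constructed, and the action names, timestamps, and the `<service>.amazonaws.com` form assumed for `eventSource` are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data. Action names and timestamps are illustrative, and
# mapping a service prefix to "<service>.amazonaws.com" is an assumption.
CALLS = [  # requests seen leaving your own console session (e.g. a HAR export)
    {"service": "iam", "action": "ListUsers", "time": "2023-01-10T12:00:00Z"},
    {"service": "iamadmin", "action": "ListUsers", "time": "2023-01-10T12:00:05Z"},
    {"service": "iam", "action": "GetUser", "time": "2023-01-10T12:00:10Z"},
    {"service": "iam", "action": "GetUser", "time": "2023-01-10T12:00:20Z"},
]
TRAIL = [  # CloudTrail-style records for the same session
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "eventTime": "2023-01-10T12:00:00Z"},
    {"eventSource": "iam.amazonaws.com", "eventName": "GetUser",
     "eventTime": "2023-01-10T12:00:11Z"},
]

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def find_unlogged(calls, trail, tolerance=timedelta(seconds=30)):
    """Return the calls that have no CloudTrail record of their own."""
    index = {}
    for rec in trail:
        key = (rec["eventSource"], rec["eventName"])
        index.setdefault(key, []).append(_ts(rec["eventTime"]))
    unlogged = []
    for call in calls:
        sent = _ts(call["time"])
        pool = index.get((call["service"] + ".amazonaws.com", call["action"]), [])
        hit = next((t for t in pool if abs(t - sent) <= tolerance), None)
        if hit is None:
            unlogged.append(call)
        else:
            pool.remove(hit)  # one record accounts for one call only
    return unlogged

def silent_services(unlogged, trail):
    """Services with unlogged calls and no records at all: the worst case."""
    seen = {rec["eventSource"].split(".")[0] for rec in trail}
    return {call["service"] for call in unlogged} - seen

if __name__ == "__main__":
    missing = find_unlogged(CALLS, TRAIL)
    for call in missing:
        print("no CloudTrail record:", call["service"], call["action"], call["time"])
    print("services never logged:", sorted(silent_services(missing, TRAIL)))
```

A single missing record for an otherwise logged service usually points at capture or trail configuration; a service that never appears in the trail at all is the pattern this finding describes.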