How can I tell where an Amazon AWS key is being used?
In addition to Cloudtrail, you should enable logging for your S3 buckets. After doing that, AWS will start logging the canonical user ID used to make authenticated requests to S3.
Quote from AWS S3 Docs on logging fields:
The canonical user ID of the requester, or the string "Anonymous" for unauthenticated requests. If the requester was an IAM user, this field will return the requester's IAM user name along with the AWS root account that the IAM user belongs to. This identifier is the same one used for access control purposes.