Ensure that all your Amazon Simple Email Service (SES) identities are configured to allow access only to trusted (friendly) AWS accounts in order to prevent unauthorized users from sending emails on your behalf. Prior to running this rule by the Cloud Conformity engine, you need to provide the friendly accounts identifiers represented by a comma-separated list of valid AWS account IDs (e.g. 123456789012) or AWS account ARNs (e.g. arn:aws:iam::123456789012:root).
Using overly permissive policies that allow unknown cross-account access to your AWS SES identities can authorize untrusted AWS users to send emails using your verified domain/email address.
To determine if there are any Amazon SES identities that allow unknown cross-account access available within your AWS account, perform the following:
To update the sending authorization policies associated with your Amazon SES identities in order to allow sender requests only from trusted AWS entities (delegate senders), perform the following actions: