Exposed SES Identities
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product features
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product featuresIdentify any exposed Amazon Simple Email Service (SES) identities and update their sending authorization policy in order to stop unauthorized users from sending emails from domains or addresses owned by your AWS SES account.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
To prevent unauthorized users from sending emails on your behalf, restrict access only to trusted entities by implementing the appropriate AWS SES sending authorization policies. These authorization policies specify which other AWS accounts, IAM users and AWS services can send emails for your identity, and under what conditions.
To identify any exposed AWS SES identities available in your AWS account, perform the following:
01 Sign in to the AWS Management Console.
02 Navigate to SES dashboard at https://console.aws.amazon.com/ses/.
03 In the left navigation panel, under Identity Management, choose Domains to check the sending authorization policies defined for your existing Amazon SES domains or Email Addresses to check the policies defined for your email addresses registered with AWS SES.
04 Select the domain/email address that you want to examine then click View Details button from the dashboard top menu to access the resource details page.
05 Click Identity Policies to expand the panel with the authorization policies defined for the selected domain/email address.
06 In the Policy Actions column, click Show Policy to open the authorization policy document.
07 Inside Show Policy dialog box, within policy document, check the Principal element value. If the Principal element has one of the following values: "*" or { "AWS": "*" } and the policy is not using any Condition clause such as "Condition": { "StringEquals": { "aws:SourceAccount": "<aws_account_number>" } } to filter authorization, the selected Amazon SES identity is publicly accessible (i.e. any AWS entity can send emails on your behalf).
08 Repeat step no. 6 and 7 to verify other sending authorization policies defined for the selected identity.
09 Repeat steps no. 4 – 8 to determine if other Amazon SES identities, created within the current region, are exposed to everyone.
10 Change the AWS region from the navigation bar and repeat the process for the other regions.
01 Run list-identities command (OSX/Linux/UNIX) to list all identities (domains and email addresses) registered with AWS SES, available within the selected AWS region:
aws ses list-identities --region us-east-1
02 The command output should return information about the requested identities:
{
"Identities": [
"cloudconformity.com",
"support@cloudrealisation.com"
]
}
03 Run list-identity-policies to return the list of sending authorization policies that are currently attached to the selected identity (e.g. "cloudconformity.com" domain).
aws ses list-identity-policies --region us-east-1 --identity "cloudconformity.com"
04 The command output should return the requested list:
{
"PolicyNames": [
"Policy-12345678901234"
]
}
05 Run get-identity-policies to describe the sending authorization policy document, associated with the selected identity, returned at the previous step:
aws ses get-identity-policies --region us-east-1 --identity "cloudconformity.com" --policy-names Policy-12345678901234
06 The command output should return the requested sending authorization policy document:
{
"Policies": {
"Policy-12345678901234": "{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "stmt1234567890123",
"Effect": "Allow",
"Principal": "*",
"Action": [
"ses:SendEmail",
"ses:SendRawEmail"
],
"Resource": "arn:aws:ses:us-east-1:123456789012:identity/cloudconformity.com"
}
]
}"
}
}
07 Repeat steps no. 3 – 6 to determine if other Amazon SES identities, available in the current region, are exposed to everyone.
08 Change the AWS region by updating the --region command parameter value and repeat the entire audit process for other regions.
To update the sending authorization policies associated with your Amazon SES identities in order to allow sender requests only from trusted AWS entities (delegate senders), perform the following actions:
01 Sign in to the AWS Management Console.
02 Navigate to SES dashboard at https://console.aws.amazon.com/ses/.
03 In the left navigation panel, within Identity Management section, choose Domains to update the sending authorization policies defined for your existing Amazon SES domains or Email Addresses to update the policies defined for your AWS SES email addresses.
04 Select the domain/email address that you want to reconfigure then click View Details button from the dashboard top menu to access the resource configuration details page.
05 Click Identity Policies to expand the panel with the sending authorization policies defined for the selected domain/email address.
06 In the Policy Actions column, click Edit Policy to edit the associated policy document.
07 On the Edit Policy page, inside Policy Document box, perform one of the following actions:
08 Click Apply Policy to apply the changes.
09 In the Overwrite Existing Policy dialog box, click Overwrite to confirm the action.
10 Repeat steps no. 4 – 9 to update sending authorization policies for other Amazon SES identities, available within the current region.
11 Change the AWS region from the navigation bar and repeat the process for the other regions.
01 First, define the necessary sending authorization policy for the selected Amazon SES identity and save it in a JSON file named ses-sending-authorization-policy.json. You can also use the AWS Policy Generator available at https://awspolicygen.s3.amazonaws.com/policygen.html to build your own custom policies. The following example describes an authorization policy document that allows an AWS account, identified by the ARN "arn:aws:iam::123456789012:root", to send emails on the behalf of the selected AWS SES identity, i.e. "cloudconformity.com":
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "stmt1234567890123",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Action": [
"ses:SendEmail",
"ses:SendRawEmail"
],
"Resource": "arn:aws:ses:us-east-1:123456789012:identity/cloudconformity.com"
}
]
}
02 Run put-identity-policy command (OSX/Linux/UNIX) to replace an existing sending authorization policy, identified by the name "Policy-12345678901234" with the one defined at the previous step, for the selected SES identity, i.e. "cloudconformity.com" (the command does not produce an output):
aws ses put-identity-policy --region us-east-1 --identity "cloudconformity.com" --policy-name Policy-12345678901234 --policy file://ses-sending-authorization-policy.json
03 Repeat step no. 1 and 2 to update sending authorization policies for other Amazon SES identities, available in the current region.
04 Change the AWS region by updating the --region command parameter value and repeat the entire remediation/resolution process for other regions.
Whether your AWS exploration is just starting to take shape, you’re mid-way through a migration or you’re already running complex workloads in the cloud, Cloud Conformity offers full visibility of your infrastructure and provides continuous assurance it’s secure, optimized and compliant.
Chat with us to set up your onboarding session and start a free trial.
Let’s Chat