Automate the Creation & Rotation of Amazon Simple Email Service SMTP Credentials | Amazon IXD – VGT2 Las Vegas


Amazon Simple Email Service (SES) offers a secure and scalable email solution that adapts to your business requirements. However, like all email systems, Amazon SES is a prime target for spammers and malicious actors due to its widespread accessibility.

While SES includes robust features for application-based email sending, managing SMTP credentials is critical to prevent unauthorized access. If these credentials are compromised, attackers can send harmful email through your legitimate domains, potentially evading security filters and damaging your sender reputation.

To safeguard your SES implementation, it is vital to encrypt SMTP credentials during both storage and transmission. Moreover, establishing role-based access controls ensures that only authorized personnel can access these credentials. Regularly rotating credentials—typically every 90 days—minimizes the risk of security breaches. By automating this rotation process, you can eliminate human error and maintain consistent security practices across your organization.

Problem Statement

Consider yourself the administrator of a sizable financial institution that has recently adopted Amazon SES to manage email from multiple on-premises servers. Your email servers authenticate with SES using SMTP credentials to access the SES SMTP interface. Your organization’s security protocols require regular credential rotation, including the capability for on-demand rotations. How can you automate the SMTP credential rotation to comply with your organization’s security standards?

This blog post will introduce two solutions for the automated, secure management and rotation of SMTP credentials for Amazon SES. Each option aims to bolster email security, adhere to regulatory requirements, and lessen operational burdens.

Options Overview

  • Option 1: A fully automated solution utilizing AWS Lambda, AWS Secrets Manager, and AWS Systems Manager.
  • Option 2: A partially automated approach with AWS Lambda, AWS Systems Manager Parameter Store, and AWS Step Functions.
  • Option 3: Consider transitioning to an SES Mail Manager authenticated ingress endpoint that supports either a standard SMTP password or AWS Secrets Manager.

Both solutions equip SES users with enhanced tools for improving email security, ensuring compliance, and reducing operational overhead. You can choose the option that best fits your requirements by following the guidance outlined in this blog post.

If your environment supports automated rotation, AWS Systems Manager Documents (SSM Documents) can help by offering predefined or custom automation workflows for secure secrets rotation—deploy Option 1. Conversely, if your environment does not support automated rotation, you can still implement an auditable, managed rotation solution by storing your secrets in AWS Systems Manager Parameter Store through Option 2.

As a pay-per-use service, the AWS components utilized in either deployment option will only charge you for the resources you actively consume. To estimate the runtime costs for your specific workload, you may use the AWS Pricing Calculator. Alternatively, you can connect with your AWS account team to gain more insight into the pricing for these solutions.

Getting SES SMTP Credentials

To send emails via the Amazon SES SMTP interface, email servers must first authenticate with SES using dedicated SES SMTP credentials. Typically, a systems administrator logs into the AWS SES console, clicks the “Create SMTP Credentials” button, and navigates to the AWS Identity and Access Management (IAM) console. There, the administrator establishes an IAM user with permissions for SES and uses the IAM user’s secret access key to generate the SES SMTP password, which is then configured on the email servers or SMTP-enabled applications for SES integration.

The SES SMTP interface authenticates requests using credentials derived from an IAM user’s access key ID and secret access key. Since temporary access keys cannot generate SES SMTP credentials, you must deploy and routinely rotate a long-lived key. Although the manual creation of SES SMTP credentials is feasible for a small number of credentials, it can become burdensome for clients with many email servers or stringent password rotation policies. Automating the credential rotation mechanisms described in the following solutions may be more suitable for such production environments.

Option 1 – Fully Automated Credential Rotation

This fully automated solution employs a custom Lambda function to create an SMTP password, which is stored in AWS Secrets Manager. AWS Secrets Manager’s built-in rotation capability automatically triggers the SES SMTP credentials rotation. AWS Systems Manager Documents leverage AWS Systems Manager Agents to seamlessly update authentication configurations on email servers.

Key Benefits

  • The ability to implement changes on both on-premises and Amazon EC2 hosts, facilitating secret rotations across a hybrid environment.
  • The option to customize the document according to specific email software configurations.
  • Targeting the secret (SMTP credential) rotation document to all email servers based on tags.

How Option 1 Works

AWS Secrets Manager initiates a rotation request, either on a predetermined schedule or upon request from an authorized user, triggering the “rotation Lambda” to rotate the SES SMTP credentials. The SES Secret Rotation Function Lambda carries out the following steps:

  1. Creates a new IAM secret access key for the designated SES IAM user, derives the new SES SMTP password, and stores it in AWS Secrets Manager.
  2. Connects to SES to ensure the new SMTP password can authenticate.
  3. Initiates an AWS Systems Manager Run Command to update the new SMTP password on targeted email servers using a pre-configured Systems Manager Document.
  4. Monitors the execution status of the Systems Manager Document until all updates are completed successfully.
  5. Deletes the old IAM access and secret access keys.

This fully automated solution allows for the rotation of SES SMTP credentials, either on a schedule or manually triggered, without affecting email service uptime.
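A worked version of steps 1 to 5 above, combined with the SMTP password derivation described under "Getting SES SMTP Credentials" (an added example, not the repository's Lambda code): `smtp_password()` implements the AWS-documented derivation, and `rotate()` takes an IAM client plus three injected callables standing in for Secrets Manager, the SMTP login check and the Run Command wait. The names `rotate`, `store_secret`, `verify_smtp`, `push_to_servers` and the `FakeIam` stand-in are assumptions made here so the flow runs offline.

```python
import base64
import hashlib
import hmac

# Fixed inputs of the documented SES SMTP password derivation (a SigV4-style HMAC chain).
DATE, SERVICE, MESSAGE, TERMINAL, VERSION = "11111111", "ses", "SendRawEmail", "aws4_request", 0x04

def _sign(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def smtp_password(secret_access_key: str, region: str) -> str:
    """SES SMTP password for an IAM secret access key; the SMTP username is the access key ID."""
    sig = _sign(("AWS4" + secret_access_key).encode("utf-8"), DATE)
    for part in (region, SERVICE, TERMINAL, MESSAGE):
        sig = _sign(sig, part)
    return base64.b64encode(bytes([VERSION]) + sig).decode("ascii")

def rotate(iam, user, region, store_secret, verify_smtp, push_to_servers):
    """Steps 1-5 of Option 1. `iam` follows the boto3 IAM call shapes used below; the three
    callables stand in for Secrets Manager, the SMTP login test and the SSM Run Command wait."""
    old_ids = [k["AccessKeyId"] for k in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]]
    new = iam.create_access_key(UserName=user)["AccessKey"]            # step 1: new long-lived key
    password = smtp_password(new["SecretAccessKey"], region)
    try:
        if not verify_smtp(new["AccessKeyId"], password):              # step 2: fail closed
            raise RuntimeError("new SMTP credential did not authenticate")
        store_secret({"username": new["AccessKeyId"], "password": password, "region": region})
        push_to_servers(new["AccessKeyId"], password)                  # steps 3-4: SSM document
    except Exception:
        iam.delete_access_key(UserName=user, AccessKeyId=new["AccessKeyId"])  # undo step 1
        raise
    for key_id in old_ids:                                             # step 5: retire old key(s)
        iam.delete_access_key(UserName=user, AccessKeyId=key_id)
    return {"username": new["AccessKeyId"], "password": password}

class FakeIam:
    """Constructed in-memory stand-in for the IAM calls above; enforces the two-keys-per-user limit."""
    def __init__(self):
        self.keys, self.n = {"AKIAOLDKEYCONSTRUCTED": "old-secret-constructed"}, 0
    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"AccessKeyId": k} for k in self.keys]}
    def create_access_key(self, UserName):
        if len(self.keys) >= 2:
            raise RuntimeError("LimitExceeded: an IAM user may hold at most two access keys")
        self.n += 1
        key_id, secret = f"AKIANEWKEYCONSTRUCTED{self.n}", f"new-secret-constructed-{self.n}"
        self.keys[key_id] = secret
        return {"AccessKey": {"AccessKeyId": key_id, "SecretAccessKey": secret}}
    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]
```

The old key is deleted only after the new password has authenticated and been pushed, and a failed check removes the new key again; without that rollback the two-keys-per-user limit would block the next rotation. In a real Lambda, step 2 should retry for a short period because newly created IAM keys take a few seconds to become usable.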

Deploying the Fully Automated Solution in Your AWS Account (Option 1)

Prerequisites for the Fully Automated Solution:

  • Access to an AWS Account, usually with admin-level permissions for deployment.
  • Your preferred IDE equipped with AWS CLI version 2 and a named profile setup. Alternatively, you can utilize the AWS CLI from the AWS CloudShell in your browser.
  • Clone the GitHub repository (for this solution, just the README.md and sesautomaticrotation.yaml files in /ses-credential-rotation/automatic-rotation are needed).

Note: We adhere to the principles of least privilege in this solution. The CloudFormation templates provided require you to specify an identity or configuration-set resource for the SES sending operation. You can find guidance on defining these values at Actions, resources, and condition keys.


Remember, to ensure successful implementation, keep your environment’s unique characteristics in mind, especially if you’re operating from a hybrid model.
