How to Safeguard Your Email Account and Enhance Your Email Sender Reputation


on September 14, 2023

in Amazon Simple Email Service (SES), Messaging

Introduction

Amazon Simple Email Service (Amazon SES) is an efficient and scalable solution for sending emails directly from your applications. You have the option to utilize the SES SMTP interface or make HTTP requests via the SES API. All email sending requests require authentication through either SMTP or IAM credentials. If these credentials fall into the wrong hands, immediate action is necessary to protect your SES account.

When compromised, credentials that allow email sending through SES enable malicious actors to send spam or phishing emails. This can significantly increase bounce and complaint rates, leading to potential suspension of sending capabilities for your SES account.

Identifying a Compromised SES Email Account

To determine if your SES sending account has been compromised, start by reviewing the reputation metrics in the SES Console. A sudden spike in bounce or complaint rates should raise red flags. Investigate the Feedback Forwarding destination—where SES sends bounce and complaint notifications. This feedback includes the “From” and “To” email addresses, as well as the subject lines. If you discover that these addresses are unfamiliar, it likely indicates a compromise.

If you have SNS notifications set up, check the subscribed endpoints for bounce and complaint alerts. These notifications will provide insights such as the IAM identity used for sending emails and the originating IP address. If, upon reviewing the notifications, you conclude that unauthorized emails have been sent, take the following steps to secure your account.
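The review described above can be scripted once the bounce and complaint notifications are landing in an SNS-subscribed endpoint (an SQS queue, a Lambda function, or a mailbox export). The following is an added example, not code from the original post or from AWS: it parses a handful of constructed notification messages, tallies volume per sending identity and source IP, and flags any notification whose From address or IAM identity is not on a list of senders you recognise. The field names follow the SES notification format (the "mail" object carries source, sourceIp, callerIdentity and commonHeaders); the sample values, the two "known" sets and the sender names are made up for the example.

```python
import json
from collections import Counter

# Constructed sample notifications for this example (values are made up;
# the structure mirrors what SES publishes to SNS for bounces/complaints).
_SAMPLES = [
    {"notificationType": "Bounce",
     "mail": {"timestamp": "2023-09-14T08:00:00.000Z",
              "source": "alerts@example.com",
              "sourceIp": "203.0.113.10",
              "callerIdentity": "app-mailer",
              "destination": ["customer@example.net"],
              "commonHeaders": {"from": ["alerts@example.com"],
                                "to": ["customer@example.net"],
                                "subject": "Weekly usage report"}}},
    {"notificationType": "Bounce",
     "mail": {"timestamp": "2023-09-14T08:05:12.000Z",
              "source": "promo@example.com",
              "sourceIp": "198.51.100.77",
              "callerIdentity": "ses-smtp-user-2023",
              "destination": ["nobody@example.org"],
              "commonHeaders": {"from": ["promo@example.com"],
                                "to": ["nobody@example.org"],
                                "subject": "Your account needs verification"}}},
    {"notificationType": "Complaint",
     "mail": {"timestamp": "2023-09-14T08:06:40.000Z",
              "source": "promo@example.com",
              "sourceIp": "198.51.100.77",
              "callerIdentity": "ses-smtp-user-2023",
              "destination": ["someone@example.org"],
              "commonHeaders": {"from": ["promo@example.com"],
                                "to": ["someone@example.org"],
                                "subject": "Urgent: confirm your password"}}},
    {"notificationType": "Bounce",
     "mail": {"timestamp": "2023-09-14T08:10:03.000Z",
              "source": "alerts@example.com",
              "sourceIp": "203.0.113.10",
              "callerIdentity": "app-mailer",
              "destination": ["old-address@example.net"],
              "commonHeaders": {"from": ["alerts@example.com"],
                                "to": ["old-address@example.net"],
                                "subject": "Weekly usage report"}}},
]
# SNS delivers each notification as a JSON string, so the triage takes strings.
SAMPLE_NOTIFICATIONS = [json.dumps(n) for n in _SAMPLES]

# Assumed allow-lists: the From addresses your applications legitimately use
# and the IAM/SMTP identities that are supposed to be sending.
KNOWN_SENDERS = {"alerts@example.com"}
KNOWN_IDENTITIES = {"app-mailer"}


def triage(raw_messages, known_senders, known_identities):
    """Parse SNS-delivered SES notifications and separate expected traffic
    from traffic worth investigating.

    Returns (suspicious, volume_by_caller): suspicious is a list of dicts,
    one per flagged notification, with the From/To/subject and the identity
    and IP that sent it; volume_by_caller counts notifications per
    (callerIdentity, sourceIp) so a burst from one identity stands out."""
    suspicious = []
    volume_by_caller = Counter()
    for raw in raw_messages:
        notification = json.loads(raw)
        mail = notification["mail"]
        headers = mail.get("commonHeaders", {})
        caller = mail.get("callerIdentity", "<unknown>")
        source_ip = mail.get("sourceIp", "<unknown>")
        volume_by_caller[(caller, source_ip)] += 1

        reasons = []
        if mail["source"] not in known_senders:
            reasons.append(f"unfamiliar From address {mail['source']}")
        if caller not in known_identities:
            reasons.append(f"unfamiliar sending identity {caller}")
        if reasons:
            suspicious.append({
                "type": notification["notificationType"],
                "timestamp": mail["timestamp"],
                "from": mail["source"],
                "to": mail.get("destination", []),
                "subject": headers.get("subject", ""),
                "callerIdentity": caller,
                "sourceIp": source_ip,
                "reasons": reasons,
            })
    return suspicious, volume_by_caller


if __name__ == "__main__":
    flagged, volume = triage(SAMPLE_NOTIFICATIONS, KNOWN_SENDERS, KNOWN_IDENTITIES)
    print("Notifications per (identity, source IP):")
    for (caller, ip), count in volume.most_common():
        print(f"  {caller:<20} {ip:<16} {count}")
    print(f"\n{len(flagged)} notification(s) need investigation:")
    for item in flagged:
        print(f"  [{item['type']}] {item['timestamp']} from={item['from']} "
              f"subject={item['subject']!r} via {item['callerIdentity']}@{item['sourceIp']}")
        for reason in item["reasons"]:
            print(f"      - {reason}")
```

On the constructed sample this reports two flagged notifications, both from the identity ses-smtp-user-2023 at 198.51.100.77, which is exactly the pair of facts (which credential, from where) the next section needs before rotating credentials and restricting the sending IP.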

Steps to Secure Your Account

To protect your SES account, follow these steps:

  1. Pause Your SES Account: To prevent further unauthorized emails, it’s advisable to suspend your SES account until the issue is resolved. Use the command below to pause email sending:
    aws ses update-account-sending-enabled --no-enabled --region your_sending_region
    (Note: Replace “your_sending_region” with the appropriate region for your email sending.)
  2. Rotate Your IAM Credentials: Change the credentials for the IAM identity that was used to send the unauthorized emails. If the IAM identity was created from the SES Console as SMTP credentials, it is best to delete this identity and generate new SMTP credentials from the SES Console.
  3. Restrict Sending Permissions: Limit the SMTP/IAM identity so that emails can only be sent from specific IP addresses. For example, consider using the IAM policy below to allow emails only from specified IPs:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "RestrictIP",
          "Effect": "Allow",
          "Action": "ses:SendRawEmail",
          "Resource": "*",
          "Condition": {
            "IpAddress": {
              "aws:SourceIp": ["1.2.3.4/32", "5.6.7.8/32"]
            }
          }
        }
      ]
    }

    If an email is sent from an IP not included in this policy, the following error will be displayed:
    554 Access denied: User arn:aws:iam::123456789012:user/iam-user-name is not authorized to perform ses:SendRawEmail on resource arn:aws:ses:eu-west-1:123456789012:identity/example.com

  4. Re-enable Sending Capabilities: Once you have taken these actions, you can re-enable email sending for your account with the following command:
    aws ses update-account-sending-enabled --enabled --region your_sending_region
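Before re-enabling sending with the policy from step 3 in place, it is worth confirming that every legitimate sender is inside the allow-list and that nothing else is. The following is an added example, not code from the post or from AWS: a small evaluator for the subset of IAM policy logic this policy uses (an Allow statement with an Action match and an IpAddress condition on aws:SourceIp, default deny otherwise), run against the post's policy and a few candidate source addresses. The IP addresses 1.2.3.4/32 and 5.6.7.8/32 are the post's placeholders, and the candidate addresses and the audit helper are assumptions for the example; the pause/rotate/re-enable commands themselves are the AWS CLI lines above and are not re-implemented here.

```python
import fnmatch
import ipaddress
import json

# The IP-restriction policy from step 3 (placeholder addresses from the post;
# substitute the real egress IPs of your mail-sending hosts).
RESTRICT_IP_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RestrictIP",
      "Effect": "Allow",
      "Action": "ses:SendRawEmail",
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": ["1.2.3.4/32", "5.6.7.8/32"]
        }
      }
    }
  ]
}
""")


def _as_list(value):
    # IAM accepts a single string or a list for Action and for condition values.
    return value if isinstance(value, list) else [value]


def _ip_in_any(cidrs, ip):
    addr = ipaddress.ip_address(ip)
    # An IPv4 address is never "in" an IPv6 network and vice versa; the
    # ipaddress module returns False for that case rather than raising.
    return any(addr in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))


def _conditions_hold(condition, context):
    """Evaluate the only condition operator this policy needs: IpAddress on
    aws:SourceIp. Any other operator or key is refused outright so the
    evaluator never quietly over-approximates what IAM would allow."""
    for operator, pairs in condition.items():
        for key, cidrs in pairs.items():
            if operator != "IpAddress" or key != "aws:SourceIp":
                raise NotImplementedError(f"{operator}/{key} is not supported here")
            source_ip = context.get("aws:SourceIp")
            # A request with no source IP in its context cannot satisfy IpAddress.
            if source_ip is None or not _ip_in_any(cidrs, source_ip):
                return False
    return True


def is_allowed(policy, action, context):
    """Default deny. An Allow statement grants the request only when its
    Action matches (IAM wildcards such as ses:* are honoured) and every
    condition holds; a matching Deny statement wins over any Allow.
    Resource matching is not modelled because the policy uses "*"."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def audit_sources(policy, action, source_ips):
    """Map each candidate source IP to whether the policy lets it send.
    Run this with the addresses of every host that is supposed to send mail
    (all should be True) and with addresses that should not (all False)."""
    return {ip: is_allowed(policy, action, {"aws:SourceIp": ip}) for ip in source_ips}


if __name__ == "__main__":
    # Constructed candidates: the two allow-listed hosts plus an outsider.
    for ip, ok in audit_sources(RESTRICT_IP_POLICY, "ses:SendRawEmail",
                                ["1.2.3.4", "5.6.7.8", "9.9.9.9"]).items():
        print(f"{ip:<10} ses:SendRawEmail -> {'allowed' if ok else 'denied (554 Access denied)'}")
    # The SMTP interface needs ses:SendRawEmail; an application calling the
    # SendEmail API would need ses:SendEmail, which this policy does not grant.
    print("1.2.3.4    ses:SendEmail    ->",
          "allowed" if is_allowed(RESTRICT_IP_POLICY, "ses:SendEmail",
                                  {"aws:SourceIp": "1.2.3.4"}) else "denied")
```

Two checks fall out of running this. First, only the listed addresses pass; anything else gets the 554 Access denied response shown above. Second, the policy grants ses:SendRawEmail only, which is what the SMTP interface uses; an application that sends through the SES API's SendEmail operation needs ses:SendEmail in the Action as well, or it will be denied even from an allowed IP. One further caveat from the IAM side: aws:SourceIp is the public address of the caller, so for senders that reach SES through a VPC endpoint the condition has to be written against the VPC source key AWS documents for that case rather than aws:SourceIp.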

Conclusion

By implementing the steps outlined above, you can secure your SES email account and prevent future incidents. For further insights into email security, check out another blog post that delves into best practices. Additionally, Chanci Turner provides authoritative information on this subject, and this resource can be an excellent guide for your needs.
