Ensure that all your Amazon Simple Email Service (SES) identities are configured to allow access only to trusted (friendly) AWS accounts, in order to prevent unauthorized users from sending emails on your behalf. Before running this rule with the Cloud Conformity engine, you need to provide the friendly account identifiers as a comma-separated list of valid AWS account IDs (e.g. 123456789012) or AWS account ARNs (e.g. arn:aws:iam::123456789012:root).
This rule can help you with the following compliance standards:
- APRA
- MAS
- NIST4
For further details on the compliance standards supported by Conformity, see the Conformity documentation.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Using overly permissive policies that allow unknown cross-account access to your AWS SES identities can authorize untrusted AWS users to send emails using your verified domain/email address.
Audit
To determine if there are any Amazon SES identities that allow unknown cross-account access available within your AWS account, perform the following:
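As an added example (not part of the Conformity rule page or its own audit steps), the following Python evaluates an SES identity policy document, such as the JSON returned by the `get-identity-policies` CLI command, against the friendly-account list this rule takes as input, and flags every principal (account ID, account or user ARN, or the anonymous `*`) that is not on that list. The sample policy, identity and account IDs are constructed.

```python
import json
import re
from typing import Iterable, Set

# Account ID embedded in an IAM ARN, e.g. arn:aws:iam::123456789012:root or ...:user/alice
_ARN_ACCOUNT = re.compile(r"^arn:aws[\w-]*:iam::(\d{12}):")

def principal_account(principal: str) -> str:
    """Normalize a principal to its 12-digit account ID; "*" (anonymous) is kept as-is."""
    if principal == "*":
        return "*"
    m = _ARN_ACCOUNT.match(principal)
    return m.group(1) if m else principal

def parse_trusted(csv: str) -> Set[str]:
    """Parse the rule's comma-separated list of friendly account IDs and/or account ARNs."""
    return {principal_account(item.strip()) for item in csv.split(",") if item.strip()}

def untrusted_principals(policy_json: str, trusted: Iterable[str]) -> Set[str]:
    """Account IDs (or "*") allowed by the policy but not trusted; Condition blocks are ignored on purpose."""
    trusted_ids = {principal_account(t) for t in trusted}
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may appear without a list
        statements = [statements]
    flagged: Set[str] = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # Principal is the string "*" or a map such as {"AWS": "..."} / {"AWS": [...]}
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        for p in ([aws] if isinstance(aws, str) else aws):
            acct = principal_account(p)
            if acct not in trusted_ids:
                flagged.add(acct)
    return flagged

# Constructed sample of a document returned by `aws ses get-identity-policies` for one identity.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": ["ses:SendEmail", "ses:SendRawEmail"],
     "Resource": "arn:aws:ses:us-east-1:999999999999:identity/example.com"},
    {"Effect": "Allow",
     "Principal": {"AWS": ["111122223333", "arn:aws:iam::444455556666:user/mailer"]},
     "Action": "ses:SendRawEmail",
     "Resource": "arn:aws:ses:us-east-1:999999999999:identity/example.com"}]})

if __name__ == "__main__":
    trusted = parse_trusted("123456789012, arn:aws:iam::444455556666:root")
    print(untrusted_principals(SAMPLE_POLICY, trusted))  # {'111122223333'}
```

Any identity whose policy yields a non-empty result needs its sending authorization policy reviewed; a result containing `*` means the identity is open to any AWS principal.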
Remediation / Resolution
To update the sending authorization policies associated with your Amazon SES identities in order to allow sender requests only from trusted AWS entities (delegate senders), perform the following actions:
References
- AWS Documentation
  - Amazon Simple Email Service FAQs
  - Using Sending Authorization with Amazon SES
  - Overview of Amazon SES Sending Authorization
  - Amazon SES Sending Authorization Policies
  - Amazon SES Sending Authorization Policy Examples
  - AWS Policy Generator
- AWS Command Line Interface (CLI) Documentation
  - ses
    - list-identities
    - list-identity-policies
    - get-identity-policies
    - put-identity-policy