
Identify Cross-Account Access

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: SES-004

Ensure that all your Amazon Simple Email Service (SES) identities are configured to allow cross-account access only to trusted (friendly) AWS accounts, so that unauthorized principals cannot send emails on your behalf. Before the Cloud Conformity engine runs this rule, you need to provide the trusted account identifiers as a comma-separated list of valid AWS account IDs (e.g. 123456789012) or AWS account ARNs (e.g. arn:aws:iam::123456789012:root).

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Overly permissive sending authorization policies that allow unknown cross-account access to your Amazon SES identities let untrusted AWS principals send emails from your verified domain or email address. Such mail carries your verified identity, so recipients cannot distinguish it from mail you send yourself, which makes it well suited to phishing and spoofing in your name.


Audit

To determine if there are any Amazon SES identities that allow unknown cross-account access available within your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SES dashboard at https://console.aws.amazon.com/ses/.

03 In the left navigation panel, under Identity Management, choose Domains to check the sending authorization policies defined for your existing Amazon SES domains or Email Addresses to check the policies defined for your email addresses registered with AWS SES.

04 Select the domain/email address that you want to examine then click View Details button from the dashboard top menu to access the identity details page.

05 Click Identity Policies to expand the panel with the sending authorization policies defined for the selected domain/email address.

06 In the Policy Actions column, click Show Policy to open the authorization policy document.

07 Inside Show Policy dialog box, within policy document, check the AWS account ID (e.g. 123456789012) or AWS account ARN (e.g. arn:aws:iam::123456789012:root), defined as value for the Principal element.

08 Sign in to your Cloud Conformity console, open the settings of the SES Identity Cross Account Access conformity rule and compare the identifier(s) found at the previous step (ID(s) or ARN(s)) against the identifiers listed in the rule configuration section. An identifier that does not match any trusted account entity listed there belongs to an untrusted AWS entity, and the cross-account access it grants is not secured: that entity should not be authorized to send emails using the selected Amazon SES identity. Note that a Principal value of "*" grants the permission to every AWS account.

09 Repeat steps no. 6 – 8 to verify other sending authorization policies created for the selected identity.

10 Repeat steps no. 4 – 9 to determine if other Amazon SES identities, available in the current region, allow unknown cross-account access.

11 Change the AWS region from the navigation bar and repeat the audit process for the other regions.

Using AWS CLI

01 Run list-identities command (OSX/Linux/UNIX) to list all identities (domains and email addresses) registered with AWS SES, available within the selected AWS region:

aws ses list-identities \
    --region us-east-1

02 The command output should return information about the requested identities:

{
    "Identities": [
        "cloudrealisation.com",
        "sales@cloudconformity.com"
    ]
}

03 Run list-identity-policies to return the list of sending authorization policies that are currently attached to the selected identity:

aws ses list-identity-policies \
    --region us-east-1 \
    --identity "cloudrealisation.com"

04 The command output should return the names of the associated authorization policies:

{
    "PolicyNames": [
        "Policy-12345678901234"
    ]
}

05 Run get-identity-policies to describe the sending authorization policy document, associated with the selected identity (domain), returned at the previous step:

aws ses get-identity-policies \
    --region us-east-1 \
    --identity "cloudrealisation.com" \
    --policy-names Policy-12345678901234

06 The command output should return the requested sending authorization policy document. The CLI returns each policy document as an escaped JSON string on a single line; it is expanded here for readability:

{
    "Policies": {
        "Policy-12345678901234": {
            "Version": "2008-10-17",
            "Statement": [
                {
                    "Sid": "stmt123456789abcd",
                    "Effect": "Allow",
                    "Principal": {
                        "AWS": "arn:aws:iam::123456789012:root"
                    },
                    "Action": [
                        "ses:SendEmail",
                        "ses:SendRawEmail"
                    ],
                    "Resource": "arn:aws:ses:us-east-1:123456789012:identity/cloudrealisation.com"
                }
            ]
        }
    }
}

Within the policy document returned as output, check the AWS account ID (e.g. 123456789012) or AWS account ARN (e.g. arn:aws:iam::123456789012:root), defined as value for the Principal element.

07 Now sign in to your Cloud Conformity console, open the settings of the SES Identity Cross Account Access conformity rule and compare the identifier(s) found at the previous step (ID(s) or ARN(s)) against the identifiers listed in the rule configuration section. An identifier that does not match any trusted account entity listed there belongs to an untrusted AWS entity, and the cross-account access granted by that authorization policy is not secured. A Principal value of "*" grants the permission to every AWS account and is never trusted.

08 Repeat steps no. 3 – 7 to determine if other Amazon SES identities, created in the current region, allow unknown cross-account access.

09 Change the AWS region by updating the --region command parameter value and repeat the entire audit process for other regions.
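The comparison in steps 06 and 07 is what the following Python script automates: it takes the JSON returned by get-identity-policies, resolves every Principal to an account ID and reports any Allow statement that grants a send action to an account outside the trusted list. This is an added example for this page, not code from Conformity or AWS; the trusted entries, the account IDs and the CLI output it parses are constructed for the example.

```python
"""Check `aws ses get-identity-policies` output for untrusted cross-account
senders. Added example for this page; it is not Conformity's rule engine."""
import json
import re
from fnmatch import fnmatchcase

# Entries as they would be typed into the SES-004 rule settings: account IDs or
# IAM ARNs. The values below are constructed placeholders for the example.
TRUSTED_ENTRIES = ["123456789012", "arn:aws:iam::210987654321:root"]

# Actions a delegate sender needs; any Allow that covers one of these matters.
SEND_ACTIONS = ("ses:sendemail", "ses:sendrawemail")
_ARN_ACCOUNT = re.compile(r"^arn:aws[\w-]*:(?:iam|sts)::(\d{12}):\S+$")


def account_of(entry):
    """Map a 12-digit account ID or an IAM/STS ARN to its account ID.
    Anything else is returned unchanged so it gets reported, not silently accepted."""
    if re.fullmatch(r"\d{12}", entry):
        return entry
    m = _ARN_ACCOUNT.match(entry)
    return m.group(1) if m else entry


def principal_accounts(principal):
    """Account IDs named by a statement's Principal; "*" means everyone."""
    if principal == "*":
        return {"*"}
    if not isinstance(principal, dict):
        return set()
    values = principal.get("AWS", [])
    if isinstance(values, str):
        values = [values]
    return {account_of(v) for v in values}


def grants_send(actions):
    """True if the Action element (string or list, wildcards allowed) covers a send action."""
    if isinstance(actions, str):
        actions = [actions]
    return any(fnmatchcase(canon, a.lower()) for a in actions for canon in SEND_ACTIONS)


def untrusted_grants(policy_json, trusted_ids):
    """(Sid, account) pairs for Allow statements that let an account outside
    trusted_ids send email. Deny statements never widen access and are skipped."""
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for st in statements:
        if st.get("Effect") != "Allow" or not grants_send(st.get("Action", [])):
            continue
        for acct in sorted(principal_accounts(st.get("Principal", {}))):
            if acct not in trusted_ids:
                findings.append((st.get("Sid", ""), acct))
    return findings


def audit_identity_policies(cli_output, trusted_entries):
    """Apply untrusted_grants to every policy in get-identity-policies output."""
    trusted_ids = {account_of(e) for e in trusted_entries}
    return {name: untrusted_grants(doc, trusted_ids)
            for name, doc in cli_output["Policies"].items()}


# Constructed stand-in for `aws ses get-identity-policies` output: the CLI
# returns each policy document as an escaped JSON string, hence json.dumps().
def _policy(sid, principal, action):
    return json.dumps({"Version": "2008-10-17", "Statement": [{
        "Sid": sid, "Effect": "Allow", "Principal": principal, "Action": action,
        "Resource": "arn:aws:ses:us-east-1:111111111111:identity/example.com"}]})


SAMPLE_OUTPUT = {"Policies": {
    "Policy-trusted": _policy("stmt1", {"AWS": "arn:aws:iam::123456789012:root"},
                              ["ses:SendEmail", "ses:SendRawEmail"]),
    "Policy-everyone": _policy("stmt2", "*", "ses:SendRawEmail"),
    "Policy-mixed": _policy("stmt3", {"AWS": ["arn:aws:iam::210987654321:user/delegate",
                                              "arn:aws:iam::999999999999:role/unknown"]},
                            "ses:Send*"),
}}

if __name__ == "__main__":
    for name, findings in audit_identity_policies(SAMPLE_OUTPUT, TRUSTED_ENTRIES).items():
        print(name, "OK" if not findings else f"UNTRUSTED {findings}")
```

To run it against a real identity, replace SAMPLE_OUTPUT with json.load(sys.stdin) and pipe the get-identity-policies output from step 05 into the script. Principals that are neither an account ID nor an IAM/STS ARN are reported verbatim rather than skipped, so an unexpected principal format shows up as a finding instead of being silently accepted.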

Remediation / Resolution

To update the sending authorization policies associated with your Amazon SES identities in order to allow sender requests only from trusted AWS entities (delegate senders), perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SES dashboard at https://console.aws.amazon.com/ses/.

03 In the left navigation panel, within Identity Management section, choose Domains to update the sending authorization policies defined for your existing Amazon SES domains or Email Addresses to update the policies defined for your AWS SES email addresses.

04 Select the domain/email address that you want to reconfigure then click View Details button from the dashboard top menu to access the resource configuration details page.

05 Click Identity Policies to expand the panel with the sending authorization policies defined for the selected domain/email address.

06 In the Policy Actions column, click Edit Policy to edit the associated policy document.

07 On the Edit Policy page, inside Policy Document box, perform one of the following actions:

  1. Replace the "Everyone" grantee, i.e. "*", in the Principal element value with a trusted AWS account ID (e.g. { "AWS": "123456789012" } ), an AWS account ARN (e.g. { "AWS": "arn:aws:iam::123456789012:root" } ) or an IAM user ARN (e.g. { "AWS": "arn:aws:iam::123456789012:user/ses-delegate-sender" } ). This is the preferred fix, because the grant then names the delegate sender explicitly.
  2. Add a Condition clause to the existing policy statement so that the grant applies only to principals from a specific AWS account (e.g. "Condition": { "StringEquals": { "aws:PrincipalAccount": "123456789012" } }). Use aws:PrincipalAccount here rather than aws:SourceAccount: the latter is only present when an AWS service makes a request on behalf of one of your resources, so a condition on it does not match a delegate sender calling the SES API directly.

08 Click Apply Policy to apply the changes.

09 In the Overwrite Existing Policy dialog box, click Overwrite to confirm the action.

10 Repeat steps no. 4 – 9 to update sending authorization policies for other Amazon SES identities, available within the current region.

11 Change the AWS region from the navigation bar and repeat the process for the other regions.

Using AWS CLI

01 First, define the sending authorization policy that the selected Amazon SES identity needs and save it in a JSON file named ses-sending-authorization-policy.json. You can also use the AWS Policy Generator available at https://awspolicygen.s3.amazonaws.com/policygen.html to build your own custom policies. The following example describes an authorization policy document that allows an AWS account, identified by the ARN "arn:aws:iam::123456789012:root", to send emails on behalf of the selected AWS SES identity, i.e. "cloudconformity.com". The account ID in the Principal is the delegate sender's account, while the account ID in the Resource ARN is the account that owns the identity, so in a real cross-account setup the two differ:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "stmt1234567890123",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            },
            "Action": [
                "ses:SendEmail",
                "ses:SendRawEmail"
            ],
            "Resource": "arn:aws:ses:us-east-1:123456789012:identity/cloudconformity.com"
        }
    ]
}

02 Run put-identity-policy command (OSX/Linux/UNIX) to replace the existing sending authorization policy named "Policy-12345678901234" with the one defined at the previous step, for the selected SES identity, i.e. "cloudconformity.com" (the command produces no output). The policy name must match the existing one: a new name creates an additional policy and leaves the permissive one in force, because SES evaluates every policy attached to the identity. If you do create the policy under a new name, remove the old one with delete-identity-policy.

aws ses put-identity-policy \
    --region us-east-1 \
    --identity "cloudconformity.com" \
    --policy-name Policy-12345678901234 \
    --policy file://ses-sending-authorization-policy.json

03 Repeat step no. 1 and 2 to update sending authorization policies for other Amazon SES identities, available in the current region.

04 Change the AWS region by updating the --region command parameter value and repeat the entire remediation/resolution process for other regions.
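For the common case where the offending policy uses the "Everyone" grantee, the following Python script builds the replacement document for steps 01 and 02 programmatically. It applies option 1 from the console procedure above (named trusted principals) and, optionally, pins the grant with an aws:PrincipalAccount condition. It is an added example, not AWS or Conformity code; the weak policy, the account IDs and the identity name are constructed placeholders.

```python
"""Produce a hardened replacement for an SES sending authorization policy
whose Principal is "*". Added example for this page, not AWS or Conformity code."""
import json
import re


def to_root_arn(entry):
    """Turn a trusted entry (account ID or IAM ARN, as in the rule settings)
    into the form used in a Principal element; bare IDs become root ARNs."""
    if re.fullmatch(r"\d{12}", entry):
        return f"arn:aws:iam::{entry}:root"
    if re.fullmatch(r"arn:aws[\w-]*:iam::\d{12}:(root|user/\S+|role/\S+)", entry):
        return entry
    raise ValueError(f"not an account ID or IAM ARN: {entry}")


def has_wildcard_principal(principal):
    """True for "*" or {"AWS": "*"} / {"AWS": [..., "*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def restrict_wildcard_principals(policy_json, trusted_entries, pin_account=True):
    """Return (hardened_policy_json, sids_changed).

    Every Allow statement with an "Everyone" grantee gets its Principal replaced
    by the trusted entries (option 1 above). With pin_account=True an
    aws:PrincipalAccount condition is added as well, so a later edit that widens
    the Principal again still leaves the grant bound to the trusted accounts."""
    doc = json.loads(policy_json)
    arns = sorted(to_root_arn(e) for e in trusted_entries)
    accounts = sorted({re.search(r"::(\d{12}):", a).group(1) for a in arns})
    statements = doc["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    changed = []
    for st in statements:
        if st.get("Effect") != "Allow" or not has_wildcard_principal(st.get("Principal")):
            continue
        st["Principal"] = {"AWS": arns if len(arns) > 1 else arns[0]}
        if pin_account:
            cond = st.setdefault("Condition", {}).setdefault("StringEquals", {})
            cond["aws:PrincipalAccount"] = accounts if len(accounts) > 1 else accounts[0]
        changed.append(st.get("Sid", "<no Sid>"))
    doc["Statement"] = statements
    return json.dumps(doc, indent=4), changed


# Constructed "before" policy: anyone may send as cloudconformity.com. The
# Resource account (the identity owner) deliberately differs from the delegate.
WEAK_POLICY = json.dumps({
    "Version": "2008-10-17",
    "Statement": [{
        "Sid": "stmtEveryone",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["ses:SendEmail", "ses:SendRawEmail"],
        "Resource": "arn:aws:ses:us-east-1:111111111111:identity/cloudconformity.com",
    }],
})

if __name__ == "__main__":
    hardened, sids = restrict_wildcard_principals(WEAK_POLICY, ["123456789012"])
    # The file is what step 02 passes as --policy file://ses-sending-authorization-policy.json
    with open("ses-sending-authorization-policy.json", "w") as fh:
        fh.write(hardened)
    print("rewrote statements:", sids)
```

The condition uses aws:PrincipalAccount, which is set for every IAM principal making the call, rather than aws:SourceAccount, which is only populated for service-to-service requests. Running the function a second time over its own output changes nothing, so it can be used as an idempotent pre-commit check on policy files as well as a one-off fix.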


Publication date Feb 2, 2018