
Exposed SES Identities

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: SES-003

Identify any exposed Amazon Simple Email Service (SES) identities and update their sending authorization policy in order to stop unauthorized users from sending emails from domains or addresses owned by your AWS SES account.

This rule can help you with the following compliance standards:

  • GDPR
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

To prevent unauthorized users from sending emails on your behalf, restrict access only to trusted entities by implementing the appropriate AWS SES sending authorization policies. These authorization policies specify which other AWS accounts, IAM users and AWS services can send emails for your identity, and under what conditions. A policy that allows ses:SendEmail / ses:SendRawEmail to the "*" Principal with no Condition lets any authenticated AWS principal, in any account, send mail that originates from your verified domain or address: the messages pass your domain's SPF/DKIM checks, which makes them valuable for phishing, and the resulting bounces and complaints are counted against your account's sending reputation.


Audit

To identify any exposed AWS SES identities available in your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SES dashboard at https://console.aws.amazon.com/ses/.

03 In the left navigation panel, under Identity Management, choose Domains to check the sending authorization policies defined for your existing Amazon SES domains or Email Addresses to check the policies defined for your email addresses registered with AWS SES.

04 Select the domain/email address that you want to examine then click View Details button from the dashboard top menu to access the resource details page.

05 Click Identity Policies to expand the panel with the authorization policies defined for the selected domain/email address.

06 In the Policy Actions column, click Show Policy to open the authorization policy document.

07 Inside Show Policy dialog box, within policy document, check the Principal element value. If the Principal element has one of the following values: "*" or { "AWS": "*" } and the policy is not using any Condition clause such as "Condition": { "StringEquals": { "aws:SourceAccount": "<aws_account_number>" } } to filter authorization, the selected Amazon SES identity is publicly accessible (i.e. any AWS entity can send emails on your behalf).

08 Repeat step no. 6 and 7 to verify other sending authorization policies defined for the selected identity.

09 Repeat steps no. 4 – 8 to determine if other Amazon SES identities, created within the current region, are exposed to everyone.

10 Change the AWS region from the navigation bar and repeat the process for the other regions.

Using AWS CLI

01 Run list-identities command (OSX/Linux/UNIX) to list all identities (domains and email addresses) registered with AWS SES, available within the selected AWS region:

aws ses list-identities \
	--region us-east-1

02 The command output should return information about the requested identities:

{
    "Identities": [
        "cloudconformity.com",
        "support@cloudrealisation.com"
    ]
}

03 Run list-identity-policies to return the list of sending authorization policies that are currently attached to the selected identity (e.g. "cloudconformity.com" domain).

aws ses list-identity-policies \
	--region us-east-1 \
	--identity "cloudconformity.com"

04 The command output should return the requested list:

{
    "PolicyNames": [
        "Policy-12345678901234"
    ]
}

05 Run get-identity-policies to describe the sending authorization policy document, associated with the selected identity, returned at the previous step:

aws ses get-identity-policies \
	--region us-east-1 \
	--identity "cloudconformity.com" \
	--policy-names Policy-12345678901234

06 The command output should return the requested sending authorization policy document. The API returns each policy as a JSON-encoded string (with the inner quotes escaped); it is shown unescaped here for readability:

{
    "Policies": {
        "Policy-12345678901234": "{
            "Version": "2008-10-17",
            "Statement": [
                {
                    "Sid": "stmt1234567890123",
                    "Effect": "Allow",
                    "Principal": "*",
                    "Action": [
                        "ses:SendEmail",
                        "ses:SendRawEmail"
                    ],
                    "Resource": "arn:aws:ses:us-east-1:123456789012:identity/cloudconformity.com"
                }
            ]
        }"
    }
}

Check the Principal element value available within the returned policy document. If the Principal element of an Allow statement has one of the following values: "*" or { "AWS": "*" } (or a list of principals that contains "*") and the statement is not using any Condition clause such as "Condition": { "StringEquals": { "aws:SourceAccount": "<aws_account_number>" } } to filter authorization, the selected Amazon SES identity is publicly accessible, therefore any AWS entity can send emails on your behalf.

07 Repeat steps no. 3 – 6 to determine if other Amazon SES identities, available in the current region, are exposed to everyone.

08 Change the AWS region by updating the --region command parameter value and repeat the entire audit process for other regions.

Remediation / Resolution

To update the sending authorization policies associated with your Amazon SES identities in order to allow sender requests only from trusted AWS entities (delegate senders), perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SES dashboard at https://console.aws.amazon.com/ses/.

03 In the left navigation panel, within Identity Management section, choose Domains to update the sending authorization policies defined for your existing Amazon SES domains or Email Addresses to update the policies defined for your AWS SES email addresses.

04 Select the domain/email address that you want to reconfigure then click View Details button from the dashboard top menu to access the resource configuration details page.

05 Click Identity Policies to expand the panel with the sending authorization policies defined for the selected domain/email address.

06 In the Policy Actions column, click Edit Policy to edit the associated policy document.

07 On the Edit Policy page, inside Policy Document box, perform one of the following actions:

  1. Replace the "Everyone" grantee, i.e. "*", from the Principal element value with a trusted AWS account ID (e.g. { "AWS": "123456789012" } ), an AWS account ARN (e.g. { "AWS": "arn:aws:iam::123456789012:root" } ) or an IAM user ARN (e.g. { "AWS": "arn:aws:iam::123456789012:user/ses-delegate-sender" } ).
  2. Add a Condition clause to the existing policy statement to grant cross-account access only to a specific AWS account (e.g. "Condition": { "StringEquals": { "aws:SourceAccount": "123456789012" } }). Note that aws:SourceAccount is only present in the request context when an AWS service calls SES on behalf of a resource; a direct SendEmail/SendRawEmail API call from an IAM principal does not carry it, so for delegate senders that call the API themselves prefer option 1 and name the trusted account or principal explicitly.

08 Click Apply Policy to apply the changes.

09 In the Overwrite Existing Policy dialog box, click Overwrite to confirm the action.

10 Repeat steps no. 4 – 9 to update sending authorization policies for other Amazon SES identities, available within the current region.

11 Change the AWS region from the navigation bar and repeat the process for the other regions.

Using AWS CLI

01 First, define the necessary sending authorization policy for the selected Amazon SES identity and save it in a JSON file named ses-sending-authorization-policy.json. You can also use the AWS Policy Generator available at https://awspolicygen.s3.amazonaws.com/policygen.html to build your own custom policies. The following example describes an authorization policy document that allows an AWS account, identified by the ARN "arn:aws:iam::123456789012:root", to send emails on behalf of the selected AWS SES identity, i.e. "cloudconformity.com":

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "stmt1234567890123",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            },
            "Action": [
                "ses:SendEmail",
                "ses:SendRawEmail"
            ],
            "Resource": "arn:aws:ses:us-east-1:123456789012:identity/cloudconformity.com"
        }
    ]
}

02 Run put-identity-policy command (OSX/Linux/UNIX) to replace an existing sending authorization policy, identified by the name "Policy-12345678901234" with the one defined at the previous step, for the selected SES identity, i.e. "cloudconformity.com" (the command does not produce an output):

aws ses put-identity-policy \
	--region us-east-1 \
	--identity "cloudconformity.com" \
	--policy-name Policy-12345678901234 \
	--policy file://ses-sending-authorization-policy.json

03 Repeat step no. 1 and 2 to update sending authorization policies for other Amazon SES identities, available in the current region.

04 Change the AWS region by updating the --region command parameter value and repeat the entire remediation/resolution process for other regions.
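The CLI audit steps above (list-identities, list-identity-policies, get-identity-policies) and the put-identity-policy remediation can be combined into one script that walks every identity in a region, flags the policies that match this rule, and rewrites the wildcard Principal to a trusted delegate sender. The following is an added example written for this page, not Conformity's own code or an AWS-provided tool. The classification and rewrite functions are pure and run offline against the constructed sample below (which mirrors the page's get-identity-policies output, including the fact that each policy arrives as a JSON-encoded string); the audit_and_fix function needs boto3 and valid credentials, and the region, trusted principal ARN and policy names are assumptions for illustration.

```python
"""Audit and remediate exposed Amazon SES sending authorization policies (SES-003)."""
import json


def _principals(stmt):
    """Flatten the Principal element ("*", {"AWS": "..."} or {"AWS": [...]}) into a list."""
    principal = stmt.get("Principal")
    if principal is None:
        return []
    if isinstance(principal, str):
        return [principal]
    values = []
    for value in principal.values():
        values.extend(value if isinstance(value, list) else [value])
    return values


def _statements(doc):
    stmts = doc.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def _load(policy_doc):
    # get-identity-policies returns each policy as a JSON string; accept a dict too.
    return json.loads(policy_doc) if isinstance(policy_doc, str) else json.loads(json.dumps(policy_doc))


def is_exposed(policy_doc):
    """True if an Allow statement grants everyone ("*") access with no Condition clause."""
    for stmt in _statements(_load(policy_doc)):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt):
            continue
        if stmt.get("Condition"):
            continue  # conditional grant: not flagged by this rule, review separately
        return True
    return False


def find_exposed(get_identity_policies_output):
    """Names of the exposed policies in a get-identity-policies response."""
    policies = get_identity_policies_output["Policies"]
    return [name for name, doc in policies.items() if is_exposed(doc)]


def harden(policy_doc, trusted_principal):
    """Copy of the policy with every wildcard Allow Principal replaced by trusted_principal."""
    doc = _load(policy_doc)
    stmts = _statements(doc)
    for stmt in stmts:
        if stmt.get("Effect") == "Allow" and "*" in _principals(stmt):
            stmt["Principal"] = {"AWS": trusted_principal}
    doc["Statement"] = stmts
    return json.dumps(doc, indent=4)


# Constructed sample: the page's exposed policy, encoded the way the API returns it.
SAMPLE_OUTPUT = {
    "Policies": {
        "Policy-12345678901234": json.dumps({
            "Version": "2008-10-17",
            "Statement": [{
                "Sid": "stmt1234567890123",
                "Effect": "Allow",
                "Principal": "*",
                "Action": ["ses:SendEmail", "ses:SendRawEmail"],
                "Resource": "arn:aws:ses:us-east-1:123456789012:identity/cloudconformity.com",
            }],
        })
    }
}


def audit_and_fix(region, trusted_principal, apply=False):
    """Walk all SES identities in a region; return {identity: [exposed policy names]}.

    With apply=True the exposed policies are overwritten in place (put-identity-policy),
    which is the same overwrite the console's "Overwrite Existing Policy" dialog performs.
    """
    import boto3  # imported lazily so the pure functions above run without it
    ses = boto3.client("ses", region_name=region)
    findings, kwargs = {}, {}
    while True:
        page = ses.list_identities(**kwargs)
        for identity in page["Identities"]:
            names = ses.list_identity_policies(Identity=identity)["PolicyNames"]
            if not names:
                continue  # no sending authorization policy: only the owner can send
            policies = ses.get_identity_policies(Identity=identity, PolicyNames=names[:20])
            exposed = find_exposed(policies)
            if exposed:
                findings[identity] = exposed
            if apply:
                for name in exposed:
                    ses.put_identity_policy(Identity=identity, PolicyName=name,
                                            Policy=harden(policies["Policies"][name], trusted_principal))
        if "NextToken" not in page:
            return findings
        kwargs["NextToken"] = page["NextToken"]


if __name__ == "__main__":
    print("exposed in sample:", find_exposed(SAMPLE_OUTPUT))
    print(harden(SAMPLE_OUTPUT["Policies"]["Policy-12345678901234"],
                 "arn:aws:iam::123456789012:root"))
    # Dry run against a real account (region and ARN are placeholders):
    # print(audit_and_fix("us-east-1", "arn:aws:iam::123456789012:root", apply=False))
```

Run it once with apply=False per region, review the findings, then rerun with apply=True; since SES identities are regional, loop the call over every region in which you have verified identities. Statements that already carry a Condition are deliberately left alone because this rule does not flag them; check those by hand against the caveat in the remediation steps above.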

Publication date Sep 10, 2016