
Identity Verification Status

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: SES-002

Ensure Amazon Simple Email Service (SES) identities are verified in order to prove their ownership and to prevent others from using them. Before you can use AWS SES to send emails, you must verify each email address (or the email address domain) that you will use as a "From", "Source", "Sender" or "Return-Path" address, to confirm that you own it.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Verifying AWS SES identities (i.e. confirming their ownership) is an effective way to prevent people from sending mail from email addresses or domains that they do not actually own.

Audit

To determine the verification status for your AWS Simple Email Service (SES) identities, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SES dashboard at https://console.aws.amazon.com/ses/.

03 In the left navigation panel, under Identity Management section, choose Domains to check the verification status of your existing Amazon SES domains or Email Addresses to check the verification status of your email addresses registered with AWS SES. If one or more existing SES identities (email addresses and/or domains) have the current status set to pending verification, the identities were not successfully verified, therefore their ownership is not confirmed.

04 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run list-identities command (OSX/Linux/UNIX) to list all identities (email addresses and domains) registered with AWS SES, available within the selected AWS region:

aws ses list-identities \
	--region us-east-1

02 The command output should return information about the requested identities:

{
    "Identities": [
        "cloudconformity.com",
        "contact@cloudconformity.com"
    ]
}

03 Run get-identity-verification-attributes command (OSX/Linux/UNIX) to expose the verification status of the selected Amazon SES identities (domains and/or email addresses). The following command example checks the verification status of a domain named "cloudconformity.com" and an email address named "contact@cloudconformity.com":

aws ses get-identity-verification-attributes \
	--region us-east-1 \
	--identities "cloudconformity.com" "contact@cloudconformity.com"

04 The command output should return the verification status for the specified SES identities:

{
    "VerificationAttributes": {
        "contact@cloudconformity.com": {
            "VerificationStatus": "Pending"
        },
        "cloudconformity.com": {
            "VerificationToken": "DsY8YHjMEZEK4bthbPQ1vAb3d2DX6RT4N+gP=",
            "VerificationStatus": "Pending"
        }
    }
}

Check the VerificationStatus attribute value in each identity metadata object returned. If the attribute value is set to Pending (as shown in the example above), the selected AWS SES identities were not successfully verified, therefore their ownership is not yet confirmed.

05 Change the AWS region by updating the --region command parameter value and repeat the entire audit process for other regions.

Remediation / Resolution

To verify any AWS Simple Email Service (SES) identities in order to prove their ownership, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to SES dashboard at https://console.aws.amazon.com/ses/.

03 In the navigation panel, under Identity Management section, choose one of the following options based on the AWS SES identity type that you want to verify:

  1. To verify the ownership of a domain, choose Domains then click Verify a New Domain button from the SES dashboard top menu. Inside Verify a New Domain dialog box, enter the name of your domain in the Domain field then use the Verify This Domain button to initiate the process. To complete the verification of the domain name, add the Domain Verification Record (TXT record) and the Email Receiving Record (MX record), generated automatically by the AWS SES service, to the domain's DNS settings. Click Close to return to SES dashboard. Once these records are added to your domain DNS zone file and the DNS propagation is complete, the verified identity domain status should change from pending verification to verified.
  2. To verify the ownership of an email address, choose Email Addresses then click Verify a New Email Address button from the SES dashboard top menu. Inside Verify a New Email Address dialog box, enter your email address in the Email Address field then use the Verify This Email Address button to start the verification process. Click Close to return to SES dashboard. To complete the process, open the email message received from Amazon Web Services and complete the verification process based on the instructions outlined in the message. Once the identity of the verified email address is confirmed, its status should change from pending verification to verified.

04 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run verify-domain-identity command (OSX/Linux/UNIX) to verify a domain name for ownership confirmation before registering and using it with the Amazon SES service:

aws ses verify-domain-identity \
	--region us-east-1 \
	--domain cloudconformity.com

02 The command output should return a verification token that must be used as the value of the new TXT record that you must add to your domain DNS settings in order to complete the verification process:

{
    "VerificationToken": "DsY8YHjMEZEK4bthbPQ1vAb3d2DX6RTrHPc7964N+gP="
}

03 Run verify-email-identity command (OSX/Linux/UNIX) to verify an email address for ownership confirmation before registering and using it with AWS SES (the command does not return any output):

aws ses verify-email-identity \
	--region us-east-1 \
	--email-address contact@cloudconformity.com

04 Once the verify-email-identity command request is made, the email address passed as the --email-address parameter will receive a verification email. To complete the verification process, you must open the link listed in the email message.

05 Change the AWS region by updating the --region command parameter value and repeat the entire remediation process for other regions.
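The following script is an added example that automates both the CLI audit above (list-identities, then get-identity-verification-attributes) and the CLI remediation (verify-domain-identity, verify-email-identity). It is not Conformity's own code. It assumes the aws CLI is installed and has credentials for the live functions; the find_unverified check runs offline against a constructed sample shaped like the page's output, with a placeholder token. The set of possible VerificationStatus values, the 100-identity limit per get-identity-verification-attributes call, and the _amazonses.<domain> TXT record name come from the SES API documentation, not from this page.

```python
import json
import subprocess
from typing import Dict, List, Tuple

# Constructed sample, shaped like the get-identity-verification-attributes
# output shown on the page (the token value is a placeholder, not a real one).
SAMPLE_ATTRIBUTES: Dict = {
    "VerificationAttributes": {
        "contact@cloudconformity.com": {"VerificationStatus": "Pending"},
        "cloudconformity.com": {
            "VerificationToken": "VERIFICATION-TOKEN-PLACEHOLDER",
            "VerificationStatus": "Pending",
        },
        "alerts.example.com": {"VerificationStatus": "Success"},
    }
}

# SES reports exactly one of these per identity; only "Success" confirms ownership.
UNVERIFIED_STATUSES = {"Pending", "Failed", "TemporaryFailure", "NotStarted"}


def find_unverified(attributes: Dict) -> List[str]:
    """Return, sorted, every identity whose VerificationStatus is not "Success"."""
    unverified = []
    for identity, meta in attributes.get("VerificationAttributes", {}).items():
        # A missing status is treated as unverified rather than silently passed.
        if meta.get("VerificationStatus", "NotStarted") != "Success":
            unverified.append(identity)
    return sorted(unverified)


def dns_txt_record(domain: str, token: str) -> Tuple[str, str, str]:
    """The (name, type, value) record to publish: SES looks for the token in
    a TXT record named _amazonses.<domain>."""
    return (f"_amazonses.{domain}", "TXT", token)


def run_aws(args: List[str]) -> Dict:
    """Run one AWS CLI command and parse its JSON output (needs aws + credentials)."""
    out = subprocess.check_output(["aws", "--output", "json"] + args)
    # verify-email-identity prints nothing, so tolerate an empty response.
    return json.loads(out) if out.strip() else {}


def audit_region(region: str) -> List[str]:
    """Audit steps 01-04: list identities in a region, then check their status."""
    identities = run_aws(["ses", "list-identities", "--region", region]).get("Identities", [])
    unverified: List[str] = []
    # The API accepts at most 100 identities per call, so check them in batches.
    for i in range(0, len(identities), 100):
        batch = identities[i:i + 100]
        attrs = run_aws(["ses", "get-identity-verification-attributes",
                         "--region", region, "--identities"] + batch)
        unverified.extend(find_unverified(attrs))
    return sorted(unverified)


def verify_domain(domain: str, region: str) -> Tuple[str, str, str]:
    """Remediation steps 01-02: start domain verification and return the TXT
    record that must be added to the domain's DNS zone."""
    token = run_aws(["ses", "verify-domain-identity", "--region", region,
                     "--domain", domain])["VerificationToken"]
    return dns_txt_record(domain, token)


def verify_email(address: str, region: str) -> None:
    """Remediation step 03: SES then mails a confirmation link to the address."""
    run_aws(["ses", "verify-email-identity", "--region", region,
             "--email-address", address])


if __name__ == "__main__":
    import sys
    # Usage: python ses_identity_audit.py us-east-1 eu-west-1 ...
    for region in (sys.argv[1:] or ["us-east-1"]):
        for identity in audit_region(region):
            print(f"{region}: {identity} is NOT verified (ownership unconfirmed)")
```

Run audit_region once per region in which SES is enabled, exactly as steps 05 of both procedures instruct; anything it returns is an identity that cannot yet be used as a "From", "Source", "Sender" or "Return-Path" address and whose ownership has not been proven.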


Publication date May 2, 2017