iCompaas Support

Profile Applicability:

• Level 1

Description:

Amazon Simple Email Service (SES) is a fully managed email sending service that allows you to send and receive emails using your own domains. SES identities, such as email addresses or domain names, need to be verified before they can be used to send or receive emails. Publicly accessible SES identities are those that can be viewed or accessed by unauthorized parties, which may result in misuse or security vulnerabilities.

Ensuring that SES identities (whether email addresses or domain names) are not publicly accessible ensures that only authorized users can interact with them, thus preventing unauthorized email usage or impersonation attacks.

Rationale:

• Security: Exposing SES identities publicly could allow attackers to spoof emails or abuse your domain, leading to email spoofing, phishing, or spam.

• Access Control: By restricting access to SES identities, you ensure that only authorized services and users have permission to send emails, enhancing security.

• Compliance: Certain regulatory frameworks (e.g., SOC 2, PCI-DSS, HIPAA) require ensuring that sensitive email identities are not exposed to unauthorized parties.

• Prevention of Abuse: Publicly accessible SES identities increase the risk of your domain being added to email blacklists, which can impact the delivery of legitimate emails.

Impact:

Pros:

• Enhanced Security: Protects your SES identities from unauthorized access and misuse.

• Prevents Email Spoofing: Reduces the risk of attackers impersonating your domain and sending phishing emails.

• Maintains Email Reputation: By securing SES identities, you ensure that your domain remains trusted by email providers and does not end up on blacklists.

• Compliance: Meets regulatory and industry standards for controlling sensitive data and resources.

Cons:

• Operational Complexity: Restricting access to SES identities might require configuring IAM policies and ensuring proper access control.

• Administrative Overhead: Additional management may be required to ensure identities remain protected and not publicly exposed.

Default Value:

By default, SES identities (such as email addresses or domains) are private and cannot be accessed by the public. However, issues may arise if IAM policies, domain records, or other configurations inadvertently expose SES identities publicly.

Pre-requisite:

• AWS IAM Permissions:

  • ses:ListIdentities

  • ses:GetIdentityVerificationAttributes

  • ses:SetIdentityNotificationTopic

  • ses:DeleteIdentity

• AWS CLI installed and configured.

• SES Identities (email addresses or domains) must be verified within the SES service.

Test Plan:

Using AWS Console:

1. Sign in to the AWS Management Console.

2. Navigate to Amazon SES under Services.

3. In the SES Dashboard, go to Identity Management > Identities.

4. Review the list of verified email addresses and domains.

5. Ensure that IAM policies or domain configurations do not inadvertently expose SES identities to the public.

6. Review any associated SNS topics or notifications and ensure that only authorized users and services can modify or view SES identity configurations.

7. If a public identity is found, modify the settings to restrict access.

Using AWS CLI:

1. To check the list of SES identities, run:
   

   aws ses list-identities --identity-type EmailAddress --query 'Identities'

2. To check the verification status of each identity, run:
   

   aws ses get-identity-verification-attributes --identities <identity>

3. To ensure that no public identities exist, verify that the identity verification status is correct and there are no unauthorized access configurations.

4. If a public identity is found, revoke access by removing any policies or notifications that allow public access.

Implementation Steps:

Using AWS Console:

1. Log in to the AWS Management Console and navigate to Amazon SES.

2. In the SES Dashboard, go to Identity Management > Identities.

3. Review each identity and verify that only authorized accounts or services have access to modify or use the identity.

4. Update IAM policies and domain records to restrict public access to SES identities.

   • For email identities, ensure that they are not shared publicly or exposed via unsecured DNS configurations.

5. Ensure that SNS topics or other notification mechanisms are secured and do not allow unauthorized modifications to SES identities.

6. Save any changes to ensure that SES identities are protected.

Using AWS CLI:

1. To check the list of SES identities, run:
   

   aws ses list-identities --identity-type EmailAddress --query 'Identities'

2. To remove a public identity or prevent it from being used by unauthorized parties, revoke permissions or remove it from public access:
   

   aws ses delete-identity --identity <identity>

3. Ensure that only the authorized services or users can access and modify SES identities.

Backout Plan:

Using AWS Console:

1. If restricting access to SES identities causes issues, sign in to the AWS Management Console.

2. Navigate to Amazon SES, select the SES identity, and modify its access permissions.

3. Remove any restrictive policies or settings that may have unintentionally caused legitimate email operations to fail.

Using AWS CLI:

1. If access restrictions to an SES identity cause issues, run the following command to delete the restrictive policy:
   

   aws ses delete-identity-policy --identity <IDENTITY> --policy-name <POLICY_NAME>

2. Revert the SES identity policy to allow broader access if necessary, or adjust the policy to resolve issues:
   

   aws ses set-identity-policies --identity <IDENTITY> --policy-name <POLICY_NAME> --policy-document <POLICY_DOCUMENT_JSON>

References:

• Amazon SES Documentation

• AWS CLI: list-identities

• AWS CLI: delete-identity

CIS Controls Mapping: