SES Identities Should Not Allow Cross-Account Access

More Info:

AWS SES identities (domains and/or email addresses) should not allow unknown cross-account access via authorization policies. Your SES identities should be configured to allow access only to trusted (friendly) AWS accounts in order to prevent unauthorized users from sending emails on your behalf.

Risk Level

Medium

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration of allowing cross-account access for AWS SES identities, you can follow these steps using AWS CLI:

List the identities in SES: Run the following command to list all the identities in SES:
```
aws ses list-identities
```
Get the policy for the identity: Identify the identity (email address or domain) for which you want to restrict cross-account access and run the following command to get the policy for that identity:
```
aws ses get-identity-policies --identity <IDENTITY>
```

Update the policy to restrict cross-account access: Edit the policy to restrict cross-account access. You need to update the policy to allow access only from the AWS account that owns the SES identity. Here is an example of a policy that restricts access to the identity owner’s account:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            },
            "Action": "ses:SendEmail",
            "Resource": "arn:aws:ses:us-east-1:123456789012:identity/example.com"
        }
    ]
}

Update the policy: Run the following command to update the policy for the SES identity with the new policy that restricts cross-account access:
```
aws ses put-identity-policy --identity <IDENTITY> --policy-name <POLICY_NAME> --policy <POLICY_JSON>
```
Replace <IDENTITY> with the SES identity (email address or domain), <POLICY_NAME> with a name for the policy, and <POLICY_JSON> with the updated policy JSON.
Verify the policy: You can verify the updated policy by running the get-identity-policies command again.

By following these steps and updating the SES identity policy to restrict cross-account access, you can remediate the misconfiguration in AWS SES using AWS CLI.

Using Python

To remediate the misconfiguration of SES identities allowing cross-account access in AWS using Python, you can follow these steps:

Identify the SES Identities: First, you need to identify the SES identities that are allowing cross-account access. You can do this by listing all the identities in your AWS account.
Update the IAM Policy: You need to update the IAM policy attached to the SES identities to restrict cross-account access. You can achieve this by modifying the policy to allow access only from the specific AWS account where the SES identities are intended to be used.
Use Boto3 to Modify IAM Policy: Here is a Python script using Boto3 to update the IAM policy for SES identities:

import boto3

# Initialize the SES client
ses_client = boto3.client('ses')

# Specify the SES identity ARN for which you want to update the policy
identity_arn = 'YOUR_SES_IDENTITY_ARN'

# Specify the updated IAM policy document to restrict cross-account access
updated_policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "YOUR_AWS_ACCOUNT_ID"
            },
            "Action": "ses:SendEmail",
            "Resource": identity_arn
        }
    ]
}

# Update the IAM policy for the SES identity
response = ses_client.put_identity_policy(
    Identity=identity_arn,
    PolicyName='Policy',
    Policy=json.dumps(updated_policy)
)

print("IAM policy updated successfully.")

**Replace ‘YOUR_SES_IDENTITY_ARN’ and ‘YOUR_AWS_ACCOUNT_ID’ with your actual SES identity ARN and AWS account ID in the script.
Run the Script: Save the script in a Python file and run it in your AWS environment where you have the necessary permissions to update IAM policies for SES identities.

By following these steps and running the Python script, you can remediate the misconfiguration of SES identities allowing cross-account access in AWS.

Additional Reading:

https://docs.aws.amazon.com/ses/latest/DeveloperGuide/sending-authorization-overview.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

SES Identities Should Not Allow Cross-Account Access

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: