Unrestricted SMTP Access Should Not Be Allowed

More Info:

No security group should allow unrestricted inbound access to TCP port 25 (SMTP).

Risk Level

Medium

Address

Security

Compliance Standards

HITRUST, AWSWAF, GDPR, SOC2, NISTCSF, PCIDSS, FedRAMP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate this issue in AWS, you can follow the below steps using AWS CLI:

Open the AWS CLI on your local machine or EC2 instance.
Run the following command to list all the active SMTP settings in the AWS account:

aws ses get-account-sending-enabled

If the command output shows that the “SendingEnabled” parameter is set to “true”, then you need to disable it. Run the following command to disable SMTP access:

aws ses update-account-sending-enabled --no-sending-enabled

After running the above command, verify that the “SendingEnabled” parameter is set to “false” by running the following command:

aws ses get-account-sending-enabled

If the “SendingEnabled” parameter is set to “false”, then SMTP access has been successfully restricted in your AWS account.

Note: This remediation will disable SMTP access for all users in your AWS account. If you need to enable SMTP access for specific users, you can create an IAM policy that allows SMTP access and attach it to their IAM user or role.

Using Python

To remediate unrestricted SMTP access in AWS using Python, you can follow the steps below:

Create a Python script to check for SMTP access:

import boto3

client = boto3.client('ec2')
response = client.describe_security_groups()

for group in response['SecurityGroups']:
    for permission in group['IpPermissions']:
        if permission.get('FromPort') == 25 and permission.get('IpRanges') == [{'CidrIp': '0.0.0.0/0'}]:
            group_id = group['GroupId']
            print(f"Found unrestricted SMTP access in security group {group_id}")

Once you have identified the security group(s) with unrestricted SMTP access, you can update the security group rules to restrict SMTP access to specific IP addresses or ranges.

import boto3

client = boto3.client('ec2')
response = client.authorize_security_group_ingress(
    GroupId='SECURITY_GROUP_ID',
    IpPermissions=[
        {
            'IpProtocol': 'tcp',
            'FromPort': 25,
            'ToPort': 25,
            'IpRanges': [
                {
                    'CidrIp': 'ALLOWED_IP_ADDRESS/32'
                }
            ]
        }
    ]
)

Replace SECURITY_GROUP_ID with the ID of the security group that needs to be updated and ALLOWED_IP_ADDRESS with the IP address or range that should be allowed to access SMTP.

Run the Python script to check for and remediate unrestricted SMTP access in AWS.

Additional Reading:

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Unrestricted SMTP Access Should Not Be Allowed

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: