More Info:

AWS SES identities (domains and/or email addresses) should not allow unknown cross-account access via authorization policies. Your SES identities should be configured to allow access only to trusted (friendly) AWS accounts in order to prevent unauthorized users from sending emails on your behalf.

Risk Level

Medium

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the issue of SES Identities allowing cross-account access in AWS using the AWS Management Console, follow these steps:
  1. Sign in to the AWS Management Console: Go to the AWS Management Console and sign in using your credentials.
  2. Navigate to the SES Console: In the AWS Management Console, search for “SES” in the services search bar and click on “Simple Email Service” to open the SES console.
  3. Select the SES Identity: In the SES console, select the SES identity (email address, domain, or email sending authorization) that you want to remediate for cross-account access.
  4. Check the Identity Policies: Under the “Identity Policies” section, review the policies associated with the selected SES identity to identify any cross-account access permissions.
  5. Remove Cross-Account Access Permissions: To remove cross-account access permissions from the identity policy, follow these steps:
    • Click on the “Edit Policy” button next to the policy that allows cross-account access.
    • In the policy editor, locate the statement that grants cross-account access and delete or modify it accordingly.
    • Ensure that the policy only allows necessary permissions for the SES identity without granting access to other AWS accounts.
  6. Save the Policy Changes: After removing the cross-account access permissions from the identity policy, click on the “Save Changes” or “Update Policy” button to save the updated policy.
  7. Verify the Changes: Verify that the identity policy no longer allows cross-account access by reviewing the updated policy in the SES console.
By following these steps, you can remediate the issue of SES identities allowing cross-account access in AWS SES using the AWS Management Console.

To remediate the misconfiguration of allowing cross-account access for AWS SES identities, you can follow these steps using AWS CLI:
  1. List the identities in SES: Run the following command to list all the identities in SES: 
    aws ses list-identities
  2. Get the policy for the identity: Identify the identity (email address or domain) for which you want to restrict cross-account access and run the following command to get the policy for that identity: 
    aws ses get-identity-policies --identity <IDENTITY>
  3. Update the policy to restrict cross-account access: Edit the policy to restrict cross-account access. You need to update the policy to allow access only from the AWS account that owns the SES identity. Here is an example of a policy that restricts access to the identity owner’s account: 
    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            },
            "Action": "ses:SendEmail",
            "Resource": "arn:aws:ses:us-east-1:123456789012:identity/example.com"
        }
    ]
}
  4. Update the policy: Run the following command to update the policy for the SES identity with the new policy that restricts cross-account access: 
    aws ses put-identity-policy --identity <IDENTITY> --policy-name <POLICY_NAME> --policy <POLICY_JSON>
    Replace <IDENTITY> with the SES identity (email address or domain), <POLICY_NAME> with a name for the policy, and <POLICY_JSON> with the updated policy JSON.
  5. Verify the policy: You can verify the updated policy by running the get-identity-policies command again.
By following these steps and updating the SES identity policy to restrict cross-account access, you can remediate the misconfiguration in AWS SES using AWS CLI.
To remediate the misconfiguration of SES identities allowing cross-account access in AWS using Python, you can follow these steps:
  1. Identify the SES Identities: First, you need to identify the SES identities that are allowing cross-account access. You can do this by listing all the identities in your AWS account.
  2. Update the IAM Policy: You need to update the IAM policy attached to the SES identities to restrict cross-account access. You can achieve this by modifying the policy to allow access only from the specific AWS account where the SES identities are intended to be used.
  3. Use Boto3 to Modify IAM Policy: Here is a Python script using Boto3 to update the IAM policy for SES identities: 
import boto3

# Initialize the SES client
ses_client = boto3.client('ses')

# Specify the SES identity ARN for which you want to update the policy
identity_arn = 'YOUR_SES_IDENTITY_ARN'

# Specify the updated IAM policy document to restrict cross-account access
updated_policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "YOUR_AWS_ACCOUNT_ID"
            },
            "Action": "ses:SendEmail",
            "Resource": identity_arn
        }
    ]
}

# Update the IAM policy for the SES identity
response = ses_client.put_identity_policy(
    Identity=identity_arn,
    PolicyName='Policy',
    Policy=json.dumps(updated_policy)
)

print("IAM policy updated successfully.")
  1. **Replace ‘YOUR_SES_IDENTITY_ARN’ and ‘YOUR_AWS_ACCOUNT_ID’ with your actual SES identity ARN and AWS account ID in the script.
  2. Run the Script: Save the script in a Python file and run it in your AWS environment where you have the necessary permissions to update IAM policies for SES identities.
By following these steps and running the Python script, you can remediate the misconfiguration of SES identities allowing cross-account access in AWS.

Additional Reading: