More Info:
AWS SES identities (domains and email addresses) should not allow cross-account access from unknown principals through their sending authorization (identity) policies. An identity policy whose Allow statement names another AWS account, or a wildcard principal, as Principal for ses:SendEmail or ses:SendRawEmail lets that account send mail from your domain or address. Configure each identity to allow access only to trusted AWS accounts so that unauthorized parties cannot send email on your behalf.

Risk Level: Medium
Address: Security
Compliance Standards: CBP

Triage and Remediation
Remediation
Using Console
To remediate SES identities that allow cross-account access using the AWS Management Console, follow these steps:
- Sign in to the AWS Management Console with credentials that can manage SES.
- Navigate to the SES console: search for “SES” in the services search bar and choose “Simple Email Service” to open the SES console.
- Select the SES identity: open the list of verified identities and choose the email address or domain you want to remediate.
- Check the identity policies: in the identity’s policies section (the Authorization tab), review every policy attached to the identity. A finding is any Allow statement whose Principal is an account ID or ARN other than your own, or a wildcard (“*”).
- Remove cross-account access permissions:
  - Click the “Edit Policy” button next to the policy that allows cross-account access.
  - In the policy editor, delete the statement that grants access to the untrusted account, or replace its Principal with the trusted account (for example arn:aws:iam::<ACCOUNT_ID>:root).
  - Ensure that the policy grants only the permissions the identity needs and names no AWS account you do not trust. If no statement remains, delete the policy instead of saving an empty one; without a policy only the owning account can use the identity.
- Save the policy changes: click “Save Changes” (or “Update Policy”) to store the updated policy.
- Verify the changes: reopen the policy in the SES console and confirm that no statement grants access to another account.
Using CLI
To remediate SES identities that allow cross-account access using the AWS CLI, follow these steps:
- List the identities in SES: list all the identities (email addresses and domains) verified in the account, and for each one list the names of its attached policies.
- Get the policy for the identity: identify the identity for which you want to restrict cross-account access and retrieve its policy document with the get-identity-policies command.
- Update the policy to restrict cross-account access: edit the policy document so that every Allow statement names only the AWS account that owns the identity (or other accounts you explicitly trust) as its Principal, for example arn:aws:iam::<ACCOUNT_ID>:root, and remove any wildcard principal.
- Update the policy: write the edited document back to the identity with the put-identity-policy command. Replace <IDENTITY> with the SES identity (email address or domain), <POLICY_NAME> with the name of the policy you are replacing, and <POLICY_JSON> with the updated policy JSON. The policy name must be the existing one: a new name creates an additional policy and leaves the permissive one in place. If no trusted principal remains, delete the policy instead with the delete-identity-policy command.
- Verify the policy: run the get-identity-policies command again and confirm that no statement grants access to an untrusted account.
Using Python
To remediate SES identities that allow cross-account access using Python, follow these steps:
- Identify the SES identities: list all the identities in your AWS account and fetch the policies attached to each one. Any Allow statement whose Principal names an account other than your own, or a wildcard, is a finding.
- Update the identity policy: SES identity policies are resource policies managed through the SES API, not IAM policies attached to a user or role. Update each offending policy so that it allows access only from the AWS account where the identity is meant to be used, or delete it if no trusted principal remains.
- Use Boto3 to modify the identity policy: with the Boto3 ses client, read the current document with get_identity_policies and write the restricted document back with put_identity_policy under the same policy name (a different name creates an additional policy and leaves the permissive one in place).
- Replace ‘YOUR_SES_IDENTITY_ARN’ and ‘YOUR_AWS_ACCOUNT_ID’ with your actual SES identity ARN and AWS account ID: the ARN is the statement’s Resource and the account ID is the trusted Principal.
- Run the script: save it as a Python file and run it with credentials that hold ses:ListIdentities, ses:GetIdentityPolicies and ses:PutIdentityPolicy (and ses:DeleteIdentityPolicy if you remove policies).
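The analysis and write-back that the CLI and Python procedures above describe, as one added example (not the page's own script, nor AWS code): it parses a policy document, reports every principal outside a list of trusted accounts, rewrites the policy to keep only trusted principals, and, only inside remediate_identity(), talks to SES through Boto3 (list_identity_policies, get_identity_policies, put_identity_policy, delete_identity_policy, the API calls behind the aws ses CLI commands of the same names). The sample policy, the domain example.com, the account IDs 111122223333 and 444455556666 and all function names are constructed for this example; the offline functions need neither boto3 nor AWS credentials.

```python
"""Find and strip cross-account principals from SES identity (sending
authorization) policies.  Added example for this page, not AWS's code or
the page's own script.  Only remediate_identity() talks to AWS; the other
functions work offline on a policy document."""
import json
import re

# Account ID inside an IAM or STS principal ARN, for any AWS partition.
ACCOUNT_IN_ARN = re.compile(r"^arn:aws[\w-]*:(?:iam|sts)::(\d{12}):")
BARE_ACCOUNT = re.compile(r"^\d{12}$")


def _aws_values(principal):
    """Normalise a Principal element ("*", {"AWS": str} or {"AWS": [..]})
    to a list of its AWS entries; Service/Federated entries are not accounts."""
    if principal == "*":
        return ["*"]
    values = principal.get("AWS", []) if isinstance(principal, dict) else []
    return [values] if isinstance(values, str) else list(values)


def principal_accounts(principal):
    """Account IDs named by a Principal ('*' for a wildcard).  Entries that
    do not parse are returned verbatim so they are never silently trusted."""
    accounts = set()
    for v in _aws_values(principal):
        if v == "*" or BARE_ACCOUNT.match(v):
            accounts.add(v)
        else:
            m = ACCOUNT_IN_ARN.match(v)
            accounts.add(m.group(1) if m else v)
    return accounts


def find_untrusted_principals(policy, trusted_accounts):
    """Principals in Allow statements that are not in trusted_accounts.  A
    wildcard is always reported: it lets any AWS account send as the identity."""
    untrusted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and "Principal" in stmt:
            untrusted |= principal_accounts(stmt["Principal"]) - set(trusted_accounts)
    return untrusted


def restrict_policy(policy, trusted_accounts):
    """Copy of policy with untrusted principals removed from Allow statements;
    a statement left with no principal is dropped.  Returns None when no
    statement remains: a policy that grants nothing should be deleted, and
    without a policy only the owning account can use the identity."""
    kept = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
            kept.append(stmt)
            continue
        allowed = [v for v in _aws_values(stmt["Principal"])
                   if principal_accounts({"AWS": v}) <= set(trusted_accounts)]
        if allowed:
            kept.append({**stmt, "Principal": {"AWS": allowed[0] if len(allowed) == 1 else allowed}})
    return {**policy, "Statement": kept} if kept else None


def remediate_identity(identity, trusted_accounts, dry_run=True):
    """Apply restrict_policy to every policy on one identity (name or ARN) and
    return {policy name: "unchanged" | "restricted" | "deleted"}.  Needs boto3
    and credentials allowed ses:ListIdentityPolicies, ses:GetIdentityPolicies,
    ses:PutIdentityPolicy and ses:DeleteIdentityPolicy."""
    import boto3  # imported here so the offline functions above need no boto3
    ses = boto3.client("ses")
    names = ses.list_identity_policies(Identity=identity)["PolicyNames"]
    result = {}
    for i in range(0, len(names), 20):  # GetIdentityPolicies takes at most 20 names
        docs = ses.get_identity_policies(Identity=identity, PolicyNames=names[i:i + 20])["Policies"]
        for name, doc in docs.items():
            policy = json.loads(doc)
            if not find_untrusted_principals(policy, trusted_accounts):
                result[name] = "unchanged"
                continue
            fixed = restrict_policy(policy, trusted_accounts)
            result[name] = "deleted" if fixed is None else "restricted"
            if dry_run:
                continue
            if fixed is None:
                ses.delete_identity_policy(Identity=identity, PolicyName=name)
            else:  # same PolicyName, so the permissive document is replaced, not duplicated
                ses.put_identity_policy(Identity=identity, PolicyName=name, Policy=json.dumps(fixed))
    return result


# Constructed sample: identity example.com owned by account 111122223333 (both
# placeholders).  Besides the owner it lets account 444455556666 and anyone send.
OWNER = "111122223333"
IDENTITY_ARN = f"arn:aws:ses:us-east-1:{OWNER}:identity/example.com"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Owner", "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{OWNER}:root"},
         "Action": ["ses:SendEmail", "ses:SendRawEmail"], "Resource": IDENTITY_ARN},
        {"Sid": "Partner", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::444455556666:root", OWNER]},
         "Action": "ses:SendRawEmail", "Resource": IDENTITY_ARN},
        {"Sid": "Anyone", "Effect": "Allow", "Principal": "*",
         "Action": "ses:SendEmail", "Resource": IDENTITY_ARN},
    ],
}

if __name__ == "__main__":
    print("untrusted principals:", sorted(find_untrusted_principals(SAMPLE_POLICY, [OWNER])))
    print(json.dumps(restrict_policy(SAMPLE_POLICY, [OWNER]), indent=2))
```

Run as-is to see the sample policy reduced to the Owner statement plus the Partner statement with only the owner left as Principal; the Anyone statement disappears. remediate_identity() defaults to dry_run=True and only reports what it would do, so review its output before re-running with dry_run=False. Principals written as an STS or IAM ARN are reduced to their account ID before the trust check; anything that does not parse stays untrusted by design.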