AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
DKIM Signing Should Be Enabled For AWS SES
More Info:
The DomainKeys Identified Mail (DKIM) feature should be enabled for domains and addresses in SES. DKIM is a security feature that allows recipients of an email to verify that the sender domain has authorized the message and that it has not been spoofed.
Risk Level
Medium
Address
Security
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the misconfiguration of DKIM signing not being enabled for AWS SES (Simple Email Service) using the AWS console, follow these step-by-step instructions:
-
Sign in to the AWS Management Console: Go to https://aws.amazon.com/ and sign in to your AWS account using your credentials.
-
Navigate to AWS SES Console: Once logged in, navigate to the AWS SES (Simple Email Service) console by typing “SES” in the AWS services search bar and selecting SES from the dropdown.
-
Verify your domain: Before enabling DKIM, you need to verify the domain for which you want to enable DKIM. If you haven’t already verified the domain, go to the “Identity Management” section in the SES console, click on “Domains” and follow the instructions to verify your domain.
-
Enable DKIM Signing: Once your domain is verified, navigate to the “Identity Management” section in the SES console, click on “Email addresses” or “Domains” depending on your setup, and select the domain for which you want to enable DKIM.
-
Click on the domain: Click on the domain for which you want to enable DKIM signing. This will take you to the domain details page.
-
Enable DKIM: In the domain details page, scroll down to the “Authentication” section and click on the “Enable DKIM” button. This will start the process of enabling DKIM signing for your domain.
-
Follow the instructions: Follow the on-screen instructions to complete the DKIM setup. This usually involves adding CNAME records to your DNS settings. AWS will provide you with the CNAME records that you need to add to your DNS provider.
-
Verify DKIM Setup: Once you have added the CNAME records to your DNS provider, go back to the SES console, click on the domain, and verify the DKIM setup. AWS SES will check the DNS records to ensure that DKIM signing is properly configured for your domain.
-
Monitor DKIM Status: After enabling DKIM signing, make sure to monitor the DKIM status in the SES console regularly to ensure that it remains enabled and properly configured for your domain.
By following these steps, you can remediate the misconfiguration of DKIM signing not being enabled for AWS SES and ensure that your email communications are secure and authenticated.
To remediate the misconfiguration of DKIM signing not being enabled for AWS SES using the AWS CLI, follow these steps:
-
Generate DKIM Tokens:
- Run the following AWS CLI command to generate DKIM tokens for your domain:
aws sesv2 create-email-identity --email-identity example.com - Replace
example.comwith your actual domain name.
- Run the following AWS CLI command to generate DKIM tokens for your domain:
-
Get DNS Settings:
- Run the following AWS CLI command to get the DKIM DNS settings:
aws sesv2 get-email-identity --email-identity example.com - Note down the
DkimAttributes.DkimTokensandDkimAttributes.DomainSigningSelectorvalues returned by the command.
- Run the following AWS CLI command to get the DKIM DNS settings:
-
Add DKIM Records to DNS:
- Add CNAME records to your DNS provider using the values obtained in the previous step. The format of the CNAME records should be:
CNAME: <DkimAttributes.DomainSigningSelector>._domainkey.<your-domain> -> <DkimAttributes.Tokens>.dkim.amazonses.com - Replace
<DkimAttributes.DomainSigningSelector>and<DkimAttributes.Tokens>with the values obtained in step 2, and<your-domain>with your actual domain name.
- Add CNAME records to your DNS provider using the values obtained in the previous step. The format of the CNAME records should be:
-
Verify DKIM Settings:
- Run the following AWS CLI command to verify the DKIM settings for your domain:
aws sesv2 verify-email-identity --email-identity example.com - This step is crucial to ensure that the DKIM records have been added correctly to your DNS.
- Run the following AWS CLI command to verify the DKIM settings for your domain:
-
Enable DKIM Signing:
- Run the following AWS CLI command to enable DKIM signing for your domain:
aws sesv2 put-email-identity-dkim-signing-attributes --email-identity example.com --dkim-signing-attributes DomainSigningSelector=<DkimAttributes.DomainSigningSelector>,SigningAttributesOrigin=AWS_SES - Replace
example.comand<DkimAttributes.DomainSigningSelector>with your actual values.
- Run the following AWS CLI command to enable DKIM signing for your domain:
-
Verify DKIM Signing:
- Run the following AWS CLI command to verify that DKIM signing has been enabled for your domain:
aws sesv2 get-email-identity-dkim-attributes --email-identity example.com - Check the
DkimAttributes.DkimEnabledvalue to ensure that DKIM signing is enabled successfully.
- Run the following AWS CLI command to verify that DKIM signing has been enabled for your domain:
By following these steps using the AWS CLI, you can remediate the misconfiguration of not having DKIM signing enabled for AWS SES.
To remediate the misconfiguration of DKIM signing not being enabled for AWS SES using Python, you can follow these steps:
- Install the Boto3 library: Boto3 is the AWS SDK for Python, which will allow you to interact with AWS services including SES. You can install it using pip:
pip install boto3
- Create a Python script to enable DKIM signing for AWS SES:
import boto3
# Initialize the SES client
ses_client = boto3.client('ses', region_name='YOUR_REGION', aws_access_key_id='YOUR_ACCESS_KEY', aws_secret_access_key='YOUR_SECRET_KEY')
# Enable DKIM signing for your domain
response = ses_client.verify_domain_dkim(
Domain='YOUR_DOMAIN'
)
print(response)
Make sure to replace the placeholders ‘YOUR_REGION’, ‘YOUR_ACCESS_KEY’, ‘YOUR_SECRET_KEY’, and ‘YOUR_DOMAIN’ with your actual AWS region, access key, secret key, and domain respectively.
- Run the Python script: Save the script in a file (e.g., enable_dkim.py) and run it using the Python interpreter:
python enable_dkim.py
- Verify DKIM configuration: After running the script, verify that DKIM signing has been enabled for your domain in the AWS SES console.
By following these steps, you should be able to remediate the misconfiguration of DKIM signing not being enabled for AWS SES using Python.