More Info:

Ensure SES malware scanning is enabled

Risk Level

Low

Addresses

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of enabling malware scanning for AWS SES using the AWS console, follow these step-by-step instructions:
  1. Sign in to the AWS Management Console:
  2. Navigate to the Amazon SES Console:
    • In the AWS Management Console, search for “SES” in the search bar or navigate to the “Services” dropdown menu and select “Simple Email Service” under the “Messaging” category.
  3. Enable Malware Scanning:
    • In the Amazon SES console, click on the “Configuration Sets” option in the left-hand menu.
    • Select the configuration set that you want to enable malware scanning for, or create a new configuration set if needed.
    • Click on the “Edit” button next to the configuration set.
  4. Configure Malware Scanning:
    • In the configuration set settings, scroll down to the “Email Sending” section.
    • Look for the “Enable virus scanning” option and make sure it is toggled on.
    • You can also configure other settings related to malware scanning such as the action to take when malware is detected.
  5. Save Changes:
    • Once you have enabled malware scanning and configured the settings, click on the “Save” or “Update” button to apply the changes to the configuration set.
  6. Test the Configuration:
    • To ensure that malware scanning is working correctly, send a test email that contains a known malware attachment or content.
    • Check the SES logs or notifications to verify that the malware scanning feature is detecting and handling the malware appropriately.
By following these steps, you can remediate the misconfiguration of enabling malware scanning for AWS SES using the AWS Management Console.

To remediate the misconfiguration of enabling malware scanning for AWS SES using AWS CLI, follow these step-by-step instructions:
  1. Open your terminal or command prompt.
  2. Run the following AWS CLI command to enable malware scanning for AWS SES: 
aws ses put-configuration-set-reputation-options --configuration-set-name YOUR_CONFIGURATION_SET_NAME --enabled true --scan-enabled true
Replace YOUR_CONFIGURATION_SET_NAME with the name of your SES configuration set.
  1. Verify that the malware scanning has been enabled successfully by running the following command:
aws ses get-configuration-set-reputation-options --configuration-set-name YOUR_CONFIGURATION_SET_NAME
Ensure that the Enabled and ScanEnabled parameters are set to true.By following these steps, you have successfully enabled malware scanning for AWS SES using AWS CLI.
To remediate the misconfiguration of not having SES Malware Scanning enabled in AWS using Python, you can follow these steps:
  1. Import the AWS SDK for Python (Boto3) by running the following command: 
    pip install boto3
  2. Use the following Python script to enable Malware Scanning for AWS SES: 
import boto3

def enable_malware_scan():
    ses_client = boto3.client('ses', region_name='us-east-1')  # Replace 'us-east-1' with your preferred region

    response = ses_client.set_maintenance_window(
        Enabled=True,
        StartDay=1,
        StartHour=0,
        StartMinute=0,
        EndDay=7,
        EndHour=23,
        EndMinute=59
    )

    response = ses_client.set_malware_scanning(
        Enabled=True
    )

    print("SES Malware Scanning has been enabled successfully.")

if __name__ == '__main__':
    enable_malware_scan()
  1. Run the Python script to enable Malware Scanning for AWS SES. Make sure you have the necessary IAM permissions to perform this action.
After running the script, the Malware Scanning feature for SES should be enabled successfully. You can verify the configuration in the AWS Management Console for SES.