SES API usage tracking
My SES account has been paused due to a breach resulting in a bunch of spam being sent from my account. We are in the process of trying to identify where the breach is. Is it a server breach, a repository breach, an SES key breach... To do this, it would be very helpful if I could somehow get the IP address of where the API calls or SMTP connections came from.
If it was our server vs. an unknown IP source, we will be able to better identify the solution to resolve this. All passwords will be changed, but that is pointless if our server is breached and the criminals will just get the new passwords.
Is there some way, with CloudWatch, CloudTrail, or some audit trail, we can do this? We are new to AWS services.
Hi. Good question. Sorry to hear about your breach.
There are a few different tools available for your triage activities:
- Monitoring SES Sending Activity: https://docs.aws.amazon.com/ses/latest/dg/monitor-sending-activity.html
- CloudWatch can monitor Sends, Deliveries, Opens, Clicks, Bounces, Bounce Rates, Complaints, etc.
- You can also enable Event Publishing to track more/receive notifications.
- SES Console will show Sends, some overall numbers, as well as bounce and complaint rates. The API can also be used for this.
- For SES, the following events (SES administration events) are tracked in AWS CloudTrail: https://docs.aws.amazon.com/ses/latest/DeveloperGuide/logging-using-cloudtrail.html. That can provide source IP address from where the request was made, who made the request, when it was made, etc.
Note, however, that SendEmail and SendRawEmail are not in AWS CloudTrail.
From an overall security perspective, you could look at rotating/quarantining credentials for AWS. This could look like IAM Roles, Security Credentials tied to IAM Users, etc. If someone has access to an IAM entity in your AWS Account, they could have unauthorized access to other infrastructure and resources as well as the ability to create/modify resources in your AWS Account.
One such guide from AWS is as follows: https://aws.amazon.com/premiumsupport/knowledge-center/potential-account-compromise/
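The CloudTrail triage the answer above describes, as an added example that is not part of the original post or of any AWS tooling: it parses the `{"Records": [...]}` JSON that CloudTrail delivers to S3 (or that `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventSource,AttributeValue=ses.amazonaws.com` returns, once you unwrap each event's `CloudTrailEvent` string), keeps the SES and IAM management events, tags each one with the caller's IP, IAM principal and access key, and groups the calls by (access key, source IP). The same key seen only from your own servers' IPs points at a server compromise; the same key used from an address you do not recognize points at a leaked key. Consistent with the note above, only SES administration calls appear here; SendEmail/SendRawEmail and SMTP logins leave no CloudTrail record, so the absence of an unknown IP is not proof of a server breach. The log records, account IDs, key IDs, IP addresses and the `TRUSTED_CIDRS` list are all constructed for the example.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample CloudTrail log file (the {"Records": [...]} shape that
# CloudTrail writes to S3). Key ids, IPs and user agents are made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2023-05-01T10:02:11Z", "eventSource": "ses.amazonaws.com",
     "eventName": "GetSendQuota", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.10", "userAgent": "aws-sdk-php/3.2",
     "userIdentity": {"type": "IAMUser", "userName": "app-mailer",
                      "accessKeyId": "AKIAEXAMPLE0000APP01"}},
    {"eventTime": "2023-05-01T10:05:43Z", "eventSource": "ses.amazonaws.com",
     "eventName": "VerifyEmailIdentity", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.7", "userAgent": "aws-cli/2.11.0",
     "userIdentity": {"type": "IAMUser", "userName": "app-mailer",
                      "accessKeyId": "AKIAEXAMPLE0000APP01"}},
    {"eventTime": "2023-05-01T10:06:02Z", "eventSource": "ses.amazonaws.com",
     "eventName": "UpdateAccountSendingEnabled", "awsRegion": "eu-west-1",
     "sourceIPAddress": "203.0.113.7", "userAgent": "Boto3/1.26.0",
     "userIdentity": {"type": "IAMUser", "userName": "app-mailer",
                      "accessKeyId": "AKIAEXAMPLE0000APP01"}},
    {"eventTime": "2023-05-01T10:07:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.7", "userAgent": "aws-cli/2.11.0",
     "userIdentity": {"type": "IAMUser", "userName": "app-mailer",
                      "accessKeyId": "AKIAEXAMPLE0000APP01"}},
    {"eventTime": "2023-05-01T10:09:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.10", "userAgent": "aws-sdk-php/3.2",
     "userIdentity": {"type": "IAMUser", "userName": "app-mailer",
                      "accessKeyId": "AKIAEXAMPLE0000APP01"}},
]})

# Assumption: the address ranges your own servers call AWS from.
TRUSTED_CIDRS = ["198.51.100.0/24"]

# SES management calls, plus IAM calls an attacker makes for persistence
# (new access keys, new users) with the same stolen credential.
INTERESTING_SOURCES = {"ses.amazonaws.com", "iam.amazonaws.com"}


def load_records(log_text):
    """Parse one CloudTrail log file body into its list of records."""
    return json.loads(log_text)["Records"]


def classify_ip(addr, trusted_cidrs):
    """'trusted', 'untrusted', or 'service'. CloudTrail puts a service
    hostname (e.g. 'ses.amazonaws.com') in sourceIPAddress for calls
    AWS makes on your behalf, which is not an IP and not suspicious."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "service"
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    return "trusted" if any(ip in n for n in nets) else "untrusted"


def triage(records, trusted_cidrs):
    """Return (events, summary): each interesting event tagged with
    who/where/when, and per-(access key, source IP) call counts so you
    can see which credential was used from which address."""
    events = []
    by_key_and_ip = defaultdict(lambda: {"count": 0, "events": set()})
    for r in records:
        if r.get("eventSource") not in INTERESTING_SOURCES:
            continue
        ident = r.get("userIdentity", {})
        ip = r.get("sourceIPAddress", "")
        ev = {
            "time": r["eventTime"],
            "region": r.get("awsRegion"),
            "event": r["eventName"],
            "source": r["eventSource"],
            "ip": ip,
            "ip_class": classify_ip(ip, trusted_cidrs),
            "principal": ident.get("userName") or ident.get("arn"),
            "access_key": ident.get("accessKeyId"),
            "user_agent": r.get("userAgent"),
        }
        events.append(ev)
        bucket = by_key_and_ip[(ev["access_key"], ip)]
        bucket["count"] += 1
        bucket["events"].add(ev["event"])
    return events, dict(by_key_and_ip)


def untrusted_events(records, trusted_cidrs):
    """Only the calls made from addresses outside the trusted ranges."""
    events, _ = triage(records, trusted_cidrs)
    return [e for e in events if e["ip_class"] == "untrusted"]


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    events, summary = triage(recs, TRUSTED_CIDRS)
    for e in events:
        flag = "!!" if e["ip_class"] == "untrusted" else "  "
        print(f"{flag} {e['time']} {e['ip']:<15} {e['principal']} "
              f"{e['access_key']} {e['event']} ({e['user_agent']})")
    print()
    for (key, ip), s in summary.items():
        print(f"{key} from {ip}: {s['count']} calls, {sorted(s['events'])}")
```

In the constructed data the application key `AKIAEXAMPLE0000APP01` is used from the server range and then, minutes later, from `203.0.113.7` to verify a new identity, re-enable sending in another region and mint a fresh access key: the pattern of a stolen key rather than a compromised server. Whatever the logs show, the key seen in the untrusted calls is the one to deactivate first, together with any keys the `CreateAccessKey` events created.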