SES API usage tracking
My SES account has been paused due to a breach resulting in a bunch of spam being sent from my account. We are in the process of trying to identify where the breach is. Is it a server breach, a repository breach, an SES key breach... To do this, it would be very helpful if I could somehow get the IP address of where the API calls or SMTP connections came from.
If it was our server vs. an unknown IP source, we will be able to better identify the solution to resolve this. All passwords will be changed, but that is pointless if our server is breached and the criminals will just get the new passwords.
Is there some way, with CloudWatch, CloudTrail, or some audit trail, we can do this? We are new to AWS services.
Hi. Good question. Sorry to hear about your breach.
There are a few different tools available for your triage activities:
- Monitoring SES Sending Activity: https://docs.aws.amazon.com/ses/latest/dg/monitor-sending-activity.html
- CloudWatch can monitor Sends, Deliveries, Opens, Clicks, Bounces, Bounce Rates, Complaints, etc.
- You can also enable Event Publishing to track more/receive notifications.
- SES Console will show Sends, some overall numbers, as well as bounce and complaint rates. The API can also be used for this.
- For SES, the following events (SES administration events) are tracked in AWS CloudTrail: https://docs.aws.amazon.com/ses/latest/DeveloperGuide/logging-using-cloudtrail.html. That can provide source IP address from where the request was made, who made the request, when it was made, etc.
Note, however, that SendEmail and SendRawEmail are not in AWS CloudTrail.
From an overall security perspective, you could look at rotating/quarantining credentials for AWS. This could look like IAM Roles, Security Credentials tied to IAM Users, etc. If someone has access to an IAM entity in your AWS Account, they could have unauthorized access to other infrastructure and resources as well as the ability to create/modify resources in your AWS Account.
One such guide from AWS is as follows: https://aws.amazon.com/premiumsupport/knowledge-center/potential-account-compromise/
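As an added example (not part of the answer above, and not AWS's own tooling), here is a small triage script for the CloudTrail part of that answer: it reads a CloudTrail log file in the JSON layout CloudTrail delivers to S3 (a top-level "Records" list), keeps only calls to ses.amazonaws.com, groups them by the access key that made them, and flags calls whose sourceIPAddress is outside the networks you own. The records, IP addresses, key IDs and ARNs below are constructed placeholders, and the known-network list is an assumption you would replace with your servers' real egress addresses.

```python
"""Triage CloudTrail records for SES API activity.

Added example, not code from the re:Post thread or from AWS. Input is CloudTrail's
S3 log-file format ({"Records": [...]}). All sample values below are constructed.
"""
import ipaddress
import json
from collections import Counter, defaultdict

# Constructed sample log: three SES administration calls and one unrelated EC2 call.
# Key IDs, ARNs and IPs are placeholders (documentation-range addresses).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2023-05-01T10:00:00Z", "eventSource": "ses.amazonaws.com",
     "eventName": "GetSendQuota", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-sdk-php/3.0",
     "userIdentity": {"type": "IAMUser", "userName": "app-mailer",
                      "accessKeyId": "AKIAEXAMPLEKEY000001",
                      "arn": "arn:aws:iam::123456789012:user/app-mailer"}},
    {"eventTime": "2023-05-01T10:05:00Z", "eventSource": "ses.amazonaws.com",
     "eventName": "GetSendStatistics", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.77", "userAgent": "python-requests/2.28",
     "userIdentity": {"type": "IAMUser", "userName": "app-mailer",
                      "accessKeyId": "AKIAEXAMPLEKEY000001",
                      "arn": "arn:aws:iam::123456789012:user/app-mailer"}},
    {"eventTime": "2023-05-01T10:07:00Z", "eventSource": "ses.amazonaws.com",
     "eventName": "ListIdentities", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.20", "userAgent": "aws-cli/2.11",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-ci",
                      "accessKeyId": "AKIAEXAMPLEKEY000002",
                      "arn": "arn:aws:iam::123456789012:user/deploy-ci"}},
    {"eventTime": "2023-05-01T10:08:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.11",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-ci",
                      "accessKeyId": "AKIAEXAMPLEKEY000002",
                      "arn": "arn:aws:iam::123456789012:user/deploy-ci"}},
]})


def load_ses_events(log_text):
    """Parse one CloudTrail log file and keep only the SES API calls in it."""
    events = []
    for r in json.loads(log_text)["Records"]:
        if r.get("eventSource") != "ses.amazonaws.com":
            continue
        ident = r.get("userIdentity", {})
        events.append({
            "time": r["eventTime"],
            "name": r["eventName"],
            "region": r.get("awsRegion"),
            "ip": r.get("sourceIPAddress"),
            "agent": r.get("userAgent"),
            "principal": ident.get("arn") or ident.get("principalId"),
            "key": ident.get("accessKeyId"),
        })
    return events


def summarize_by_key(events):
    """Group SES calls by access key: which principal, source IPs and user agents
    each key was used with, and how many times each API was called."""
    summary = defaultdict(lambda: {"principal": None, "ips": set(),
                                   "agents": set(), "calls": Counter()})
    for e in events:
        s = summary[e["key"]]
        s["principal"] = e["principal"]
        s["ips"].add(e["ip"])
        s["agents"].add(e["agent"])
        s["calls"][e["name"]] += 1
    return dict(summary)


def unexpected_sources(events, known_networks):
    """Return SES calls whose source address is outside the networks you own.
    A sourceIPAddress that is not an IP at all (CloudTrail records a service DNS
    name for calls made on your behalf by an AWS service) is also returned so
    that it gets reviewed rather than silently passed."""
    nets = [ipaddress.ip_network(n) for n in known_networks]
    flagged = []
    for e in events:
        try:
            ip = ipaddress.ip_address(e["ip"])
        except ValueError:
            flagged.append(e)
            continue
        if not any(ip in n for n in nets):
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    # Assumption: 203.0.113.0/24 stands in for the egress range of your own servers.
    evs = load_ses_events(SAMPLE_LOG)
    for key, s in summarize_by_key(evs).items():
        print(key, s["principal"], sorted(s["ips"]), dict(s["calls"]))
    for e in unexpected_sources(evs, ["203.0.113.0/24"]):
        print("UNEXPECTED", e["time"], e["name"], e["ip"], e["agent"])
```

Point the script at the gzipped log files CloudTrail wrote to your bucket (or at the output of a LookupEvents query) and compare the flagged IPs and user agents against the machines that legitimately hold each key: a key seen from both your server's address and an address you do not recognise points at the key itself having leaked, while a key seen only from your server points back at the server. Keep the caveat from the answer above in mind: SendEmail and SendRawEmail calls are not recorded in CloudTrail, so what this surfaces is the administration calls (quota checks, identity listing and the like) that typically accompany abuse, not the individual sends.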
I recommend that you follow this link: https://docs.aws.amazon.com/ses/latest/DeveloperGuide/monitor-sending-activity.html Here you will find the details on this topic.