By using AWS re:Post, you agree to the Terms of Use
/SES API usage tracking/

SES API usage tracking


My SES account has been paused due to a breach resulting in a bunch of spam being sent from my account. We are in the process of trying to identify where the breach is. Is it a server breach, a repository breach, an SES key breach... To do this, it would be very helpful if I could somehow get the IP address of where the API calls or SMTP connections came from.

If it was our server vs an unknown IP source, we will be able to better identify the solution to resolve this. All passwords will be changed, but pointless if our server is breached and the criminals will just get the new passwords.

Is there some way, with cloud watch, cloud trail, some audit trail we can do this? We are new to AWS services.

1 Answers

Hi. Good question. Sorry to hear about your breach.

There are a few different tools available for your triage activities:

  1. CloudWatch can monitor Sends, Deliveries, Opens, Clicks, Bounces, Bounce Rates, Complaints, etc.
  2. You can also enable Event Publishing to track more/receive notifications.
  3. SES Console will show Sends, some overall numbers, as well as bounce and complaint rates. The API can also be used for this.

Note: However, SendEmail and SendRawEmail are not in AWS CloudTrail.

From a overall security perspective, you could look at rotating/quarantining credentials for AWS. This could look like IAM Roles, Security Credentials tied to IAM Users, etc. If someone has access to an IAM entity in your AWS Account, they could have unauthorized access to other infrastructure and resources as well as the ability to create/modify resources in your AWS Account.

One such guide from AWS is as follows:

answered 6 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions