1 Answer
Hi. Good question. Sorry to hear about your breach.
There are a few different tools available for your triage activities:
- Monitoring SES Sending Activity: https://docs.aws.amazon.com/ses/latest/dg/monitor-sending-activity.html
- CloudWatch can monitor Sends, Deliveries, Opens, Clicks, Bounces, Bounce Rates, Complaints, etc.
- You can also enable Event Publishing to track more/receive notifications.
- SES Console will show Sends, some overall numbers, as well as bounce and complaint rates. The API can also be used for this.
- For SES, the following events (SES administration events) are tracked in AWS CloudTrail: https://docs.aws.amazon.com/ses/latest/DeveloperGuide/logging-using-cloudtrail.html. That can provide source IP address from where the request was made, who made the request, when it was made, etc. Note: However, SendEmail and SendRawEmail are not in AWS CloudTrail.
From an overall security perspective, you could look at rotating/quarantining credentials for AWS. This could look like IAM Roles, Security Credentials tied to IAM Users, etc. If someone has access to an IAM entity in your AWS Account, they could have unauthorized access to other infrastructure and resources as well as the ability to create/modify resources in your AWS Account.
One such guide from AWS is as follows: https://aws.amazon.com/premiumsupport/knowledge-center/potential-account-compromise/
answered 3 years ago
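As an added example (not part of the original answer), one way to triage the SES administration events that CloudTrail records: group them by access key to see which identity called what, from which source IP, and when, then list the keys used from unexpected addresses as rotation candidates. The records, key ids, account id and the `known_ips` list are constructed placeholders.

```python
from collections import defaultdict

SES, OFFICE = "ses.amazonaws.com", "203.0.113.10"
KEY_A, KEY_B = "AKIAEXAMPLEKEY000001", "AKIAEXAMPLEKEY000002"  # placeholders

def rec(time, source, name, ip, user, key):
    """Build one constructed record using CloudTrail's field names."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip,
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}",
                             "accessKeyId": key}}

# Constructed sample data, not real logs. SendEmail/SendRawEmail are absent
# because, as the answer notes, they are not in CloudTrail.
SAMPLE_RECORDS = [
    rec("2024-01-10T09:00:00Z", SES, "GetSendQuota", OFFICE, "app-mailer", KEY_A),
    rec("2024-01-11T02:14:07Z", SES, "ListIdentities", "198.51.100.23", "app-mailer", KEY_A),
    rec("2024-01-11T02:16:40Z", SES, "VerifyEmailIdentity", "198.51.100.23", "app-mailer", KEY_A),
    rec("2024-01-10T11:30:00Z", SES, "GetSendStatistics", OFFICE, "ci-deploy", KEY_B),
    rec("2024-01-10T11:31:00Z", "s3.amazonaws.com", "ListBuckets", OFFICE, "ci-deploy", KEY_B),
]

def summarize_ses_activity(records):
    """Group SES events by access key: who, from where, when, what."""
    summary = defaultdict(lambda: {"arn": None, "ips": set(), "events": set(),
                                   "first": None, "last": None})
    for r in records:
        if r.get("eventSource") != SES:
            continue  # only SES administration events are of interest here
        ident = r.get("userIdentity", {})
        s = summary[ident.get("accessKeyId", "unknown")]
        s["arn"] = ident.get("arn")
        s["ips"].add(r["sourceIPAddress"])
        s["events"].add(r["eventName"])
        t = r["eventTime"]  # ISO 8601 UTC strings sort chronologically
        s["first"] = t if s["first"] is None else min(s["first"], t)
        s["last"] = t if s["last"] is None else max(s["last"], t)
    return dict(summary)

def keys_to_review(summary, known_ips):
    """Access keys that made SES calls from an address outside known_ips."""
    return sorted(k for k, s in summary.items() if s["ips"] - set(known_ips))

if __name__ == "__main__":
    report = summarize_ses_activity(SAMPLE_RECORDS)
    for key in keys_to_review(report, {OFFICE}):
        s = report[key]
        print(key, s["arn"], sorted(s["ips"]), sorted(s["events"]), s["first"], s["last"])
```
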
I recommend that you follow this link: https://docs.aws.amazon.com/ses/latest/DeveloperGuide/monitor-sending-activity.html. There you will find the details on this topic.