How to see CloudTrail of SES calls (SendRawEmail) re TLS 1.1

1

I believe we have our software & systems updated to use TLS 1.2 so that they don't break as AWS removes TLS 1.1 from their APIs. However I would like to verify there are no calls coming in.

We setup a CloudTrail (Lake) for management events but I cannot figure out how to get logs of API calls for most of the AWS services. I am new to using CloudTrail so I could be missing something obvious.

Although I would like to know about ANYTHING that is making TLS <1.2 calls, I would at the least like to know about our SES calls, specifically SendRawEmail calls. We also have old servers using old EC2Config (eg PutLogEvents) which would be nice to know about also.

I can't figure out how to access/create a trail with these logs for me to query!?

Over the last months I have received emails from AWS saying these calls are using TLS 1.1, and (hopefully) I've fixed them - but I'm in the dark and have no idea if I've missed something.

Other related posts & articles for reference:

https://repost.aws/questions/QU5eTxXYVdSU-0zFheqXkZ-g/tls1-0-1-1-how-to-find-the-requests
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-find-log-files.html
https://repost.aws/questions/QUpsEiSekXRWOntH2g-bLqhw/multiple-recent-aws-emails-about-tls1-1-or-older
https://aws.amazon.com/about-aws/whats-new/2015/05/amazon-ses-is-now-integrated-with-cloudtrail/
https://repost.aws/questions/QU24iOGqPqS-KPdxZesIJm8w/amazon-ses-sendy-tls-1-2-aws-api-endpoints-update-required
https://repost.aws/questions/QU-Y63ExO0QLauQLhOEEV4tg/what-is-the-deadline-for-tls-1-2-to-become-the-minimum-tls-protocol-level-for-all-aws-api-endpoints

3 Answers
1

Our company received the same notifications. Here are the steps we tried (the last one was finally successful):

1- We first tried the recommended approaches in the email, regarding setting up CloudTrail Lake https://aws.amazon.com/blogs/mt/using-aws-cloudtrail-lake-to-identify-older-tls-connections-to-aws-service-endpoints, but unfortunately, as described here https://docs.aws.amazon.com/ses/latest/dg/logging-using-cloudtrail.html, Amazon SES delivers only management events to CloudTrail, which are different from data events (SendEmail, SendRawEmail, SendTemplatedEmail, SendBulkTemplatedEmail).

2- We then tried to set up a Kinesis Data Firehose event destination as described here https://docs.aws.amazon.com/ses/latest/dg/event-publishing-add-event-destination-firehose.html, but despite being able to analyse message events through Amazon S3, we noticed that the TLS version is not included in the event object.

3- The solution was to run our application on a local environment and set up Wireshark to analyse outgoing packets, so then we were finally able to identify that we were actually sending SMTP messages over TLSv1. After making the appropriate changes in the application code, we could verify that the new connections were being made over TLSv1.2, which will soon be the minimum supported TLS version.

Before application code changes:

After application code changes:

Hope you can use the same approach to identify the version of the TLS connections your application is using.

answered 7 months ago
0

Same question here. I followed the sample query but observed no SES mail sending calls

answered 8 months ago
-2

You can use CloudTrail to ID these outdated TLS calls. Follow the steps, and use the sample TLS query, in the following blog post Using AWS CloudTrail Lake to identify older TLS connections. There is also a built-in sample CloudTrail TLS query available in the AWS CloudTrail Lake console.

https://aws.amazon.com/blogs/mt/using-aws-cloudtrail-lake-to-identify-older-tls-connections-to-aws-service-endpoints/

If this post was helpful please remember to mark the answer as accepted, I hope this helps and good luck.

AWS
answered 10 months ago
  • Ya, I've tried that. I can see Management Events but I'm guessing that SES's SendRawEmail call is NOT a "Management Event" but rather a "Data Event"? However I cannot see how to add those Data Events to the CloudTrail Lake data store.

    I run my code that sends emails using SendRawEmail, I should (in theory) be able to see those logs (whatever version of TLS they use - obviously changing the query as needed) however I see none of them. I only see "Management Events" (ie stuff coming from AWS Console / etc).

    How do I see logs of SendRawEmail calls (regardless of TLS version)?
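As an added, stand-alone example (not code from this thread or from AWS), the filter below applies the same test as the CloudTrail Lake TLS query to exported CloudTrail log records: keep only events whose tlsDetails.tlsVersion is TLS 1.0 or 1.1, then group them by source address and user agent to locate the client that still needs upgrading. The records are constructed; as the first answer notes, SES send calls such as SendRawEmail are data events that SES does not deliver to CloudTrail, so only SES management calls (GetSendQuota, ListIdentities) can appear in such a log.

```python
"""Flag CloudTrail records negotiated over TLS 1.0/1.1 (sample records are constructed)."""
import json
from collections import Counter

LEGACY_TLS = {"TLSv1", "TLSv1.1"}  # versions being retired at AWS API endpoints

# Constructed sample CloudTrail log file (not real account data). Each record
# carries the negotiated protocol under tlsDetails.tlsVersion, when present.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "ses.amazonaws.com", "eventName": "GetSendQuota",
     "eventTime": "2023-09-01T10:00:00Z", "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-sdk-java/1.11.100 Linux",
     "tlsDetails": {"tlsVersion": "TLSv1.1", "cipherSuite": "ECDHE-RSA-AES128-SHA"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "eventTime": "2023-09-01T10:01:00Z", "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-sdk-java/1.11.100 Linux",
     "tlsDetails": {"tlsVersion": "TLSv1", "cipherSuite": "AES128-SHA"}},
    {"eventSource": "ses.amazonaws.com", "eventName": "ListIdentities",
     "eventTime": "2023-09-01T10:02:00Z", "sourceIPAddress": "198.51.100.7",
     "userAgent": "aws-cli/2.13.0",
     "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "eventTime": "2023-09-01T10:03:00Z", "sourceIPAddress": "198.51.100.7",
     "userAgent": "console.amazonaws.com"},  # no tlsDetails at all
]})


def legacy_tls_events(log_text):
    """Return the records negotiated with a legacy TLS version.

    Records without tlsDetails are skipped rather than treated as legacy,
    because the field is absent for some event types and must not be guessed.
    """
    hits = []
    for rec in json.loads(log_text).get("Records", []):
        version = (rec.get("tlsDetails") or {}).get("tlsVersion")
        if version in LEGACY_TLS:
            hits.append({"eventSource": rec["eventSource"], "eventName": rec["eventName"],
                         "tlsVersion": version, "eventTime": rec.get("eventTime"),
                         "sourceIPAddress": rec.get("sourceIPAddress"),
                         "userAgent": rec.get("userAgent")})
    return hits


def legacy_clients(log_text):
    """Count legacy hits per (source IP, user agent); that pair usually
    identifies the host and SDK version that still needs upgrading."""
    return Counter((h["sourceIPAddress"], h["userAgent"]) for h in legacy_tls_events(log_text))


if __name__ == "__main__":
    for hit in legacy_tls_events(SAMPLE_LOG):
        print(hit)
    for (ip, ua), n in legacy_clients(SAMPLE_LOG).items():
        print(f"{n} legacy-TLS call(s) from {ip} via {ua}")
```

On a real export, point `SAMPLE_LOG` at the decompressed contents of a CloudTrail log file from the trail's S3 bucket; the JSON structure is the same.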
