SES Account hacked!

Question

Hi,
my SES account was attacked and someone is sending a lot of phishing emails!
Please, how can I block all sendings?
It's very urgent!

SuperManfred · Answer

I only managed to achieve this using AWS cli. If you do not already have cli access keys: 
* access AWS console: [https://us-east-1.console.aws.amazon.com/iamv2/home#/users](https://us-east-1.console.aws.amazon.com/iamv2/home#/users) 
(while you're there take a look into who accessed what resources how recently)
* select *your* User and then select the tab "Security credentials" 
* click button "Create access key" (you need these credentials for next step)
* enter terminal command `aws configure` and enter the key and secret generated

1. check SNS status 
```
aws ses get-account-sending-enabled --region {REGION_OF_SNS}
```
expect this response:
``` 
{
    "Enabled": true
} 
```

2. Disable SNS: 
```
aws ses update-account-sending-enabled --no-enabled --region {REGION_OF_SNS}
```

3. Confirm SNS status 
```
aws ses get-account-sending-enabled --region {REGION_OF_SNS}
```
expect this response:
```
{
    "Enabled": false
}
```

-------

**Now please upvote my answer  : )**

and figure out what else might be happening, and how this happened to you: 
* check out [https://aws.amazon.com/premiumsupport/knowledge-center/potential-account-compromise/](https://aws.amazon.com/premiumsupport/knowledge-center/potential-account-compromise/) 
* reach out to AWS Support: [https://console.aws.amazon.com/support/home#/](https://console.aws.amazon.com/support/home#/)

jsonc · Answer

Sorry to hear that!  If you haven't already - I would start by limiting IAM Access in your account itself.  
* For IAM Users, rotate their credentials (passwords) and disable access keys.  https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys
* You can remove the ability for IAM entities to use SES by removing allow policies or attaching deny policies on SES usage.

* If using Organizations, you can use SCPs.

Futhermore, you could also check SES:
* Putting the account back in Sandbox Mode (this limits sending to unverified emails).
* Turning on more logging: https://docs.aws.amazon.com/ses/latest/dg/event-publishing-add-event-destination-firehose.html

From a security perspective, if someone has access via IAM to your account, I would also check CloudTrail and other logging to see what else they have done in the account.

This is not comprehensive, but a good start: https://aws.amazon.com/premiumsupport/knowledge-center/potential-account-compromise/

I would also reach out to AWS Support: https://console.aws.amazon.com/support/home#/

SES Account hacked!

Relevant content