4

I have a verified domain that works with the IAM user I have created.

Emails go out successfully.

I am looking to lock this down, so I have first created a VPC endpoint that allows SMTP traffic from the entire VPC. This too works without issue.

Finally, I want to only allow email to be sent via this endpoint, and as such want the SES Authorization policy to accept email sending only from the local VPC range (10.204.0.0/16 for example). This is to ameliorate the impact of any leaked credentials, so bad actors cannot send emails impersonating our domain just because they have some SES access.

I cannot filter by aws:SourceIp as this only works for public IP addresses.

As such, is this even possible or do I have to allow for the possibility (however unlikely that is) that leaked credentials could allow external actors to send as our verified domain?

Ermiya Eskandary
mrsnoobs

2 Answers

4

Amazon SES can use SMTP credentials, which essentially means SES is connected to the internet & is theoretically public by nature.

While you can restrict IAM users & roles from using the Amazon SES API, there's no way you can restrict someone from connecting to any of the Amazon SES endpoints to abuse your SMTP server using stolen credentials. This is how the SMTP protocol works by design - using credentials.

It has no idea of a VPC IP range.

While you can't prevent leaked credentials from being used, you can monitor your Amazon SES sending activity & perhaps use CloudWatch alarms to notice any suspicious behaviour to be more reactive in case leakage happens.

Also be proactive to prevent leaking in the first instance - storing SMTP credentials in a locked-down AWS Parameter Store, only giving one main IAM SMTP user the permission to carry out the ses:SendRawEmail action at a time etc.

The combination of high levels of monitoring, tight restrictions on what application has access to the SMTP credentials and when, constant rotation of the IAM SMTP user (and thus the SMTP credentials), and general security awareness should hopefully prevent leakage of your credentials, and if the worst does happen, the above actions should reduce the time to detect & the blast radius, so to speak.

Thank you for trying to apply security at all layers & preparing for security events!

Ermiya Eskandary

  • Thanks for this. I was rather hoping that attaching restrictions to the IAM user policy would be possible, but it seems not. We have only one user allowed to send mail per VPC, and this user's creds are only found in the Terraform tfstate file, held in S3, encrypted at rest and only available to internal users. I think we can do better but that is a separate task. – mrsnoobs Oct 14 '21 at 19:07
  • No worries :) you're able to restrict IAM users but it doesn't have anything to do with leaked SMTP credentials – Ermiya Eskandary Oct 14 '21 at 19:08
  • That is what I was hoping for with the VPC endpoint - to route all of my desired traffic that I expect to use the verified domain (ie internal to the VPC) and deny all others. If that is not evaluated by the time it reaches the SMTP service (ie it has no idea that it is coming from inside the VPC) then it seems that is not possible, and I will have to get creative with storing credentials more securely. – mrsnoobs Oct 14 '21 at 19:13
  • Yes correct - there's no way, not because of AWS but because of the SMTP protocol itself; best of luck! – Ermiya Eskandary Oct 14 '21 at 19:14
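The three mitigations the answer lists (one IAM user limited to ses:SendRawEmail, SMTP credentials kept in Parameter Store, and a CloudWatch alarm on sending volume) written out as Terraform, since the asker already manages this in Terraform. This is an added example, not code from the answer or from AWS; the region, account ID 123456789012, the identity example.com, the parameter names, the alarm threshold of 100 messages per 5 minutes and the var.alert_topic_arn SNS topic are all assumed values to be replaced.

```hcl
# Added example (not from the original answer). Assumed: region us-east-1,
# account 123456789012, verified identity example.com, an existing SNS topic
# passed in via var.alert_topic_arn.

variable "alert_topic_arn" {
  description = "SNS topic that receives the sending-volume alarm (assumed to exist)"
  type        = string
}

# A single IAM user that may only call ses:SendRawEmail (the action the SMTP
# interface uses) and only with a From address under the verified domain.
# ses:FromAddress is a real SES condition key; the domain is an assumption.
resource "aws_iam_user" "smtp" {
  name = "ses-smtp-sender"
}

resource "aws_iam_user_policy" "smtp_send_only" {
  name = "ses-send-raw-from-example-com"
  user = aws_iam_user.smtp.name

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "ses:SendRawEmail"
      Resource = "arn:aws:ses:us-east-1:123456789012:identity/example.com"
      Condition = {
        StringLike = { "ses:FromAddress" = "*@example.com" }
      }
    }]
  })
}

# The SMTP password is derived from the secret access key. Both the key and
# the derived password are stored in the Terraform state, so state encryption
# and access control remain necessary. Rotation = replace this resource.
resource "aws_iam_access_key" "smtp" {
  user = aws_iam_user.smtp.name
}

# Hand the credentials to applications through Parameter Store (SecureString
# for the password) instead of distributing them directly.
resource "aws_ssm_parameter" "smtp_username" {
  name  = "/ses/smtp/username"
  type  = "String"
  value = aws_iam_access_key.smtp.id
}

resource "aws_ssm_parameter" "smtp_password" {
  name  = "/ses/smtp/password"
  type  = "SecureString"
  value = aws_iam_access_key.smtp.ses_smtp_password_v4
}

# Detective control: alarm when SES accepts more than the assumed 100 messages
# in any 5-minute window. Size the threshold from your normal sending volume.
resource "aws_cloudwatch_metric_alarm" "ses_send_spike" {
  alarm_name          = "ses-send-volume-spike"
  namespace           = "AWS/SES"
  metric_name         = "Send"
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  threshold           = 100
  comparison_operator = "GreaterThanThreshold"
  treat_missing_data  = "notBreaching"
  alarm_actions       = [var.alert_topic_arn]
}
```

The policy does not make the credentials unusable from outside the VPC (the answer's point stands: SES cannot see where an SMTP client is), but it does cap what a stolen credential can do to one action and one sending domain, and the alarm shortens the time to notice an abnormal volume. Restrict ssm:GetParameter on the two parameters to the one application role that sends mail; that policy is left out here because the role name is not on the page.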
-1

You can restrict sending emails - remove all SMTP credentials and send emails via the API through a specific IAM user to which you attach a proper policy with the restrictions you need.
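The policy this answer has in mind, as an added Terraform example rather than code from the answer. The user is allowed ses:SendEmail (the API action) with a From-address condition, and ses:SendRawEmail, which the SMTP interface requires, is explicitly denied, so access keys leaked for this user cannot be converted into working SMTP credentials. Region, account ID 123456789012 and the identity example.com are assumed placeholders.

```hcl
# Added example (not from the original answer). Assumed: region us-east-1,
# account 123456789012, verified identity example.com.

resource "aws_iam_user" "api_sender" {
  name = "ses-api-sender"
}

resource "aws_iam_user_policy" "api_send_only" {
  name = "ses-api-send-from-example-com"
  user = aws_iam_user.api_sender.name

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # API sends only, and only as an address under the verified domain.
        Sid      = "AllowApiSendFromVerifiedDomain"
        Effect   = "Allow"
        Action   = "ses:SendEmail"
        Resource = "arn:aws:ses:us-east-1:123456789012:identity/example.com"
        Condition = {
          StringLike = { "ses:FromAddress" = "*@example.com" }
        }
      },
      {
        # The SMTP interface needs ses:SendRawEmail; denying it here means
        # this user's keys are useless as SMTP credentials even if another
        # policy is attached later.
        Sid      = "DenySmtpInterface"
        Effect   = "Deny"
        Action   = "ses:SendRawEmail"
        Resource = "*"
      }
    ]
  })
}
```

This still does not tie sending to the VPC: anyone holding the access key can call the SES API from anywhere. What it changes is that a leak exposes only API sends from one domain, and never an SMTP login.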