AWS SES GetAccount action invoked via AccessKey

ID: aws_ses_get_account
Data type: AWS CloudTrail
Severity: Low
MITRE ATT&CK: TA0007:T1580

Description

AlphaSOC detected the invocation of the AWS SES GetAccount action using an AccessKey. This action retrieves information about the email-sending status and capabilities of an Amazon SES account in the current AWS Region. Such activity may indicate an adversary attempting to gather information about the AWS environment, potentially as a precursor to further attacks.

Impact

Unauthorized use of the GetAccount action exposes sensitive information about AWS SES email capabilities that can be leveraged to launch phishing campaigns, distribute spam, or conduct other malicious activities, potentially leading to reputational damage to the organization.

Severity

Severity | Condition
Low | AWS SES GetAccount action invoked via AccessKey

Investigation and Remediation

Investigate the GetAccount action. Review AWS CloudTrail logs for suspicious activity associated with the same access key. If unauthorized access is confirmed, delete the access key, rotate all potentially compromised credentials, and assess the extent of potential damage.
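
One way to run the CloudTrail review described above, as an added example that is not AlphaSOC's detection logic: it finds SES GetAccount records and then pivots on the access key to build a timeline of everything else that key did. It assumes "via AccessKey" means the record carries `userIdentity.accessKeyId`; the records and helper names (`find_getaccount`, `pivot`) are constructed for illustration.

```python
import json

# Constructed CloudTrail records for illustration (not real log data).
# Key IDs are AWS documentation placeholders; IPs are documentation ranges.
SAMPLE = json.loads("""[
 {"eventTime":"2024-05-01T10:00:05Z","eventSource":"sts.amazonaws.com",
  "eventName":"GetCallerIdentity","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.7",
  "userIdentity":{"type":"IAMUser","accessKeyId":"AKIAIOSFODNN7EXAMPLE"}},
 {"eventTime":"2024-05-01T10:00:09Z","eventSource":"ses.amazonaws.com",
  "eventName":"GetAccount","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.7",
  "userIdentity":{"type":"IAMUser","accessKeyId":"AKIAIOSFODNN7EXAMPLE"}},
 {"eventTime":"2024-05-01T10:00:11Z","eventSource":"ses.amazonaws.com",
  "eventName":"GetAccount","awsRegion":"eu-west-1","sourceIPAddress":"198.51.100.7",
  "userIdentity":{"type":"IAMUser","accessKeyId":"AKIAIOSFODNN7EXAMPLE"}},
 {"eventTime":"2024-05-01T10:00:14Z","eventSource":"ses.amazonaws.com","errorCode":"AccessDenied",
  "eventName":"ListEmailIdentities","awsRegion":"eu-west-1","sourceIPAddress":"198.51.100.7",
  "userIdentity":{"type":"IAMUser","accessKeyId":"AKIAIOSFODNN7EXAMPLE"}},
 {"eventTime":"2024-05-01T10:02:00Z","eventSource":"s3.amazonaws.com",
  "eventName":"ListBuckets","awsRegion":"us-east-1","sourceIPAddress":"203.0.113.10",
  "userIdentity":{"type":"IAMUser","accessKeyId":"AKIAI44QH8DHBEXAMPLE"}}
]""")

def key_of(rec):
    return rec.get("userIdentity", {}).get("accessKeyId")

def find_getaccount(records):
    """SES GetAccount calls carrying an access key ID (assumed meaning of 'via AccessKey')."""
    return [r for r in records
            if r.get("eventSource") == "ses.amazonaws.com"
            and r.get("eventName") == "GetAccount" and key_of(r)]

def pivot(records, access_key_id):
    """Everything the same key did, in time order, for the investigation step."""
    rows = sorted((r for r in records if key_of(r) == access_key_id),
                  key=lambda r: r["eventTime"])  # ISO-8601 UTC sorts lexicographically
    return {
        "timeline": [(r["eventTime"], r["eventSource"], r["eventName"]) for r in rows],
        "source_ips": sorted({r["sourceIPAddress"] for r in rows}),
        "regions": sorted({r["awsRegion"] for r in rows}),
        "errors": [(r["eventName"], r["errorCode"]) for r in rows if "errorCode" in r],
        "long_term_key": access_key_id.startswith("AKIA"),  # ASIA = temporary STS key
    }

if __name__ == "__main__":
    for key in sorted({key_of(r) for r in find_getaccount(SAMPLE)}):
        print(key, json.dumps(pivot(SAMPLE, key), indent=2))
```

In the pivot output, GetAccount repeated across several Regions, failed calls, or source IPs the key owner does not recognise are the signals to weigh before deleting the key and rotating credentials.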