AWS SES GetAccount action invoked via AccessKey
Description
AlphaSOC detected the invocation of the AWS SES GetAccount action using an
AccessKey. This action retrieves information about the email-sending status and
capabilities of an Amazon SES account in the current AWS Region. Such activity
may indicate an adversary attempting to gather information about the AWS
environment, potentially as a precursor to further attacks.
Impact
Unauthorized use of the GetAccount action exposes sensitive information about
AWS SES email capabilities that can be leveraged to launch phishing campaigns,
distribute spam, or conduct other malicious activities, potentially leading to
reputational damage to the organization.
Severity
| Severity | Condition |
|---|---|
| Low | AWS SES GetAccount action invoked via AccessKey |
Investigation and Remediation
Investigate the GetAccount action. Review AWS CloudTrail logs for suspicious
activity associated with the same access key. If unauthorized access is
confirmed, delete the access key, rotate all potentially compromised
credentials, and assess the extent of potential damage.
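The CloudTrail review described above can be scripted. The following is an added example, not AlphaSOC's detection logic or code from this page: it finds SES GetAccount events that carry an access key ID, then pulls every other event made with the same key. The records, key IDs and IP addresses are constructed, and the function names are hypothetical.

```python
from collections import defaultdict

def rec(time, source, name, ip, key):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "accessKeyId": key}}

# Constructed records; key IDs are placeholders, IPs are documentation ranges.
SAMPLE_RECORDS = [
    rec("2024-05-01T09:00:00Z", "s3.amazonaws.com", "ListBuckets", "198.51.100.10", "AKIAEXAMPLEKEY000001"),
    rec("2024-05-01T09:05:00Z", "ec2.amazonaws.com", "DescribeInstances", "198.51.100.10", "AKIAEXAMPLEKEY000002"),
    rec("2024-05-02T03:12:00Z", "ses.amazonaws.com", "GetAccount", "203.0.113.7", "AKIAEXAMPLEKEY000001"),
    rec("2024-05-02T03:12:04Z", "ses.amazonaws.com", "GetSendQuota", "203.0.113.7", "AKIAEXAMPLEKEY000001"),
]

def key_of(record):
    """Access key ID recorded for the caller, or None if absent."""
    return record.get("userIdentity", {}).get("accessKeyId")

def find_getaccount_calls(records):
    """Return SES GetAccount events that carry an access key ID."""
    return [r for r in records
            if r.get("eventSource") == "ses.amazonaws.com"
            and r.get("eventName") == "GetAccount" and key_of(r)]

def pivot_on_keys(records, hits):
    """Collect, in time order, every event made with a flagged access key."""
    flagged = {key_of(h) for h in hits}
    activity = defaultdict(list)
    for r in sorted(records, key=lambda r: r["eventTime"]):
        if key_of(r) in flagged:
            activity[key_of(r)].append(r)
    return dict(activity)

def summarize(activity):
    """Per key: event count, distinct source IPs, and services touched."""
    return {key: {"events": len(evs),
                  "source_ips": sorted({e["sourceIPAddress"] for e in evs}),
                  "services": sorted({e["eventSource"] for e in evs})}
            for key, evs in activity.items()}

if __name__ == "__main__":
    hits = find_getaccount_calls(SAMPLE_RECORDS)
    for key, info in summarize(pivot_on_keys(SAMPLE_RECORDS, hits)).items():
        print(key, info)
```

A key that appears from more than one source IP, or that touches SES for the first time, is a reasonable starting point when deciding whether the access was authorized.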