Skip to main content

AWS SES production access granted

ID:aws_ses_production_access_granted
Data type:AWS CloudTrail
Severity:
Low
MITRE ATT&CK:TA0004:T1098

Description

AlphaSOC detected that AWS Simple Email Service (SES) production access was enabled for an account. This setting allows the account to send emails to recipients outside the AWS SES sandbox environment. Adversaries might enable production access to launch phishing campaigns or send spam emails from a compromised account.

Impact

Enabling AWS SES production access allows threat actors to send large volumes of emails to any recipient, potentially leading to phishing attacks, spam campaigns, or distribution of malware. This can damage the organization's reputation.

Severity

SeverityCondition
Low
AWS SES production access granted

Investigation and Remediation

Investigate the account that enabled AWS SES production access to determine if the action was authorized. If unauthorized, contact AWS Support to revoke the production access, rotate all associated credentials, and investigate for other signs of compromise.