AWS SES identities discovery via access key
Description
AlphaSOC detected AWS Simple Email Service (SES) identities discovery via an access key, indicated by the use of both ListIdentities and GetIdentityVerificationAttributes actions. These API calls are typically used to enumerate existing AWS SES identities and check their verification status. This behavior may indicate that threat actors are gathering information about the organization's email infrastructure, potentially in preparation for an AWS SES-based mailing attack.
Impact
This activity could serve as an early indicator of a larger attack. After the discovery, adversaries may exploit AWS SES to send malicious emails, potentially leading to phishing campaigns, spam distribution, or brand impersonation. This could result in data breaches, financial losses, and reputational damage for the organization.
Severity
Severity | Condition |
---|---|
Medium | AWS SES identities discovery via access key |
Investigation and Remediation
Review AWS CloudTrail logs to identify the specific AWS IAM user or role associated with these actions. Verify whether they were authorized. If unauthorized, rotate all potentially compromised credentials and review recent account activity for signs of compromise.
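One way to carry out the CloudTrail review described above, as an added example (not AlphaSOC's detection logic): it groups SES events by access key and reports the keys that made both discovery calls, with the principal and source IPs to verify. The one-hour window, the function names, and all sample records (keys, account ID, IPs) are assumptions constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

DISCOVERY_ACTIONS = {"ListIdentities", "GetIdentityVerificationAttributes"}
WINDOW = timedelta(hours=1)  # assumption: the page does not state a time window

def _rec(time, name, key, user, ip):
    # Builds a constructed CloudTrail record with only the fields used below.
    return {"eventTime": time, "eventSource": "ses.amazonaws.com", "eventName": name,
            "sourceIPAddress": ip, "userIdentity": {"type": "IAMUser", "accessKeyId": key,
            "arn": f"arn:aws:iam::111122223333:user/{user}"}}

# Constructed sample log (placeholder keys, account ID and documentation-range IPs).
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2024-01-01T10:00:00Z", "ListIdentities", "AKIAEXAMPLE00000001", "example-mailer", "203.0.113.10"),
    _rec("2024-01-01T10:00:05Z", "GetIdentityVerificationAttributes", "AKIAEXAMPLE00000001", "example-mailer", "203.0.113.10"),
    _rec("2024-01-01T11:00:00Z", "ListIdentities", "AKIAEXAMPLE00000002", "example-ops", "198.51.100.7"),
    _rec("2024-01-01T08:00:00Z", "ListIdentities", "AKIAEXAMPLE00000003", "example-ci", "192.0.2.44"),
    _rec("2024-01-01T12:00:00Z", "GetIdentityVerificationAttributes", "AKIAEXAMPLE00000003", "example-ci", "192.0.2.44"),
]})

def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_ses_discovery(cloudtrail_json, window=WINDOW):
    """Return one finding per access key that made both discovery calls within `window`."""
    by_key = defaultdict(list)
    for rec in json.loads(cloudtrail_json).get("Records", []):
        key = rec.get("userIdentity", {}).get("accessKeyId")
        if key and rec.get("eventSource") == "ses.amazonaws.com" \
                and rec.get("eventName") in DISCOVERY_ACTIONS:
            by_key[key].append(rec)
    findings = []
    for key, recs in by_key.items():
        recs.sort(key=_ts)
        latest = {}  # most recent record seen so far for each action
        for rec in recs:
            latest[rec["eventName"]] = rec
            times = [_ts(r) for r in latest.values()]
            if len(latest) == 2 and max(times) - min(times) <= window:
                findings.append({
                    "access_key": key,
                    "principal": rec["userIdentity"].get("arn"),
                    "source_ips": sorted({r.get("sourceIPAddress", "unknown") for r in recs}),
                    "first_seen": recs[0]["eventTime"], "last_seen": recs[-1]["eventTime"]})
                break
    return findings

if __name__ == "__main__":
    print(json.dumps(find_ses_discovery(SAMPLE_LOG), indent=2))
```

Each finding names the principal ARN to check against expected SES administration activity; a key that appears here and is not recognized is the one to rotate.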