From 8acdf8e65b5edfdadfb15582ef6fcec5e9fd0c01 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rub=C3=A9n=20De=20la=20Torre=20Vico?=
Date: Fri, 26 Dec 2025 13:03:58 +0100
Subject: [PATCH] chore(aws): enhance metadata for `ses` service (#9411)

Co-authored-by: Daniel Barranquero
---
 prowler/CHANGELOG.md | 1 +
 ...tity_not_publicly_accessible.metadata.json | 30 +++++++++++--------
 2 files changed, 19 insertions(+), 12 deletions(-)

diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md
index 04a646ebc2..9eb9de122b 100644
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -27,6 +27,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Update AWS Resource Explorer v2 service metadata to new format [(#9386)](https://github.com/prowler-cloud/prowler/pull/9386)
 - Update AWS SageMaker service metadata to new format [(#9407)](https://github.com/prowler-cloud/prowler/pull/9407)
 - Update AWS Security Hub service metadata to new format [(#9409)](https://github.com/prowler-cloud/prowler/pull/9409)
+- Update AWS SES service metadata to new format [(#9411)](https://github.com/prowler-cloud/prowler/pull/9411)
 ---

diff --git a/prowler/providers/aws/services/ses/ses_identity_not_publicly_accessible/ses_identity_not_publicly_accessible.metadata.json b/prowler/providers/aws/services/ses/ses_identity_not_publicly_accessible/ses_identity_not_publicly_accessible.metadata.json
index eb92fcef83..ef682f1820 100644
--- a/prowler/providers/aws/services/ses/ses_identity_not_publicly_accessible/ses_identity_not_publicly_accessible.metadata.json
+++ b/prowler/providers/aws/services/ses/ses_identity_not_publicly_accessible/ses_identity_not_publicly_accessible.metadata.json
@@ -1,29 +1,35 @@
 {
 "Provider": "aws",
 "CheckID": "ses_identity_not_publicly_accessible",
- "CheckTitle": "Ensure that SES identities are not publicly accessible",
+ "CheckTitle": "SES identity resource policy does not allow public access",
 "CheckType": [
- "Software and Configuration Checks/AWS Security Best Practices"
+ "Software and Configuration Checks/AWS Security Best Practices/Network Reachability",
+ "TTPs/Initial Access",
+ "Effects/Data Exposure"
 ],
 "ServiceName": "ses",
 "SubServiceName": "",
- "ResourceIdTemplate": "arn:aws:ses:region:account-id:identity/",
+ "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "AwsSesIdentity",
+ "ResourceType": "AwsIamPolicy",
 "ResourceGroup": "messaging",
- "Description": "This control checks whether SES identities are not publicly accessible via resource policies.",
- "Risk": "Publicly accessible SES identities can allow unauthorized email sending or receiving, leading to potential abuse or phishing attacks.",
- "RelatedUrl": "https://docs.aws.amazon.com/ses/latest/dg/identity-authorization-policies.html",
+ "Description": "**Amazon SES identities** are evaluated for **publicly accessible resource policies**-for example, statements with `Principal:\"*\"` or broadly trusted principals that permit actions against the identity.",
+ "Risk": "Public SES identity policies allow unauthorized email sending or configuration changes.\n- Integrity: spoofed emails and brand impersonation\n- Confidentiality: exposure of identity details\n- Availability: reputation loss causing throttling or suspension",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://docs.aws.amazon.com/ses/latest/dg/policy-anatomy.html",
+ "https://docs.aws.amazon.com/ses/latest/dg/identity-authorization-policies.html"
+ ],
 "Remediation": {
 "Code": {
- "CLI": "aws ses delete-email-identity-policy --identity --policy-name ",
+ "CLI": "aws sesv2 delete-email-identity-policy --email-identity --policy-name ",
 "NativeIaC": "",
- "Other": "",
- "Terraform": ""
+ "Other": "1. In the AWS Console, go to Simple Email Service (SES)\n2. Open Verified identities and select the affected identity\n3. Click Resource policies\n4. Delete the public policy, or Edit it to remove any Principal of \"*\" and restrict to a specific AWS account\n5. Save changes",
+ "Terraform": "```hcl\nresource \"aws_ses_identity_policy\" \"\" {\n identity = \"\"\n name = \"\"\n\n policy = jsonencode({\n Version = \"2012-10-17\"\n Statement = [{\n Effect = \"Allow\"\n Principal = { AWS = [\"\"] } # Critical: restrict to a specific AWS account, not \"*\"\n Action = [\"ses:SendEmail\"]\n Resource = \"arn:aws:ses:::identity/\"\n }]\n })\n}\n```"
 },
 "Recommendation": {
- "Text": "Review and restrict SES identity policies to prevent public access. Ensure policies follow the Principle of Least Privilege.",
- "Url": "https://docs.aws.amazon.com/ses/latest/dg/policy-anatomy.html"
+ "Text": "Restrict SES identity policies to known principals and actions following **least privilege**. Prefer explicit account ARNs for sending authorization, and add conditions like `aws:SourceIp` and `aws:SecureTransport`. Review grants regularly and remove unused access as part of **defense in depth**.",
+ "Url": "https://hub.prowler.com/check/ses_identity_not_publicly_accessible"
 }
 },
 "Categories": [