SES policy with allowed IAM actions

Documentos > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > SES policy with allowed IAM actions

Esta página aún no está disponible en español. Estamos trabajando en su traducción.
Si tienes alguna pregunta o comentario sobre nuestro actual proyecto de traducción, no dudes en ponerte en contacto con nosotros.

Metadata

Id: 34b921bd-90a0-402e-a0a5-dc73371fd963

Cloud Provider: AWS

Platform: Terraform

Severity: High

Category: Access Control

Learn More

Provider Reference

Description

Amazon SES identity policies that allow access to all principals (‘AWS’: ‘*’) create a significant security risk by granting any AWS account permissions to perform the specified actions on your SES resources. This overly permissive configuration can lead to unauthorized email sending, potential data breaches, and could be exploited for phishing campaigns or reputation damage.

Instead, SES policies should explicitly specify the ARNs of trusted principals that require access. For example, replace "AWS": "*" with "AWS": "arn:aws:iam::ACCOUNT_ID:root" or a more specific IAM role or user to implement the principle of least privilege.

Compliant Code Examples

resource "aws_ses_identity_policy" "negative1" {
  identity = aws_ses_domain_identity.example.arn
  name     = "example"
  policy   = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "*",
      "Principal": {
        "AWS": "arn:aws:iam::987654321145:root"
      },
      "Effect": "Allow",
      "Resource": "*",
      "Sid": ""
    }
  ]
}
EOF
}

Non-Compliant Code Examples

resource "aws_ses_identity_policy" "positive1" {
  identity = aws_ses_domain_identity.example.arn
  name     = "example"
  policy   = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "*",
      "Principal": {
        "AWS": "*"
      },
      "Effect": "Allow",
      "Resource": "*",
      "Sid": ""
    }
  ]
}
EOF
}