---
title: AWS IAM AmazonSESFullAccess policy was applied to a role
description: Datadog, the leading service for cloud-scale monitoring.
---

# AWS IAM AmazonSESFullAccess policy was applied to a role

- Classification: attack
- Tactic: [TA0004-privilege-escalation](https://attack.mitre.org/tactics/TA0004)
- Technique: [T1098-account-manipulation](https://attack.mitre.org/techniques/T1098)

## Goal{% #goal %}

Detect when the `AmazonSESFullAccess` policy is attached to an AWS IAM role.

## Strategy{% #strategy %}

This rule monitors CloudTrail to detect when an attacker attaches the AWS managed policy [`AmazonSESFullAccess`](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSESFullAccess.html) to an AWS IAM role using the [`AttachRolePolicy`](https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRolePolicy.html) API call. An attacker whose objective is to leverage the AWS Simple Email Service (SES) may attach only an SES-related policy in order to avoid detections that key on the AWS managed policy `AdministratorAccess`.
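The match described above, written as an added example over raw CloudTrail records (this is not Datadog's rule query or code). Field names follow the CloudTrail record format; the function names, sample records, account ID, and user names are constructed for illustration.

```python
import re

# AWS managed policy, any partition; account field "aws" rules out customer managed copies.
MANAGED_SES_FULL = re.compile(r"arn:aws[a-z-]*:iam::aws:policy/AmazonSESFullAccess")


def session_name(identity):
    """Role session name for assumed roles, otherwise the userName or ARN."""
    arn = identity.get("arn", "")
    if identity.get("type") == "AssumedRole" and "/" in arn:
        return arn.rsplit("/", 1)[1]
    return identity.get("userName") or arn


def find_ses_full_access_attachments(records):
    """Return one finding per AttachRolePolicy call for AmazonSESFullAccess."""
    findings = []
    for rec in records:
        if (rec.get("eventSource"), rec.get("eventName")) != ("iam.amazonaws.com", "AttachRolePolicy"):
            continue
        params = rec.get("requestParameters") or {}  # may be null in a record
        if not MANAGED_SES_FULL.fullmatch(params.get("policyArn") or ""):
            continue
        findings.append({
            "role": params.get("roleName"),
            "actor": session_name(rec.get("userIdentity") or {}),
            "source_ip": rec.get("sourceIPAddress"),
            # A denied call leaves the role unchanged but still shows intent.
            "succeeded": "errorCode" not in rec,
        })
    return findings


def _event(identity, role, policy_arn, **extra):
    """Build a constructed (not real) CloudTrail AttachRolePolicy record."""
    return {"eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
            "userIdentity": identity,
            "requestParameters": {"roleName": role, "policyArn": policy_arn}, **extra}


SAMPLE = [
    _event({"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/dev/alice"},
           "mailer", "arn:aws:iam::aws:policy/AmazonSESFullAccess", sourceIPAddress="198.51.100.7"),
    _event({"type": "IAMUser", "userName": "bob"}, "batch",
           "arn:aws:iam::aws:policy/AmazonSESFullAccess", errorCode="AccessDenied"),
    _event({"type": "IAMUser", "userName": "bob"}, "batch",  # customer managed, same name
           "arn:aws:iam::111122223333:policy/AmazonSESFullAccess"),
    _event({"type": "IAMUser", "userName": "bob"}, "batch", "arn:aws:iam::aws:policy/AdministratorAccess"),
]
```

Running `find_ses_full_access_attachments(SAMPLE)` yields two findings: the successful attachment by session `alice` and the denied attempt by `bob`. The customer managed policy with the same name and the `AdministratorAccess` attachment are not matched.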

## Triage and response{% #triage-and-response %}

1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.
1. If the API call was not made by the user:
   - Rotate user credentials.
   - Determine what other API calls were made by the user.
   - Remove the `AmazonSESFullAccess` policy from the `{{@requestParameters.roleName}}` role using the `aws-cli` command [detach-role-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/detach-role-policy.html).
1. If the API call was made legitimately by the user:
   - Determine if the role `{{@requestParameters.roleName}}` requires the `AmazonSESFullAccess` policy to perform the intended function.
   - Advise the user to find the [least privileged](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege) policy that allows the role to operate as intended.
