AWS Simple Email Service (SES) is a powerful tool for sending emails, but it comes with a significant responsibility to secure your SES SMTP credentials. A compromised SMTP user can lead to misuse, such as sending spam or phishing emails, severely damaging your reputation and potentially getting your account flagged or banned.
Here are three common ways SES keys can be compromised, especially in team environments:
- Poor protection of development devices – A compromised developer computer can expose sensitive credentials.
- Inadequate server hardening – Unsecured servers are prime targets for attackers.
- Accidental commits to version control – Sensitive .env files can inadvertently be pushed to repositories.
To mitigate these risks, implement the following three simple policies to improve the security of your AWS SES SMTP user:
1. Restrict Access to Specific Identities
If your AWS account manages multiple identities (domains or email addresses), restrict the SES SMTP user to access only the required identity.
Why? This ensures that even if the credentials are compromised, they cannot be used to send emails from other domains or addresses under your account.
How to Implement:
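Use an IAM policy with the ses:SendEmail or ses:SendRawEmail actions, specifying the allowed identity. Mail submitted through the SES SMTP interface is authorized as ses:SendRawEmail, so that is the action an SMTP user's policy has to allow:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ses:SendRawEmail",
      "Resource": "arn:aws:ses:us-east-1:123456789012:identity/example.com"
    }
  ]
}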
2. Enforce a Specific “From” Address
By default, if your identity is domain-validated, emails can be sent from any address within that domain. While flexible, this opens the door for abuse, such as spam or identity theft. Restricting the SES user to a single verified “From” address prevents misuse.
How to Implement:
Extend the IAM policy to include the ses:FromAddress condition key:
{
  "Effect": "Allow",
  "Action": "ses:SendRawEmail",
  "Resource": "arn:aws:ses:us-east-1:123456789012:identity/example.com",
  "Condition": {
    "StringEquals": {
      "ses:FromAddress": "[email protected]"
    }
  }
}
3. Restrict Access to Trusted IPs
Limit SES SMTP user access to the specific IP address(es) of your sending server. Even if the credentials are exposed, they cannot be used from unauthorized locations.
Why? This adds an additional layer of security, ensuring the credentials work only from your trusted infrastructure.
How to Implement:
Use an IAM policy with the aws:SourceIp condition:
{
  "Effect": "Allow",
  "Action": "ses:SendRawEmail",
  "Resource": "arn:aws:ses:us-east-1:123456789012:identity/example.com",
  "Condition": {
    "IpAddress": {
      "aws:SourceIp": "203.0.113.0/24"
    }
  }
}
This policy combines restrictions for identity access, specific “From” address, and trusted IPs into one comprehensive configuration:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ses:SendRawEmail",
      "Resource": "arn:aws:ses:us-east-1:123456789012:identity/example.com",
      "Condition": {
        "StringEquals": {
          "ses:FromAddress": "[email protected]"
        },
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}
How to Use
1. Replace 123456789012 with your AWS account ID.
2. Replace example.com with your verified identity (domain or email address).
3. Replace [email protected] with your desired “From” email address.
4. Replace 203.0.113.0/24 with the IP address or CIDR block of your trusted servers.
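An offline check for the three controls above, as an added example that is not part of the original post: it reads a policy document and reports any statement that allows an SES send action without an identity-scoped resource, a ses:FromAddress condition, or an aws:SourceIp condition. The function names, the noreply@example.com address and both sample policies are constructed for illustration.

```python
import ipaddress
import json

# Literal action patterns treated as "can send"; other wildcard forms are not expanded.
SEND_ACTIONS = {"*", "ses:*", "ses:send*", "ses:sendemail", "ses:sendrawemail"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition(stmt, operator, key):
    """Values of a condition key under one operator (key names are case-insensitive)."""
    block = stmt.get("Condition", {}).get(operator, {})
    return [v for k, vals in block.items() if k.lower() == key.lower() for v in _as_list(vals)]

def audit_smtp_policy(policy_json):
    """Return (statement index, finding) pairs for Allow statements that grant sending."""
    findings = []
    for n, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & SEND_ACTIONS:
            continue
        resources = _as_list(stmt.get("Resource", "*"))
        if any(r == "*" or r.endswith("identity/*") for r in resources):
            findings.append((n, "resource is not limited to one identity"))
        if not _condition(stmt, "StringEquals", "ses:FromAddress"):
            findings.append((n, "no ses:FromAddress restriction"))
        cidrs = _condition(stmt, "IpAddress", "aws:SourceIp")
        if not cidrs:
            findings.append((n, "no aws:SourceIp restriction"))
        elif any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs):
            findings.append((n, "aws:SourceIp allows every address"))
    return findings

# Constructed sample policies; account ID, domain, address and CIDR are placeholders.
ARN = "arn:aws:ses:us-east-1:123456789012:identity/"
WEAK = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ses:SendRawEmail", "Resource": "*"}]})
HARDENED = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "ses:SendRawEmail", "Resource": ARN + "example.com",
    "Condition": {"StringEquals": {"ses:FromAddress": "noreply@example.com"},
                  "IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]})

if __name__ == "__main__":
    for name, doc in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_smtp_policy(doc) or "ok")
```

Run it against the JSON you are about to attach to the SMTP user; an empty result means all three restrictions are present on every statement that allows sending.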
In Conclusion
By implementing these policies, you can significantly reduce the risk of your SES SMTP credentials being misused. Regularly review and update your security practices to stay ahead of potential vulnerabilities. AWS provides powerful tools to safeguard your account – use them to your advantage.
Stay secure and email responsibly!