Amazon SES identities are evaluated for publicly accessible identity (sending authorization) policies, for example statements whose Principal is "*" or a broadly trusted set of principals, which allow actions against the identity.
Risk
A public SES identity policy lets any AWS principal, not just the owning account, send email as that identity or change its configuration, depending on the actions granted.
- Integrity: spoofed email sent from your domain and brand impersonation
- Confidentiality: exposure of details about the identity and its configuration
- Availability: abuse that damages sender reputation and leads to throttling or suspension of the account
prowler aws --checks ses_identity_not_publicly_accessible
Recommendation
Restrict each identity policy to the principals and actions that actually need it, following least privilege. For sending authorization, name the delegate sender's account or role ARN explicitly in Principal instead of "*", limit Action to the ses:SendEmail / ses:SendRawEmail calls required, and add conditions such as aws:SourceIp and aws:SecureTransport where they fit the caller. Review the grants regularly and remove any that are no longer used, as part of defense in depth.
Remediation
aws sesv2 delete-email-identity-policy --email-identity <IDENTITY-NAME> --policy-name <POLICY-NAME>
- In the AWS Console, go to Simple Email Service (SES)
- Open Verified identities and select the affected identity
- Click Resource policies
- Delete the public policy, or edit it so that no statement has a Principal of "*" and access is limited to specific AWS account or role ARNs
- Save changes
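The following Python script is an added illustration of the Recommendation and Remediation above; it is not Prowler's check code. It applies the same rule the check describes, an Allow statement with a wildcard principal and no condition that pins the caller to a specific account, ARN or organization, to constructed sample policy documents, builds a least-privilege replacement that names an explicit sender ARN and an aws:SourceIp condition, and prints the aws sesv2 put-email-identity-policy command that would install it. The set of condition keys treated as restricting, the sample ARNs and the CIDR are assumptions of the example; in a live account the policy documents come from `aws sesv2 get-email-identity-policies`.

```python
"""Find public SES identity policies and build a least-privilege replacement.

Added example for this check page, not Prowler's own code. All policy
documents, ARNs and CIDRs below are constructed for illustration.
"""
import json
import shlex
from typing import Any

# Condition keys that tie a statement to a specific caller or source. A
# wildcard principal scoped by one of these is not treated as public here;
# which keys to honour is an assumption of this example.
RESTRICTING_CONDITION_KEYS = {
    "aws:sourcearn", "aws:sourceaccount", "aws:principalaccount",
    "aws:principalarn", "aws:principalorgid", "aws:sourcevpc", "aws:sourcevpce",
}

# Constructed sample identity policies (what get-email-identity-policies
# returns as JSON strings in its Policies map).
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicSend",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["ses:SendEmail", "ses:SendRawEmail"],
        "Resource": "arn:aws:ses:us-east-1:111122223333:identity/example.com",
    }],
}
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "WildcardButPinnedToAccount",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "ses:SendEmail",
        "Resource": "arn:aws:ses:us-east-1:111122223333:identity/example.com",
        "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}},
    }],
}


def _principal_is_wildcard(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"}, including "*" inside a list."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _has_restricting_condition(statement: dict) -> bool:
    """True if any condition key pins the caller to an account/ARN/org/VPC."""
    for operator_block in statement.get("Condition", {}).values():
        if any(key.lower() in RESTRICTING_CONDITION_KEYS for key in operator_block):
            return True
    return False


def public_statements(policy: dict) -> list[dict]:
    """Return the Allow statements reachable by any AWS principal."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    return [
        s for s in statements
        if s.get("Effect") == "Allow"
        and _principal_is_wildcard(s.get("Principal"))
        and not _has_restricting_condition(s)
    ]


def is_public(policy: dict) -> bool:
    return bool(public_statements(policy))


def least_privilege_policy(identity_arn: str, sender_arn: str, cidrs: list[str]) -> dict:
    """Sending-authorization policy for one explicit delegate sender,
    limited to the listed source CIDRs via aws:SourceIp."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowDelegateSender",
            "Effect": "Allow",
            "Principal": {"AWS": sender_arn},
            "Action": ["ses:SendEmail", "ses:SendRawEmail"],
            "Resource": identity_arn,
            "Condition": {"IpAddress": {"aws:SourceIp": cidrs}},
        }],
    }


def put_policy_command(identity: str, policy_name: str, policy: dict) -> str:
    """Shell-quoted aws sesv2 command that replaces the named identity policy."""
    return (
        f"aws sesv2 put-email-identity-policy --email-identity {shlex.quote(identity)} "
        f"--policy-name {shlex.quote(policy_name)} --policy {shlex.quote(json.dumps(policy))}"
    )


if __name__ == "__main__":
    for name, pol in [("PublicSend", PUBLIC_POLICY), ("Scoped", SCOPED_POLICY)]:
        print(name, "PUBLIC" if is_public(pol) else "ok",
              [s["Sid"] for s in public_statements(pol)])
    fixed = least_privilege_policy(
        "arn:aws:ses:us-east-1:111122223333:identity/example.com",
        "arn:aws:iam::444455556666:role/marketing-sender",  # assumed delegate
        ["203.0.113.0/24"],                                 # assumed sender CIDR
    )
    print(put_policy_command("example.com", "PublicSend", fixed))
```

The scoped policy is deliberately kept as a counter-example: a Principal of "*" is not automatically public when a condition such as aws:SourceAccount pins the caller, so a tool that only greps for "*" over-reports, while one that ignores conditions entirely under-reports. Treat put-email-identity-policy as a full replacement of the named policy; confirm with get-email-identity-policies that no other policy on the identity still contains an unscoped wildcard.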
Resource Type
AwsIamPolicy