I'm using Amazon SES to send emails from my services, but recently I've noticed a troubling increase in bounces. I'm concerned that my account may have been compromised. I've already disabled the SMTP keys associated with my IAM account, but I want to dig deeper to find out where the issue might be. Unfortunately, SES doesn't provide a default message log, making it impossible for me to track the sending IP. I've heard about enabling CloudWatch logs, but it seems more like a traffic/event analyzer rather than a straightforward message log. What else can I do to investigate this situation? Any advice would be greatly appreciated!
2 Answers
Definitely keep an eye on any unexpected resources, like Lightsail instances. Sometimes, people can misuse your credentials to launch those instances and run spam scripts from there. It's a clever way to hide their tracks, so make sure to check there too!
Have you checked CloudTrail? It's a great tool for keeping track of all account activity. If you suspect someone is abusing your account, look into the IAM Access Analyzer, Detective, and GuardDuty as well. They can help identify unusual activity. Also, using Cost Explorer could provide insights—often, an attacker will create resources in less obvious regions, which can be a red flag.
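An added example, not part of the answers above: one way to act on the CloudTrail and "less obvious regions" advice is to scan exported CloudTrail records for resource-creating events outside the regions you normally use, then group them by access key and source IP. The expected-region set, the event-name prefixes and the sample records are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

EXPECTED_REGIONS = {"us-east-1"}  # assumption: regions you actually use
CREATE_PREFIXES = ("Create", "Run", "Allocate")  # assumed watch list of event-name prefixes

# Constructed sample records in CloudTrail's record layout (not real data).
SAMPLE = json.loads("""{"Records": [
 {"eventTime": "2024-01-10T03:12:45Z", "eventSource": "lightsail.amazonaws.com",
  "eventName": "CreateInstances", "awsRegion": "ap-southeast-2", "sourceIPAddress": "203.0.113.7",
  "userIdentity": {"userName": "mailer", "accessKeyId": "AKIAEXAMPLE0000000001"}},
 {"eventTime": "2024-01-10T03:15:02Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "RunInstances", "awsRegion": "sa-east-1", "sourceIPAddress": "203.0.113.7",
  "userIdentity": {"userName": "mailer", "accessKeyId": "AKIAEXAMPLE0000000001"}},
 {"eventTime": "2024-01-10T09:00:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "RunInstances", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.20",
  "userIdentity": {"userName": "deploy", "accessKeyId": "AKIAEXAMPLE0000000002"}},
 {"eventTime": "2024-01-10T09:05:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "awsRegion": "eu-west-3", "sourceIPAddress": "198.51.100.20",
  "userIdentity": {"userName": "deploy", "accessKeyId": "AKIAEXAMPLE0000000002"}}
]}""")["Records"]


def flag_unexpected_creates(records, expected_regions=EXPECTED_REGIONS):
    """Return resource-creating events recorded outside the expected regions, oldest first."""
    hits = [
        rec for rec in records
        if rec.get("awsRegion") not in expected_regions
        and rec.get("eventName", "").startswith(CREATE_PREFIXES)
    ]
    return sorted(hits, key=lambda r: r.get("eventTime", ""))


def group_by_credential(hits):
    """Map (access key id, source IP) to a list of 'region service:event' strings."""
    grouped = defaultdict(list)
    for rec in hits:
        ident = rec.get("userIdentity", {})
        key = (ident.get("accessKeyId", "unknown"), rec.get("sourceIPAddress", "unknown"))
        service = rec.get("eventSource", "").split(".")[0]
        grouped[key].append(f"{rec.get('awsRegion')} {service}:{rec.get('eventName')}")
    return dict(grouped)


if __name__ == "__main__":
    findings = group_by_credential(flag_unexpected_creates(SAMPLE))
    for (access_key, ip), events in findings.items():
        print(access_key, ip, events)
```

Any access key that shows up here is a candidate for rotation, and the listed regions are where to look for resources to inventory and remove.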
