I've been using AWS SES for sending emails through my services, but recently I've noticed a troubling increase in bounce rates. I'm starting to worry that my account might be compromised. I've already disabled the SMTP keys associated with my IAM account, but I'm trying to dive deeper into where the vulnerability lies. Unfortunately, SES doesn't provide a default message log, making it tough to track the sending IP. I know that enabling CloudWatch logs could help, but it seems more focused on traffic and events rather than serving as a message log. What am I overlooking? Any insights would be appreciated!
2 Answers
Also, it’s worth checking if any Lightsail instances were created under your account. Often, attackers will use your credentials to launch instances with scripts to send spam emails, which could be another source of your problems.
You should definitely check out AWS CloudTrail! It tracks user activity and API usage, which could help you pinpoint any suspicious actions. Additionally, tools like IAM Access Analyzer, Detective, and GuardDuty can provide further insights if you suspect abuse. Cost Explorer is handy too, especially if you think someone has bypassed your security and is misusing resources, as they might deploy things in different regions to keep under the radar.

Do these tools work retroactively to examine past events, or do I need to enable them first to start using their features?
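
A triage pass over CloudTrail records for the signals the two answers mention (Lightsail creation, activity in other regions, IAM credential changes, SES calls from unfamiliar addresses). This is an added example, not code from either answer; the expected regions, known IPs, rule names and sample records are constructed assumptions.

```python
import json

# Assumptions for this sketch: the regions and source IPs you expect to see.
EXPECTED_REGIONS = {"us-east-1"}
KNOWN_IPS = {"192.0.2.10"}
IAM_CHANGES = {"CreateAccessKey", "CreateUser", "CreateLoginProfile",
               "AttachUserPolicy", "PutUserPolicy"}

def _rec(time, service, name, region, ip):
    """Build one constructed record with the CloudTrail fields used below."""
    return {"eventTime": time, "eventSource": service + ".amazonaws.com",
            "eventName": name, "awsRegion": region, "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEKEY"}}

# Constructed sample in the CloudTrail log-file layout: {"Records": [...]}.
SAMPLE = json.dumps({"Records": [
    _rec("2024-05-02T01:20:00Z", "lightsail", "CreateInstances", "ap-southeast-1", "203.0.113.77"),
    _rec("2024-05-01T08:00:00Z", "ses", "GetSendQuota", "us-east-1", "192.0.2.10"),
    _rec("2024-05-02T01:12:00Z", "ses", "GetSendQuota", "us-east-1", "203.0.113.77"),
    _rec("2024-05-02T01:15:00Z", "iam", "CreateAccessKey", "us-east-1", "203.0.113.77"),
]})

def reasons(rec):
    """Return the heuristic reasons one record deserves a closer look."""
    src, name = rec.get("eventSource", ""), rec.get("eventName", "")
    out = []
    if src == "lightsail.amazonaws.com" and name.startswith("Create"):
        out.append("lightsail-create")
    if src == "iam.amazonaws.com" and name in IAM_CHANGES:
        out.append("iam-credential-change")
    if src == "ses.amazonaws.com" and rec.get("sourceIPAddress") not in KNOWN_IPS:
        out.append("ses-call-from-unknown-ip")
    if rec.get("awsRegion") not in EXPECTED_REGIONS:
        out.append("unexpected-region")
    return out

def triage(log_text):
    """Parse a CloudTrail log file and return flagged events in time order."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        why = reasons(rec)
        if why:
            findings.append({"time": rec.get("eventTime"), "why": why,
                             "event": rec.get("eventName"),
                             "ip": rec.get("sourceIPAddress"),
                             "key": rec.get("userIdentity", {}).get("accessKeyId")})
    return sorted(findings, key=lambda f: f["time"])

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["time"], f["event"], f["ip"], f["key"], ",".join(f["why"]))
```

Grouping the flagged events by `key` and `ip` shows which credential was used and from where, which is the question the original post is trying to answer.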