# AWS SES Service Modification

Detect when the Amazon Simple Email Service (SES) has been modified in ways that could allow an attacker to propagate phishing email campaigns. This includes actions like creating, deleting, and verifying identities, as well as enabling or configuring SES sending.

## Detection Query
Execute the following query to find alerts related to this rule.

```
%ingest.source_type="aws:cloudtrail"
eventSource:"ses.amazonaws.com"
eventName:(
  CreateEmailIdentity
  DeleteEmailIdentity
  VerifyEmailIdentity
  VerifyDomainIdentity
  VerifyDomainDkim
  UpdateAccountSendingEnabled
  UpdateConfigurationSetSendingEnabled
  PutAccountSendingAttributes
  PutConfigurationSetSendingOptions
)
not errorCode:*
| groupbycount(
  recipientAccountId,
  userIdentity.arn,
  awsRegion
)
| where @q.count > 0
```
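To check the rule's logic against exported CloudTrail records before relying on it, the same filter and grouping can be reproduced offline. The following is an added example, not part of the original rule: the function names, the `make_event` helper, and the sample records (account ID, ARNs, regions) are constructed for illustration.

```python
from collections import Counter

# Event names copied from the detection query.
SES_MODIFICATION_EVENTS = {
    "CreateEmailIdentity", "DeleteEmailIdentity", "VerifyEmailIdentity",
    "VerifyDomainIdentity", "VerifyDomainDkim", "UpdateAccountSendingEnabled",
    "UpdateConfigurationSetSendingEnabled", "PutAccountSendingAttributes",
    "PutConfigurationSetSendingOptions",
}

def is_ses_modification(event):
    """True for a successful SES change that the rule covers."""
    return (
        event.get("eventSource") == "ses.amazonaws.com"
        and event.get("eventName") in SES_MODIFICATION_EVENTS
        and not event.get("errorCode")  # same intent as `not errorCode:*`
    )

def group_hits(events):
    """Count matches per (recipientAccountId, userIdentity.arn, awsRegion)."""
    counts = Counter()
    for ev in events:
        if is_ses_modification(ev):
            arn = (ev.get("userIdentity") or {}).get("arn")
            counts[(ev.get("recipientAccountId"), arn, ev.get("awsRegion"))] += 1
    return dict(counts)

def make_event(name, arn, region, source="ses.amazonaws.com", error=None):
    """Build a minimal constructed CloudTrail-style record (hypothetical helper)."""
    ev = {"eventSource": source, "eventName": name, "awsRegion": region,
          "recipientAccountId": "111122223333", "userIdentity": {"arn": arn}}
    if error:
        ev["errorCode"] = error
    return ev

# Constructed sample records, not real CloudTrail data.
USER_A = "arn:aws:iam::111122223333:user/example-a"
USER_B = "arn:aws:iam::111122223333:user/example-b"
SAMPLE_EVENTS = [
    make_event("CreateEmailIdentity", USER_A, "us-east-1"),
    make_event("PutAccountSendingAttributes", USER_A, "us-east-1"),
    make_event("UpdateAccountSendingEnabled", USER_A, "eu-west-1"),
    make_event("VerifyDomainIdentity", USER_B, "us-east-1", error="AccessDenied"),
    make_event("SendEmail", USER_A, "us-east-1"),  # not a modification event
    make_event("CreateUser", USER_A, "us-east-1", source="iam.amazonaws.com"),
]

if __name__ == "__main__":
    for key, count in group_hits(SAMPLE_EVENTS).items():
        print(key, count)
```

Failed calls are dropped by the `errorCode` check, so denied attempts such as the `AccessDenied` record above do not appear in the grouped output.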

## Investigation Steps
1. **Identify the Principal**: Who performed the action?
2. **Review Context**: What else did this principal do?
3. **Check Permissions**: Did the principal have legitimate reasons for this action?
4. **Verify Resource**: Is the resource critical or sensitive?

```
%ingest.source_type="aws:cloudtrail"
userIdentity.arn: <PRINCIPAL_ARN>
| count(eventName) by eventName
```