Likelihood: MODERATE
Impact: HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is moderate: exploitation is not confirmed in this organization, but the attack vector, exposed IAM keys in public repositories, is mechanistically straightforward and the technique is actively used by threat actors at scale; any organization with public-facing code repositories or SES-enabled IAM keys faces a non-trivial probability of exposure. Impact is high because mail sent through the organization's verified SES identities passes SPF, DKIM, and DMARC as legitimate mail from the organization, so a compromised SES-capable IAM key lets an attacker send phishing and BEC mail at scale that recipients' email authentication controls cannot distinguish from genuine traffic, with direct financial-loss potential through fraudulent wire-transfer or payroll-diversion requests, and secondary reputational and regulatory exposure if the organization's SES account is weaponized against third parties.
Treatment rationale: The attack surface — exposed IAM credentials and misconfigured SES permissions — is directly controllable through secrets scanning, least-privilege IAM scoping, and SES sending controls, making active mitigation the appropriate primary treatment rather than acceptance or transfer.
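As an added illustration of the least-privilege IAM scoping named above (example code written for this page, not the organization's own tooling or an AWS product), the audit below flags Allow statements that grant SES send actions with a wildcard Action or Resource, or without a `ses:FromAddress` condition pinning the key to one sender. The two embedded policies, the account id, and the domain are constructed samples.

```python
import json

# Constructed sample policies (fictitious account id and domain), not from any real account.
OVERBROAD_POLICY = json.dumps({"Statement": [
    {"Effect": "Allow", "Action": "ses:*", "Resource": "*"}]})
SCOPED_POLICY = json.dumps({"Statement": [{
    "Effect": "Allow",
    "Action": ["ses:SendEmail", "ses:SendRawEmail"],
    "Resource": "arn:aws:ses:us-east-1:123456789012:identity/notify.example.com",
    "Condition": {"StringEquals": {"ses:FromAddress": "noreply@notify.example.com"}},
}]})

# SES actions that actually put mail on the wire; a leaked key is abused through these.
SEND_ACTIONS = {"ses:sendemail", "ses:sendrawemail",
                "ses:sendtemplatedemail", "ses:sendbulktemplatedemail"}


def _as_list(value):
    """IAM accepts a scalar or a list for Statement/Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _grants_send(action):
    """True if this Action string (possibly wildcarded: '*', 'ses:*', 'ses:Send*') covers a send action."""
    a = action.lower()
    if a.endswith("*"):
        return any(s.startswith(a[:-1]) for s in SEND_ACTIONS)
    return a in SEND_ACTIONS


def audit_ses_policy(policy_json):
    """Return (statement_index, finding) pairs for Allow statements that let a key send
    mail without sender scoping. NotAction/NotResource are not modelled: review by hand."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(_grants_send(a) for a in actions):
            continue
        if any(a.endswith("*") for a in actions):
            findings.append((i, "wildcard-action"))
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append((i, "wildcard-resource"))
        # Condition is {operator: {key: value}}; condition keys are case-insensitive in IAM.
        keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        if "ses:fromaddress" not in keys:
            findings.append((i, "no-from-address-condition"))
    return findings
```

Run it over the policies attached to any IAM principal whose access key could end up in a repository; the scoped policy pins the key to one verified identity and one From address, so a leaked copy cannot impersonate other senders.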
Third-Party / Supply-Chain Risk
AWS SES is a shared-platform dependency: the organization's email deliverability trust is inherited from AWS's IP reputation and authentication infrastructure, meaning an attacker who abuses the organization's SES-enabled IAM key sends mail that carries AWS's authentication posture, not just the organization's. Additionally, DocuSign brand impersonation introduces downstream third-party risk: recipients inside partner or customer organizations may act on fraudulent DocuSign-branded emails that appear to originate from a trusted AWS-backed sender, creating vendor-relationship and contractual exposure. Per NIST SP 800-161, this is a shared-service/platform dependency risk: the organization controls neither AWS SES sending infrastructure nor DocuSign brand controls, and cannot unilaterally revoke the trust signal those brands carry.
Loss Exposure (illustrative)
Magnitude: High — illustrative $250K–$2.5M per event
Frequency: Illustrative: an organization with at least one SES-enabled IAM key exposed in a public repository faces a plausible primary-loss event probability in the range of once every 1–3 years absent active remediation; BEC financial loss events would be discrete within that window
Annualized: Illustrative ALE: $85K–$830K annually, reflecting loss magnitude range divided across a 1–3 year mean time to event; this collapses to the lower bound if SES exposure is remediated promptly
Basis: Loss magnitude driven by: (1) BEC wire fraud or payroll diversion as the primary loss scenario — typical BEC transaction requests are in the $50K–$500K range per incident with potential for multiple events before detection; (2) incident response, forensic investigation, and credential rotation costs across the AWS environment; (3) reputational and customer-notification costs if the organization's SES account is confirmed as a phishing origin. Frequency estimate derived from the mechanistic accessibility of the attack vector — automated repository scanning for exposed keys is well-documented — moderated by the assumption that not all exposed keys have SES permissions and not all organizations have keys exposed. Figures are illustrative constructs based on attack-path logic, not drawn from any external study or benchmark.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• If the organization's SES account is used to send phishing emails to external parties, this may constitute unauthorized use of a cloud service with third-party harm implications — potential trigger for cyber liability coverage notice obligations — verify with broker.
• BEC-driven fraudulent wire transfer or payroll diversion resulting in financial loss may trigger a crime/social engineering rider under a cyber or commercial crime policy — verify with broker whether social engineering loss sub-limits apply.
• If employee or customer PII is accessed or exfiltrated as part of a BEC follow-on compromise, state breach-notification obligations and applicable federal/sector-specific notification requirements may be triggered — verify with counsel.
• Use of the organization's AWS account to send unsolicited commercial or fraudulent email to third parties may implicate CAN-SPAM, GDPR Article 5 integrity obligations, or similar — verify with counsel.