A compromised AWS IAM key with SES permissions gives an attacker a trusted, authenticated email channel at scale — any phishing or BEC email sent through your account will appear to come from a legitimate AWS-backed sender, bypassing the email security controls your organization has invested in. BEC campaigns targeting finance, HR, or executive staff carry direct financial loss risk through fraudulent wire transfers or payroll diversion; impersonation of brands like DocuSign adds invoice fraud and credential theft vectors. Organizations may also face reputational damage if their SES-verified domain is used to send phishing to customers or partners, and regulatory exposure under GDPR, HIPAA, or SOC 2 frameworks if the compromised keys accessed or exfiltrated additional AWS resources beyond SES.
You Are Affected If
Your organization uses Amazon SES in any AWS region for transactional or bulk email sending
AWS IAM access keys with SES permissions exist in your environment (especially keys associated with applications or CI/CD pipelines)
IAM access keys are or have been stored in public or semi-public code repositories, environment files, or CI/CD configuration
Your IAM policy grants ses:SendEmail or ses:SendRawEmail to broad principals rather than scoped service accounts
You lack automated secret scanning (e.g., TruffleHog, detect-secrets) in your development and repository workflows
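One way to audit the over-broad SES grants described in the list above, as an added example that is not part of the original advisory: the function below inspects IAM policy documents (constructed samples here, not real account data) and flags Allow statements that grant SES sending through wildcard actions, a wildcard Resource, or without a ses:FromAddress condition pinning the sender. It handles the string-or-list forms IAM accepts and the wildcard, case-insensitive action matching IAM uses; NotAction/NotResource statements are assumed absent and are not evaluated.

```python
import fnmatch
import json

# Constructed sample policies; the account id and domain are placeholders.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ses:*", "Resource": "*"}],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ses:SendEmail", "ses:SendRawEmail"],
        "Resource": "arn:aws:ses:us-east-1:123456789012:identity/example.com",
        "Condition": {"StringLike": {"ses:FromAddress": "*@example.com"}},
    }],
})

SEND_ACTIONS = ("ses:sendemail", "ses:sendrawemail")


def _as_list(value):
    """IAM allows a string or a list for Action/Resource/Statement; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def ses_send_findings(policy_json):
    """Return (statement_index, reason) pairs for Allow statements that grant
    SES sending more broadly than a scoped service account should have."""
    findings = []
    doc = json.loads(policy_json)
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        # IAM action names are case-insensitive and may contain '*' wildcards.
        patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(fnmatch.fnmatchcase(act, p)
                   for act in SEND_ACTIONS for p in patterns):
            continue  # this statement does not grant sending at all
        if any("*" in p for p in patterns):
            findings.append((idx, "wildcard action grants SES sending"))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append((idx, "Resource '*' allows any verified identity"))
        if "ses:fromaddress" not in json.dumps(stmt.get("Condition", {})).lower():
            findings.append((idx, "no ses:FromAddress condition on the sender"))
    return findings
```

Run the function over each customer-managed and inline policy pulled from IAM (e.g. via the boto3 GetPolicyVersion / GetUserPolicy calls) to prioritise which keys to scope down or rotate first.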
Board Talking Points
Attackers are stealing AWS credentials left exposed in code repositories and using them to send authenticated phishing emails that our email security tools cannot block.
Security and engineering teams should audit and rotate all AWS email-sending credentials within 48 hours and implement automated scanning to prevent future exposure.
Without action, attackers retain a trusted channel to impersonate our organization or deceive our staff — increasing the probability of a successful wire fraud or data breach.
GDPR — Compromised IAM keys may provide access to AWS resources storing personal data of EU residents beyond SES alone; unauthorized email campaigns to EU data subjects may constitute a personal data breach requiring notification under Article 33.
HIPAA — If SES-enabled AWS accounts operate within environments that process or store protected health information, key compromise may trigger breach notification obligations under the HIPAA Breach Notification Rule.
SOC 2 — Unauthorized use of IAM credentials and uncontrolled outbound email sending directly implicates SOC 2 Trust Services Criteria for logical access controls (CC6) and monitoring (CC7).