We are having a pretty bad attack on our SES service right now. Some 25K+ emails have gone out, and with a large bounce rate. And apparently emails are still going out. Is there a way we can reduce the hourly or daily email sending limit, or completely stop SES email sending until this is resolved?
What are the recommended actions to take in this situation? I am looking at CloudWatch but it does not provide any helpful information other than the stats. Is there any way to know from where these emails are being sent?
Any help is very much appreciated!!
2 Answers
If CloudTrail is enabled, you should be able to see the API requests using that service: AWS SES – Logging Using CloudTrail.
To answer your question on how to stop it while you figure out what's going on: the easiest would be to disable the IAM user or IAM role that it’s being sent as. You can find this information using CloudTrail if you have multiple identities that can send via SES.
If you can, I’d pause all SES activity for now. With the AWS CLI you can do something like:
(yes, "no-enabled" is a weird way of disabling it). See this page for details. From there you can find out if this is a credential leak (i.e. someone got a hold of a credential and is sending mail as you) or a code problem (i.e. you have some code on a website that is being abused). I’d do this soon – AWS doesn’t keep your SES account active very long when there are many bounces or spam reports.
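One way to act on both answers, as an added example that is not part of either answer: group SES send events from CloudTrail by identity, access key and source IP to see which credential to disable and whether the traffic looks like a credential leak or an abused application. It assumes send actions are being recorded in your trail (this depends on the trail's configuration), that events were exported one JSON object per line, and that `known_app_ips` (a hypothetical parameter) lists your application's egress addresses; the sample records are constructed.

```python
import json
from collections import Counter

# SES send actions; whether they appear in your trail depends on its configuration.
SEND_EVENTS = {"SendEmail", "SendRawEmail", "SendTemplatedEmail", "SendBulkTemplatedEmail"}

# Constructed CloudTrail-style records, one JSON object per line (not real data).
SAMPLE_LOG = """\
{"eventSource":"ses.amazonaws.com","eventName":"SendRawEmail","sourceIPAddress":"198.51.100.23","userIdentity":{"arn":"arn:aws:iam::111122223333:user/mailer","accessKeyId":"AKIAEXAMPLEKEY000001"}}
{"eventSource":"ses.amazonaws.com","eventName":"SendRawEmail","sourceIPAddress":"198.51.100.23","userIdentity":{"arn":"arn:aws:iam::111122223333:user/mailer","accessKeyId":"AKIAEXAMPLEKEY000001"}}
{"eventSource":"ses.amazonaws.com","eventName":"SendEmail","sourceIPAddress":"198.51.100.23","userIdentity":{"arn":"arn:aws:iam::111122223333:user/mailer","accessKeyId":"AKIAEXAMPLEKEY000001"}}
{"eventSource":"ses.amazonaws.com","eventName":"SendEmail","sourceIPAddress":"203.0.113.10","userIdentity":{"arn":"arn:aws:iam::111122223333:user/webapp","accessKeyId":"AKIAEXAMPLEKEY000002"}}
{"eventSource":"ses.amazonaws.com","eventName":"SendEmail","sourceIPAddress":"203.0.113.10","userIdentity":{"arn":"arn:aws:iam::111122223333:user/webapp","accessKeyId":"AKIAEXAMPLEKEY000002"}}
{"eventSource":"ses.amazonaws.com","eventName":"GetSendQuota","sourceIPAddress":"203.0.113.10","userIdentity":{"arn":"arn:aws:iam::111122223333:user/webapp","accessKeyId":"AKIAEXAMPLEKEY000002"}}
{"eventSource":"s3.amazonaws.com","eventName":"PutObject","sourceIPAddress":"203.0.113.10","userIdentity":{"arn":"arn:aws:iam::111122223333:user/webapp","accessKeyId":"AKIAEXAMPLEKEY000002"}}
{"eventSource":"ses.amazonaws.com","eventName":"SendEm
"""

def summarize_senders(log_text, known_app_ips):
    """Count SES send events per (identity, access key, source IP), busiest first."""
    counts = Counter()
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank, truncated or non-JSON lines
        if not isinstance(ev, dict):
            continue
        if ev.get("eventSource") != "ses.amazonaws.com" or ev.get("eventName") not in SEND_EVENTS:
            continue  # not an SES send action
        ident = ev.get("userIdentity") or {}
        key = (ident.get("arn", "unknown"), ident.get("accessKeyId", "unknown"),
               ev.get("sourceIPAddress", "unknown"))
        counts[key] += 1
    report = []
    for (arn, access_key, ip), sends in counts.most_common():
        # Heuristic only: sends from one of your own hosts point at abused code,
        # sends from anywhere else point at a leaked credential.
        verdict = ("own host: check application code" if ip in known_app_ips
                   else "unknown host: treat credential as leaked")
        report.append({"arn": arn, "access_key": access_key, "source_ip": ip,
                       "sends": sends, "verdict": verdict})
    return report

if __name__ == "__main__":
    for row in summarize_senders(SAMPLE_LOG, {"203.0.113.10"}):
        print(row)
```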