AWS Security ChangesHomeSearch

AWS ses medium security documentation change

Service: ses · 2025-04-11 · Security-related medium

File: ses/latest/dg/eb-ingress.md

Summary

Added documentation for configuring SES ingress endpoints through Amazon VPC endpoints, including security requirements and private network configuration options

Security assessment

The changes introduce VPC endpoint integration for private email ingestion, emphasizing secure private networking, account ownership validation, and removal of public DNS exposure. While no explicit vulnerability is mentioned, these are security-focused architectural improvements.

Diff

diff --git a/ses/latest/dg/eb-ingress.md b/ses/latest/dg/eb-ingress.md
index 99f5bd95c..d37646deb 100644
--- a//ses/latest/dg/eb-ingress.md
+++ b//ses/latest/dg/eb-ingress.md
@@ -5 +5 @@
-Configuring your environmentCreating an ingress endpoint (console)
+Configuring ingress endpointsCreating an ingress endpoint (console)
@@ -26 +26 @@ At the time of creating your ingress endpoint, you must assign it a traffic poli
-Once you create your ingress endpoint, you must configure it with the environment you're using to receive email, whether that be the configuration of an on-premise SMTP client or a web-based DNS domain host. This is discussed below in Configuring your environment to use an ingress endpoint.
+Once you create your ingress endpoint, you must configure it with the environment you're using to receive email, whether that be the configuration of an on-premise SMTP client or a web-based DNS domain host. This is discussed below in Receiving email through the public endpoints.
@@ -29,0 +30,4 @@ Once you create your ingress endpoint, you must configure it with the environmen
+SES supports both public endpoints and Amazon Virtual Private Cloud (VPC) endpoints for ingress endpoints to accept incoming email. The following sections explain how to configure your ingress endpoint to use either of these options.
+
+### Receiving email through the public endpoints
+
@@ -70 +74 @@ For the authorized senders whom you’ve shared your SMTP credentials with in or
-  * Username – This is the ingress endpoint ID and must be encoded in Base64. _(SeeStep 10. in the console procedures to learn how to find the ingress endpoint ID.)_
+  * Username – This is the ingress endpoint ID and must be encoded in Base64. _(SeeStep 11. in the console procedures to learn how to find the ingress endpoint ID.)_
@@ -107 +111,90 @@ This example contains the following properties:
-The procedure in the next section will walk you through creating an ingress endpoint in the SES console.
+### Receiving email through Amazon VPC endpoints
+
+In addition to public ingress endpoints, you can use VPC endpoints with SES ingress endpoints for secure, private email ingestion within your private network infrastructure.
+
+###### Configuration differences compared to using public ingress endpoints
+
+  * The "A" Record typically available for public endpoints is not provided.
+
+  * You must connect to the ingress endpoint using DNS names provided by your VPC endpoint.
+
+  * All connections use private networking within your VPC.
+
+
+
+
+###### Types of ingress endpoints supported through VPC endpoints
+
+SES supports two types of ingress points through VPC endpoints:
+
+  * Open ingress endpoint – Email sent to your domain route directly through the VPC endpoint without requiring sender authentication.
+
+Configuration requirements:
+
+    * Create a private open ingress endpoint by associating it with a VPC endpoint ID you own.
+
+    * Supported ports: 25, 587
+
+    * Supports STARTTLS: Yes
+
+  * Authenticated ingress endpoint – Mail sent to your domain has to come from authorized senders whom you’ve shared your SMTP credentials with, such as your on-premise email servers.
+
+Configuration requirements:
+
+    * Create a private authenticated ingress endpoint by associating it with a VPC endpoint ID you own.
+
+    * Supported ports: 25, 587 
+
+    * Supports STARTTLS: Yes
+
+    * Authentication uses the same base64-encoded username and password mechanism as public authenticated endpoints.
+
+
+
+
+###### VPC endpoint requirements
+
+To use a VPC endpoint with an SES ingress endpoint, the following requirements must be met:
+
+  * The VPC endpoint must be active and available.
+
+  * The VPC endpoint must be owned by the same AWS account as the ingress endpoint (cross-account access is not supported).
+
+  * The VPC endpoint must be created for the appropriate service name based on the type of ingress endpoint:
+
+    * Open ingress endpoint – `com.amazonaws.`region`.mail-manager-smtp.open`
+
+    * Authenticated ingress endpoint – `com.amazonaws.`region`.mail-manager-smtp.auth`
+
+    * FIPS open ingress endpoint – `com.amazonaws.`region`.mail-manager-smtp.open.fips`
+
+    * FIPS authenticated ingress endpoint – `com.amazonaws.`region`.mail-manager-smtp.auth.fips`
+
+
+
+
+###### Important configuration notes
+
+  * One-to-one relationship – Each VPC endpoint can only be associated with a single ingress endpoint. You cannot use the same VPC endpoint for multiple ingress endpoints.
+
+  * No VPC endpoint policies – Unlike other AWS services, VPC endpoints used with ingress endpoints do not support VPC endpoint policies. SES automatically verifies that the VPC endpoint owner and the ingress endpoint owner are the same AWS account.
+
+  * Private DNS only – All DNS names provided by the VPC endpoint will be private DNS names accessible only within your VPC.
+
+  * Validation at creation time – SES performs validation during resource creation to ensure the VPC endpoint meets all requirements.
+
+
+
+
+###### Connecting to your ingress endpoint through a VPC endpoint
+
+After configuring your VPC endpoint and ingress endpoint:
+
+  1. Retrieve the DNS names generated for your VPC endpoint.
+
+  2. Configure your SMTP clients or email servers to use these DNS names for connection.
+
+  3. If using an authenticated endpoint, configure your SMTP clients with the appropriate base64-encoded credentials used with your authenticated ingress endpoint.
+
+
+
@@ -169 +262,7 @@ For **Key** , you must only enter `password` (anything else will cause authentic
-  6. Select a traffic policy to determine the email you want to block or allow.
+  6. Select a rule set containing the rule actions you want to perform on the email you allow in.
+
+  7. Select a traffic policy to determine the email you want to block or allow.
+
+  8. Choose whether it will be a **Public** or **Private** network.
+
+     * For a public network, choose either **IPv4** only or **Dualstack** (IPv4 and IPv6) addressing.
@@ -171 +270 @@ For **Key** , you must only enter `password` (anything else will cause authentic
-  7. Select a rule set containing the rule actions you want to perform on the email you allow in.
+     * For a private network, select or enter a VPC endpoint that you've shared with authorized senders in the same account, such as IAM users or roles. Optionally, you can create a new VPC endpoint by choosing **Create VPC endpoint** to open the Amazon VPC console.
@@ -173 +272 @@ For **Key** , you must only enter `password` (anything else will cause authentic
-  8. Select **Create ingress endpoint**.
+  9. Select **Create ingress endpoint**.
@@ -175 +274 @@ For **Key** , you must only enter `password` (anything else will cause authentic
-  9. In **General details** , "Provisioning" will be displayed while your ingress endpoint is being created—refresh the page until "Active" is displayed and the **ARecord** field contains a value. Copy the "A" record value and paste it into your DNS configuration or your SMTP client as discussed in Configuring your environment.
+  10. In **General details** , "Provisioning" will be displayed while your ingress endpoint is being created—refresh the page until "Active" is displayed and the **ARecord** field contains a value. Copy the "A" record value and paste it into your DNS configuration or your SMTP client as discussed in Public endpoint configuration.
@@ -177 +276 @@ For **Key** , you must only enter `password` (anything else will cause authentic
-  10. Just above the **General details** container on the console, there is a large, unlabeled number prefixed by "inp" (also replicated in the breadcrumb trail at the top of the page), for example, **inp-1abc2de3fghi4jkl5mnop6qr**. This is referred to as the _ingress endpoint ID_ , its value is used as the _username_ to login to your ingress server. (You'll need to share this with your authorized senders to connect to your endpoint.)
+  11. Just above the **General details** container on the console, there is a large, unlabeled number prefixed by "inp" (also replicated in the breadcrumb trail at the top of the page), for example, **inp-1abc2de3fghi4jkl5mnop6qr**. This is referred to as the _ingress endpoint ID_ , its value is used as the _username_ to login to your ingress server. (You'll need to share this with your authorized senders to connect to your endpoint.)
@@ -179 +278 @@ For **Key** , you must only enter `password` (anything else will cause authentic
-  11. You can view and manage the ingress endpoints you've already created from the **Ingress endpoints** page. If there's an ingress endpoint you want to remove, select it's radio button followed by **Delete**.
+  12. You can view and manage the ingress endpoints you've already created from the **Ingress endpoints** page. If there's an ingress endpoint you want to remove, select it's radio button followed by **Delete**.
@@ -181 +280 @@ For **Key** , you must only enter `password` (anything else will cause authentic
-  12. To edit an ingress endpoint, select its name to open its summary page:
+  13. To edit an ingress endpoint, select its name to open its summary page: