AWS Security ChangesHomeSearch

AWS ses documentation change

Service: ses · 2025-05-16 · Documentation medium

File: ses/latest/dg/eb-logging.md

Summary

Expanded logging documentation with new TRAFFIC_POLICY_DEBUG_LOGS type and detailed debug log structure

Security assessment

Adds documentation for enhanced logging capabilities including traffic policy debugging, which improves security monitoring but does not address a specific vulnerability.

Diff

diff --git a/ses/latest/dg/eb-logging.md b/ses/latest/dg/eb-logging.md
index 4ada07598..9b562af74 100644
--- a//ses/latest/dg/eb-logging.md
+++ b//ses/latest/dg/eb-logging.md
@@ -107 +107 @@ To enable logging for Mail Manager resources using the CloudWatch Logs API, you
-  1. Create a delivery source with [`PutDeliverySource`](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliverySource.html).
+  1. Create a DeliverySource with [`PutDeliverySource`](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliverySource.html).
@@ -109 +109 @@ To enable logging for Mail Manager resources using the CloudWatch Logs API, you
-  2. Create a delivery destination with [`PutDeliveryDestination`](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliveryDestination.html).
+  2. Create a DeliveryDestination with [`PutDeliveryDestination`](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliveryDestination.html).
@@ -111 +111 @@ To enable logging for Mail Manager resources using the CloudWatch Logs API, you
-  3. Create a delivery by pairing exactly one delivery source and one delivery destination by using [`CreateDelivery`](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_CreateDelivery.html).
+  3. Create a Delivery by pairing exactly one delivery source and one delivery destination by using [`CreateDelivery`](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_CreateDelivery.html).
@@ -120 +120,8 @@ You can view examples of IAM role and permissions policies with all the required
-When creating a DeliverySource, the [`resourceArn`](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliverySource.html#API_PutDeliverySource_RequestSyntax) should be an Ingress endpoint ARN or a Rule set ARN, and the [`logType`](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliverySource.html#API_PutDeliverySource_RequestSyntax) for SES Mail Manager logs must be set to `APPLICATION_LOGS`.
+When creating a DeliverySource, the [`resourceArn`](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliverySource.html#API_PutDeliverySource_RequestSyntax) can be an Ingress endpoint ARN or a Rule set ARN. Depending on the DeliverySource, the [`logType`](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliverySource.html#API_PutDeliverySource_RequestSyntax) can be as follows:
+
+  * **Ingress endpoint ARN** – `APPLICATION_LOGS` or `TRAFFIC_POLICY_DEBUG_LOGS`
+
+  * **Rule set ARN** – `APPLICATION_LOGS`
+
+
+
@@ -126 +133,7 @@ The logs can be used to gain additional insight into the flow of your received m
-The following section details the different fields of the logs for each resource.
+The following examples detail the different fields of the logs for each resource and log type:
+
+###### Log examples
+
+  * Ingress endpoint logs – APPLICATION_LOGS
+
+  * Ingress endpoint logs – TRAFFIC_POLICY_DEBUG_LOGS
@@ -128 +141,6 @@ The following section details the different fields of the logs for each resource
-### Ingress endpoint logs
+  * Rule set logs – APPLICATION_LOGS
+
+
+
+
+### Ingress endpoint logs – `APPLICATION_LOGS`
@@ -155 +173 @@ The logs are generated per message.
-Logs are created only for messages that are accepted by the ingress endpoint. An ingress endpoint that rejects all the incoming messages will not publish any logs.
+Logs are created only for messages that are accepted by the ingress endpoint. An ingress endpoint that rejects all the incoming messages will not publish any application logs.
@@ -175 +193,82 @@ Query messages with size greater than 5000 bytes:
-### Rule set logs
+### Ingress endpoint logs – `TRAFFIC_POLICY_DEBUG_LOGS`
+
+The logs are generated per recipient.
+    
+    
+    {
+        "resource_arn": "arn:aws:ses:us-east-1:1234567890:mailmanager-ingress-point/inp-xxxxx" CPY,
+        "event_timestamp": 1728562395042,
+        "ingress_point_type": "OPEN" | "AUTH",
+        "ingress_point_id": "inp-xxxx",
+        "ingress_point_session_id": "xxxx",
+        "traffic_policy_id": "tp-xxxx",
+        "traffic_policy_evaluation": [
+               // Array of policy evaluations
+               {
+                    "action": "ALLOW" | "DENY",
+                    "conditions": [
+                    // Array of conditions
+                    {
+                        "expression": {
+                            "attribute": "RECIPIENT",
+                            "operator": "CONTAINS",
+                            "value": ["@domain.com", "@mydomain.com"]
+                        },
+                        "expressionResult": true | false
+                    }],
+                    "policyStatementMatched": true | false
+                },
+                // If no policy statement match then default action will be applied
+                {
+                    "action": "ALLOW" | "DENY",
+                    "policyStatementMatched": true,
+                    "type": "DefaultAction"
+                }
+        ],
+        "traffic_policy_verdict": "REJECT" | "ACCEPT",
+        "sender_ip_address": "1.2.3.4",
+        "smtp_mail_from": "[email protected]",
+        "smtp_helo": "domain.com",
+        "tls_protocol": "TLSv1.2",
+        "recipient": "[email protected]",
+        "tls_cipher_suite": "TLS_AES_256_GCM_SHA384"
+    }
+
+###### Note
+
+  * Logs are created for all messages that are evaluated by the traffic policy at the ingress endpoint regardless of whether they're accepted or rejected.
+
+  * All recipient traffic policy evaluations belonging to the same message (within the same SMTP conversation) share a common `ingress_point_session_id`. This ID serves as a correlation identifier since the `message_id` isn't available until after message acceptance.
+
+  * The `traffic_policy_evaluation` content varies based on your configuration and may terminate early once a verdict is determined.
+
+
+
+
+#### Example CloudWatch Logs Insights queries
+
+Query messages from [email protected]:
+    
+    
+    fields @timestamp, @message, @logStream, @log
+    | filter smtp_mail_from like /[email protected]/
+    | sort @timestamp desc
+    | limit 10000
+
+Query messages belonging to a specific `ingress_point_session_id`:
+    
+    
+    fields @timestamp, @message, @logStream, @log
+    | filter ingress_point_session_id = 'xxx'
+    | sort @timestamp desc
+    | limit 10000
+
+Query messages that were rejected:
+    
+    
+    fields @timestamp, @message, @logStream, @log
+    | filter traffic_policy_verdict = 'REJECT'
+    | sort @timestamp desc
+    | limit 10000
+
+### Rule set logs – `APPLICATION_LOGS`