AWS ses documentation change
Summary
Expanded logging documentation with new TRAFFIC_POLICY_DEBUG_LOGS type and detailed debug log structure
Security assessment
Adds documentation for enhanced logging capabilities including traffic policy debugging, which improves security monitoring but does not address a specific vulnerability.
Diff
diff --git a/ses/latest/dg/eb-logging.md b/ses/latest/dg/eb-logging.md index 4ada07598..9b562af74 100644 --- a//ses/latest/dg/eb-logging.md +++ b//ses/latest/dg/eb-logging.md @@ -107 +107 @@ To enable logging for Mail Manager resources using the CloudWatch Logs API, you - 1. Create a delivery source with [`PutDeliverySource`](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliverySource.html). + 1. Create a DeliverySource with [`PutDeliverySource`](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliverySource.html). @@ -109 +109 @@ To enable logging for Mail Manager resources using the CloudWatch Logs API, you - 2. Create a delivery destination with [`PutDeliveryDestination`](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliveryDestination.html). + 2. Create a DeliveryDestination with [`PutDeliveryDestination`](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliveryDestination.html). @@ -111 +111 @@ To enable logging for Mail Manager resources using the CloudWatch Logs API, you - 3. Create a delivery by pairing exactly one delivery source and one delivery destination by using [`CreateDelivery`](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_CreateDelivery.html). + 3. Create a Delivery by pairing exactly one delivery source and one delivery destination by using [`CreateDelivery`](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_CreateDelivery.html). @@ -120 +120,8 @@ You can view examples of IAM role and permissions policies with all the required -When creating a DeliverySource, the [`resourceArn`](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliverySource.html#API_PutDeliverySource_RequestSyntax) should be an Ingress endpoint ARN or a Rule set ARN, and the [`logType`](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliverySource.html#API_PutDeliverySource_RequestSyntax) for SES Mail Manager logs must be set to `APPLICATION_LOGS`. +When creating a DeliverySource, the [`resourceArn`](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliverySource.html#API_PutDeliverySource_RequestSyntax) can be an Ingress endpoint ARN or a Rule set ARN. Depending on the DeliverySource, the [`logType`](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliverySource.html#API_PutDeliverySource_RequestSyntax) can be as follows: + + * **Ingress endpoint ARN** – `APPLICATION_LOGS` or `TRAFFIC_POLICY_DEBUG_LOGS` + + * **Rule set ARN** – `APPLICATION_LOGS` + + + @@ -126 +133,7 @@ The logs can be used to gain additional insight into the flow of your received m -The following section details the different fields of the logs for each resource. +The following examples detail the different fields of the logs for each resource and log type: + +###### Log examples + + * Ingress endpoint logs – APPLICATION_LOGS + + * Ingress endpoint logs – TRAFFIC_POLICY_DEBUG_LOGS @@ -128 +141,6 @@ The following section details the different fields of the logs for each resource -### Ingress endpoint logs + * Rule set logs – APPLICATION_LOGS + + + + +### Ingress endpoint logs – `APPLICATION_LOGS` @@ -155 +173 @@ The logs are generated per message. -Logs are created only for messages that are accepted by the ingress endpoint. An ingress endpoint that rejects all the incoming messages will not publish any logs. +Logs are created only for messages that are accepted by the ingress endpoint. An ingress endpoint that rejects all the incoming messages will not publish any application logs. @@ -175 +193,82 @@ Query messages with size greater than 5000 bytes: -### Rule set logs +### Ingress endpoint logs – `TRAFFIC_POLICY_DEBUG_LOGS` + +The logs are generated per recipient. + + + { + "resource_arn": "arn:aws:ses:us-east-1:1234567890:mailmanager-ingress-point/inp-xxxxx" CPY, + "event_timestamp": 1728562395042, + "ingress_point_type": "OPEN" | "AUTH", + "ingress_point_id": "inp-xxxx", + "ingress_point_session_id": "xxxx", + "traffic_policy_id": "tp-xxxx", + "traffic_policy_evaluation": [ + // Array of policy evaluations + { + "action": "ALLOW" | "DENY", + "conditions": [ + // Array of conditions + { + "expression": { + "attribute": "RECIPIENT", + "operator": "CONTAINS", + "value": ["@domain.com", "@mydomain.com"] + }, + "expressionResult": true | false + }], + "policyStatementMatched": true | false + }, + // If no policy statement match then default action will be applied + { + "action": "ALLOW" | "DENY", + "policyStatementMatched": true, + "type": "DefaultAction" + } + ], + "traffic_policy_verdict": "REJECT" | "ACCEPT", + "sender_ip_address": "1.2.3.4", + "smtp_mail_from": "[email protected]", + "smtp_helo": "domain.com", + "tls_protocol": "TLSv1.2", + "recipient": "[email protected]", + "tls_cipher_suite": "TLS_AES_256_GCM_SHA384" + } + +###### Note + + * Logs are created for all messages that are evaluated by the traffic policy at the ingress endpoint regardless of whether they're accepted or rejected. + + * All recipient traffic policy evaluations belonging to the same message (within the same SMTP conversation) share a common `ingress_point_session_id`. This ID serves as a correlation identifier since the `message_id` isn't available until after message acceptance. + + * The `traffic_policy_evaluation` content varies based on your configuration and may terminate early once a verdict is determined. + + + + +#### Example CloudWatch Logs Insights queries + +Query messages from [email protected]: + + + fields @timestamp, @message, @logStream, @log + | filter smtp_mail_from like /[email protected]/ + | sort @timestamp desc + | limit 10000 + +Query messages belonging to a specific `ingress_point_session_id`: + + + fields @timestamp, @message, @logStream, @log + | filter ingress_point_session_id = 'xxx' + | sort @timestamp desc + | limit 10000 + +Query messages that were rejected: + + + fields @timestamp, @message, @logStream, @log + | filter traffic_policy_verdict = 'REJECT' + | sort @timestamp desc + | limit 10000 + +### Rule set logs – `APPLICATION_LOGS`