AWS ses documentation change
Summary
Added MTLS as a new ingress point type and expanded logging documentation to include client certificate details and trust store monitoring for MTLS ingress endpoints
Security assessment
This change documents new logging capabilities for MTLS (Mutual TLS) ingress endpoints, which is a security feature that provides certificate-based authentication. The addition of client certificate details and trust store monitoring helps administrators track certificate validity and expiration, improving security monitoring. However, there's no evidence this addresses a specific security vulnerability or incident.
Diff
diff --git a/ses/latest/dg/eb-logging.md b/ses/latest/dg/eb-logging.md index 4cf9316ec..02db2c316 100644 --- a//ses/latest/dg/eb-logging.md +++ b//ses/latest/dg/eb-logging.md @@ -161 +161 @@ The logs are generated per message. - "ingress_point_type": "OPEN" | "AUTH", + "ingress_point_type": "OPEN" | "AUTH" | "MTLS", @@ -172 +172,2 @@ The logs are generated per message. - "ingress_point_metadata": { // only applies to AUTH Ingress Endpoint + "ingress_point_metadata": { + // Only applies to AUTH Ingress endpoint @@ -174 +175,28 @@ The logs are generated per message. - "secrets_manager_arn": "" + "secrets_manager_arn": "", + // Only applies to MTLS Ingress endpoint + "client_certificate_details": { + "common_names": ["mail.example.com"], + "serial_number": "0A:DE:EB:89:42:FB:1C:67", + "subject_alternative_names": ["mail.example.com", "smtp.example.com"], + "issuer": "CN=Example CA,O=Example Corp,C=US", + "not_before": "2025-01-15T00:00:00Z", + "not_after": "2026-01-15T23:59:59Z" + }, + "trust_store_monitoring": { + "ca_invalid_or_near_expiry": [ + { + "subject": "CN=Example CA,O=Example Corp,C=US", + "not_before": "2023-06-01T00:00:00Z", + "not_after": "2025-05-15T23:59:59Z" + }, + ... + ], + "crl_invalid_or_near_expiry": [ + { + "issuer": "CN=Example CA,O=Example Corp,C=US", + "this_update": "2025-03-01T00:00:00Z", + "next_update": "2025-04-01T00:00:00Z" + }, + ... + ] + } @@ -181,0 +210,4 @@ Logs are created only for messages that are accepted by the ingress endpoint. An +###### Note + +The `trust_store_monitoring` lists (`ca_invalid_or_near_expiry` and `crl_invalid_or_near_expiry`) each return a maximum of 10 entries. “Near expiry” means the certificate or CRL expires within 90 days. +