AWS ses documentation change
Summary
Added documentation for mutual TLS (mTLS) authentication on Mail Manager ingress endpoints, including how to use customer managed keys to encrypt trust store contents and example IAM/KMS policies.
Security assessment
The change adds documentation for a security feature (mTLS authentication) and provides example policies for encrypting trust store contents with customer managed keys. There is no evidence of addressing a specific security vulnerability; rather, it's documenting enhanced security capabilities.
Diff
diff --git a/ses/latest/dg/encryption-rest.md b/ses/latest/dg/encryption-rest.md index 99389ffbe..acabb1e78 100644 --- a//ses/latest/dg/encryption-rest.md +++ b//ses/latest/dg/encryption-rest.md @@ -5 +5 @@ -Step 1: Create a customer managed keyStep 2: Specify a customer managed keyEncryption contextArchive creation policiesMonitoring your encryption keysLearn more +Step 1: Create a customer managed keyStep 2: Specify a customer managed keyEncryption contextArchive creation policiesIngress endpoint mTLS policiesMonitoring your encryption keysLearn more @@ -101 +101 @@ For more information about troubleshooting, see [troubleshooting key access](htt -## Specifying a customer managed key for Mail Manager archiving +## Specifying a customer managed key for Mail Manager @@ -103 +103 @@ For more information about troubleshooting, see [troubleshooting key access](htt -You can specify a customer managed key as an alternative to using AWS owned keys. When you create an archive, you can specify the data key by entering a **KMS key ARN** , which Mail Manager archiving uses to encrypt all customer data in the archive. +You can specify a customer managed key as an alternative to using AWS owned keys. When you create an archive or configure an ingress endpoint with mutual TLS (mTLS) authentication, you can specify the data key by entering a **KMS key ARN**. For archiving, Mail Manager uses the key to encrypt all customer data in the archive. For mTLS ingress endpoints, Mail Manager uses the key to encrypt the trust store contents at rest. @@ -105 +105 @@ You can specify a customer managed key as an alternative to using AWS owned keys - * **KMS key ARN** – A [key identifier](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) for an AWS KMS customer managed key. Enter a key ID, key ARN, alias name, or alias ARN. + * **KMS key ARN** – A [key identifier](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) for a AWS KMS customer managed key. Enter a key ID, key ARN, alias name, or alias ARN. @@ -217,0 +218,87 @@ The following example policies show how to enable archive creation. The policies +## Ingress endpoint mTLS policies + +The following example policies enable using a customer managed key to encrypt trust store contents for mutual TLS (mTLS) authentication on Mail Manager ingress endpoints. + +To scope the example policies to a specific ingress endpoint, replace the wildcard in the condition with an exact resource ARN (for example, `arn:aws:ses:us-east-1:111122223333:mailmanager-ingress-point/inp-ab1c2defgh3ij4klmno5pq6rs`). + +**IAM policy** + + + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:role/rolename" + }, + "Action": [ + "kms:GenerateDataKey", + "kms:Decrypt" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "kms:ViaService": "ses.us-east-1.amazonaws.com" + }, + "StringLike": { + "kms:EncryptionContext:aws:ses:arn": [ + "arn:aws:ses:us-east-1:111122223333:mailmanager-ingress-point/*" + ] + } + } + }, + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:role/rolename" + }, + "Action": [ + "kms:DescribeKey" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "kms:ViaService": "ses.us-east-1.amazonaws.com" + } + } + } + +**AWS KMS policy** + + + { + "Effect": "Allow", + "Principal": { + "Service": "ses.amazonaws.com" + }, + "Action": [ + "kms:Decrypt" + ], + "Resource": "*", + "Condition": { + "StringLike": { + "aws:SourceArn": [ + "arn:aws:ses:us-east-1:111122223333:mailmanager-ingress-point/*" + ], + "kms:EncryptionContext:aws:ses:arn": [ + "arn:aws:ses:us-east-1:111122223333:mailmanager-ingress-point/*" + ] + } + } + }, + { + "Effect": "Allow", + "Principal": { + "Service": "ses.amazonaws.com" + }, + "Action": [ + "kms:DescribeKey" + ], + "Resource": "*", + "Condition": { + "StringLike": { + "aws:SourceArn": [ + "arn:aws:ses:us-east-1:111122223333:mailmanager-ingress-point/*" + ] + } + } + } +