AWS SES - debug email events which are not part of AWS CloudTrail
Find out how to implement a solution which will allow you to see what is still sending emails through AWS SES in a given region.
Problem statement
We are trying to migrate away from AWS SES region eu-west-1 (Ireland) to region eu-west-2 (London). However, after investigating CloudTrail logs, we can see that certain actions are not tracked.
As per the official docs (https://docs.aws.amazon.com/ses/latest/dg/logging-using-cloudtrail.html), Amazon SES only delivers management events to CloudTrail, so the following events aren’t recorded in CloudTrail:
- SendEmail
- SendRawEmail
- SendTemplatedEmail
- SendBulkTemplatedEmail
This means that if any AWS IAM User/IAM Role or any other identity performs an action such as ses:SendEmail, you won’t be able to find it in the logs.
During a migration to a different region, this makes it hard to figure out what is still using the legacy region. This article details how to get more information about SES actions that are not tracked by CloudTrail.
Solution
The solution to get detailed logs around untracked SES actions needs the following:
- SES configuration set
- Event destination associated with the configuration set
- EventBridge event bus rule with a custom event pattern
- CloudWatch LogGroup which is the target for log/event delivery
- Updating the existing SES domain/identity to use the configuration set as its default configuration set
Implementation Details
To keep this simple for the majority of my audience, I will use the UI and provide screenshots navigating through all the steps.
SES configuration set (part 1)
1. Create the configuration set
2. Add an event destination for your configuration set
With the above you can see the full configuration for the EventBridge destination.
3. Update the SES identity to use the configuration set
EventBridge (part 2)
4. EventBridge rule setup
This concludes the setup. You will now receive SES event logs in your CloudWatch LogGroup.
An example delivered log looks as follows:
{
  "version": "0",
  "id": "21f975e4-3874-d134-43c8-f8430",
  "detail-type": "Email Sent",
  "source": "aws.ses",
  "account": "000000000000",
  "time": "2025-01-23T14:00:25Z",
  "region": "eu-west-1",
  "resources": [
    "arn:aws:ses:eu-west-1:000000000000:configuration-set/event-bridge"
  ],
  "detail": {
    "eventType": "Send",
    "mail": {
      "timestamp": "2025-01-23T14:00:25.828Z",
      "source": "test@email",
      "sourceArn": "arn:aws:ses:eu-west-1:000000000000:identity/internal.dare.global",
      "sendingAccountId": "000000000000",
      "messageId": "0102019493-6e111c98-cb81-4596-9f15-9d4daade12f3-000000",
      "destination": [
        "test@email"
      ],
      "headersTruncated": false,
      "headers": [
        {
          "name": "Content-Type",
          "value": "multipart/mixed; boundary=\"===============4560240242818155080==\""
        },
        {
          "name": "MIME-Version",
          "value": "1.0"
        },
        {
          "name": "From",
          "value": "test@email"
        },
        {
          "name": "To",
          "value": "test2@email"
        },
        {
          "name": "Cc",
          "value": ""
        },
        {
          "name": "Bcc",
          "value": ""
        },
        {
          "name": "Subject",
          "value": "Custom"
        }
      ],
      "commonHeaders": {
        "from": [
          "test@email"
        ],
        "to": [
          "test2@email"
        ],
        "subject": "Custom"
      },
      "tags": {
        "ses:source-tls-version": [
          "TLSv1.3"
        ],
        "ses:operation": [
          "SendRawEmail"
        ],
        "ses:configuration-set": [
          "event-bridge"
        ],
        "ses:source-ip": [
          "111.11.111.111"
        ],
        "ses:caller-identity": [
          "emailer"
        ]
      }
    },
    "send": {}
  }
}
The tags section of the event log above holds the most useful fields I needed to investigate SES Ireland usage further.
- ses:caller-identity - the name of the IAM User or IAM Role whose credentials were used to execute the SendRawEmail operation. This quickly lets you narrow down to things like a Lambda function which sends out emails using the SES client.
- ses:source-ip - another useful field in case you are sending out automated emails from an EC2 instance. This quickly indicates which EC2 instance still utilises SES.
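As an added example (not code from the original article), the script below summarises events of the shape shown above by ses:caller-identity, ses:source-ip and ses:operation, which is the question the migration actually asks: who is still calling the legacy region. The events it runs on are constructed to follow that schema; the identity names, IPs and regions are placeholders.

```python
# Added example (not from the original article): summarise SES EventBridge
# events by caller identity, source IP and operation to find legacy senders.
from collections import Counter

def make_event(event_type, region="eu-west-1", **tags):
    """Constructed event shaped like the sample above; all values are placeholders."""
    tag_map = {"ses:" + k.replace("_", "-"): [v] for k, v in tags.items()}
    return {"source": "aws.ses", "region": region,
            "detail": {"eventType": event_type, "mail": {"tags": tag_map}}}

SAMPLE_EVENTS = [
    make_event("Send", operation="SendRawEmail", caller_identity="emailer",
               source_ip="111.11.111.111"),
    make_event("Send", operation="SendEmail", caller_identity="emailer",
               source_ip="111.11.111.111"),
    make_event("Send", operation="SendTemplatedEmail",
               caller_identity="lambda-notifier-role", source_ip="10.0.3.17"),
    # Delivery events carry no caller identity and must not break the summary.
    make_event("Delivery", operation="SendRawEmail"),
    # Traffic already on the new region is out of scope for the legacy question.
    make_event("Send", region="eu-west-2", operation="SendEmail",
               caller_identity="emailer", source_ip="10.0.3.17"),
]

def tag(event, name):
    """Return the first value of an SES mail tag, or None when it is absent."""
    values = event.get("detail", {}).get("mail", {}).get("tags", {}).get(name)
    return values[0] if values else None

def summarise_senders(events, region="eu-west-1"):
    """Count Send events per (caller identity, source IP, operation) in a region."""
    senders = Counter()
    for event in events:
        if event.get("source") != "aws.ses" or event.get("region") != region:
            continue
        if event.get("detail", {}).get("eventType") != "Send":
            continue  # only the Send event records who made the API call
        key = (tag(event, "ses:caller-identity") or "<unknown>",
               tag(event, "ses:source-ip") or "<unknown>",
               tag(event, "ses:operation") or "<unknown>")
        senders[key] += 1
    return senders

if __name__ == "__main__":
    for (identity, ip, op), count in summarise_senders(SAMPLE_EVENTS).most_common():
        print(f"{count:4d}  {identity:24s} {ip:16s} {op}")
```

To run it against real data, export the LogGroup from CloudWatch Logs, parse one JSON event per line and pass the list to summarise_senders instead of SAMPLE_EVENTS.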