[FOLIO-3037] Handle AWS "notification regarding Simple Email Service (SIGv2 Utilization)"
Created: 23/Feb/21
Updated: 27/Apr/21
Resolved: 27/Apr/21

Status: Closed
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Task
Priority: P3
Reporter: Peter Murray
Assignee: Peter Murray
Resolution: Cannot Reproduce
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Sprint: DevOps Sprint 110, DevOps Sprint 111, DevOps Sprint 112
Development Team: FOLIO DevOps

 Description   

Received from AWS:

If you have already migrated your credentials from Signature Version 2 to Signature Version 4, you can ignore this communication.

We have observed Signature Version 2 requests (on an Amazon SES SMTP endpoint) originating from your account over the last week. Please note that Amazon Simple Email Service (SES) is working on an infrastructure upgrade with improved security controls. As a result, Signature Version 2 is being deprecated in favor of Signature Version 4 which offers enhanced security for authentication and authorization of Amazon SES customers by using a signing key instead of your secret access key.

Amazon SES customers who are currently using Signature Version 2 must migrate to Signature Version 4 by March 26, 2021. Beginning March 27, 2021, requests using Signature Version 2 will be progressively throttled in Amazon SES.

To migrate to Signature Version 4, please replace your existing SMTP credentials using the appropriate procedure relative to your setup:

  • If you generated your SMTP credentials using the SES Console, simply create new credentials and replace your existing credentials with the new ones.
  • If you derived your SMTP credentials from your AWS credentials, make sure you are using the Signature Version 4 algorithm. If you rely on a library to do this conversion, check if the library has a newer release that uses Signature Version 4 algorithm and migrate to it. Otherwise, you will need to either derive the credentials from another library that uses Signature Version 4 algorithm or generate credentials using the SES console.

To learn more about how to generate your Amazon SES SMTP credentials, please refer to [1].

If you have any questions, please contact AWS Premium Support [2].

[1] https://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-credentials.html
[2] https://aws.amazon.com/support

cc: John Malconian, Ian Hardy, Wayne Schneider
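
The notice above asks whether derived SMTP credentials use the Signature Version 4 algorithm. The following is an added example, not part of the ticket or of any FOLIO code: it derives an SES SMTP password with both algorithms as AWS documents them and reads the leading version byte of a stored password to tell which one produced it. The secret key, region and account names are constructed, and the check assumes the stored password was produced by one of these two documented derivations.

```python
import base64
import hashlib
import hmac


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def smtp_password_v4(secret_access_key: str, region: str) -> str:
    """SigV4 derivation: chained HMACs over fixed strings, so the result is region-specific."""
    key = _hmac(("AWS4" + secret_access_key).encode("utf-8"), "11111111")  # fixed date string
    for part in (region, "ses", "aws4_request", "SendRawEmail"):
        key = _hmac(key, part)
    return base64.b64encode(b"\x04" + key).decode("ascii")  # version byte 0x04


def smtp_password_v2(secret_access_key: str) -> str:
    """Deprecated SigV2 derivation, kept only so old values can be recognised."""
    sig = _hmac(secret_access_key.encode("utf-8"), "SendRawEmail")
    return base64.b64encode(b"\x02" + sig).decode("ascii")  # version byte 0x02


def signature_version(smtp_password: str):
    """Return 2 or 4 from the leading version byte, or None if the value is not in this format."""
    try:
        raw = base64.b64decode(smtp_password, validate=True)
    except ValueError:
        return None
    # One version byte followed by a 32-byte HMAC-SHA256 digest.
    if len(raw) != 33 or raw[0] not in (2, 4):
        return None
    return raw[0]


def audit(stored: dict) -> dict:
    """Map each credential name to the signature version of its stored SMTP password."""
    return {name: signature_version(pw) for name, pw in stored.items()}


if __name__ == "__main__":
    secret = "CONSTRUCTED-EXAMPLE-SECRET-KEY"  # constructed, not a real key
    stored = {  # hypothetical account names with constructed passwords
        "legacy-mailer": smtp_password_v2(secret),
        "migrated-mailer": smtp_password_v4(secret, "us-east-1"),
    }
    for name, version in audit(stored).items():
        print(f"{name}: SigV{version}" if version else f"{name}: unrecognised format")
```

Running `audit` over the SMTP passwords held in a secrets store or application configuration identifies SigV2-derived values on the client side, without exposing the IAM secret access key.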



 Comments   
Comment by Peter Murray [ 23/Feb/21 ]

I don't think this impacts any FOLIO services. I did update the Discuss.folio.org SMTP credentials last month, and there are other IAM user accounts that have ses:SendEmail and ses:SendRawEmail permissions (I see ses-smtp-folio, noreply-folio-org-sender, and jenkins-ses-access as likely candidates). Unfortunately, it doesn't seem like AWS gives one a way to figure out which accounts are using V2 signatures. You'd think that Viewing Events with CloudTrail Event History might help, but there don't seem to be SES events there. (There is documentation for Identifying Amazon S3 signature v2 requests using CloudTrail.) There is an AWS Forum post where an AWS tech says that they have been sending these messages in error.

I'm going to leave this issue open for a while in case we start seeing problems on or about the March 27th date.

Comment by Peter Murray [ 27/Apr/21 ]

None found.

Generated at Thu Feb 08 23:25:08 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.