This guide provides detailed troubleshooting steps for resolving email delivery issues with the Security Hub Compliance Analyzer.
Before troubleshooting, ensure you have:
- AWS CLI configured with appropriate credentials
- Verified sender email address in Amazon SES
- Appropriate SES permissions configured
- Lambda function deployed with proper IAM permissions
-
SES Verification Issues
- Ensure sender email is verified in SES
- In AWS SES sandbox mode, recipient emails must also be verified
- Run
./check_ses_status.shto verify email status
-
IAM Permission Issues
- Lambda function must have
ses:SendEmailandses:SendRawEmailpermissions - Check Lambda execution role in the AWS Console
- Add missing permissions if needed:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ses:SendEmail", "ses:SendRawEmail" ], "Resource": "*" } ] } - Lambda function must have
-
Environment Variables
SENDER_EMAILmust be set in Lambda environment- Ensure it matches a verified email address in SES
-
SPF/DKIM Setup
- Configure SPF and DKIM for your domain if using a custom domain
- DKIM signing is available in the SES console
-
Email Content
- Avoid spam trigger words in subject and content
- Ensure proper HTML formatting
-
Reputation
- SES account might have reputation issues
- Check SES dashboard for reputation metrics
Use the provided testing script to isolate where the issue is occurring:
# Set the sender and recipient emails
export SENDER_EMAIL="your-verified-sender@example.com"
export RECIPIENT_EMAIL="recipient@example.com"
# Run the test script
./test_ses_delivery.shThis script tests email delivery through:
- Basic SES API
- Direct Python scripts
- Lambda function
If some tests succeed while others fail, this helps pinpoint the issue.
For testing the more complex NIST 800-53 control status emails:
# Option 1: Generate HTML locally and view in browser
./debug_email_output.py
# Open debug_email.html in your browser to verify formatting
# Option 2: Send debug email directly
./send_debug_email.py --sender your-verified@email.com --recipient your-verified@email.com
# Option 3: Test through Lambda
./test_nist_direct_controls.shThese specialized debug scripts help isolate whether the issue is with:
- Email delivery in general
- Complex HTML rendering
- Lambda configuration
- Control status data retrieval
-
Check SES Configuration
CHECK_EMAIL=your-verified-email@example.com ./check_ses_status.sh
-
Test Direct SES Delivery
aws ses send-email \ --profile sandbox \ --from your-verified-email@example.com \ --destination "ToAddresses=recipient@example.com" \ --message "Subject={Data=Test Email,Charset=UTF-8},Body={Text={Data=Test content,Charset=UTF-8}}"
-
Check Lambda Configuration
- Verify
SENDER_EMAILenvironment variable - Check Lambda execution role permissions
- Review CloudWatch logs for errors
- Verify
-
Test Lambda Email Function
RECIPIENT_EMAIL=recipient@example.com ./trigger_test_email.sh
Look for these specific error patterns in Lambda logs:
-
SES Verification Errors
Email address is not verified. The following identities failed the check... -
Permission Denied
User: arn:aws:sts::... is not authorized to perform: ses:SendRawEmail -
Rate Limiting
Throttling Exception: Rate exceeded
If you're in the SES sandbox, you're limited to sending to verified email addresses only. To move out of the sandbox:
- Request production access through the SES console
- Provide business case and sending patterns
- Once approved, you can send to any recipient
If you're still experiencing issues after following this guide, check the AWS SES documentation or contact AWS Support for further assistance.