Amazon Simple Email Service
Developer Guide

Part 4: Create AWS Identity and Access Management Policies and Roles

To ensure the security of your AWS account, you must create an AWS Identity and Access Management (IAM) policy and role. The policy and role define the ways that the components of this solution can interact with each other. This procedure describes how to configure these policies and roles.

To create a new IAM policy and role

  1. Sign in to the AWS Management Console and open the IAM console at

  2. In the column on the left side of the screen, choose Policies.

  3. Choose Create policy.

  4. On the Create Policy window, next to Create Your Own Policy, choose Select.

  5. On the Review Policy window, complete the following sections:

    • For Policy Name, type a name for the policy.

    • For Description, type a brief description of the policy.

    • For Policy Document, paste the following code:

      { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowSendEmail", "Effect": "Allow", "Action": [ "ses:SendEmail" ], "Resource": [ "*" ] }, { "Sid": "s3allow", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:PutObjectAcl" ], "Resource": [ "arn:aws:s3:::BUCKET_NAME/*" ] }, { "Sid": "AllowQueuePermissions", "Effect": "Allow", "Action": [ "sqs:ChangeMessageVisibility", "sqs:ChangeMessageVisibilityBatch", "sqs:DeleteMessage", "sqs:DeleteMessageBatch", "sqs:GetQueueAttributes", "sqs:GetQueueUrl", "sqs:ReceiveMessage" ], "Resource": [ "SQS_QUEUE_ARN" ] }, { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams" ], "Resource": [ "arn:aws:logs:*:*:*" ] } ] }

      In the pasted code, change the following attributes:

  6. Choose Create Policy.

  7. In the column on the left side of the screen, choose Roles.

  8. Choose Create new role.

  9. Under Select role type, choose AWS Service Role, and then choose AWS Lambda.

  10. On the Attach Policy screen, check the box next to the name of the policy you created earlier, and then choose Next Step.

  11. On the Set role name and review screen, for Role name, type a name for the role, and then choose Create role.

  12. Proceed to Part 5: Configure Bounce and Complaint Notifications in Amazon SES.