Amazon Simple Email Service
Developer Guide

Set Up a Kinesis Firehose Event Destination for Amazon SES Event Publishing

An Amazon Kinesis Firehose event destination represents an entity that publishes specific Amazon SES email sending events to Kinesis Firehose. Because a Kinesis Firehose event destination exists within a configuration set only, you must first create a configuration set and then add the event destination to the configuration set.

You can use the Amazon SES console or the UpdateConfigurationSetEventDestination API to add a Kinesis Firehose event destination.

To add a Kinesis Firehose event destination to a configuration set (console)

  1. Sign in to the AWS Management Console and open the Amazon SES console at https://console.aws.amazon.com/ses/.

  2. In the left navigation pane, choose Configuration Sets.

  3. Choose a configuration set from the configuration set list. If the list is empty, you must first create a configuration set.

  4. For Add Destination, choose Select a destination type, and then choose Kinesis Firehose.

  5. For Name, type a name for the event destination.

  6. For Event types, select at least one event type to publish to the event destination:

    • Send – Your API call to Amazon SES was successful and Amazon SES will attempt to deliver the email.

    • Reject – Amazon SES initially accepted the email, but later rejected it because the email contained a virus.

    • Bounce – The recipient's mail server permanently rejected the email. This event corresponds to hard bounces. Soft bounces are only included when Amazon SES fails to deliver the email after retrying for a period of time.

    • Complaint – The recipient marked the email as spam.

    • Delivery – Amazon SES successfully delivered the email to the recipient's mail server.

  7. Select Enabled.

  8. For Stream, choose an existing Kinesis Firehose delivery stream, or choose Create new stream to create a new one using the Kinesis Firehose console.

    For information about creating a stream using the Kinesis Firehose console, see Creating an Amazon Kinesis Firehose Delivery Stream in the Amazon Kinesis Firehose Developer Guide.

  9. For IAM role, choose an IAM role for which Amazon SES has permission to publish to Kinesis Firehose on your behalf. You can choose an existing role, have Amazon SES create a role for you, or create your own role.

    If you choose an existing role or create your own role, you must manually modify the role's policies to give the role permission to access the Kinesis Firehose delivery stream, and to give Amazon SES permission to assume the role. For example policies, see Giving Amazon SES Permission to Publish to Your Kinesis Firehose Delivery Stream.

  10. Choose Save.

  11. To exit the Edit Configuration Set page, use the back button of your browser.

For information about how to use the UpdateConfigurationSetEventDestination API to add a Kinesis Firehose event destination, see the Amazon Simple Email Service API Reference.

Giving Amazon SES Permission to Publish to Your Kinesis Firehose Delivery Stream

To enable Amazon SES to publish records to your Kinesis Firehose delivery stream, you must use an AWS Identity and Access Management (IAM) role and attach or modify the role's permissions policy and trust policy. The permissions policy enables the role to publish records to your Kinesis Firehose delivery stream, and the trust policy enables Amazon SES to assume the role.

This section provides examples of both policies. For information about attaching policies to IAM roles, see Modifying a Role in the IAM User Guide.

Permissions Policy

The following permissions policy enables the role to publish data records to your Kinesis Firehose delivery stream.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "firehose:PutRecordBatch"
      ],
      "Resource": [
        "arn:aws:firehose:region:ACCOUNT-ID:deliverystream/DELIVERY-STREAM-NAME"
      ]
    }
  ]
}

Trust Policy

The following trust policy enables Amazon SES to assume the role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ses.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "ACCOUNT-ID"
        }
      }
    }
  ]
}
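
If you choose an existing role or create your own, you can check its policy documents against the two example policies above before saving the event destination. The following Python check is an added example, not part of the AWS guide: it reports where a permissions policy or trust policy is broader than those examples. The function names, the account ID and the sample policies are constructed for illustration, and the ARN pattern assumes the standard `aws` partition.

```python
import json
import re

SES = "ses.amazonaws.com"
# Assumes the standard "aws" partition; captures the account ID from the stream ARN.
STREAM_ARN = re.compile(r"arn:aws:firehose:[a-z0-9-]+:(\d{12}):deliverystream/[\w.-]+")

def _as_list(value):  # IAM accepts a single string or a list for Action and Resource
    return value if isinstance(value, list) else [value]

def _allows(policy_json):
    return [s for s in _as_list(json.loads(policy_json)["Statement"])
            if s.get("Effect") == "Allow"]

def check_permissions_policy(policy_json, account_id):
    """Return findings where the role can do more than the example policy grants."""
    findings = []
    for stmt in _allows(policy_json):
        for action in _as_list(stmt.get("Action", [])):
            if action != "firehose:PutRecordBatch":
                findings.append(f"extra action: {action}")
        for arn in _as_list(stmt.get("Resource", [])):
            m = STREAM_ARN.fullmatch(arn)
            if m is None:
                findings.append(f"resource is not one delivery stream ARN: {arn!r}")
            elif m.group(1) != account_id:
                findings.append(f"stream is in another account: {arn}")
    return findings

def check_trust_policy(policy_json, account_id):
    """Return findings where the trust policy is looser than the example policy."""
    findings = []
    for stmt in _allows(policy_json):
        if stmt.get("Principal") not in ({"Service": SES}, {"Service": [SES]}):
            findings.append(f"principal is not only {SES}")
        if _as_list(stmt.get("Action", [])) != ["sts:AssumeRole"]:
            findings.append("action is not exactly sts:AssumeRole")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != account_id:
            findings.append("sts:ExternalId is missing or is not the account ID")
    return findings

# Constructed sample input: a role's two policies as a reviewer might find them.
ACCOUNT = "111122223333"
LOOSE_PERMS = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"firehose:*","Resource":"*"}]}'
LOOSE_TRUST = '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ses.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
if __name__ == "__main__":
    for finding in check_permissions_policy(LOOSE_PERMS, ACCOUNT) + check_trust_policy(LOOSE_TRUST, ACCOUNT):
        print("FINDING:", finding)
```

Because the ARN must match exactly, a resource string with stray whitespace is also reported.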