Menu
Amazon Simple Email Service
Developer Guide (API Version 2010-12-01)

Set Up a Firehose Event Destination for Amazon SES Event Publishing

An Amazon Kinesis Firehose event destination represents an entity that publishes specific Amazon SES email sending events to Firehose. Because a Firehose event destination exists within a configuration set only, you must first create a configuration set and then add the event destination to the configuration set.

You can use the Amazon SES console or the UpdateConfigurationSetEventDestination API to add a Firehose event destination.

To add a Firehose event destination to a configuration set (console)

  1. Sign in to the AWS Management Console and open the Amazon SES console at https://console.aws.amazon.com/ses/.

  2. In the left navigation pane, choose Configuration Sets.

  3. Choose a configuration set from the configuration set list. If the list is empty, you must first create a configuration set.

  4. For Add Destination, choose Select a destination type, and then choose Firehose.

  5. For Name, type a name for the event destination.

  6. For Event types, select at least one event type to publish to the event destination:

    • Send – Your API call to Amazon SES was successful and Amazon SES will attempt to deliver the email.

    • Reject – Amazon SES initially accepted the email, but later rejected it because the email contained a virus.

    • Bounce – The recipient's mail server permanently rejected the email. This event corresponds to hard bounces. Soft bounces are only included when Amazon SES fails to deliver the email after retrying for a period of time.

    • Complaint – The recipient marked the email as spam.

    • Delivery – Amazon SES successfully delivered the email to the recipient's mail server.

  7. Select Enabled.

  8. For Stream, choose an existing Firehose delivery stream, or choose Create new stream to create a new one using the Firehose console.

    For information about creating a stream using the Firehose console, see Creating an Amazon Kinesis Firehose Delivery Stream in the Amazon Kinesis Firehose Developer Guide.

  9. For IAM role, choose an IAM role for which Amazon SES has permission to publish to Firehose on your behalf. You can choose an existing role, have Amazon SES create a role for you, or create your own role.

    If you choose an existing role or create your own role, you must manually modify the role's policies to give the role permission to access the Firehose delivery stream, and to give Amazon SES permission to assume the role. For example policies, see Giving Amazon SES Permission to Publish to Your Firehose Delivery Stream.

  10. Choose Save.

  11. To exit the Edit Configuration Set page, use the back button of your browser.

For information about how to use the UpdateConfigurationSetEventDestination API to add a Firehose event destination, see the Amazon Simple Email Service API Reference.

Giving Amazon SES Permission to Publish to Your Firehose Delivery Stream

To enable Amazon SES to publish records to your Firehose delivery stream, you must use an AWS Identity and Access Management (IAM) role and attach or modify the role's permissions policy and trust policy. The permissions policy enables the role to publish records to your Firehose delivery stream, and the trust policy enables Amazon SES to assume the role.

This section provides examples of both policies. For information about attaching policies to IAM roles, see Modifying a Role in the IAM User Guide.

Permissions Policy

The following permissions policy enables the role to publish data records to your Firehose delivery stream.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Action": [ "firehose:PutRecordBatch" ], "Resource": [ "arn:aws:firehose:region:ACCOUNT-ID:deliverystream/DELIVERY-STREAM-NAME " ] }, ] }

Trust Policy

The following trust policy enables Amazon SES to assume the role.

Copy
{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": "ses.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "sts:ExternalId": "ACCOUNT-ID" } } } ] }