Amazon Simple Email Service
Developer Guide (API Version 2010-12-01)

Amazon SES Sending Authorization Policies

To enable another AWS account, AWS Identity and Access Management (IAM) user, or AWS service to send email through Amazon SES on your behalf, you create a sending authorization policy, which is a JSON document that you attach to an identity that you own. The policy explicitly lists who you are allowing to send for that identity, and under which conditions. Every sender other than you and the entities you explicitly grant permissions to in the policies is denied. An identity can have no policy, one policy, or multiple policies attached to it. You can also have one policy with multiple statements to achieve the effect of multiple policies.

Policies can be very simple or very detailed for fine-grained control. For example, if you owned example.com, you could write a simple policy to grant AWS ID 123456789012 permission to send from that domain. A more detailed policy could specify that AWS ID 123456789012 can send email only from user@example.com and only within a specified date range.

Amazon SES sending authorization policies apply to email-sending APIs (SendEmail and SendRawEmail) only. They do not enable a user to access your AWS account in any other way.

Policy Structure

Each sending authorization policy is a JSON document that is attached to an identity. A policy includes:

  • Optional policy-wide information at the top of the document.

  • One or more individual statements, each of which describes one set of permissions.

Each statement includes the core information about a single permission. If a policy includes multiple statements, Amazon SES applies a logical OR across the statements at evaluation time. Similarly, if an identity has multiple policies attached to it, Amazon SES applies a logical OR across the policies at evaluation time.

The following example shows a simple policy that allows AWS ID 123456789012 to send email from the identity example.com (which is under account 888888888888) but only if the "From" address is marketing+.*@example.com, where .* is any string that the sender wants to add after marketing+.

{
  "Id": "SampleAuthorizationPolicy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AuthorizeMarketer",
      "Effect": "Allow",
      "Resource": "arn:aws:ses:us-east-1:888888888888:identity/example.com",
      "Principal": {"AWS": ["123456789012"]},
      "Action": ["SES:SendEmail", "SES:SendRawEmail"],
      "Condition": {
        "StringLike": {
          "ses:FromAddress": "marketing+.*@example.com"
        }
      }
    }
  ]
}

You can find more sending authorization policy examples at Sending Authorization Policy Examples.

Policy Elements

This section describes the elements contained in sending authorization policies. First we describe policy-wide elements, and then we describe elements that apply only to the statement in which they are included. We follow with a discussion of how to add conditions to your statements.

For specific information about the syntax of the elements, see Grammar of the IAM Policy Language in the IAM User Guide.

Policy-Wide

There are two policy-wide elements: Id and Version.

  • Id
    Description: Uniquely identifies the policy.
    Required: No.
    Valid values: Any string.

  • Version
    Description: Specifies the policy access language version.
    Required: No, but as a best practice, we recommend that you include this field with a value of "2012-10-17".
    Valid values: Any string.

Statements

Sending authorization policies require at least one statement. Each statement can include the following elements.

  • Sid
    Description: Uniquely identifies the statement.
    Required: No.
    Valid values: Any string.

  • Effect
    Description: Specifies the result that you want the policy statement to return at evaluation time.
    Required: No, although a statement without an effect is useless.
    Valid values: "Allow" or "Deny".

  • Resource
    Description: Specifies the identity to which the policy applies. This is the email address or domain that the identity owner is authorizing the delegate sender to use.
    Required: Yes.
    Valid values: An identity's ARN, as specified in the Amazon SES console.

  • Principal
    Description: Specifies the AWS account, IAM user, or AWS service that receives the permission in the statement.
    Required: Yes.
    Valid values: A valid AWS account ID, IAM user ARN, or AWS service. AWS account IDs and IAM user ARNs are specified using "AWS" (for example, "AWS": ["123456789012"] or "AWS": ["arn:aws:iam::123456789012:root"]). AWS service names are specified using "Service" (for example, "Service": ["cognito-idp.amazonaws.com"]). For examples of the format of IAM user ARNs, see the AWS General Reference.

  • Action
    Description: Specifies the email-sending action to which the statement applies.
    Required: Yes.
    Valid values: "ses:SendEmail", "ses:SendRawEmail" (one or both). If you use the custom policy editor, you can also set the action to "ses:*" to encompass both APIs. If your sender will access Amazon SES through the SMTP interface, you must select "ses:SendRawEmail" at a minimum (or use "ses:*").

  • Condition
    Description: Specifies any restrictions or details about the permission.
    Required: No.
    Valid values: See the information about conditions in the following section.

Conditions

A condition is any restriction about the permission in the statement. The part of the statement that specifies the conditions can be the most detailed of all the parts. A key is the specific characteristic that is the basis for access restriction, such as the date and time of the request.

You use both conditions and keys together to express the restriction. For example, if you want to restrict the delegate sender from making requests to Amazon SES on your behalf after July 30, 2015, you use the condition called DateLessThan. You use the key called aws:CurrentTime and set it to the value 2015-07-30T00:00:00Z.

You can use any of the AWS-wide keys listed at Available Keys in the IAM User Guide, or you can use one of the following keys specific to Amazon SES:

  • ses:Recipients: Restricts the recipient addresses, which include the "To", "CC", and "BCC" addresses.

  • ses:FromAddress: Restricts the "From" address.

  • ses:FromDisplayName: Restricts the contents of the string that is used as the "From" display name (sometimes called "friendly from"). For example, the display name of "John Doe <johndoe@example.com>" is John Doe.

  • ses:FeedbackAddress: Restricts the "Return Path" address, which is the address to which bounces and complaints are sent by email feedback forwarding. For information about email feedback forwarding, see Amazon SES Notifications Through Email.

It is common to use the StringEquals and StringLike conditions with the Amazon SES keys. These conditions are for case-sensitive string matching. For StringLike, the values can include a multi-character match wildcard (*) or a single-character match wildcard (?) anywhere in the string. For example, the following condition specifies that the delegate sender can only send from a "From" address that starts with invoicing and ends with example.com:

"Condition": { "StringLike": { "ses:FromAddress": "invoicing+.*@example.com" } }

Note

When you want to disallow access to an email address, use wildcards to ensure that you are completely preventing access to all forms of that address. For example, to disallow sending from admin@example.com, you can prevent access to alternatives such as "admin"@example.com and admin+1@example.com by specifying the following condition:

"Condition": { "StringNotLike": { "ses:FromAddress": "*admin*.example.com" } }

For more information about how to specify conditions, see Condition in the IAM User Guide.
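The following is an added example, not code from the Amazon SES documentation: a small evaluator that applies the rules described under Policy Structure and Conditions (statements and policies ORed together, the standard IAM rule that an explicit Deny overrides an Allow, and StringLike matching in which only * and ? are wildcards, so the dot in the page's "marketing+.*" pattern is a literal dot). The sample policy is the page's SampleAuthorizationPolicy extended with a DateLessThan cut-off and a Deny statement for admin addresses; those extra statements, the identity ARN reuse, and the request contexts are assumptions made for the example.

```python
import re
from datetime import datetime
# Constructed sample: the page's SampleAuthorizationPolicy, extended with a date
# cut-off and an explicit Deny for the admin address (both are assumptions).
IDENTITY = "arn:aws:ses:us-east-1:888888888888:identity/example.com"
POLICIES = [{"Version": "2012-10-17", "Statement": [
    {"Sid": "AuthorizeMarketer", "Effect": "Allow", "Resource": IDENTITY,
     "Principal": {"AWS": ["123456789012"]},
     "Action": ["SES:SendEmail", "SES:SendRawEmail"],
     "Condition": {"StringLike": {"ses:FromAddress": "marketing+.*@example.com"},
                   "DateLessThan": {"aws:CurrentTime": "2015-07-30T00:00:00Z"}}},
    {"Sid": "DenyAdmin", "Effect": "Deny", "Resource": IDENTITY,
     "Principal": {"AWS": ["123456789012"]}, "Action": ["ses:*"],
     "Condition": {"StringLike": {"ses:FromAddress": "*admin*@example.com"}}}]}]

def string_like(pattern, value):
    # IAM StringLike: '*' = any run of characters, '?' = one character; everything
    # else (including '.') is literal and the comparison is case-sensitive.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

OPS = {  # condition operator -> (allowed values, request value) -> bool
    "StringEquals": lambda pats, v: v in pats,
    "StringLike": lambda pats, v: any(string_like(p, v) for p in pats),
    "StringNotLike": lambda pats, v: not any(string_like(p, v) for p in pats),
    "DateLessThan": lambda pats, v: _ts(v) < _ts(pats[0]),
}

def condition_holds(cond, ctx):
    # Every operator/key pair must hold; several values under one key are ORed.
    return all(OPS[op](pats if isinstance(pats, list) else [pats], ctx.get(key, ""))
               for op, pairs in cond.items() for key, pats in pairs.items())

def evaluate(policies, principal, action, resource, ctx):
    # Statements and policies are ORed; an explicit Deny overrides any Allow
    # (standard IAM evaluation) and with no matching Allow the request is denied.
    allowed = False
    for pol in policies:
        for st in pol["Statement"]:
            acts = [a.lower() for a in st["Action"]]
            if (principal not in st["Principal"].get("AWS", [])
                    or (action.lower() not in acts and "ses:*" not in acts)
                    or st["Resource"] != resource
                    or not condition_holds(st.get("Condition", {}), ctx)):
                continue
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

Run it against a few request contexts (delegate account, From address, and aws:CurrentTime) to see which sends the policy set would allow before attaching it to a real identity.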

Policy Requirements

Each policy must adhere to the following requirements:

  • Each policy must include at least one statement.

  • Each policy must include at least one valid principal.

  • Each policy must specify one resource, and that resource must be the ARN of the identity to which the policy is attached.

  • Identity owners can associate up to 20 policies with each unique identity.

  • Policies must not exceed 4 kilobytes (KB).

  • Policy names cannot exceed 64 characters and can only include alphanumeric characters, dashes, and underscores.