Menu
Amazon Simple Email Service
Developer Guide (API Version 2010-12-01)

Amazon SES Sending Authorization Policy Examples

Sending authorization enables you to specify the fine-grained conditions under which you allow delegate senders to send on your behalf. The following examples show you how to write policies to control different aspects of sending:

Specifying the Delegate Sender

The principal, which is the entity to which you are granting permission, can be an AWS account, an AWS Identity and Access Management (IAM) user, or an AWS service. The following example policy grants AWS account ID 123456789012 permission to send from identity example.com.

Copy
{ "Id": "ExampleAuthorizationPolicy", "Version": "2012-10-17", "Statement": [ { "Sid": "AuthorizeAccount", "Effect": "Allow", "Resource": "arn:aws:ses:us-east-1:888888888888:identity/example.com", "Principal": {"AWS": ["123456789012"]}, "Action": ["SES:SendEmail", "SES:SendRawEmail"] } ] }

The following example policy grants permission to two IAM users to send from identity example.com. IAM users are specified by their Amazon Resource Name (ARN).

Copy
{ "Id": "ExampleAuthorizationPolicy", "Version": "2012-10-17", "Statement": [ { "Sid": "AuthorizeIAMUser", "Effect": "Allow", "Resource": "arn:aws:ses:us-east-1:888888888888:identity/example.com", "Principal": {"AWS": [ "arn:aws:iam::111122223333:user/John", "arn:aws:iam::444455556666:user/Jane" ]}, "Action": ["SES:SendEmail", "SES:SendRawEmail"] } ] }

The following example policy grants permission to Amazon Cognito to send from identity example.com.

Copy
{ "Id": "ExampleAuthorizationPolicy", "Version": "2012-10-17", "Statement": [ { "Sid": "AuthorizeService", "Effect": "Allow", "Resource": "arn:aws:ses:us-east-1:888888888888:identity/example.com", "Principal": {"Service": ["cognito-idp.amazonaws.com"]}, "Action": ["SES:SendEmail", "SES:SendRawEmail"] } ] }

Restricting the "From" Address

Even if you have verified a whole domain, you might want to restrict the "From" address so that the delegate sender can send from a specified email address only. To restrict the "From" address, you set a condition on the key called ses:FromAddress. The following policy enables AWS account ID 123456789012 to send from identity example.com, but only from email address sender@example.com.

Copy
{ "Id": "ExamplePolicy", "Version": "2012-10-17", "Statement": [ { "Sid": "AuthorizeFromAddress", "Effect": "Allow", "Resource": "arn:aws:ses:us-east-1:888888888888:identity/example.com", "Principal": {"AWS": ["123456789012"]}, "Action": ["SES:SendEmail", "SES:SendRawEmail"], "Condition": { "StringEquals": { "ses:FromAddress": "sender@example.com" } } } ] }

Restricting the Destination of Bounce and Complaint Feedback

If a delegate sender is sending on your behalf and you want to ensure that bounce and complaint notifications are forwarded to you by email, you need to do two things: you must enable email feedback forwarding for the identity by using the procedure in Amazon SES Notifications Through Email, and you must restrict the "Return Path" of the emails to an email address that you own by setting a condition on the ses:FeedbackAddress key.

The following sending authorization policy enables AWS account ID 123456789012 to send from the identity example.com as long as the "Return Path" of the email is set to feedback@example.com.

Copy
{ "Id": "ExamplePolicy", "Version": "2012-10-17", "Statement": [ { "Sid": "ControlReturnPath", "Effect": "Allow", "Resource": "arn:aws:ses:us-east-1:888888888888:identity/example.com", "Principal": {"AWS": ["123456789012"]}, "Action": ["SES:SendEmail", "SES:SendRawEmail"], "Condition": { "StringEquals": { "ses:FeedbackAddress": "feedback@example.com" } } } ] }

Restricting the Time Period of Sending

You might want to constrain the date and time during which the delegate sender can send on your behalf. For example, if your email campaign is scheduled for the month of September 2015, the following policy enables the delegate sender to send emails on your behalf during that month only.

Copy
{ "Id": "ExamplePolicy", "Version": "2012-10-17", "Statement": [ { "Sid": "ControlTimePeriod", "Effect": "Allow", "Resource": "arn:aws:ses:us-east-1:888888888888:identity/example.com", "Principal": {"AWS": ["123456789012"]}, "Action": ["SES:SendEmail", "SES:SendRawEmail"], "Condition": { "DateGreaterThan": { "aws:CurrentTime":"2015-08-31T12:00Z" }, "DateLessThan": { "aws:CurrentTime":"2015-10-01T12:00Z" } } } ] }

Restricting the Email-Sending Action

There are two actions that senders can use to send an email with Amazon SES: SendEmail and SendRawEmail, depending on how much control the sender wants over the format of the email. Sending authorization policies enable you to restrict the delegate sender to one of those two actions. However, many identity owners leave the details of the email-sending calls up to the delegate sender by enabling both actions in their policies.

Note

If you want to enable the delegate sender to access Amazon SES through the SMTP interface, you must choose SendRawEmail at a minimum.

If your use case is such that you want to restrict the action, you can do so by including only one of the actions in your sending authorization policy. The following example shows you how to restrict the action to SendRawEmail.

Copy
{ "Id": "ExamplePolicy", "Version": "2012-10-17", "Statement": [ { "Sid": "ControlAction", "Effect": "Allow", "Resource": "arn:aws:ses:us-east-1:888888888888:identity/example.com", "Principal": {"AWS": ["123456789012"]}, "Action": ["SES:SendRawEmail"] } ] }

Restricting the Display Name of the Email Sender

Some email clients display the "friendly" name of the email sender (if the email header provides it), rather than the actual "From" address. For example, the display name of "John Doe <johndoe@example.com>" is John Doe. For instance, you might send emails from user@example.com, but you prefer that recipients see that the email is from Marketing rather than from user@example.com. The following policy enables AWS account ID 123456789012 to send from identity example.com, but only if the display name of the "From" address includes Marketing.

Copy
{ "Id": "ExamplePolicy", "Version": "2012-10-17", "Statement": [ { "Sid": "AuthorizeFromAddress", "Effect": "Allow", "Resource": "arn:aws:ses:us-east-1:888888888888:identity/example.com", "Principal": {"AWS": ["123456789012"]}, "Action": ["SES:SendEmail", "SES:SendRawEmail"], "Condition": { "StringLike": { "ses:FromDisplayName": "Marketing" } } } ] }

Using Multiple Statements

You can use multiple statements for fine-grained control. The following example policy has two statements. The first statement authorizes two individual AWS accounts to send from sender@example.com using the SendEmail API as long as the "From" address and the feedback address are both under the domain example.com. The second statement authorizes an IAM user to send email from sender@example.com as long as the email is sent to an email address under the domain example.com.

Copy
{ "Version": "2012-10-17", "Statement": [{ "Sid": "AuthorizeAWS", "Effect": "Allow", "Resource": "arn:aws:ses:us-east-1:999999999999:identity/sender@example.com", "Principal": { "AWS": ["111111111111", "222222222222"] }, "Action": ["SES:SendEmail", "SES:SendRawEmail"], "Condition": { "StringLike": { "ses:FromAddress": "*@example.com", "ses:FeedbackAddress": "*@example.com" } } }, { "Sid": "AuthorizeInternal", "Effect": "Allow", "Resource": "arn:aws:ses:us-east-1:999999999999:identity/sender@example.com", "Principal": { "AWS": "arn:aws:iam::333333333333:user/Jane" }, "Action": ["SES:SendEmail", "SES:SendRawEmail"], "Condition": { "ForAllValues:StringLike": { "ses:Recipients": "*@example.com" } } }] }