Actions, resources, and condition keys for Amazon SES - Service Authorization Reference

Actions, resources, and condition keys for Amazon SES

Amazon SES (service prefix: ses) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by Amazon SES

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
CloneReceiptRuleSet Grants permission to create a receipt rule set by cloning an existing one Write

ses:ApiVersion

CreateConfigurationSet Grants permission to create a new configuration set Write

ses:ApiVersion

CreateConfigurationSetEventDestination Grants permission to create a configuration set event destination Write

ses:ApiVersion

CreateConfigurationSetTrackingOptions Grants permission to creates an association between a configuration set and a custom domain for open and click event tracking Write

ses:ApiVersion

CreateCustomVerificationEmailTemplate Grants permission to create a new custom verification email template Write

ses:ApiVersion

CreateReceiptFilter Grants permission to create a new IP address filter Write

ses:ApiVersion

CreateReceiptRule Grants permission to create a receipt rule Write

ses:ApiVersion

CreateReceiptRuleSet Grants permission to create an empty receipt rule set Write

ses:ApiVersion

CreateTemplate Grants permission to creates an email template Write

ses:ApiVersion

DeleteConfigurationSet Grants permission to delete an existing configuration set Write

ses:ApiVersion

DeleteConfigurationSetEventDestination Grants permission to delete an event destination Write

ses:ApiVersion

DeleteConfigurationSetTrackingOptions Grants permission to delete an association between a configuration set and a custom domain for open and click event tracking Write

ses:ApiVersion

DeleteCustomVerificationEmailTemplate Grants permission to delete an existing custom verification email template Write

ses:ApiVersion

DeleteIdentity Grants permission to delete the specified identity Write

ses:ApiVersion

DeleteIdentityPolicy Grants permission to delete the specified sending authorization policy for the given identity (an email address or a domain) Permissions management

ses:ApiVersion

DeleteReceiptFilter Grants permission to delete the specified IP address filter Write

ses:ApiVersion

DeleteReceiptRule Grants permission to delete the specified receipt rule Write

ses:ApiVersion

DeleteReceiptRuleSet Grants permission to delete the specified receipt rule set and all of the receipt rules it contains Write

ses:ApiVersion

DeleteTemplate Grants permission to delete an email template Write

ses:ApiVersion

DeleteVerifiedEmailAddress Grants permission to delete the specified email address from the list of verified addresses Write

ses:ApiVersion

DescribeActiveReceiptRuleSet Grants permission to return the metadata and receipt rules for the receipt rule set that is currently active Read

ses:ApiVersion

DescribeConfigurationSet Grants permission to return the details of the specified configuration set Read

ses:ApiVersion

DescribeReceiptRule Grants permission to return the details of the specified receipt rule Read

ses:ApiVersion

DescribeReceiptRuleSet Grants permission to return the details of the specified receipt rule set Read

ses:ApiVersion

GetAccountSendingEnabled Grants permission to return the email sending status of your account Read

ses:ApiVersion

GetCustomVerificationEmailTemplate Grants permission to return the custom email verification template for the template name you specify Read

ses:ApiVersion

GetIdentityDkimAttributes Grants permission to return the current status of Easy DKIM signing for an entity Read

ses:ApiVersion

GetIdentityMailFromDomainAttributes Grants permission to return the custom MAIL FROM attributes for a list of identities (email addresses and/or domains) Read

ses:ApiVersion

GetIdentityNotificationAttributes Grants permission to return a structure describing identity notification attributes for a list of verified identities (email addresses and/or domains), Read

ses:ApiVersion

GetIdentityPolicies Grants permission to return the requested sending authorization policies for the given identity (an email address or a domain) Read

ses:ApiVersion

GetIdentityVerificationAttributes Grants permission to return the verification status and (for domain identities) the verification token for a list of identities Read

ses:ApiVersion

GetSendQuota Grants permission to return the user's current sending limits Read

ses:ApiVersion

GetSendStatistics Grants permission to returns the user's sending statistics Read

ses:ApiVersion

GetTemplate Grants permission to return the template object, which includes the subject line, HTML par, and text part for the template you specify Read

ses:ApiVersion

ListConfigurationSets Grants permission to list all of the configuration sets for your account List

ses:ApiVersion

ListCustomVerificationEmailTemplates Grants permission to list all of the existing custom verification email templates for your account List

ses:ApiVersion

ListIdentities Grants permission to list the email identities for your account List

ses:ApiVersion

ListIdentityPolicies Grants permission to list all of the email templates for your account List

ses:ApiVersion

ListReceiptFilters Grants permission to list the IP address filters associated with your account Read

ses:ApiVersion

ListReceiptRuleSets Grants permission to list the receipt rule sets that exist under your account Read

ses:ApiVersion

ListTemplates Grants permission to list the email templates present in your account List

ses:ApiVersion

ListVerifiedEmailAddresses Grants permission to list all of the email addresses that have been verified in your account Read

ses:ApiVersion

PutConfigurationSetDeliveryOptions Grants permission to add or update the delivery options for a configuration set Write

ses:ApiVersion

PutIdentityPolicy Grants permission to add or update a sending authorization policy for the specified identity (an email address or a domain) Permissions management

ses:ApiVersion

ReorderReceiptRuleSet Grants permission to reorder the receipt rules within a receipt rule set Write

ses:ApiVersion

SendBounce Grants permission to generate and send a bounce message to the sender of an email you received through Amazon SES Write

identity*

ses:ApiVersion

ses:FromAddress

SendBulkTemplatedEmail Grants permission to compose an email message to multiple destinations Write

identity*

template*

configuration-set

ses:ApiVersion

ses:FeedbackAddress

ses:FromAddress

ses:FromDisplayName

ses:Recipients

SendCustomVerificationEmail Grants permission to add an email address to the list of identities and attempts to verify it for your account Write

identity*

ses:ApiVersion

ses:FeedbackAddress

ses:FromAddress

ses:FromDisplayName

ses:Recipients

SendEmail Grants permission to send an email message Write

identity*

configuration-set

ses:ApiVersion

ses:FeedbackAddress

ses:FromAddress

ses:FromDisplayName

ses:Recipients

SendRawEmail Grants permission to send an email message, with header and content specified by the client Write

identity*

configuration-set

ses:ApiVersion

ses:FeedbackAddress

ses:FromAddress

ses:FromDisplayName

ses:Recipients

SendTemplatedEmail Grants permission to compose an email message using an email template Write

identity*

template*

configuration-set

ses:ApiVersion

ses:FeedbackAddress

ses:FromAddress

ses:FromDisplayName

ses:Recipients

SetActiveReceiptRuleSet Grants permission to set the specified receipt rule set as the active receipt rule set Write

ses:ApiVersion

SetIdentityDkimEnabled Grants permission to enable or disable Easy DKIM signing of email sent from an identity Write

ses:ApiVersion

SetIdentityFeedbackForwardingEnabled Grants permission to enable or disable whether Amazon SES forwards bounce and complaint notifications for an identity (an email address or a domain) Write

ses:ApiVersion

SetIdentityHeadersInNotificationsEnabled Grants permission to set whether Amazon SES includes the original email headers in the Amazon Simple Notification Service (Amazon SNS) notifications of a specified type for a given identity (an email address or a domain) Write

ses:ApiVersion

SetIdentityMailFromDomain Grants permission to enable or disable the custom MAIL FROM domain setup for a verified identity Write

ses:ApiVersion

SetIdentityNotificationTopic Grants permission to set an Amazon Simple Notification Service (Amazon SNS) topic to use when delivering notifications for a verified identity Write

ses:ApiVersion

SetReceiptRulePosition Grants permission to set the position of the specified receipt rule in the receipt rule set Write

ses:ApiVersion

TestRenderTemplate Grants permission to create a preview of the MIME content of an email when provided with a template and a set of replacement data Write

ses:ApiVersion

UpdateAccountSendingEnabled Grants permission to enable or disable email sending for your account Write

ses:ApiVersion

UpdateConfigurationSetEventDestination Grants permission to update the event destination of a configuration set Write

ses:ApiVersion

UpdateConfigurationSetReputationMetricsEnabled Grants permission to enable or disable the publishing of reputation metrics for emails sent using a specific configuration set Write

ses:ApiVersion

UpdateConfigurationSetSendingEnabled Grants permission to enable or disable email sending for messages sent using a specific configuration set Write

ses:ApiVersion

UpdateConfigurationSetTrackingOptions Grants permission to modify an association between a configuration set and a custom domain for open and click event tracking Write

ses:ApiVersion

UpdateCustomVerificationEmailTemplate Grants permission to update an existing custom verification email template Write

ses:ApiVersion

UpdateReceiptRule Grants permission to update a receipt rule Write

ses:ApiVersion

UpdateTemplate Grants permission to update an email template Write

ses:ApiVersion

VerifyDomainDkim Grants permission to return a set of DKIM tokens for a domain Write

ses:ApiVersion

VerifyDomainIdentity Grants permission to verify a domain Write

ses:ApiVersion

VerifyEmailAddress Grants permission to verify an email address Write

ses:ApiVersion

VerifyEmailIdentity Grants permission to verify an email identity Write

ses:ApiVersion

Resource types defined by Amazon SES

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys
configuration-set arn:${Partition}:ses:${Region}:${Account}:configuration-set/${ConfigurationSetName}
custom-verification-email-template arn:${Partition}:ses:${Region}:${Account}:custom-verification-email-template/${TemplateName}
identity arn:${Partition}:ses:${Region}:${Account}:identity/${IdentityName}
template arn:${Partition}:ses:${Region}:${Account}:template/${TemplateName}

Condition keys for Amazon SES

Amazon SES defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
ses:ApiVersion Filters actions based on the SES API version String
ses:FeedbackAddress Filters actions based on the "Return-Path" address, which specifies where bounces and complaints are sent by email feedback forwarding String
ses:FromAddress Filters actions based on the "From" address of a message String
ses:FromDisplayName Filters actions based on the "From" address that is used as the display name of a message String
ses:Recipients Filters actions based on the recipient addresses of a message, which include the "To", "CC", and "BCC" addresses ArrayOfString