Authorizing Amazon Cognito to Send Amazon SES Email on Your Behalf (from a Custom FROM Email Address) - Amazon Cognito

If you want to send email from a custom FROM email address instead of the default, Amazon Cognito needs your permission to send email messages to your users on behalf of your Amazon SES verified identity. To grant that permission for most cases, create a sending authorization policy. For more information, see Using Sending Authorization with Amazon SES in the Amazon Simple Email Service Developer Guide.

In some cases, Amazon SES might create the AWSServiceRoleForAmazonCognitoIdpEmailService role in your account, and Amazon Cognito uses that role to access Amazon SES. In that case, Amazon Cognito does not need these permissions.

The following is an example of an Amazon SES sending authorization policy for Amazon Cognito user pools. For more examples, see Amazon SES Sending Authorization Policy Examples in the Amazon Simple Email Service Developer Guide.

Note

In this example, the "Sid" value is an arbitrary string that uniquely identifies the statement. For more information about policy syntax, see Amazon SES Sending Authorization Policies in the Amazon Simple Email Service Developer Guide.

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "stmnt1234567891234",
            "Effect": "Allow",
            "Principal": {
                "Service": "cognito-idp.amazonaws.com"
            },
            "Action": [
                "ses:SendEmail",
                "ses:SendRawEmail"
            ],
            "Resource": "<your SES identity ARN>"
        }
    ]
}

The Amazon Cognito console adds this policy for you when you select an Amazon SES identity from the drop-down menu. If you use the CLI or API to configure the user pool, you must attach this policy to your Amazon SES identity yourself.
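For the API path described above, the following added example (not part of the original page or of AWS's own code) builds the policy shown on this page and attaches it with the SES `PutIdentityPolicy` operation through boto3. The function names, the policy name and the ARNs are hypothetical, and the optional `Condition` block, which limits the grant to one user pool in one account, is an assumption that goes beyond the page's policy.

```python
import json
import re

SES_ARN = re.compile(r"^arn:aws[\w-]*:ses:([a-z0-9-]+):\d{12}:identity/(.+)$")
POOL_ARN = re.compile(r"^arn:aws[\w-]*:cognito-idp:[a-z0-9-]+:(\d{12}):userpool/.+$")


def build_policy(identity_arn, user_pool_arn=None, sid="stmnt1234567891234"):
    """Return this page's sending authorization policy as a JSON string."""
    if not SES_ARN.match(identity_arn):
        raise ValueError(f"not an SES identity ARN: {identity_arn!r}")
    statement = {
        "Sid": sid,  # arbitrary string that uniquely identifies the statement
        "Effect": "Allow",
        "Principal": {"Service": "cognito-idp.amazonaws.com"},
        "Action": ["ses:SendEmail", "ses:SendRawEmail"],
        "Resource": identity_arn,
    }
    if user_pool_arn is not None:
        # Assumption, not in the page's policy: scope the service principal
        # to a single user pool and its account (confused-deputy protection).
        pool = POOL_ARN.match(user_pool_arn)
        if not pool:
            raise ValueError(f"not a user pool ARN: {user_pool_arn!r}")
        statement["Condition"] = {
            "StringEquals": {"aws:SourceAccount": pool.group(1)},
            "ArnLike": {"aws:SourceArn": user_pool_arn},
        }
    return json.dumps({"Version": "2008-10-17", "Statement": [statement]}, indent=2)


def attach_policy(identity_arn, policy_json, policy_name="CognitoSendingAuthorization"):
    """Attach the policy to the SES identity (needs boto3 and AWS credentials)."""
    import boto3  # imported here so build_policy works without the SDK

    region, identity = SES_ARN.match(identity_arn).groups()
    ses = boto3.client("ses", region_name=region)
    ses.put_identity_policy(Identity=identity, PolicyName=policy_name, Policy=policy_json)


if __name__ == "__main__":
    # Constructed placeholder ARNs; replace with your own before attaching.
    ses_arn = "arn:aws:ses:us-east-1:111122223333:identity/no-reply@example.com"
    pool_arn = "arn:aws:cognito-idp:us-east-1:111122223333:userpool/us-east-1_EXAMPLE"
    print(build_policy(ses_arn, pool_arn))
```

Review the printed policy, then call `attach_policy` with the same identity ARN; SES must be called in the Region where the identity is verified, which the function reads from the ARN.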