How Amazon Simple Email Service (Amazon SES) Uses AWS KMS

You can use Amazon Simple Email Service (Amazon SES) to receive email, and (optionally) to encrypt the received email messages before storing them in an Amazon Simple Storage Service (Amazon S3) bucket that you choose. When you configure Amazon SES to encrypt email messages, you must choose the KMS customer master key (CMK) under which Amazon SES encrypts the messages. You can choose the default CMK in your account for Amazon SES with the alias aws/ses, or you can choose a custom CMK that you created separately in AWS KMS.

For more information about receiving email using Amazon SES, go to Receiving Email with Amazon SES in the Amazon Simple Email Service Developer Guide.

Topics

Overview of Amazon SES Encryption Using AWS KMS
Amazon SES Encryption Context
Giving Amazon SES Permission to Use Your AWS KMS Customer Master Key (CMK)
Retrieving and Decrypting Email Messages

Overview of Amazon SES Encryption Using AWS KMS

When you configure Amazon SES to receive email and encrypt the email messages before saving them to your S3 bucket, the process works like this:

You create a receipt rule for Amazon SES, specifying the S3 action, an S3 bucket for storage, and a KMS customer master key (CMK) for encryption.
Amazon SES receives an email message that matches your receipt rule.
Amazon SES requests a unique data key encrypted with the KMS CMK that you specified in the applicable receipt rule.
AWS KMS creates a new data key, encrypts it with the specified CMK, and then sends the encrypted and plaintext copies of the data key to Amazon SES.
Amazon SES uses the plaintext data key to encrypt the email message and then removes the plaintext data key from memory as soon as possible after use.
Amazon SES puts the encrypted email message and the encrypted data key in the specified S3 bucket. The encrypted data key is stored as metadata with the encrypted email message.

To accomplish Step 3 through Step 6, Amazon SES uses the AWS–provided Amazon S3 encryption client. Use the same client to retrieve your encrypted email messages from Amazon S3 and decrypt them. For more information, see Retrieving and Decrypting Email Messages.

Amazon SES Encryption Context

When Amazon SES requests a data key to encrypt your received email messages (Step 3 in the Overview of Amazon SES Encryption Using AWS KMS), it includes encryption context in the request. The encryption context provides additional authenticated information that AWS KMS uses to ensure data integrity. The encryption context is also written to your AWS CloudTrail log files, which can help you understand why a given customer master key (CMK) was used. Amazon SES uses the following for the encryption context:

The ID of the AWS account in which you've configured Amazon SES to receive email messages
The rule name of the Amazon SES receipt rule that invoked the S3 action on the email message
The Amazon SES message ID for the email message

The following example shows a JSON representation of the encryption context that Amazon SES uses:


{
  "aws:ses:source-account": "111122223333",
  "aws:ses:rule-name": "example-receipt-rule-name",
  "aws:ses:message-id": "d6iitobk75ur44p8kdnnp7g2n800"
}

For more information about encryption context, go to Encryption Context.

Giving Amazon SES Permission to Use Your AWS KMS Customer Master Key (CMK)

You can use the default customer master key (CMK) in your account for Amazon SES with the alias aws/ses, or you can use a custom CMK you create. If you use the default CMK for Amazon SES, you don't need to perform any steps to give Amazon SES permission to use it. However, to specify a custom CMK when you add the S3 action to your Amazon SES receipt rule, you must ensure that Amazon SES has permission to use the CMK to encrypt your email messages. To give Amazon SES permission to use your custom CMK, add the following statement to your CMK's key policy:


{
  "Sid": "Allow SES to encrypt messages using this master key",
  "Effect": "Allow",
  "Principal": {"Service": "ses.amazonaws.com"},
  "Action": [
    "kms:Encrypt",
    "kms:GenerateDataKey*"
  ],
  "Resource": "*",
  "Condition": {
    "Null": {
      "kms:EncryptionContext:aws:ses:rule-name": false,
      "kms:EncryptionContext:aws:ses:message-id": false
    },
    "StringEquals": {"kms:EncryptionContext:aws:ses:source-account": "ACCOUNT-ID-WITHOUT-HYPHENS"}
  }
}

Replace ACCOUNT-ID-WITHOUT-HYPHENS with the 12-digit ID of the AWS account in which you've configured Amazon SES to receive email messages. This policy statement allows Amazon SES to encrypt data with this CMK only under these conditions:

Amazon SES must specify aws:ses:rule-name and aws:ses:message-id in the EncryptionContext of their AWS KMS API requests.
Amazon SES must specify aws:ses:source-account in the EncryptionContext of their AWS KMS API requests, and the value for aws:ses:source-account must match the AWS account ID specified in the key policy.

For more information about the encryption context that Amazon SES uses when encrypting your email messages, go to Amazon SES Encryption Context. For general information about encryption context, go to Encryption Context.

Retrieving and Decrypting Email Messages

Amazon SES does not have permission to decrypt your encrypted email messages and cannot decrypt them for you. You must write code to retrieve your email messages from Amazon S3 and decrypt them. To make this easier, use the Amazon S3 encryption client. The following AWS SDKs include the Amazon S3 encryption client:

AWS SDK for Java – See AmazonS3EncryptionClient in the AWS SDK for Java API Reference.
AWS SDK for Ruby – See Aws::S3::Encryption::Client in the AWS SDK for Ruby API Reference.
AWS SDK for .NET – See AmazonS3EncryptionClient in the AWS SDK for .NET API Reference.
AWS SDK for Go – See s3crypto in the AWS SDK for Go API Reference.

The Amazon S3 encryption client simplifies the work of constructing the necessary requests to Amazon S3 to retrieve the encrypted email message and to AWS KMS to decrypt the message's encrypted data key, and of decrypting the email message. For example, to successfully decrypt the encrypted data key you must pass the same encryption context that Amazon SES passed when requesting the data key from AWS KMS (Step 3 in the Overview of Amazon SES Encryption Using AWS KMS). The Amazon S3 encryption client handles this, and much of the other work, for you.

For sample code that uses the Amazon S3 encryption client in the AWS SDK for Java to do client-side decryption, see the following:

Example: Client-Side Encryption (Option 1: Using an AWS KMS–Managed Customer Master Key (AWS SDK for Java)) in the Amazon Simple Storage Service Developer Guide.
Amazon S3 Encryption with AWS Key Management Service on the AWS Developer Blog.

Warning Javascript is disabled or is unavailable in your browser.

To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

« Previous Next »