How Amazon Simple Email Service (Amazon SES) uses AWS KMS
You can use Amazon Simple Email Service (Amazon SES) to receive email, and (optionally) to encrypt the received email messages before storing them in an Amazon Simple Storage Service (Amazon S3) bucket that you choose. When you configure Amazon SES to encrypt email messages, you must choose the AWS KMS customer master key (CMK) under which Amazon SES encrypts the messages. You can choose the AWS managed CMK for Amazon SES (its alias is aws/ses), or you can choose a symmetric customer managed CMK that you created in AWS KMS.
Amazon SES supports only symmetric CMKs. You cannot use an asymmetric CMK to encrypt your Amazon SES email messages. For help determining whether a CMK is symmetric or asymmetric, see Identifying symmetric and asymmetric CMKs.
For more information about receiving email using Amazon SES, go to Receiving Email with Amazon SES in the Amazon Simple Email Service Developer Guide.
Topics
Overview of Amazon SES encryption using AWS KMS
When you configure Amazon SES to receive email and encrypt the email messages before saving them to your S3 bucket, the process works like this:
-
You create a receipt rule for Amazon SES, specifying the S3 action, an S3 bucket for storage, and a KMS customer master key (CMK) for encryption.
-
Amazon SES receives an email message that matches your receipt rule.
-
Amazon SES requests a unique data key encrypted with the KMS CMK that you specified in the applicable receipt rule.
-
AWS KMS creates a new data key, encrypts it with the specified CMK, and then sends the encrypted and plaintext copies of the data key to Amazon SES.
-
Amazon SES uses the plaintext data key to encrypt the email message and then removes the plaintext data key from memory as soon as possible after use.
-
Amazon SES puts the encrypted email message and the encrypted data key in the specified S3 bucket. The encrypted data key is stored as metadata with the encrypted email message.
To accomplish Step 3 through Step 6, Amazon SES uses the AWS–provided Amazon S3 encryption client. Use the same client to retrieve your encrypted email messages from Amazon S3 and decrypt them. For more information, see Getting and decrypting email messages.
Amazon SES encryption context
When Amazon SES requests a data key to encrypt your received email messages (Step 3 in the Overview of Amazon SES encryption using AWS KMS), it includes an encryption context in the request. The encryption context provides additional authenticated data (AAD) that AWS KMS uses to ensure data integrity. The encryption context is also written to your AWS CloudTrail log files, which can help you understand why a given customer master key (CMK) was used. Amazon SES uses the following encryption context:
-
The ID of the AWS account in which you've configured Amazon SES to receive email messages
-
The rule name of the Amazon SES receipt rule that invoked the S3 action on the email message
-
The Amazon SES message ID for the email message
The following example shows a JSON representation of the encryption context that Amazon SES uses:
{
"aws:ses:source-account": "111122223333
",
"aws:ses:rule-name": "example-receipt-rule-name
",
"aws:ses:message-id": "d6iitobk75ur44p8kdnnp7g2n800
"
}
Giving Amazon SES permission to use your AWS KMS customer master key (CMK)
To encrypt your email messages, you can use the AWS managed customer master key (CMK) in your account for Amazon SES (aws/ses), or you can use a customer managed CMK that you create. Amazon SES already has permission to use the AWS managed CMK on your behalf. However, if you specify a customer managed CMK when you add the S3 action to your Amazon SES receipt rule, you must give Amazon SES permission to use the CMK to encrypt your email messages.
To give Amazon SES permission to use your customer managed CMK, add the following statement to that CMK's key policy:
{ "Sid": "Allow SES to encrypt messages using this CMK", "Effect": "Allow", "Principal": {"Service": "ses.amazonaws.com"}, "Action": [ "kms:Encrypt", "kms:GenerateDataKey*" ], "Resource": "*", "Condition": { "Null": { "kms:EncryptionContext:aws:ses:rule-name": false, "kms:EncryptionContext:aws:ses:message-id": false }, "StringEquals": {"kms:EncryptionContext:aws:ses:source-account": "
ACCOUNT-ID-WITHOUT-HYPHENS
"} } }
Replace
with the
12-digit ID of the AWS account in which you've configured Amazon SES to receive email
messages.
This policy statement allows Amazon SES to encrypt data with this CMK only under these
conditions:
ACCOUNT-ID-WITHOUT-HYPHENS
-
Amazon SES must specify
aws:ses:rule-name
andaws:ses:message-id
in theEncryptionContext
of their AWS KMS API requests. -
Amazon SES must specify
aws:ses:source-account
in theEncryptionContext
of their AWS KMS API requests, and the value foraws:ses:source-account
must match the AWS account ID specified in the key policy.
For more information about the encryption context that Amazon SES uses when encrypting your email messages, see Amazon SES encryption context. For general information about how AWS KMS uses the encryption context, see encryption context.
Getting and decrypting email messages
Amazon SES does not have permission to decrypt your encrypted email messages and cannot decrypt them for you. You must write code to get your email messages from Amazon S3 and decrypt them. To make this easier, use the Amazon S3 encryption client. The following AWS SDKs include the Amazon S3 encryption client:
-
AWS SDK for Java
– See AmazonS3EncryptionClient in the AWS SDK for Java API Reference. -
AWS SDK for Ruby
– See Aws::S3::Encryption::Client in the AWS SDK for Ruby API Reference. -
AWS SDK for .NET
– See AmazonS3EncryptionClient in the AWS SDK for .NET API Reference. -
AWS SDK for Go
– See s3crypto in the AWS SDK for Go API Reference.
The Amazon S3 encryption client simplifies the work of constructing the necessary requests to Amazon S3 to retrieve the encrypted email message and to AWS KMS to decrypt the message's encrypted data key, and of decrypting the email message. For example, to successfully decrypt the encrypted data key you must pass the same encryption context that Amazon SES passed when requesting the data key from AWS KMS (Step 3 in the Overview of Amazon SES encryption using AWS KMS). The Amazon S3 encryption client handles this, and much of the other work, for you.
For sample code that uses the Amazon S3 encryption client in the AWS SDK for Java to do client-side decryption, see the following:
-
Using a CMK stored in AWS KMS in the Amazon Simple Storage Service Developer Guide.
-
Amazon S3 Encryption with AWS Key Management Service
on the AWS Developer Blog.