Set up a Firehose event destination for Amazon SES event publishing - Amazon Simple Email Service

Set up a Firehose event destination for Amazon SES event publishing

An Amazon Data Firehose event destination represents an entity that publishes specific Amazon SES email sending events to Firehose. Because a Firehose event destination exists within a configuration set only, you first have to create a configuration set. Next, you add the event destination to the configuration set.

The procedure in this section shows how to add Firehose event destination details to a configuration set and assumes you have completed steps 1 through 6 in Creating an event destination.

You can also use the UpdateConfigurationSetEventDestination operation in the Amazon SES API V2 to create and update event destinations.

To add Firehose event destination details to a configuration set using the console
  1. These are the detailed instructions for selecting Firehose as your event destination type in Step 7, and they assume you have completed all the previous steps in Creating an event destination. After you select the Firehose Destination type and enable Event publishing, the Amazon Data Firehose delivery stream panel appears. Its fields are addressed in the following steps.

  2. For Delivery stream, choose an existing Firehose delivery stream, or choose Create new stream to create a new one using the Firehose console.

    For information about creating a stream using the Firehose console, see Creating an Amazon Kinesis Firehose Delivery Stream in the Amazon Data Firehose Developer Guide.

  3. For Identity and Access Management (IAM) Role, choose an IAM role for which Amazon SES has permission to publish to Firehose on your behalf. You can choose an existing role, have Amazon SES create a role for you, or create your own role.

    If you choose an existing role or create your own role, you must manually modify the role's policies to give the role permission to access the Firehose delivery stream, and to give Amazon SES permission to assume the role. For example policies, see Giving Amazon SES Permission to Publish to Your Firehose Delivery Stream.

  4. Choose Next.

  5. On the review screen, if you're satisfied with how you defined your event destination, choose Add destination.

For information about how to use the UpdateConfigurationSetEventDestination API to add a Firehose event destination, see the Amazon Simple Email Service API Reference.

Giving Amazon SES Permission to Publish to Your Firehose Delivery Stream

To enable Amazon SES to publish records to your Firehose delivery stream, you must use an AWS Identity and Access Management (IAM) role and attach or modify the role's permissions policy and trust policy. The permissions policy enables the role to publish records to your Firehose delivery stream, and the trust policy enables Amazon SES to assume the role.

This section provides examples of both policies. For information about attaching policies to IAM roles, see Modifying a Role in the IAM User Guide.

Permissions Policy

The following permissions policy enables the role to publish data records to your Firehose delivery stream.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "firehose:PutRecordBatch"
            ],
            "Resource": [
                "arn:aws:firehose:delivery-region:111122223333:deliverystream/delivery-stream-name"
            ]
        }
    ]
}

Make the following changes to the preceding policy example:

  • Replace delivery-region with the AWS Region where you created the Firehose delivery stream.

  • Replace 111122223333 with your AWS account ID.

  • Replace delivery-stream-name with the name of the Firehose delivery stream.

Trust Policy

The following trust policy enables Amazon SES to assume the role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "ses.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceAccount": "111122223333",
                    "AWS:SourceArn": "arn:aws:ses:delivery-region:111122223333:configuration-set/configuration-set-name"
                }
            }
        }
    ]
}

Make the following changes to the preceding policy example:

  • Replace delivery-region with the AWS Region where you created the Firehose delivery stream.

  • Replace 111122223333 with your AWS account ID.

  • Replace configuration-set-name with the name of your configuration set associated with the Firehose delivery stream.
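When you choose an existing role or write your own, it helps to check both policy documents against the two examples above before attaching them. The following is an added example, not part of the AWS documentation: the function names are hypothetical, and the Region, stream name, and configuration set name are constructed values standing in for the page's placeholders.

```python
SES = "ses.amazonaws.com"

def _as_list(value):
    # IAM accepts either a single string or a list for these fields.
    return value if isinstance(value, list) else [value]

def check_permissions_policy(policy, stream_arn):
    """Flag any Allow wider than firehose:PutRecordBatch on the one stream."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        findings += [f"unexpected action: {a}" for a in _as_list(stmt.get("Action", []))
                     if a != "firehose:PutRecordBatch"]
        findings += [f"unexpected resource: {r}" for r in _as_list(stmt.get("Resource", []))
                     if r != stream_arn]
    return findings

def check_trust_policy(policy, account_id, config_set_arn):
    """Flag any Allow that lacks the SES principal or either source condition."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal") not in ({"Service": SES}, {"Service": [SES]}):
            findings.append(f"unexpected principal: {stmt.get('Principal')}")
        # Condition key names are not case-sensitive in IAM, so normalise them.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        cond = {k.lower(): _as_list(v) for k, v in equals.items()}
        if cond.get("aws:sourceaccount") != [account_id]:
            findings.append("AWS:SourceAccount condition missing or wrong")
        if cond.get("aws:sourcearn") != [config_set_arn]:
            findings.append("AWS:SourceArn condition missing or wrong")
    return findings

# Constructed sample values filling in the page's placeholders.
ACCOUNT = "111122223333"
STREAM_ARN = f"arn:aws:firehose:us-east-1:{ACCOUNT}:deliverystream/ses-events"
CONFIG_SET_ARN = f"arn:aws:ses:us-east-1:{ACCOUNT}:configuration-set/example-set"
GOOD_PERMS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["firehose:PutRecordBatch"], "Resource": [STREAM_ARN]}]}
WIDE_PERMS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "firehose:*", "Resource": "*"}]}
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": SES}, "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"AWS:SourceAccount": ACCOUNT,
                                    "AWS:SourceArn": CONFIG_SET_ARN}}}]}
WEAK_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": SES}, "Action": "sts:AssumeRole"}]}
```

An empty list from both functions means the role matches the shape of the example policies; `WEAK_TRUST` shows the case where the `Condition` block was dropped and the role is no longer tied to one account and configuration set.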