Deliver to S3 bucket action - Amazon Simple Email Service

Deliver to S3 bucket action

The S3 action delivers the mail to an Amazon S3 bucket and, optionally, notifies you through Amazon SNS. This action has the following options.

  • S3 Bucket—The name of the Amazon S3 bucket to which to save received emails. You can also create a new Amazon S3 bucket when you set up your action by choosing Create S3 Bucket. Amazon SES provides you the raw, unmodified email, which is typically in Multipurpose Internet Mail Extensions (MIME) format. For more information about MIME format, see RFC 2045.

    Important
    • When you save your emails to an Amazon S3 bucket, the default maximum email size (including headers) is 40 MB.

    • SES does not support receipt rules that upload to S3 buckets that have object lock enabled with a default retention period configured.

    • If you apply encryption to your S3 bucket by specifying your own KMS key, use the fully qualified KMS key ARN, not the KMS key alias. Using the alias can result in data being encrypted with a KMS key that belongs to the requester rather than the bucket administrator. See Using encryption for cross-account operations.

    • SES does not support S3 buckets in Opt-in regions as a destination for inbound emails.

  • Object Key Prefix—A key name prefix to use within the Amazon S3 bucket. Key name prefixes enable you to organize your Amazon S3 bucket in a folder structure. For example, if you use Email as your Object Key Prefix, your emails will appear in your Amazon S3 bucket in a folder named Email.

  • KMS Key (if "Encrypt Message" is selected in the Amazon SES console)—The AWS KMS key that Amazon SES should use to encrypt your emails before saving them to the Amazon S3 bucket. You can use the default KMS key or a customer managed key that you created in AWS KMS.

    Note

    The KMS key you choose must be in the same AWS region as the Amazon SES endpoint you use to receive email.

    • To use the default KMS key, choose aws/ses when you set up the receipt rule in the Amazon SES console. If you use the Amazon SES API, you can specify the default KMS key by providing an ARN in the form of arn:aws:kms:REGION:AWSACCOUNTID:alias/aws/ses. For example, if your AWS account ID is 123456789012 and you want to use the default KMS key in the us-east-1 region, the ARN of the default KMS key would be arn:aws:kms:us-east-1:123456789012:alias/aws/ses. If you use the default KMS key, you don't need to perform any extra steps to give Amazon SES permission to use the key.

    • To use a customer managed key that you created in AWS KMS, provide the ARN of the KMS key and ensure that you add a statement to your key's policy to give Amazon SES permission to use it. For more information about giving permissions, see Giving permissions to Amazon SES for email receiving.

    For more information about using AWS KMS with Amazon SES, see the AWS Key Management Service Developer Guide. If you do not specify a KMS key in the console or API, Amazon SES will not encrypt your emails.

    Important

    Your mail is encrypted by Amazon SES using the Amazon S3 encryption client before the mail is submitted to Amazon S3 for storage. It is not encrypted using Amazon S3 server-side encryption. This means that you must use the Amazon S3 encryption client to decrypt the email after retrieving it from Amazon S3, because the service cannot use your AWS KMS keys for decryption. This encryption client is available in the AWS SDK for Java and the AWS SDK for Ruby. For more information, see the Amazon Simple Storage Service User Guide.

  • SNS Topic—The name or ARN of the Amazon SNS topic to notify when an email is saved to the Amazon S3 bucket. An example of an Amazon SNS topic ARN is arn:aws:sns:us-east-1:123456789012:MyTopic. You can also create an Amazon SNS topic when you set up your action by choosing Create SNS Topic. For more information about Amazon SNS topics, see the Amazon Simple Notification Service Developer Guide.

    Note

    The Amazon SNS topic you choose must be in the same AWS region as the Amazon SES endpoint you use to receive email.
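The region and key constraints above can be checked before a receipt rule is deployed. The following Python check is an added example, not code from the Amazon SES documentation. It assumes the action is given as a dict using the SES API `S3Action` field names (`BucketName`, `ObjectKeyPrefix`, `KmsKeyArn`, `TopicArn`); `lint_s3_action` and `bucket_kms_key` are hypothetical names, and the sample values are constructed.

```python
import re

# ARN layout: arn:partition:service:region:account-id:resource
ARN_RE = re.compile(r"^arn:(aws[a-z-]*):([a-z0-9-]+):([a-z0-9-]*):(\d{12}):(.+)$")

def parse_arn(value):
    """Split an ARN into its fields, or return None if it is not an ARN."""
    m = ARN_RE.match(value or "")
    if not m:
        return None
    return dict(zip(("partition", "service", "region", "account", "resource"), m.groups()))

def lint_s3_action(ses_region, action, bucket_kms_key=None):
    """Return findings for one S3 action; bucket_kms_key is the bucket's own encryption key."""
    findings = []
    kms = action.get("KmsKeyArn")
    if not kms:
        findings.append("KmsKeyArn not set: SES will not encrypt the stored email")
    else:
        arn = parse_arn(kms)
        if arn is None or arn["service"] != "kms":
            findings.append("KmsKeyArn is not a KMS ARN")
        elif arn["region"] != ses_region:
            findings.append("KMS key is not in the SES endpoint region")

    topic = action.get("TopicArn")
    if topic:
        arn = parse_arn(topic)
        if arn is None or arn["service"] != "sns":
            findings.append("TopicArn is not an SNS ARN")
        elif arn["region"] != ses_region:
            findings.append("SNS topic is not in the SES endpoint region")

    # Bucket-level encryption must name the key by full key ARN, never by alias.
    if bucket_kms_key:
        arn = parse_arn(bucket_kms_key)
        if arn is None or arn["service"] != "kms" or not arn["resource"].startswith("key/"):
            findings.append("bucket encryption key is not a fully qualified KMS key ARN")
    return findings

# Constructed sample input; the account ID and topic name are the page's examples.
GOOD = {"BucketName": "example-inbound-mail", "ObjectKeyPrefix": "Email",
        "KmsKeyArn": "arn:aws:kms:us-east-1:123456789012:alias/aws/ses",
        "TopicArn": "arn:aws:sns:us-east-1:123456789012:MyTopic"}
BAD = {"BucketName": "example-inbound-mail",
       "TopicArn": "arn:aws:sns:eu-west-1:123456789012:MyTopic"}

if __name__ == "__main__":
    print(lint_s3_action("us-east-1", GOOD))
    print(lint_s3_action("us-east-1", BAD, bucket_kms_key="alias/mail-key"))
```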