Sign In to the Console
Amazon Simple Email Service
Developer Guide

AWS Documentation » Amazon SES Documentation » Developer Guide » Receiving Email with Amazon SES » Setting Up Amazon SES Email Receiving » Giving Permissions to Amazon SES for Email Receiving

Giving Permissions to Amazon SES for Email Receiving

To enable Amazon SES to write emails to your Amazon S3 bucket, use an AWS KMS key to encrypt your emails, call your Lambda function, or publish to an Amazon SNS topic of another account, Amazon SES must have permission to access those resources. You give permission by attaching a policy to the resource. This topic provides example policies.

Give Amazon SES Permission to Write to Your Amazon S3 Bucket

When applied to an Amazon S3 bucket, the following policy gives Amazon SES permission to write to that bucket. For more information about creating receipt rules that transfer incoming email to Amazon S3, see S3 Action. For more information about attaching policies to Amazon S3 buckets, see the Amazon Simple Storage Service Developer Guide. 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSESPuts",
            "Effect": "Allow",
            "Principal": {
                "Service": "ses.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::BUCKET-NAME/*",
            "Condition": {
                "StringEquals": {
                    "aws:Referer": "AWSACCOUNTID"
                }
            }
        }
    ]
}

Give Amazon SES Permission to Use Your AWS KMS Master Key

For Amazon SES to encrypt your emails, it must have permission to use the AWS KMS key that you specified when you set up your receipt rule. You can either use the default master key (aws/ses) in your account or a custom master key you create. If you use the default master key, you don't need to perform any steps to give Amazon SES permission to use it. If you use a custom master key, you need to give Amazon SES permission to use it by adding a statement to the key's policy. The policy statement includes conditions that are designed to ensure that Amazon SES can only use your custom master key when certain values are present in the request to AWS KMS; specifically:

  • aws:ses:source-account—The AWS account ID on behalf of which Amazon SES received the email.

  • aws:ses:message-id—The Amazon SES message ID of the received email.

  • aws:ses:rule-name—The name of the receipt rule that was used to encrypt the email.

Paste the following policy statement into the key policy to permit Amazon SES to use your custom master key when Amazon SES receives email on behalf of your AWS account. Replace AWSACCOUNTID with your 12-digit AWS account ID. 

{
   "Sid": "AllowSESToEncryptMessagesBelongingToThisAccount",
   "Effect": "Allow",
   "Principal": {"Service":"ses.amazonaws.com"},
   "Action": ["kms:Encrypt", "kms:GenerateDataKey*"],
   "Resource": "*",
   "Condition": {
       "Null": {
            "kms:EncryptionContext:aws:ses:rule-name": "false",
            "kms:EncryptionContext:aws:ses:message-id": "false"
        },
        "StringEquals": {
              "kms:EncryptionContext:aws:ses:source-account": "AWSACCOUNTID"
        }
   }
}

For more information about attaching policies to AWS KMS keys, see the AWS Key Management Service Developer Guide.

Give Amazon SES Permission to Invoke Your Lambda Function

To enable Amazon SES to call your Lambda function, you can either configure the Lambda function using the Amazon SES console during receipt-rule setup (in which case Amazon SES automatically adds the necessary permissions to the function) or you can use the AWS Lambda AddPermission API to attach a policy to the function. The following AddPermission API call gives Amazon SES permission to invoke your Lambda function. Replace AWSACCOUNTID with your 12-digit AWS account ID. For more information about attaching policies to Lambda functions, see the AWS Lambda Developer Guide. 

{
     "Action": "lambda:InvokeFunction",
     "Principal": "ses.amazonaws.com",
     "SourceAccount": "AWSACCOUNTID",
     "StatementId": "GiveSESPermissionToInvokeFunction"
}

Give Amazon SES Permission to Publish to an Amazon SNS Topic of Another Account

If the Amazon SNS topic you want to use is owned by the same AWS account you are using for Amazon SES, no setup is required to allow Amazon SES to publish to the topic. However, if you want to publish notifications to a topic that you do not own, use the Amazon SNS console or API to attach a policy to the Amazon SNS topic. The following policy gives Amazon SES permission to publish to an Amazon SNS topic. Replace AWSACCOUNTID with your 12-digit AWS account ID, and TOPIC-NAME with the name of the Amazon SNS topic. For more information about writing policies for Amazon SNS topics, see the Amazon Simple Notification Service Developer Guide. 

{
    "Version": "2008-10-17",
    "Statement": [
     {
          "Effect": "Allow",
          "Principal": {
              "Service": "ses.amazonaws.com"
           },
           "Action": "SNS:Publish",
           "Resource": "arn:aws:sns:us-east-1:AWSACCOUNTID:TOPIC-NAME"
      }
   ]
}