Giving permissions to Amazon SES for email receiving - Amazon Simple Email Service Classic

This is the user guide for Amazon SES Classic. Updates and new features are only being documented in the new Amazon SES Developer Guide, which we recommend that you use.

Giving permissions to Amazon SES for email receiving

Some of the tasks that you can perform when you receive email in Amazon SES, such as sending email to an Amazon S3 bucket or calling a Lambda function, require special permissions. This section includes example policies for several common use cases.

Give Amazon SES permission to write to an Amazon S3 bucket

When you apply the following policy to an Amazon S3 bucket, it gives Amazon SES permission to write to that bucket. For more information about creating receipt rules that transfer incoming email to Amazon S3, see S3 action.

For more information about attaching policies to Amazon S3 buckets, see Using Bucket Policies and User Policies in the Amazon Simple Storage Service User Guide.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSESPuts",
      "Effect": "Allow",
      "Principal": {
        "Service": "ses.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::myBucket/*",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "111122223333",
          "AWS:SourceArn": "arn:aws:ses:us-west-2:111122223333:receipt-rule-set/rule_set_name:receipt-rule/receipt_rule_name"
        }
      }
    }
  ]
}

Make the following changes to the preceding policy example:

  • If you're located in a special partition such as China or AWS GovCloud (US), replace aws with the corresponding AWS partition, see Amazon Resource Names (ARNs) in the AWS General Reference.

  • Replace myBucket with the name of the S3 bucket that you want to write to.

  • Replace us-west-2 with the AWS Region where you created the receipt rule.

  • Replace 111122223333 with your AWS account ID.

  • Replace rule_set_name with the name of the rule set that contains the receipt rule that contains the deliver to Amazon S3 bucket action.

  • Replace receipt_rule_name with the name of the receipt rule that contains the deliver to Amazon S3 bucket action.

Give Amazon SES permission to use your AWS KMS key

In order for Amazon SES to encrypt your emails, it must have permission to use the AWS KMS key that you specified when you set up your receipt rule. You can either use the default KMS key (aws/ses) in your account, or use a customer managed key that you create. If you use the default KMS key, you don't need to perform any additional steps to give Amazon SES permission to use it. If you use a customer managed key, you need to give Amazon SES permission to use it by adding a statement to the key's policy.

Add the following statement to the key policy of your customer managed key to allow Amazon SES to use the key when it receives email on your domain. Add it alongside the key's existing statements rather than replacing them; a key policy that no longer grants your account's administrators kms:* leaves the key unmanageable.

{
  "Sid": "AllowSESToEncryptMessagesBelongingToThisAccount",
  "Effect": "Allow",
  "Principal": {
    "Service": "ses.amazonaws.com"
  },
  "Action": [
    "kms:GenerateDataKey*"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "AWS:SourceAccount": "111122223333",
      "AWS:SourceArn": "arn:aws:ses:us-west-2:111122223333:receipt-rule-set/rule_set_name:receipt-rule/receipt_rule_name"
    }
  }
}

Make the following changes to the preceding policy example:

  • If you're located in a special partition such as China or AWS GovCloud (US), replace aws with the corresponding AWS partition, see Amazon Resource Names (ARNs) in the AWS General Reference.

  • Replace us-west-2 with the AWS Region where you created the receipt rule.

  • Replace 111122223333 with your AWS account ID.

  • Replace rule_set_name with the name of the rule set that contains the receipt rule that you've associated with email receiving.

  • Replace receipt_rule_name with the name of the receipt rule that you've associated with email receiving.

For more information about attaching policies to AWS KMS keys, see Using Key Policies in AWS KMS in the AWS Key Management Service Developer Guide.
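The statement above has to be merged into the key's existing policy, not written over it: a key policy that contains only the SES statement leaves nobody in the account able to administer the key. The following Python is added here as an example; it is not code from the SES documentation or from any AWS SDK. It builds the receipt-rule ARN, inserts the statement into a copy of a key policy (replacing an earlier statement with the same Sid, so re-running it is safe), and refuses to produce a policy that has no account-root kms:* statement. The sample key policy uses the page's placeholder account, Region, rule set and rule names and is constructed here; the lockout guard and the function names are this example's own.

```python
import json

SES_SID = "AllowSESToEncryptMessagesBelongingToThisAccount"


def receipt_rule_arn(partition, region, account_id, rule_set_name, rule_name):
    """ARN of the receipt rule SES acts for; this is the value that goes into AWS:SourceArn."""
    return (f"arn:{partition}:ses:{region}:{account_id}:"
            f"receipt-rule-set/{rule_set_name}:receipt-rule/{rule_name}")


def ses_key_statement(account_id, rule_arn):
    """The key policy statement from the page, with both confused-deputy conditions filled in."""
    return {
        "Sid": SES_SID,
        "Effect": "Allow",
        "Principal": {"Service": "ses.amazonaws.com"},
        "Action": ["kms:GenerateDataKey*"],
        "Resource": "*",
        "Condition": {"StringEquals": {"AWS:SourceAccount": account_id,
                                       "AWS:SourceArn": rule_arn}},
    }


def _as_list(v):
    # IAM allows a single string/object or a list in most policy fields.
    if v is None:
        return []
    return [v] if isinstance(v, (str, dict)) else list(v)


def keeps_account_admin(policy, account_id, partition="aws"):
    """True if some Allow statement still lets the account root call kms:* on the key.
    Without such a statement the key can become unmanageable (this guard is the example's own)."""
    root = f"arn:{partition}:iam::{account_id}:root"
    for st in _as_list(policy.get("Statement")):
        principal = st.get("Principal", {})
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if st.get("Effect") == "Allow" and root in aws and "kms:*" in _as_list(st.get("Action")):
            return True
    return False


def merge_ses_statement(policy, account_id, rule_arn, partition="aws"):
    """Return a copy of the key policy with the SES statement added (an earlier statement with
    the same Sid is replaced), every other statement untouched, and the lockout guard applied."""
    others = [st for st in _as_list(policy.get("Statement")) if st.get("Sid") != SES_SID]
    merged = dict(policy, Statement=others + [ses_key_statement(account_id, rule_arn)])
    if not keeps_account_admin(merged, account_id, partition):
        raise ValueError("refusing to write a key policy with no account-root kms:* statement")
    return merged


# Constructed sample: the default policy AWS KMS attaches to a new customer managed key.
EXISTING_KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    arn = receipt_rule_arn("aws", "us-west-2", "111122223333", "rule_set_name", "receipt_rule_name")
    merged = merge_ses_statement(EXISTING_KEY_POLICY, "111122223333", arn)
    # The printed document is what you would pass to PutKeyPolicy for the key.
    print(json.dumps(merged, indent=2))
```

Fetch the current key policy with GetKeyPolicy, run it through merge_ses_statement, and write the result back with PutKeyPolicy; because the merge is keyed on the Sid, running it twice leaves exactly one SES statement in place.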

Give Amazon SES permission to invoke a Lambda function

To enable Amazon SES to call a Lambda function, you can choose the function when you create a receipt rule in the Amazon SES console. When you do, Amazon SES automatically adds the necessary permissions to the function.

Alternatively, you can use the AddPermission operation in the AWS Lambda API to attach a policy to a function. The following call to the AddPermission API gives Amazon SES permission to invoke your Lambda function; the function itself is identified by the separate FunctionName parameter of the call. For more information about attaching policies to Lambda functions, see AWS Lambda Permissions in the AWS Lambda Developer Guide.

{
  "Action": "lambda:InvokeFunction",
  "Principal": "ses.amazonaws.com",
  "SourceAccount": "111122223333",
  "SourceArn": "arn:aws:ses:us-west-2:111122223333:receipt-rule-set/rule_set_name:receipt-rule/receipt_rule_name",
  "StatementId": "GiveSESPermissionToInvokeFunction"
}

Make the following changes to the preceding policy example:

  • If you're located in a special partition such as China or AWS GovCloud (US), replace aws with the corresponding AWS partition, see Amazon Resource Names (ARNs) in the AWS General Reference.

  • Replace us-west-2 with the AWS Region where you created the receipt rule.

  • Replace 111122223333 with your AWS account ID.

  • Replace rule_set_name with the name of the rule set that contains the receipt rule where you created your Lambda function.

  • Replace receipt_rule_name with the name of the receipt rule containing your Lambda function.

Give Amazon SES permission to publish to an Amazon SNS topic that belongs to a different AWS account

If you want to publish notifications to a topic in a separate AWS account, then you have to attach a policy to the Amazon SNS topic.

The following policy gives Amazon SES permission to publish to an Amazon SNS topic in a separate AWS account.

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ses.amazonaws.com"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:topic_region:sns_topic_account_id:topic_name",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "aws_account_id",
          "AWS:SourceArn": "arn:aws:ses:receipt_region:aws_account_id:receipt-rule-set/rule_set_name:receipt-rule/receipt_rule_name"
        }
      }
    }
  ]
}

Make the following changes to the preceding policy example:

  • If you're located in a special partition such as China or AWS GovCloud (US), replace aws with the corresponding AWS partition, see Amazon Resource Names (ARNs) in the AWS General Reference.

  • Replace topic_region with the AWS Region that the Amazon SNS topic was created in.

  • Replace sns_topic_account_id with the ID of the AWS account that owns the Amazon SNS topic.

  • Replace topic_name with the name of the Amazon SNS topic that you want to publish notifications to.

  • Replace aws_account_id with the ID of the AWS account that is configured to receive email.

  • Replace receipt_region with the AWS Region where you created the receipt rule.

  • Replace rule_set_name with the name of the rule set that contains the receipt rule where you created your publish to Amazon SNS topic action.

  • Replace receipt_rule_name with the name of the receipt rule containing the publish to Amazon SNS topic action.
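Every grant on this page (the S3 bucket policy, the Lambda AddPermission call and the cross-account SNS topic policy above) relies on the same two conditions, AWS:SourceAccount and AWS:SourceArn, to stop another SES customer from using the ses.amazonaws.com service principal to write into your bucket, invoke your function or publish to your topic. The audit below is an added example and not code from the SES documentation or from any AWS tool. It inspects every Allow statement for ses.amazonaws.com in a resource policy, reports a missing SourceAccount or SourceArn, checks that SourceAccount equals the account embedded in the SourceArn (for the cross-account SNS case that is the receiving account, not the topic owner), and flags wildcards in the SourceArn. The sample policies are constructed from the page's placeholders; the topic-owner account 444455556666 and the assumption that Lambda stores AddPermission's SourceArn under an ArnLike condition are this example's own.

```python
import re

SES_PRINCIPAL = "ses.amazonaws.com"
# Receipt-rule ARN shape used by every SourceArn on this page; partition names per the AWS General Reference.
RULE_ARN_RE = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):ses:[a-z0-9-]+:(?P<account>\d{12}):"
    r"receipt-rule-set/[^:]+:receipt-rule/[^:]+$"
)


def _as_list(v):
    # IAM allows a single string/object or a list in most policy fields.
    if v is None:
        return []
    return [v] if isinstance(v, (str, dict)) else list(v)


def _conditions(st):
    """Flatten Condition into {operator: {key_lowercase: [values]}}; condition keys are case-insensitive."""
    return {op: {k.lower(): _as_list(v) for k, v in kv.items()}
            for op, kv in (st.get("Condition") or {}).items()}


def _lookup(conds, key, ops):
    for op in ops:
        vals = conds.get(op, {}).get(key.lower())
        if vals:
            return vals
    return []


def audit_ses_statement(st, expected_account=None):
    """Findings for one statement; an empty list means either the statement is not an SES grant
    or it carries the confused-deputy guards this page requires."""
    principal = st.get("Principal")
    services = _as_list(principal.get("Service")) if isinstance(principal, dict) else _as_list(principal)
    if st.get("Effect") != "Allow" or SES_PRINCIPAL not in services:
        return []
    findings = []
    conds = _conditions(st)
    accounts = _lookup(conds, "aws:SourceAccount", ["StringEquals"])
    # Lambda's stored policy keeps SourceArn under ArnLike (assumption); the page's own policies use StringEquals.
    arns = _lookup(conds, "aws:SourceArn", ["StringEquals", "ArnEquals", "ArnLike"])
    if not accounts:
        findings.append("missing aws:SourceAccount: any SES customer could trigger this grant")
    if not arns:
        findings.append("missing aws:SourceArn: grant is not pinned to one receipt rule")
    for arn in arns:
        if "*" in arn or "?" in arn:
            findings.append(f"wildcard in SourceArn widens the grant beyond one rule: {arn}")
            continue
        m = RULE_ARN_RE.match(arn)
        if not m:
            findings.append(f"SourceArn is not a receipt-rule ARN: {arn}")
            continue
        if accounts and m.group("account") not in accounts:
            findings.append("SourceAccount does not match the account in SourceArn")
        if expected_account and m.group("account") != expected_account:
            findings.append(f"SourceArn belongs to {m.group('account')}, expected {expected_account}")
    for action in _as_list(st.get("Action")):
        if action == "*" or action.endswith(":*"):
            findings.append(f"over-broad action {action}")
    return findings


def audit_policy(policy, expected_account=None):
    """Findings for every SES grant in a resource policy, prefixed with the statement's Sid."""
    out = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        sid = st.get("Sid", f"Statement[{i}]")
        out.extend(f"{sid}: {f}" for f in audit_ses_statement(st, expected_account))
    return out


def _ses_policy(action, resource, source_account, source_arn, arn_op="StringEquals"):
    """Constructed sample in the shape used throughout this page."""
    cond = {"StringEquals": {"AWS:SourceAccount": source_account}}
    cond.setdefault(arn_op, {})["AWS:SourceArn"] = source_arn
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowSES", "Effect": "Allow", "Principal": {"Service": SES_PRINCIPAL},
        "Action": action, "Resource": resource, "Condition": cond}]}


RULE_ARN = "arn:aws:ses:us-west-2:111122223333:receipt-rule-set/rule_set_name:receipt-rule/receipt_rule_name"
S3_POLICY = _ses_policy("s3:PutObject", "arn:aws:s3:::myBucket/*", "111122223333", RULE_ARN)
# Topic owned by 444455556666 (constructed); SourceAccount must still be the receiving account.
SNS_OK = _ses_policy("SNS:Publish", "arn:aws:sns:us-east-1:444455556666:topic_name", "111122223333", RULE_ARN)
SNS_WRONG = _ses_policy("SNS:Publish", "arn:aws:sns:us-east-1:444455556666:topic_name", "444455556666", RULE_ARN)
LAMBDA_WILDCARD = _ses_policy("lambda:InvokeFunction", "arn:aws:lambda:us-west-2:111122223333:function:fn",
                              "111122223333", RULE_ARN.rsplit("/", 1)[0] + "/*", arn_op="ArnLike")
NO_CONDITION = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {"Service": SES_PRINCIPAL},
                                                        "Action": "s3:PutObject", "Resource": "arn:aws:s3:::myBucket/*"}]}

if __name__ == "__main__":
    for name, pol in [("s3", S3_POLICY), ("sns-ok", SNS_OK), ("sns-wrong", SNS_WRONG),
                      ("lambda-wildcard", LAMBDA_WILDCARD), ("no-condition", NO_CONDITION)]:
        print(name, audit_policy(pol) or "OK")
```

To audit live resources, feed audit_policy the parsed output of GetBucketPolicy, GetKeyPolicy, GetTopicAttributes (the Policy attribute) or Lambda's GetPolicy, and pass the receiving account ID as expected_account so that a grant pinned to somebody else's receipt rule is reported too.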