This guide reflects the Classic Console (V1) for Amazon SES. For information about the New Console (V2) for Amazon SES, see the new Amazon Simple Email Service Developer Guide.
Giving permissions to Amazon SES for email receiving
Some of the tasks that you can perform when you receive email in Amazon SES, such as sending email to an Amazon S3 bucket or calling a Lambda function, require special permissions. This section includes example policies for several common use cases.
Give Amazon SES permission to write to an Amazon S3 bucket
When you apply the following policy to an Amazon S3 bucket, it gives Amazon SES permission to write to that bucket. For more information about creating receipt rules that transfer incoming email to Amazon S3, see S3 action.
For more information about attaching policies to Amazon S3 buckets, see Using Bucket Policies and User Policies in the Amazon Simple Storage Service Developer Guide.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSESPuts",
      "Effect": "Allow",
      "Principal": {
        "Service": "ses.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::myBucket/*",
      "Condition": {
        "StringEquals": {
          "aws:Referer": "111122223333"
        }
      }
    }
  ]
}
Make the following changes to the preceding policy example:
- Replace myBucket with the name of the Amazon S3 bucket that you want to write to.
- Replace 111122223333 with your AWS account ID.
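As an added example (not part of this guide), the following Python builds the bucket policy above from a bucket name and account ID, then checks any policy document for statements that grant ses.amazonaws.com access without a condition pinning the grant to one account; the checker also recognises the AWS:SourceOwner key used by the SNS topic policy later on this page. The function names are this example's own.

```python
SES_PRINCIPAL = "ses.amazonaws.com"
# Condition keys that pin a service-principal grant to one AWS account.
# aws:Referer and AWS:SourceOwner are the keys used on this page;
# aws:SourceAccount is the newer equivalent. IAM compares keys case-insensitively.
ACCOUNT_SCOPING_KEYS = {"aws:referer", "aws:sourceowner", "aws:sourceaccount"}


def ses_s3_bucket_policy(bucket: str, account_id: str) -> dict:
    """The page's bucket policy with myBucket and the account ID filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowSESPuts",
            "Effect": "Allow",
            "Principal": {"Service": SES_PRINCIPAL},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {"aws:Referer": account_id}},
        }],
    }


def unscoped_ses_statements(policy: dict) -> list:
    """Return the Sids of Allow statements that grant ses.amazonaws.com access
    without a condition naming the account. Without that condition, a receipt
    rule in any AWS account could direct SES to write into the resource."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        if isinstance(services, str):
            services = [services]
        if SES_PRINCIPAL not in services:
            continue
        condition_keys = set()
        for operator_block in stmt.get("Condition", {}).values():
            condition_keys.update(k.lower() for k in operator_block)
        if not condition_keys & ACCOUNT_SCOPING_KEYS:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    policy = ses_s3_bucket_policy("myBucket", "111122223333")
    print(unscoped_ses_statements(policy))  # []
    del policy["Statement"][0]["Condition"]  # simulate a policy missing the account check
    print(unscoped_ses_statements(policy))  # ['AllowSESPuts']
```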
Give Amazon SES permission to use your AWS KMS master key
In order for Amazon SES to encrypt your emails, it must have permission to use the AWS KMS key that you specified when you set up your receipt rule. You can either use the default master key (aws/ses) in your account, or use a custom master key that you create. If you use the default master key, you don't need to perform any additional steps to give Amazon SES permission to use it. If you use a custom master key, you need to give Amazon SES permission to use it by adding a statement to the key's policy.
Use the following policy statement as the key policy to allow Amazon SES to use your custom master key when it receives email on your domain.
{
  "Sid": "AllowSESToEncryptMessagesBelongingToThisAccount",
  "Effect": "Allow",
  "Principal": {
    "Service": "ses.amazonaws.com"
  },
  "Action": [
    "kms:Encrypt",
    "kms:GenerateDataKey*"
  ],
  "Resource": "*"
}
Amazon SES uses the Amazon S3 multipart upload API to send large messages (5 MB or larger) to Amazon S3 buckets. If you're using AWS KMS to send encrypted messages to an Amazon S3 bucket, and you plan to receive messages that are larger than 5 MB, then you should use the following policy statement instead of the statement in the preceding example:
{
  "Sid": "AllowSESToEncryptMessagesBelongingToThisAccount",
  "Effect": "Allow",
  "Principal": {
    "Service": "ses.amazonaws.com"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}
For more information about multipart uploads in Amazon S3, see Multipart Upload API and Permissions in the Amazon Simple Storage Service Developer Guide. For more information about attaching policies to AWS KMS keys, see Using Key Policies in AWS KMS in the AWS Key Management Service Developer Guide.
Give Amazon SES permission to invoke a Lambda function
To enable Amazon SES to call a Lambda function, you can choose the function when you create a receipt rule in the Amazon SES console. When you do, Amazon SES automatically adds the necessary permissions to the function.
Alternatively, you can use the AddPermission operation in the AWS Lambda API to attach a policy to a function. The following call to the AddPermission API gives Amazon SES permission to invoke your Lambda function. In the following example, replace 111122223333 with your AWS account ID. For more information about attaching policies to Lambda functions, see AWS Lambda Permissions in the AWS Lambda Developer Guide.
{
  "Action": "lambda:InvokeFunction",
  "Principal": "ses.amazonaws.com",
  "SourceAccount": "111122223333",
  "StatementId": "GiveSESPermissionToInvokeFunction"
}
Give Amazon SES permission to publish to an Amazon SNS topic that belongs to a different AWS account
If the Amazon SNS topic you want to use is owned by the same AWS account that you use for Amazon SES, then Amazon SES can publish to that topic without any extra setup steps. If you want to publish notifications to a topic in a separate AWS account, then you have to attach a policy to the Amazon SNS topic.
The following policy gives Amazon SES permission to publish to an Amazon SNS topic in a separate AWS account.
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ses.amazonaws.com"
      },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:us-west-2:SNS-TOPIC-ACCOUNT-ID:myTopic",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "SES-RECEIVING-ACCOUNT-ID"
        }
      }
    }
  ]
}
Make the following changes to the preceding policy example:
- Replace us-west-2 with the AWS Region that the Amazon SNS topic is located in.
- Replace SNS-TOPIC-ACCOUNT-ID with the ID of the AWS account that the Amazon SNS topic is located in.
- Replace myTopic with the name of the Amazon SNS topic that you want to publish notifications to.
- Replace SES-RECEIVING-ACCOUNT-ID with the ID of the AWS account that is configured to receive email.