Amazon SES policy anatomy - Amazon Simple Email Service

Amazon SES policy anatomy

Policies adhere to a specific structure, contain elements, and must meet certain requirements.

Policy structure

Each authorization policy is a JSON document that is attached to an identity. Each policy includes the following sections:

  • Policy-wide information at the top of the document.

  • One or more individual statements, each of which describes a set of permissions.

The following example policy grants AWS account ID 123456789012 permissions specified in the Action section for the verified domain example.com.

{
  "Id": "ExampleAuthorizationPolicy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AuthorizeAccount",
      "Effect": "Allow",
      "Resource": "arn:aws:ses:us-east-1:123456789012:identity/example.com",
      "Principal": {
        "AWS": [
          "123456789012"
        ]
      },
      "Action": [
        "ses:GetEmailIdentity",
        "ses:UpdateEmailIdentityPolicy",
        "ses:ListRecommendations",
        "ses:CreateEmailIdentityPolicy",
        "ses:DeleteEmailIdentity"
      ]
    }
  ]
}

You can find more authorization policy examples at Identity policy examples.

Policy elements

This section describes the elements contained in identity authorization policies. First we describe policy-wide elements, and then we describe elements that apply only to the statement in which they are included. We follow with a discussion of how to add conditions to your statements.

For specific information about the syntax of the elements, see Grammar of the IAM Policy Language in the IAM User Guide.

Policy-wide information

There are two policy-wide elements: Id and Version. The following describes each element, whether it is required, and its valid values.

Id
  Description: Uniquely identifies the policy.
  Required: No
  Valid values: Any string.

Version
  Description: Specifies the policy access language version.
  Required: No
  Valid values: Any string. As a best practice, we recommend that you include this field with a value of "2012-10-17".

Statements specific to the policy

Identity authorization policies require at least one statement. Each statement can include the following elements.

Sid
  Description: Uniquely identifies the statement.
  Required: No
  Valid values: Any string.

Effect
  Description: Specifies the result that you want the policy statement to return at evaluation time.
  Required: Yes
  Valid values: "Allow" or "Deny".

Resource
  Description: Specifies the identity to which the policy applies. (For sending authorization, this is the email address or domain that the identity owner is authorizing the delegate sender to use.)
  Required: Yes
  Valid values: The Amazon Resource Name (ARN) of the identity.

Principal
  Description: Specifies the AWS account, user, or AWS service that receives the permission in the statement.
  Required: Yes
  Valid values: A valid AWS account ID, user ARN, or AWS service. AWS account IDs and user ARNs are specified using "AWS" (for example, "AWS": ["123456789012"] or "AWS": ["arn:aws:iam::123456789012:root"]). AWS service names are specified using "Service" (for example, "Service": ["cognito-idp.amazonaws.com"]). For examples of the format of user ARNs, see the AWS General Reference.

Action
  Description: Specifies the action that the statement applies to.
  Required: Yes
  Valid values: One or more of the following operations:
    "ses:BatchGetMetricData", "ses:CancelExportJob", "ses:CreateDeliverabilityTestReport", "ses:CreateEmailIdentityPolicy", "ses:CreateExportJob", "ses:DeleteEmailIdentity", "ses:DeleteEmailIdentityPolicy", "ses:GetDomainStatisticsReport", "ses:GetEmailIdentity", "ses:GetEmailIdentityPolicies", "ses:GetExportJob", "ses:ListExportJobs", "ses:ListRecommendations", "ses:PutEmailIdentityConfigurationSetAttributes", "ses:PutEmailIdentityDkimAttributes", "ses:PutEmailIdentityDkimSigningAttributes", "ses:PutEmailIdentityFeedbackAttributes", "ses:PutEmailIdentityMailFromAttributes", "ses:TagResource", "ses:UntagResource", "ses:UpdateEmailIdentityPolicy"
    Sending authorization actions: "ses:SendEmail", "ses:SendRawEmail", "ses:SendTemplatedEmail", "ses:SendBulkTemplatedEmail"

Condition
  Description: Specifies any restrictions or details about the permission.
  Required: No
  Valid values: See the information about conditions following this list.

Conditions

A condition is any restriction on the permission in the statement. The part of the statement that specifies the conditions can be the most detailed of all the parts. A condition has two parts: a condition operator (such as DateLessThan or IpAddress) and a key, which is the specific characteristic of the request that the restriction is based on, such as the date and time of the request.

You use the operator and the key together to express the restriction. For example, if you want to stop the delegate sender from making requests to Amazon SES on your behalf after July 30, 2019, you use the DateLessThan operator with the aws:CurrentTime key and set the value to 2019-07-30T00:00:00Z. Because the policy only grants the permission while the condition holds, requests after that time are no longer authorized by it.

SES implements only the following AWS-wide policy keys:

  • aws:CurrentTime

  • aws:EpochTime

  • aws:SecureTransport

  • aws:SourceIp

  • aws:SourceVpc

  • aws:SourceVpce

  • aws:UserAgent

  • aws:VpcSourceIp

For more information about these keys, see the IAM User Guide.

Policy requirements

Policies must meet all of the following requirements:

  • Each policy has to include at least one statement.

  • Each policy has to include at least one valid principal.

  • Each policy has to specify one resource, and that resource has to be the ARN of the identity that the policy is attached to.

  • Identity owners can associate up to 20 policies with each unique identity.

  • Policies can't exceed 4 kilobytes (KB) in size.

  • Policy names can't exceed 64 characters. Additionally, they can only include alphanumeric characters, dashes, and underscores.
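The following is an added example (not code from the SES documentation or from AWS) that ties the Conditions section and the requirements list together. It builds a sending authorization policy that lets one delegate account send as the identity, but only from a given IP range (IpAddress on aws:SourceIp) and only before a cut-off date (DateLessThan on aws:CurrentTime), and then checks the policy offline against the requirements listed above: at least one statement, a valid principal, a Resource equal to the identity ARN, the 4 KB size limit, the policy-name rules, and only the condition keys that SES implements. The identity ARN, account IDs, CIDR and date are constructed for the example; the check_policy function is a local helper, not an SES API.

```python
"""Build an SES identity authorization policy with conditions and check it
against the requirements on this page. Added example, not AWS code.
The ARN, account IDs, IP range and cut-off date are made up."""
import json
import re

# Condition keys that SES implements in identity policies (per the list above).
SES_CONDITION_KEYS = {
    "aws:CurrentTime", "aws:EpochTime", "aws:SecureTransport", "aws:SourceIp",
    "aws:SourceVpc", "aws:SourceVpce", "aws:UserAgent", "aws:VpcSourceIp",
}
MAX_POLICY_BYTES = 4 * 1024                      # policies can't exceed 4 KB
POLICY_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")  # 64 chars, alnum/dash/underscore

# Assumed identity ARN of the policy owner's verified domain.
IDENTITY_ARN = "arn:aws:ses:us-east-1:111122223333:identity/example.com"


def sending_policy(identity_arn, delegate_account, cidr, not_after):
    """Return a sending authorization policy that lets `delegate_account` send
    as the identity, only from `cidr` and only before `not_after` (UTC, ISO 8601)."""
    return {
        "Id": "DelegateSendingPolicy",
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AuthorizeDelegateSender",
            "Effect": "Allow",
            "Resource": identity_arn,
            "Principal": {"AWS": [delegate_account]},
            "Action": ["ses:SendEmail", "ses:SendRawEmail"],
            "Condition": {
                "IpAddress": {"aws:SourceIp": cidr},
                "DateLessThan": {"aws:CurrentTime": not_after},
            },
        }],
    }


def check_policy(policy, identity_arn, policy_name):
    """Return a list of requirement violations; an empty list means the policy
    satisfies every requirement listed on this page."""
    problems = []
    if not POLICY_NAME_RE.match(policy_name):
        problems.append("policy name must be 1-64 alphanumeric, dash or underscore characters")
    if len(json.dumps(policy).encode("utf-8")) > MAX_POLICY_BYTES:
        problems.append("policy exceeds 4 KB")
    statements = policy.get("Statement") or []
    if not statements:
        problems.append("policy has no statements")
    for i, st in enumerate(statements):
        where = f"statement {st.get('Sid', i)}"
        if st.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"{where}: Effect must be Allow or Deny")
        # Exactly one resource, and it must be the identity the policy is attached to.
        resource = st.get("Resource")
        if isinstance(resource, list) and len(resource) == 1:
            resource = resource[0]
        if resource != identity_arn:
            problems.append(f"{where}: Resource must be the ARN of the attached identity")
        principal = st.get("Principal") or {}
        if not any(principal.get(k) for k in ("AWS", "Service")):
            problems.append(f"{where}: no valid principal")
        actions = st.get("Action") or []
        actions = [actions] if isinstance(actions, str) else actions
        if not actions or not all(a.startswith("ses:") for a in actions):
            problems.append(f"{where}: Action must list one or more ses: operations")
        for operator, keys in (st.get("Condition") or {}).items():
            for key in keys:
                if key not in SES_CONDITION_KEYS:
                    problems.append(f"{where}: condition key {key} is not implemented by SES")
    return problems


if __name__ == "__main__":
    policy = sending_policy(IDENTITY_ARN, "123456789012",
                            "203.0.113.0/24", "2019-07-30T00:00:00Z")
    print(json.dumps(policy, indent=2))
    print("problems:", check_policy(policy, IDENTITY_ARN, "DelegateSendingPolicy"))
```

Once check_policy returns an empty list, the JSON can be attached to the identity with the SES v2 CreateEmailIdentityPolicy operation (in boto3, `client("sesv2").create_email_identity_policy(EmailIdentity="example.com", PolicyName="DelegateSendingPolicy", Policy=json.dumps(policy))`), which is the ses:CreateEmailIdentityPolicy action named in the table above. Running the check first matters because the service rejects a policy whose Resource does not match the identity, and the condition-key check catches keys such as aws:PrincipalOrgID that are valid elsewhere in IAM but are not evaluated by SES, where they would silently fail to restrict anything.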