Permission policies for Mail Manager - Amazon Simple Email Service

Permission policies for Mail Manager

The policies in this chapter are provided as a single point of reference for the policies necessary to utilize all the different features of Mail Manager.

In the Mail Manager feature pages, links are provided that will take you to the respective section on this page that contains the policies you need to utilize the feature. Select the copy icon of the policy you need and paste it as directed in the respective feature narrative.

The following policies give you permission to use the different features contained in Amazon SES Mail Manager through resource permission policies and AWS Secrets Manager policies. If you're new to permission policies, see Amazon SES policy anatomy and Permissions policies for AWS Secrets Manager.

Permission policies for Ingress endpoint

Both of the policies in this section are required to create an ingress endpoint. To learn how to create an ingress endpoint and where to use these policies, see Creating an ingress endpoint in the SES console.

Secrets Manager secrets resource permission policy for ingress endpoint

The following Secrets Manager secrets resource permission policy is required to allow SES to access the secret using the ingress endpoint resource.

{
  "Version": "2012-10-17",
  "Id": "Id",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ses.amazonaws.com"
      },
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "000000000000"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:ses:us-east-1:000000000000:mailmanager-ingress-point/*"
        }
      }
    }
  ]
}

KMS customer managed key (CMK) key policy for ingress endpoint

The following KMS customer managed key (CMK) key policy is required to allow SES to use your key while using your secret.

{
  "Effect": "Allow",
  "Principal": {
    "Service": "ses.amazonaws.com"
  },
  "Action": "kms:Decrypt",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:ViaService": "secretsmanager.us-east-1.amazonaws.com",
      "aws:SourceAccount": "000000000000"
    },
    "ArnLike": {
      "aws:SourceArn": "arn:aws:ses:us-east-1:000000000000:mailmanager-ingress-point/*"
    }
  }
}

Permission policies for SMTP relay

Both of the policies in this section are required to create an SMTP relay. To learn how to create an SMTP relay and where to use these policies, see Creating an SMTP relay in the SES console.

Secrets Manager secrets resource permission policy for SMTP relay

The following Secrets Manager secrets resource permission policy is required to allow SES to access the secret using the SMTP relay resource.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Principal": {
        "Service": [
          "ses.amazonaws.com"
        ]
      },
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "888888888888"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:ses:us-east-1:888888888888:mailmanager-smtp-relay/*"
        }
      }
    }
  ]
}

KMS customer managed key (CMK) key policy for SMTP relay

The following KMS customer managed key (CMK) key policy is required to allow SES to use your key while using your secret.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Principal": {
        "Service": "ses.amazonaws.com"
      },
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "secretsmanager.us-east-1.amazonaws.com",
          "aws:SourceAccount": "000000000000"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:ses:us-east-1:000000000000:mailmanager-smtp-relay/*"
        }
      }
    }
  ]
}

Permission policies for Email archiving

Basic Archiving IAM identity policies

These are the IAM identity policies for authorizing archiving operations. These policies alone may not be sufficient for some operations (see Archiving encryption at rest with KMS CMK and Archiving export).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ses:CreateArchive",
        "ses:TagResource"
      ],
      "Resource": [
        "arn:aws:ses:us-east-1:000000000000:mailmanager-archive/*"
      ],
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:RequestTag/key-name": [
            "value1",
            "value2"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ses:ListArchives"
      ],
      "Resource": [
        "arn:aws:ses:us-east-1:000000000000:mailmanager-archive/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ses:GetArchive",
        "ses:DeleteArchive",
        "ses:UpdateArchive"
      ],
      "Resource": [
        "arn:aws:ses:us-east-1:000000000000:mailmanager-archive/MyArchiveID"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ses:ListArchiveSearches"
      ],
      "Resource": [
        "arn:aws:ses:us-east-1:000000000000:mailmanager-archive/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ses:GetArchiveSearch",
        "ses:GetArchiveSearchResults",
        "ses:StartArchiveSearch",
        "ses:StopArchiveSearch"
      ],
      "Resource": [
        "arn:aws:ses:us-east-1:000000000000:mailmanager-archive/MyArchiveID"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ses:GetArchiveMessage",
        "ses:GetArchiveMessageContent"
      ],
      "Resource": [
        "arn:aws:ses:us-east-1:000000000000:mailmanager-archive/MyArchiveID"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ses:ListArchiveExports"
      ],
      "Resource": [
        "arn:aws:ses:us-east-1:000000000000:mailmanager-archive/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ses:GetArchiveExport",
        "ses:StartArchiveExport",
        "ses:StopArchiveExport"
      ],
      "Resource": [
        "arn:aws:ses:us-east-1:000000000000:mailmanager-archive/MyArchiveID"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ses:ListTagsForResource",
        "ses:UntagResource"
      ],
      "Resource": [
        "arn:aws:ses:us-east-1:000000000000:mailmanager-archive/MyArchiveID"
      ]
    }
  ]
}

Archiving export

These are the IAM identity policies (in addition to the Basic Archiving policies above) required for StartArchiveExport.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::MyDestinationBucketName"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:PutObjectTagging",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::MyDestinationBucketName/*"
    }
  ]
}

This is the policy for the destination bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ses.amazonaws.com"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::MyDestinationBucketName"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ses.amazonaws.com"
      },
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:PutObjectTagging",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::MyDestinationBucketName/*"
    }
  ]
}

Note

Archiving doesn’t support confused deputy condition keys (aws:SourceArn, aws:SourceAccount, aws:SourceOrgID, or aws:SourceOrgPaths). This is because Mail Manager's email archiving prevents the confused deputy problem by testing if the calling identity has write permissions to the export destination bucket using Forward Access Sessions before starting the actual export.
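
The ingress endpoint, SMTP relay and rule-execution policies on this page all pin the ses.amazonaws.com principal with aws:SourceAccount and aws:SourceArn. The following check is an added example, not part of the SES documentation: it flags Allow statements that trust the service principal without both keys, or with a value that is not pinned to your account. The function names and the LOOSE_POLICY sample are constructed for illustration.

```python
import json

DEPUTY_KEYS = ("aws:SourceAccount", "aws:SourceArn")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _conditions(stmt):
    """Flatten Condition to {lowercased key: [values]}; key names are case-insensitive."""
    flat = {}
    for block in stmt.get("Condition", {}).values():
        for key, value in block.items():
            flat.setdefault(key.lower(), []).extend(_as_list(value))
    return flat

def audit_service_statements(policy, account_id, service="ses.amazonaws.com"):
    """Return (statement index, problem) pairs for Allow statements that trust
    `service` without pinning the request to `account_id`."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or service not in services:
            continue
        cond = _conditions(stmt)
        findings += [(i, f"missing {k}") for k in DEPUTY_KEYS if k.lower() not in cond]
        if any(v != account_id for v in cond.get("aws:sourceaccount", [])):
            findings.append((i, "aws:SourceAccount names another account"))
        for arn in cond.get("aws:sourcearn", []):
            parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
            if len(parts) < 6 or parts[4] != account_id:
                findings.append((i, f"aws:SourceArn not pinned to account: {arn}"))
    return findings

# Ingress endpoint secret policy as shown on this page.
INGRESS_SECRET_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Service": "ses.amazonaws.com"},
  "Action": "secretsmanager:GetSecretValue", "Resource": "*",
  "Condition": {"StringEquals": {"aws:SourceAccount": "000000000000"},
    "ArnLike": {"aws:SourceArn": "arn:aws:ses:us-east-1:000000000000:mailmanager-ingress-point/*"}}}]}
""")

# Constructed misconfiguration: SourceAccount dropped, SourceArn account wildcarded.
LOOSE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Service": "ses.amazonaws.com"},
  "Action": "secretsmanager:GetSecretValue", "Resource": "*",
  "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:ses:us-east-1:*:mailmanager-ingress-point/*"}}}]}
""")
```

The archiving destination bucket policy and the archiving KMS key policy will be reported by this check because, as the note above states, archiving does not support these condition keys; treat those findings as expected rather than as misconfigurations.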

Archiving encryption at rest with KMS CMK

These are the encryption at rest with KMS Customer Managed Keys (CMK) policies (in addition to the Basic Archiving policies above) required for creating and working with archives (calling any Archiving APIs).

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "kms:DescribeKey",
      "kms:Decrypt",
      "kms:GenerateDataKey"
    ],
    "Resource": "arn:aws:kms:us-west-2:111122223333:key/MyKmsKeyArnID"
  }
}

This is the KMS key policy required for email archiving.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:user/MyUserRoleOrGroupName"
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": [
            "ses.us-east-1.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ses.amazonaws.com"
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}

Permission and trust policies to execute rule actions

The SES rules execution role is an AWS Identity and Access Management (IAM) role that grants the rules execution permission to access AWS services and resources. Before you create a rule in a rule set, you must create an IAM role with a policy that allows access to the required AWS resources. SES assumes this role when executing a rule action. For example, you might create a rules execution role that has permission to write an email message to an S3 bucket as a rule action to take when your rule's conditions are met.

The following trust policy is therefore required, in addition to the individual permission policies in this section, to execute the Write to S3, Deliver to mailbox, and Send to internet rule actions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ses.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "888888888888"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:ses:us-east-1:888888888888:mailmanager-rule-set/*"
        }
      }
    }
  ]
}

Permission policy for Write to S3 rule action

The following policy is required to use the Write to S3 rule action which delivers the received email to an S3 bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPutObject",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::MyDestinationBucketName/*"
      ]
    },
    {
      "Sid": "AllowListBucket",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::MyDestinationBucketName"
      ]
    }
  ]
}

If you're using an AWS KMS customer managed key for an S3 bucket with server-side encryption enabled, then you'll need to add the IAM role policy action, "kms:GenerateDataKey*". Using the preceding example, adding this action to your role policy would appear as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowKMSKeyAccess",
      "Effect": "Allow",
      "Action": "kms:GenerateDataKey*",
      "Resource": "arn:aws:kms:us-east-1:888888888888:key/*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "kms:ResourceAliases": [
            "alias/MyKeyAlias"
          ]
        }
      }
    }
  ]
}

For more information about attaching policies to AWS KMS keys, see Using Key Policies in AWS KMS in the AWS Key Management Service Developer Guide.

Permission policy for Deliver to mailbox rule action

The following policy is required to use the Deliver to mailbox rule action which delivers the received email to an Amazon WorkMail account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["workmail:DeliverToMailbox"],
      "Resource": "arn:aws:workmail:us-east-1:888888888888:organization/MyWorkMailOrganizationID"
    }
  ]
}

Permission policy for Send to internet rule action

The following policy is required to use the Send to internet rule action which sends the received email to an external domain.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ses:SendEmail", "ses:SendRawEmail"],
      "Resource": "arn:aws:ses:us-east-1:888888888888:identity/example.com"
    }
  ]
}
