Permission policies for Mail Manager - Amazon Simple Email Service

This page is a translation of the English version; where the two differ, the English version prevails.

Permission policies for Mail Manager

The policies in this chapter are collected here as a single reference point for every policy needed to use the different features of Mail Manager.

The Mail Manager feature pages link to the corresponding section on this page that contains the policy the feature requires. Select the copy icon for the policy you need and paste it where the feature's instructions tell you to.

The following policies grant the permissions needed to use the different features of Amazon SES Mail Manager, expressed as resource permission policies, AWS Secrets Manager policies, KMS key policies and IAM identity policies. If you are new to permission policies, see Amazon SES policy anatomy and Permissions policies for AWS Secrets Manager.

Permission policies for ingress endpoints

Both policies in this section are required to create an ingress endpoint. To learn how to create an ingress endpoint and where to use these policies, see Creating an ingress endpoint in the SES console.

Secrets Manager secret resource permission policy for ingress endpoints

The following Secrets Manager secret resource permission policy is required to allow SES to access the secret using an ingress endpoint resource. Because the Resource is "*", the aws:SourceAccount and aws:SourceArn conditions are what confine the grant to ingress endpoints in your own account; replace 000000000000 and us-east-1 with your account ID and Region.

{
  "Version": "2012-10-17",
  "Id": "Id",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ses.amazonaws.com"
      },
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "000000000000"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:ses:us-east-1:000000000000:mailmanager-ingress-point/*"
        }
      }
    }
  ]
}

KMS customer managed key (CMK) key policy for ingress endpoints

The following KMS customer managed key (CMK) key policy statement is required to allow SES to use your key when it reads the secret. The example is a single statement, not a complete policy document: add it to the key's existing key policy. The kms:ViaService condition limits use of the key to calls made through Secrets Manager in the Region of the ingress endpoint, so the Region in that value must match the Region in aws:SourceArn.

{
  "Effect": "Allow",
  "Principal": {
    "Service": "ses.amazonaws.com"
  },
  "Action": "kms:Decrypt",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:ViaService": "secretsmanager.us-east-1.amazonaws.com",
      "aws:SourceAccount": "000000000000"
    },
    "ArnLike": {
      "aws:SourceArn": "arn:aws:ses:us-east-1:000000000000:mailmanager-ingress-point/*"
    }
  }
}

Permission policies for SMTP relays

Both policies in this section are required to create an SMTP relay. To learn how to create an SMTP relay and where to use these policies, see Creating an SMTP relay in the SES console.

Secrets Manager secret resource permission policy for SMTP relays

The following Secrets Manager secret resource permission policy is required to allow SES to access the secret using an SMTP relay resource.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Principal": {
        "Service": [
          "ses.amazonaws.com"
        ]
      },
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "888888888888"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:ses:us-east-1:888888888888:mailmanager-smtp-relay/*"
        }
      }
    }
  ]
}

KMS customer managed key (CMK) key policy for SMTP relays

The following KMS customer managed key (CMK) key policy is required to allow SES to use your key when it reads the secret. The account ID and Region in its conditions must be the ones used in the secret's resource policy above; the two examples on this page use different placeholder account IDs, but in your own policies they must agree.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Principal": {
        "Service": "ses.amazonaws.com"
      },
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "secretsmanager.us-east-1.amazonaws.com",
          "aws:SourceAccount": "000000000000"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:ses:us-east-1:000000000000:mailmanager-smtp-relay/*"
        }
      }
    }
  ]
}
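The secret and key policies for ingress endpoints and SMTP relays above all rely on the same three conditions (aws:SourceAccount, aws:SourceArn and, for KMS, kms:ViaService) to keep another account's Mail Manager resource from being pointed at your secret. The following Python audit, an added example rather than AWS code, checks a parsed policy for those conditions before you attach it. The account ID, the ingress endpoint ID inp-example and the weakened sample policies are constructed for the example; the function accepts either a full policy document or a bare statement, since the ingress endpoint KMS example on this page is a single statement.

```python
"""Static audit of the Secrets Manager resource policies and KMS key policy statements
above, which let ses.amazonaws.com read the secret of an ingress endpoint or SMTP relay.
Added example, not AWS-provided code; the resource IDs in the sample inputs are made up."""
import re

SES_PRINCIPAL = "ses.amazonaws.com"


def arn_like(pattern, arn):
    """IAM ArnLike semantics: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, arn) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_ses_grant(policy, account, resource_arn, required_actions, kms=False):
    """Return a list of findings; an empty list means the grant is scoped as intended.

    policy           -- parsed policy document, or a bare statement dict (the ingress
                        endpoint KMS example on this page is a single statement)
    account          -- account that owns the ingress endpoint or SMTP relay
    resource_arn     -- concrete ARN of that ingress endpoint or SMTP relay
    required_actions -- actions SES must be allowed, e.g. secretsmanager:GetSecretValue
    kms              -- True for a KMS key policy: kms:ViaService must also name Secrets
                        Manager in the Region of resource_arn
    """
    statements = _as_list(policy["Statement"]) if "Statement" in policy else [policy]
    region = resource_arn.split(":")[3]
    findings, matched = [], False
    for st in statements:
        principal = st.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if st.get("Effect") != "Allow" or SES_PRINCIPAL not in services:
            continue
        matched = True
        actions = set(_as_list(st.get("Action", [])))
        missing = sorted(set(required_actions) - actions)
        if missing and "*" not in actions:
            findings.append(f"missing actions for SES: {missing}")
        condition = st.get("Condition", {})
        str_eq, arn_cond = condition.get("StringEquals", {}), condition.get("ArnLike", {})
        # Resource is "*", so only these two keys stop another account's ingress endpoint
        # or SMTP relay from being pointed at this secret (the confused deputy problem).
        src_acct = str_eq.get("aws:SourceAccount")
        if src_acct is None:
            findings.append("no aws:SourceAccount condition")
        elif account not in _as_list(src_acct):
            findings.append(f"aws:SourceAccount {src_acct} is not {account}")
        src_arn = arn_cond.get("aws:SourceArn")
        if src_arn is None:
            findings.append("no aws:SourceArn condition")
        elif not any(arn_like(p, resource_arn) for p in _as_list(src_arn)):
            findings.append(f"aws:SourceArn {src_arn} does not match {resource_arn}")
        if kms:
            expected = f"secretsmanager.{region}.amazonaws.com"
            via = str_eq.get("kms:ViaService")
            if via is None or expected not in _as_list(via):
                findings.append(f"kms:ViaService {via} is not {expected}")
    if not matched:
        findings.append(f"no Allow statement for Principal Service {SES_PRINCIPAL}")
    return findings


# Constructed inputs: the page's ingress endpoint secret policy, a copy with aws:SourceArn
# dropped, and the page's KMS statement with kms:ViaService pointing at another Region.
ACCOUNT = "000000000000"
INGRESS_ARN = "arn:aws:ses:us-east-1:000000000000:mailmanager-ingress-point/inp-example"
SOURCE_ARN_PATTERN = "arn:aws:ses:us-east-1:000000000000:mailmanager-ingress-point/*"

GOOD_SECRET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": SES_PRINCIPAL},
    "Action": "secretsmanager:GetSecretValue", "Resource": "*",
    "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT},
                  "ArnLike": {"aws:SourceArn": SOURCE_ARN_PATTERN}}}]}
WEAK_SECRET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": SES_PRINCIPAL},
    "Action": "secretsmanager:GetSecretValue", "Resource": "*",
    "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT}}}]}
WRONG_REGION_KMS_STATEMENT = {
    "Effect": "Allow", "Principal": {"Service": SES_PRINCIPAL},
    "Action": "kms:Decrypt", "Resource": "*",
    "Condition": {"StringEquals": {"kms:ViaService": "secretsmanager.us-west-2.amazonaws.com",
                                   "aws:SourceAccount": ACCOUNT},
                  "ArnLike": {"aws:SourceArn": SOURCE_ARN_PATTERN}}}

if __name__ == "__main__":
    for name, pol, acts, kms in [("secret policy", GOOD_SECRET_POLICY, ["secretsmanager:GetSecretValue"], False),
                                 ("weak secret policy", WEAK_SECRET_POLICY, ["secretsmanager:GetSecretValue"], False),
                                 ("KMS statement", WRONG_REGION_KMS_STATEMENT, ["kms:Decrypt"], True)]:
        print(f"{name}: {audit_ses_grant(pol, ACCOUNT, INGRESS_ARN, acts, kms=kms) or 'OK'}")
```

Run it against the JSON you are about to attach (for example the output of `aws secretsmanager get-resource-policy` or `aws kms get-key-policy`, parsed with json.loads) with the ARN of the ingress endpoint or SMTP relay that will use the secret; a Region mismatch between kms:ViaService and the resource ARN is the finding most easily missed by eye.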

Permission policies for email archiving

Basic archiving IAM identity policies

These are the IAM identity policies that authorize archiving operations. On their own they may not be sufficient for some operations (see Archive encryption at rest with a KMS CMK and Archive export below). Replace MyArchiveID with the ID of your archive; the statements scoped to mailmanager-archive/* cover only the list and create operations.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ses:CreateArchive",
        "ses:TagResource"
      ],
      "Resource": [
        "arn:aws:ses:us-east-1:000000000000:mailmanager-archive/*"
      ],
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:RequestTag/key-name": [
            "value1",
            "value2"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ses:ListArchives"
      ],
      "Resource": [
        "arn:aws:ses:us-east-1:000000000000:mailmanager-archive/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ses:GetArchive",
        "ses:DeleteArchive",
        "ses:UpdateArchive"
      ],
      "Resource": [
        "arn:aws:ses:us-east-1:000000000000:mailmanager-archive/MyArchiveID"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ses:ListArchiveSearches"
      ],
      "Resource": [
        "arn:aws:ses:us-east-1:000000000000:mailmanager-archive/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ses:GetArchiveSearch",
        "ses:GetArchiveSearchResults",
        "ses:StartArchiveSearch",
        "ses:StopArchiveSearch"
      ],
      "Resource": [
        "arn:aws:ses:us-east-1:000000000000:mailmanager-archive/MyArchiveID"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ses:GetArchiveMessage",
        "ses:GetArchiveMessageContent"
      ],
      "Resource": [
        "arn:aws:ses:us-east-1:000000000000:mailmanager-archive/MyArchiveID"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ses:ListArchiveExports"
      ],
      "Resource": [
        "arn:aws:ses:us-east-1:000000000000:mailmanager-archive/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ses:GetArchiveExport",
        "ses:StartArchiveExport",
        "ses:StopArchiveExport"
      ],
      "Resource": [
        "arn:aws:ses:us-east-1:000000000000:mailmanager-archive/MyArchiveID"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ses:ListTagsForResource",
        "ses:UntagResource"
      ],
      "Resource": [
        "arn:aws:ses:us-east-1:000000000000:mailmanager-archive/MyArchiveID"
      ]
    }
  ]
}

Archive export

These are the IAM identity policies required for StartArchiveExport, in addition to the basic archiving policies above. The first is the identity policy for the caller, scoped to the destination bucket and its objects.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::MyDestinationBucketName"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:PutObjectTagging",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::MyDestinationBucketName/*"
    }
  ]
}

This is the policy for the destination bucket. It grants the SES service principal the same actions on the bucket and on its objects.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ses.amazonaws.com"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::MyDestinationBucketName"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ses.amazonaws.com"
      },
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:PutObjectTagging",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::MyDestinationBucketName/*"
    }
  ]
}

Note

Archiving does not support the confused deputy condition keys (aws:SourceArn, aws:SourceAccount, aws:SourceOrgID, or aws:SourceOrgPaths), so do not add them to this bucket policy. Mail Manager email archiving prevents the confused deputy problem differently: before starting the actual export, it uses a forward access session to test whether the calling identity has write permission to the export destination bucket, which is why the caller's identity policy above must grant the same S3 actions as the bucket policy.

Archive encryption at rest with a KMS CMK

These are the policies required, in addition to the basic archiving policies above, to create and use an archive encrypted at rest with a KMS customer managed key (CMK); they apply to calls to any of the archiving APIs on such an archive. The first is the IAM identity policy for the caller, granting use of the key. Replace the Resource with the ARN of your key; note that the Region in the key ARN must be the Region of the key itself, which need not be the Region used in the other examples on this page.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "kms:DescribeKey",
      "kms:Decrypt",
      "kms:GenerateDataKey"
    ],
    "Resource": "arn:aws:kms:us-west-2:111122223333:key/MyKmsKeyArnID"
  }
}

This is the KMS key policy required for email archiving. The first statement lets your IAM principal use the key only through SES (the kms:ViaService condition), and the second lets the SES service principal itself use it. Replace the principal ARN and account ID with your own.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:user/MyUserRoleOrGroupName"
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": [
            "ses.us-east-1.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ses.amazonaws.com"
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}

Permission and trust policies for executing rule actions

The SES rule execution role is an AWS Identity and Access Management (IAM) role that grants rule execution the permissions it needs to access AWS services and resources. Before you create a rule in a rule set, you must create an IAM role with a policy that allows access to the required AWS resources. SES assumes this role when it executes rule actions. For example, you can create a rule execution role with permission to write email messages to an S3 bucket, as the rule action to take when the rule's conditions are met.

Therefore, in addition to the individual permission policies needed for the Write to S3, Deliver to Mailbox, and Send to Internet rule actions, the role needs the following trust policy. Its aws:SourceAccount and aws:SourceArn conditions ensure that only rule sets in your account can cause SES to assume the role; a trust policy for ses.amazonaws.com without them could be exercised through rule sets in any account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ses.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "888888888888"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:ses:us-east-1:888888888888:mailmanager-rule-set/*"
        }
      }
    }
  ]
}

Permission policy for the Write to S3 rule action

The following policy is required to use the Write to S3 rule action, which delivers received email to an S3 bucket. s3:PutObject is granted on the objects (MyDestinationBucketName/*) and s3:ListBucket on the bucket itself; the two ARN forms are not interchangeable.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPutObject",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::MyDestinationBucketName/*"
      ]
    },
    {
      "Sid": "AllowListBucket",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::MyDestinationBucketName"
      ]
    }
  ]
}

If the S3 bucket has server-side encryption enabled with an AWS KMS customer managed key, you also need to add the "kms:GenerateDataKey*" action to the IAM role policy. Using the example above, adding this action to your role policy looks like the following. The ForAnyValue:StringEquals condition on kms:ResourceAliases limits the grant to keys that carry the named alias, rather than every key in the account matched by key/*:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowKMSKeyAccess",
      "Effect": "Allow",
      "Action": "kms:GenerateDataKey*",
      "Resource": "arn:aws:kms:us-east-1:888888888888:key/*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "kms:ResourceAliases": [
            "alias/MyKeyAlias"
          ]
        }
      }
    }
  ]
}

For more information about attaching policies to AWS KMS keys, see Using key policies in AWS KMS in the AWS Key Management Service Developer Guide.
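To see how the trust policy and the Write to S3 role policy above (including the kms:GenerateDataKey* statement) behave for concrete requests, the following Python evaluator is an added example, not AWS code. It models only the elements these policies use (Effect, Action, Resource, a Service principal, and the StringEquals, ArnLike and ForAnyValue:StringEquals operators) and evaluates constructed request contexts: SES assuming the role from a rule set in your account versus one in another account, a PutObject to the destination bucket versus another bucket, and a GenerateDataKey call on a key that does or does not carry the alias. The account ID, bucket name, alias, rule-set ID rs-example and key ID are placeholders.

```python
"""Offline evaluator for the rule execution role's trust policy and its Write to S3
permission policy, including the kms:GenerateDataKey* statement for an SSE-KMS bucket.
Added example, not AWS-provided code: it models only the operators these policies use
(StringEquals, ArnLike, ForAnyValue:StringEquals), and the request contexts are made up."""
import re

SES = "ses.amazonaws.com"


def arn_like(pattern, value):
    """IAM ArnLike and action wildcard semantics: '*' any run of characters, '?' one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def rule_execution_policies(account, region, bucket, key_alias):
    """Trust policy and role permission policy, parameterised from the page's examples."""
    trust = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": SES}, "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"aws:SourceAccount": account},
                      "ArnLike": {"aws:SourceArn": f"arn:aws:ses:{region}:{account}:mailmanager-rule-set/*"}}}]}
    permissions = {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowPutObject", "Effect": "Allow", "Action": ["s3:PutObject"],
         "Resource": [f"arn:aws:s3:::{bucket}/*"]},
        {"Sid": "AllowListBucket", "Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{bucket}"]},
        {"Sid": "AllowKMSKeyAccess", "Effect": "Allow", "Action": "kms:GenerateDataKey*",
         "Resource": f"arn:aws:kms:{region}:{account}:key/*",
         "Condition": {"ForAnyValue:StringEquals": {"kms:ResourceAliases": [key_alias]}}}]}
    return trust, permissions


def _condition_ok(condition, ctx):
    """True when every condition block matches the request context. A key absent from
    the context fails (no ...IfExists modelled). ForAnyValue:StringEquals passes when any
    of the request's values (a key can carry several kms:ResourceAliases) equals a policy
    value; ForAllValues is not modelled."""
    matchers = {"StringEquals": lambda want, got: want == got, "ArnLike": arn_like}
    for operator, pairs in condition.items():
        base = operator.split(":")[-1]  # "ForAnyValue:StringEquals" -> "StringEquals"
        for key, wanted in pairs.items():
            got = _as_list(ctx.get(key, []))
            if not any(matchers[base](w, g) for w in _as_list(wanted) for g in got):
                return False
    return True


def evaluate(policy, action, resource, ctx, principal=None):
    """An explicit Deny wins; otherwise True if an Allow statement covers the request.
    resource is None for a trust policy (no Resource element); principal is the calling
    service for a resource-based policy and None for an identity policy."""
    allowed = False
    for st in _as_list(policy["Statement"]):
        if not any(arn_like(a.lower(), action.lower()) for a in _as_list(st.get("Action", []))):
            continue
        if resource is not None and not any(arn_like(r, resource) for r in _as_list(st.get("Resource", []))):
            continue
        if principal is not None and principal not in _as_list(st.get("Principal", {}).get("Service", [])):
            continue
        if not _condition_ok(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed request contexts; the rule-set and key IDs are placeholders.
ACCOUNT, REGION, BUCKET, ALIAS = "888888888888", "us-east-1", "MyDestinationBucketName", "alias/MyKeyAlias"
TRUST, PERMS = rule_execution_policies(ACCOUNT, REGION, BUCKET, ALIAS)
OWN_RULE_SET = {"aws:SourceAccount": ACCOUNT,
                "aws:SourceArn": f"arn:aws:ses:{REGION}:{ACCOUNT}:mailmanager-rule-set/rs-example"}
OTHER_ACCOUNT_RULE_SET = {"aws:SourceAccount": "111111111111",
                          "aws:SourceArn": "arn:aws:ses:us-east-1:111111111111:mailmanager-rule-set/rs-example"}


def can_assume(ctx):
    """Would SES, acting for the rule set described by ctx, be allowed to assume the role?"""
    return evaluate(TRUST, "sts:AssumeRole", None, ctx, principal=SES)


def can_write(object_arn):
    return evaluate(PERMS, "s3:PutObject", object_arn, {})


def can_generate_key(aliases):
    return evaluate(PERMS, "kms:GenerateDataKey", f"arn:aws:kms:{REGION}:{ACCOUNT}:key/1234abcd-example",
                    {"kms:ResourceAliases": aliases})


if __name__ == "__main__":
    print("own rule set:", can_assume(OWN_RULE_SET), "other account:", can_assume(OTHER_ACCOUNT_RULE_SET))
    print("put to bucket:", can_write(f"arn:aws:s3:::{BUCKET}/inbox/msg.eml"),
          "put elsewhere:", can_write("arn:aws:s3:::OtherBucket/inbox/msg.eml"))
    print("key with alias:", can_generate_key(["alias/other", ALIAS]), "without:", can_generate_key(["alias/other"]))
```

The evaluator deliberately fails a condition whose key is absent from the request context: that is what makes the trust policy reject an AssumeRole that does not arrive with aws:SourceArn and aws:SourceAccount set by SES, and what makes the kms:ResourceAliases condition reject a key with no matching alias. For anything beyond these policies, use the IAM policy simulator rather than extending this model.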

Permission policy for the Deliver to Mailbox rule action

The following policy is required to use the Deliver to Mailbox rule action, which delivers received email to an Amazon WorkMail account. Replace MyWorkMailOrganizationID with the ID of your WorkMail organization.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "workmail:DeliverToMailbox"
      ],
      "Resource": "arn:aws:workmail:us-east-1:888888888888:organization/MyWorkMailOrganizationID"
    }
  ]
}

Permission policy for the Send to Internet rule action

The following policy is required to use the Send to Internet rule action, which sends received email on to an external domain. The Resource is the ARN of the verified SES identity the mail is sent from; replace example.com with your own identity.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ses:SendEmail",
        "ses:SendRawEmail"
      ],
      "Resource": "arn:aws:ses:us-east-1:888888888888:identity/example.com"
    }
  ]
}
