3

I am planning to transition some email SMTP use to Amazon's SES. I have several domains and sender email addresses verified with SES and am testing in the sandbox.

From what I can tell, SES SMTP credentials are not tied to any specific domain or sender email address within my AWS account.

Is this correct?

There is no mention of a domain or email address when generating the SMTP credentials, and in my initial testing I can use any of my SMTP credentials with any of my verified sending email addresses.

Is there a way to have a set of SES SMTP credentials that only work with one domain, or only with one sending email address? It would seem that the alternative is to segregate your sending email addresses out to separate AWS accounts if you want to have SMTP credentials that only work with some email addresses and not others. Why would that be the design? It feels so odd that I suspect I am not understanding something around the intentions behind the relationship between the SES SMTP credentials and sender email addresses and domains.

Pat James

3 Answers

8

Setting a custom Inline Policy on your IAM user can accomplish this:

```json
{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ses:SendRawEmail"
            ],
            "Condition": {
                "StringEquals": {
                    "ses:FromAddress": "do-not-reply@example.com"
                }
            },
            "Resource": [
                "*"
            ]
        }
    ]
}
```

I think you can do wildcards as well (*.example.com).

potato123
  • 1
    Worked for me to restrict an IAM user to send emails through Amazon SES SMTP credentials with only 1 email address. – valkalon Jan 27 '18 at 18:39
  • 2
    If you want to use a wildcard, you need to use `StringLike` instead of `StringEquals` – jonny May 25 '18 at 23:14
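
Added example, not part of the original answer or comments: a simplified local model of how IAM's `StringEquals` and `StringLike` operators treat the `ses:FromAddress` value, useful for checking a pattern before attaching the policy. The helper names and sample addresses are constructed for illustration, and this is not AWS's policy engine.

```python
import re

def string_like(pattern, value):
    """IAM-style StringLike: case-sensitive; '*' matches any run, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None

def condition_allows(condition, from_address):
    """Simplified local model (not AWS's engine): evaluates only StringEquals and
    StringLike on ses:FromAddress. Every operator must match; anything else fails closed."""
    if not condition:
        return True  # no Condition block: the statement applies to any sender
    for operator, keys in condition.items():
        if set(keys) != {"ses:FromAddress"}:
            return False
        wanted = keys["ses:FromAddress"]
        wanted = wanted if isinstance(wanted, list) else [wanted]
        if operator == "StringEquals":
            matched = from_address in wanted  # '*' is a literal character here
        elif operator == "StringLike":
            matched = any(string_like(w, from_address) for w in wanted)
        else:
            return False
        if not matched:
            return False
    return True

# Constructed Condition blocks: the answer's policy, the same wildcard under both
# operators, the "*.example.com" form from the answer, and a pattern with no anchor.
CONDITIONS = {
    "exact": {"StringEquals": {"ses:FromAddress": "do-not-reply@example.com"}},
    "equals_star": {"StringEquals": {"ses:FromAddress": "*@example.com"}},
    "like_domain": {"StringLike": {"ses:FromAddress": "*@example.com"}},
    "like_subdomains": {"StringLike": {"ses:FromAddress": "*.example.com"}},
    "like_loose": {"StringLike": {"ses:FromAddress": "*example.com"}},
}

# Constructed sender addresses to test each condition against.
SENDERS = ["do-not-reply@example.com", "billing@example.com",
           "alerts@mail.example.com", "news@notexample.com"]

def allowed_senders(name):
    """Return the constructed senders that the named condition would allow."""
    return [s for s in SENDERS if condition_allows(CONDITIONS[name], s)]

if __name__ == "__main__":
    for name in CONDITIONS:
        print(f"{name:16} -> {allowed_senders(name)}")
```

In this model the `*.example.com` pattern covers only senders at subdomains, while `*@example.com` covers only addresses at the domain itself. A pattern without the `@` or `.` anchor also admits look-alike domains.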
1

> From what I can tell, SES SMTP credentials are not tied to any specific domain or sender email address within my AWS account.

That's correct.

http://docs.aws.amazon.com/ses/latest/DeveloperGuide/control-user-access.html

> You can't specify a particular Amazon SES resource in an IAM policy. You only control access to Amazon SES actions. Therefore, Amazon SES does not use Amazon Resource Names (ARNs), which identify resources in a policy. When you write a policy to control access to Amazon SES actions, you use * as the resource.

Drew Khoury
0

Currently, AWS does not support the above separate SMTP credentials for particular domains. Depending on the number of domains you are planning to use, you can create separate AWS accounts and tie the SMTP credentials to those domains.

user2040074