So I have my project running on a server on an EC2 instance, and it uses SES to send emails. I was able to send the emails when SES was publicly accessible, but when I tried to implement security, it started giving problems. I have attached the following identity policies to the SES email address: one blocks public access and the other allows the EC2 instance to access the SES email address. But I'm always getting blocked with the error:
The email was not sent.Error message: User `arn_of_ec2_role' is not authorized to perform
`ses:SendEmail' on resource `arn_of_email_address' (Service: AmazonSimpleEmailService;
Status Code: 403; Error Code: AccessDenied;
Request ID: b92h2a02-4502-32g8-8334-9504941fdefd4e35)
My policies are:
To allow EC2:
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "stmt8473824324",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn_of_role_used_by_ec2"
      },
      "Action": [
        "ses:SendEmail",
        "ses:SendRawEmail"
      ],
      "Resource": "arn_of_email"
    }
  ]
}
To deny public access:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "ses:SendEmail",
        "ses:SendRawEmail"
      ],
      "Resource": "arn_of_email"
    }
  ]
}
Edit 1: Turns out I just had to add the enclosing {} around "AWS": "arn_of_role_used_by_ec2". But even then I'm not getting permissions; I'm still getting the same error. To verify, I even used a user policy and tried to access it using that user, but even then I get the same error, just with a different ARN being denied now. My policy is as follows:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": "arn_of_role_used_by_ec2"
      },
      "Action": [
        "ses:SendEmail",
        "ses:SendRawEmail"
      ],
      "Resource": "arn_of_email"
    }
  ]
}
Edit 2:
Sorry for the late reply; the following is what I did as per your update:
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "stmt1476011587135",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "ses:SendEmail",
        "ses:SendRawEmail"
      ],
      "Resource": "arn_of_email",
      "Condition": {
        "StringEquals": {
          "aws:SourceArn": "arn_of_ecs_instance"
        }
      }
    }
  ]
}
and
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "stmt1476011639899",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "ses:SendEmail",
        "ses:SendRawEmail"
      ],
      "Resource": "arn_of_email",
      "Condition": {
        "StringNotEquals": {
          "aws:SourceArn": "arn_of_ecs_instance"
        }
      }
    }
  ]
}
I used arn_of_ecs_instance since I was just verifying with the IAM user and needed the access for only the EC2 instance. But I'm still able to send the email via the Java API while sending mail with my IAM user credentials.
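The following is an added example, not code from the question or from AWS: a deliberately simplified model of the documented IAM policy evaluation rules (an explicit Deny always wins over an Allow; a Principal of "*" matches every caller, the EC2 role included; NotPrincipal inverts the principal match; StringEquals fails and StringNotEquals succeeds when the condition key is absent from the request context). It replays the policy pairs from the question against placeholder ARNs to show which callers each pair actually admits. The ARNs are the question's own placeholders plus an assumed arn_of_iam_user for the test user; none are real.

```python
"""Simplified model of AWS policy evaluation (constructed example, not AWS code).

It models only the rules needed to reason about the policies in the question:
explicit Deny beats Allow, Principal "*" matches any caller, NotPrincipal
negates the match, and StringEquals / StringNotEquals condition semantics
including the documented behaviour when the key is missing from the context.
"""

# Placeholder ARNs taken from the question; arn_of_iam_user is an assumption.
EC2_ROLE = "arn_of_role_used_by_ec2"
IAM_USER = "arn_of_iam_user"
EMAIL = "arn_of_email"
SEND = "ses:SendEmail"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(block, caller):
    """'*' (or {"AWS": "*"}) matches everyone; otherwise an exact ARN match."""
    if block == "*":
        return True
    arns = _as_list(block.get("AWS", []))
    return "*" in arns or caller in arns


def _condition_matches(cond, ctx):
    """Evaluate StringEquals / StringNotEquals against the request context.
    A missing key makes StringEquals false and StringNotEquals true."""
    for operator, pairs in cond.items():
        for key, expected in pairs.items():
            present = key in ctx
            equal = present and ctx[key] in _as_list(expected)
            if operator == "StringEquals" and not equal:
                return False
            if operator == "StringNotEquals" and present and equal:
                return False
    return True


def _statement_applies(st, caller, action, resource, ctx):
    if "Principal" in st and not _principal_matches(st["Principal"], caller):
        return False
    if "NotPrincipal" in st and _principal_matches(st["NotPrincipal"], caller):
        return False
    if action not in _as_list(st["Action"]):
        return False
    if resource not in _as_list(st["Resource"]):
        return False
    return _condition_matches(st.get("Condition", {}), ctx)


def evaluate(policies, caller, action, resource, ctx=None):
    """'Deny' if any matching statement denies; 'Allow' if one allows and none
    denies; otherwise the implicit 'Deny'."""
    ctx = ctx or {}
    decision = "Deny"  # implicit deny until an Allow matches
    for policy in policies:
        for st in policy["Statement"]:
            if _statement_applies(st, caller, action, resource, ctx):
                if st["Effect"] == "Deny":
                    return "Deny"  # explicit deny is final
                decision = "Allow"
    return decision


# The policy pairs from the question, reduced to the fields that matter here.
ALLOW_ROLE = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": EC2_ROLE},
                             "Action": [SEND, "ses:SendRawEmail"], "Resource": EMAIL}]}
DENY_EVERYONE = {"Statement": [{"Effect": "Deny", "Principal": "*",
                                "Action": [SEND, "ses:SendRawEmail"], "Resource": EMAIL}]}
DENY_ALL_BUT_ROLE = {"Statement": [{"Effect": "Deny", "NotPrincipal": {"AWS": EC2_ROLE},
                                    "Action": [SEND, "ses:SendRawEmail"], "Resource": EMAIL}]}
ALLOW_BY_SOURCE_ARN = {"Statement": [{"Effect": "Allow", "Principal": "*",
                                      "Action": [SEND], "Resource": EMAIL,
                                      "Condition": {"StringEquals": {"aws:SourceArn": "arn_of_ecs_instance"}}}]}
DENY_BY_SOURCE_ARN = {"Statement": [{"Effect": "Deny", "Principal": "*",
                                     "Action": [SEND], "Resource": EMAIL,
                                     "Condition": {"StringNotEquals": {"aws:SourceArn": "arn_of_ecs_instance"}}}]}


def first_attempt(caller):
    """Allow-role plus Deny-everyone: the Deny matches the role too."""
    return evaluate([ALLOW_ROLE, DENY_EVERYONE], caller, SEND, EMAIL)


def notprincipal_attempt(caller):
    """Allow-role plus Deny-NotPrincipal(role): only the role gets through."""
    return evaluate([ALLOW_ROLE, DENY_ALL_BUT_ROLE], caller, SEND, EMAIL)


def source_arn_attempt(caller, ctx):
    """Edit 2's pair; ctx is the request context (aws:SourceArn present or not)."""
    return evaluate([ALLOW_BY_SOURCE_ARN, DENY_BY_SOURCE_ARN], caller, SEND, EMAIL, ctx)


if __name__ == "__main__":
    print("first pair, EC2 role:", first_attempt(EC2_ROLE))
    print("NotPrincipal pair, EC2 role:", notprincipal_attempt(EC2_ROLE))
    print("NotPrincipal pair, IAM user:", notprincipal_attempt(IAM_USER))
    print("SourceArn pair, direct call (no key):", source_arn_attempt(EC2_ROLE, {}))
```

The model reproduces the AccessDenied in the question: because the first Deny statement names Principal "*", it matches the EC2 role as well, and an explicit Deny is never overridden by an Allow. Pairing the Allow with the NotPrincipal Deny from Edit 1 instead admits only the role. For the Edit 2 pair, note that aws:SourceArn is a service-to-service key that a direct SES API call from a role or IAM user does not populate; with the key absent, the documented semantics make the StringEquals Allow fail and the StringNotEquals Deny match, so the model denies both callers. The IAM Policy Simulator is the place to confirm any such evaluation against real ARNs before relying on it.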