6
votes

I want my SES (AWS) to receive emails, so I followed this tutorial: http://docs.aws.amazon.com/ses/latest/DeveloperGuide/receiving-email-getting-started-receipt-rule.html

When I reach the last step (creating the rule), it fails with the following error: Could not write to bucket: "email-receiving"

I googled and found that the information at http://docs.aws.amazon.com/ses/latest/DeveloperGuide/receiving-email-permissions.html can fix the issue.

However, when I add my policy statement, I get an error: This policy contains the following error: Has prohibited field Principal. For more information about the IAM policy grammar, see AWS IAM Policies.

My policy statement is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GiveSESPermissionToWriteEmail",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "ses.amazonaws.com"
                ]
            },
            "Action": [
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::mybulketname/*",
            "Condition": {
                "StringEquals": {
                    "aws:Referer": "my12accountId"
                }
            }
        }
    ]
}

If I remove

"Principal": { "Service": [ "ses.amazonaws.com" ] }

the policy validates.

Thanks

5
Where are you trying to create this policy? – Michael - sqlbot
In the IAM. The problem has been fixed. The policy should be created on the bucket in S3, not in the IAM. – Yun

5 Answers

10
votes

Find your bucket -> Permissions -> Bucket Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSESPuts",
            "Effect": "Allow",
            "Principal": {
                "Service": "ses.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::BUCKET_NAME/*",
            "Condition": {
                "StringEquals": {
                    "aws:Referer": "YOUR ID"
                }
            }
        }
    ]
}

Read more here: https://docs.aws.amazon.com/ses/latest/DeveloperGuide/receiving-email-permissions.html

To find your AWS account ID number on the AWS Management Console, choose Support on the navigation bar on the upper-right, and then choose Support Center. Your currently signed-in account ID appears in the upper-right corner below the Support menu.

Read more here: https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html
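As an added example (not from the answer above or from AWS), the following Python builds the bucket policy the answer describes and audits an existing policy document for the two things this thread turns on: the statement must carry a Principal, which is why it belongs on the bucket and is rejected by IAM, and it should keep the aws:Referer condition, without which SES acting for any AWS account could write into the bucket. The bucket name and account ID used in the docstrings are constructed placeholders.

```python
SES_PRINCIPAL = "ses.amazonaws.com"


def build_ses_bucket_policy(bucket: str, account_id: str) -> dict:
    """Bucket policy letting SES store received mail under bucket/*, limited to SES
    acting for account_id via aws:Referer, as in the accepted answer above."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowSESPuts",
            "Effect": "Allow",
            "Principal": {"Service": SES_PRINCIPAL},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {"aws:Referer": account_id}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_resource_policy(policy: dict) -> bool:
    """True when a statement carries Principal: the document is a resource-based
    policy and belongs on the bucket; IAM rejects it ('Has prohibited field Principal')."""
    return any("Principal" in s for s in policy.get("Statement", []))


def audit_ses_bucket_policy(policy: dict, bucket: str, account_id: str) -> list:
    """Findings about the SES grant; an empty list means SES can write, and only
    when acting for account_id (the aws:Referer condition blocks other accounts)."""
    resource = f"arn:aws:s3:::{bucket}/*"
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or SES_PRINCIPAL not in services:
            continue
        if "s3:PutObject" not in _as_list(stmt.get("Action", [])):
            continue
        findings = []
        if resource not in _as_list(stmt.get("Resource", [])):
            findings.append(f"{stmt.get('Sid')}: Resource does not name {resource}")
        referer = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:Referer")
        if referer != account_id:
            findings.append(f"{stmt.get('Sid')}: missing aws:Referer == {account_id}; "
                            "SES acting for any AWS account could write to this bucket")
        return findings
    return ["no Allow statement grants s3:PutObject to ses.amazonaws.com"]
```

Run audit_ses_bucket_policy on the policy saved under Permissions -> Bucket Policy (for example after loading it with json.loads) to confirm the grant is present and scoped to your account.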

5
votes

I followed this advice but was still having the issue. After much debugging, I realized that SES was failing to write because I had default server-side encryption (on the bucket) set to "AWS-KMS".

I did a 5-minute Google search and couldn't find this incompatibility documented anywhere.

You can work around this by updating your default encryption setting on the target bucket to either "AES-256" or "None".

1
votes

This problem has been resolved.
Create the policy on the bucket you want to grant SES permission to, not in IAM.

0
votes

Note: I continued to have this error even after correctly specifying permissions. If you are using cross-region (e.g. SES is in N. Virginia and the S3 bucket is in Africa), then you either need to specify the bucket name with the region or else just create the bucket in the same region.

-2
votes

I have the same problem; if I just delete the "Condition", the policy passes and the "RuleSet" is OK:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GiveSESPermissionToWriteEmail",
            "Effect": "Allow",
            "Principal": {
                "Service": "ses.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::mybulketname/*"
        }
    ]
}