Custom IAM Policy for Amazon SES
If you’re familiar with AWS IAM policies and wish to restrict access to SES for the AWS user whose access keys are being used by WP Offload SES, here are the basic actions required for WP Offload SES to work properly.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IdentityManagement",
      "Effect": "Allow",
      "Action": [
        "ses:CreateEmailIdentity",
        "ses:DeleteEmailIdentity"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SendEmail",
      "Effect": "Allow",
      "Action": "ses:SendRawEmail",
      "Resource": "*"
    },
    {
      "Sid": "AccountLevel",
      "Effect": "Allow",
      "Action": [
        "ses:GetAccount",
        "ses:ListEmailIdentities"
      ],
      "Resource": "*"
    }
  ]
}
This policy allows the user to verify email addresses and domains, send emails, and access the SES send quota. This is the basic level of permissions the plugin requires to function.
Resource Restrictions
This policy can be further tightened to restrict the user’s access to a specific region and/or account for identities. Simply replace the Resource statement in the “IdentityManagement” and “SendEmail” sections with the following:
"Resource": "arn:aws:ses:YOUR_REGION_HERE:YOUR_ACCOUNT_NUMBER_HERE:identity/*"
where YOUR_REGION_HERE is one of the available SES regions and YOUR_ACCOUNT_NUMBER_HERE is your AWS account number. You may find the “Visual Editor” in the AWS IAM Policy console helpful when setting more granular access permissions, as it will help fill this information out for you.
You can further restrict the email identity by replacing the .../* in the Resource statement with a specific identity, e.g. .../example.com for a domain identity, or .../[email protected] for an email identity. The following example restricts a site to only send emails from the “example.com” domain via the London region:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IdentityManagement",
      "Effect": "Allow",
      "Action": [
        "ses:CreateEmailIdentity",
        "ses:DeleteEmailIdentity"
      ],
      "Resource": "arn:aws:ses:eu-west-2:123456789012:identity/example.com"
    },
    {
      "Sid": "SendEmail",
      "Effect": "Allow",
      "Action": "ses:SendRawEmail",
      "Resource": "arn:aws:ses:eu-west-2:123456789012:identity/example.com"
    },
    {
      "Sid": "AccountLevel",
      "Effect": "Allow",
      "Action": [
        "ses:GetAccount",
        "ses:ListEmailIdentities"
      ],
      "Resource": "*"
    }
  ]
}
NOTE: The separation of the “IdentityManagement” and “SendEmail” sections is important when using a specific Resource.
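A quick way to sanity-check the tightened policy before attaching it is to evaluate a few sample requests against it. The script below is an added example, not part of this page or of WP Offload SES: it implements a simplified IAM evaluation (explicit Deny wins, then any matching Allow, otherwise implicit deny; no Conditions) with IAM wildcard matching, and runs the page's example policy against sends from the permitted identity, another region, another domain, and the account-level quota call. The account number and region are the page's placeholder values.

```python
import re

# Constructed sample: the tightened policy shown above. The account number and
# region are the page's placeholder values, not a real account.
IDENTITY_ARN = "arn:aws:ses:eu-west-2:123456789012:identity/example.com"
TIGHTENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "IdentityManagement", "Effect": "Allow",
         "Action": ["ses:CreateEmailIdentity", "ses:DeleteEmailIdentity"],
         "Resource": IDENTITY_ARN},
        {"Sid": "SendEmail", "Effect": "Allow",
         "Action": "ses:SendRawEmail", "Resource": IDENTITY_ARN},
        {"Sid": "AccountLevel", "Effect": "Allow",
         "Action": ["ses:GetAccount", "ses:ListEmailIdentities"],
         "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, value, ignore_case=False):
    """IAM-style matching: '*' matches any run of characters, '?' a single one."""
    regex = "^" + ".*".join(re.escape(p).replace(r"\?", ".") for p in pattern.split("*")) + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: explicit Deny wins, then any Allow, else implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; resource ARNs are not.
        if not any(_glob_match(a, action, True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    for action, arn in [
        ("ses:SendRawEmail", IDENTITY_ARN),                                     # permitted identity
        ("ses:SendRawEmail", IDENTITY_ARN.replace("eu-west-2", "us-east-1")),   # other region
        ("ses:SendRawEmail", IDENTITY_ARN.replace("example.com", "other.com")),  # other domain
        ("ses:GetAccount", "*"),                                                # quota lookup
    ]:
        print(f"{action:18} {arn:62} -> {is_allowed(TIGHTENED_POLICY, action, arn)}")
```

Only the send from example.com in eu-west-2 and the account-level GetAccount call are allowed; a send via another region or from another domain falls through to the implicit deny.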
You can read more about IAM policies here.