Custom IAM Policy for Amazon SES
If you’re familiar with AWS IAM policies and wish to restrict access to SES for the AWS user whose access keys are being used by WP Offload SES, here are the basic actions required for WP Offload SES to work properly.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ses:VerifyEmailIdentity",
                "ses:GetSendQuota",
                "ses:SendRawEmail",
                "ses:DeleteIdentity",
                "ses:GetIdentityVerificationAttributes",
                "ses:ListIdentities",
                "ses:VerifyDomainIdentity"
            ],
            "Resource": "*"
        }
    ]
}
This policy allows the user to verify email addresses and domains, send emails, and access the SES send quota. This is the basic level of permissions the plugin requires to function.
Resource Restrictions
This policy can be further tightened to restrict the user’s access to a specific region and/or account. Simply replace the “Resource” section with the following:
"Resource": "arn:aws:ses:YOUR_REGION_HERE:YOUR_ACCOUNT_NUMBER_HERE:identity/*"
Where YOUR_REGION_HERE is one of the available SES regions, and YOUR_ACCOUNT_NUMBER_HERE is your AWS account number. You may find the “Visual Editor” in the AWS IAM Policy console helpful when setting more granular access permissions, as it will help fill this information out for you.
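The script below is an added example, not part of the original documentation or the plugin's code: it applies the Resource replacement described above to the policy from this page and lints the result for a leftover wildcard, unfilled placeholders, or a malformed ARN. The function names, the region us-east-1 and the account number 123456789012 are constructed for illustration, and the ARN pattern is an assumption about the usual region and account-number shape.

```python
import copy
import re

# The seven actions listed in the policy on this page.
REQUIRED_ACTIONS = {
    "ses:VerifyEmailIdentity", "ses:GetSendQuota", "ses:SendRawEmail",
    "ses:DeleteIdentity", "ses:GetIdentityVerificationAttributes",
    "ses:ListIdentities", "ses:VerifyDomainIdentity",
}
# The unrestricted policy from this page, as a Python dict.
BASE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": sorted(REQUIRED_ACTIONS),
        "Resource": "*",
    }],
}
# Assumed shape: arn:aws:ses:<region>:<12-digit account>:identity/<name or *>
SCOPED_ARN = re.compile(r"^arn:aws:ses:[a-z]{2}(-[a-z]+)+-\d:\d{12}:identity/.+$")


def scope_policy(policy, region, account):
    """Return a copy of the policy with Resource set to the scoped identity ARN."""
    scoped = copy.deepcopy(policy)
    for stmt in scoped["Statement"]:
        stmt["Resource"] = f"arn:aws:ses:{region}:{account}:identity/*"
    return scoped


def lint_policy(policy):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings, actions = [], set()
    for stmt in policy["Statement"]:
        acts, res = stmt["Action"], stmt["Resource"]
        actions |= {acts} if isinstance(acts, str) else set(acts)
        for arn in ([res] if isinstance(res, str) else res):
            if arn == "*":
                findings.append("Resource is the wildcard '*'")
            elif "_HERE" in arn:
                findings.append(f"placeholder left in Resource: {arn}")
            elif not SCOPED_ARN.match(arn):
                findings.append(f"malformed SES identity ARN: {arn}")
    findings += [f"action not in the documented list: {a}"
                 for a in sorted(actions - REQUIRED_ACTIONS)]
    findings += [f"documented action missing: {a}"
                 for a in sorted(REQUIRED_ACTIONS - actions)]
    return findings
```

The lint checks only the shape of the policy document; whether the plugin still works with the scoped policy has to be confirmed against the AWS account itself.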
You can read more about IAM policies here.