Documentation

Custom IAM Policy for Amazon SES

If you’re familiar with AWS IAM policies and wish to restrict access to SES for the AWS User who’s Access Keys are being used by WP Offload SES, here are the basic actions required for WP Offload SES to work properly.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ses:VerifyEmailIdentity",
                "ses:GetSendQuota",
                "ses:DeleteIdentity",
                "ses:GetIdentityVerificationAttributes",
                "ses:ListIdentities",
                "ses:VerifyDomainIdentity",
                "ses:SendRawEmail"
            ],
            "Resource": "arn:aws:ses:::*"
        }
    ]
}

This policy allows the user to verify email addresses and domains, send emails, and access the SES send quota. This is the basic level of permissions the plugin requires to function.

Region Restrictions

This policy can be further tightened to restrict the user’s access to a specific region. Simply replace the “Resource” section with the following:

"Resource": "arn:aws:ses:YOUR_REGION_HERE::*"

Where YOUR_REGION_HERE is one of the available SES regions.

You can read more about IAM policies here.