Problem with Giving SES Permission to Publish to Kinesis Data Firehose Delivery Stream

Hi! Good question,

From the page you've linked as well, the SES section covers the following under Create an Amazon SES Configuration Set:

• (Part of Step 7): For IAM role, select Let SES make a new role. Enter a name for the role, and then choose Create Role. (As you've mentioned, this is where the guidance stops).
• The role will need 2 specific things: 1. The Trust Relationship configured to allow SES to use the role. 2. The Permissions for the Role to write to Firehose.
• The Trust Relationship should look like the following (Note the Conditions for SourceAccount and SourceArn to limit the usage for your specific purpose):

 {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ses.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "123456789012",
          "AWS:SourceArn": "arn:aws:ses:us-east-1:123456789012:configuration-set/configuration-set-name"
        }
      }
    }
  ]
}

And the policy with permissions (either Inline or Managed Policy) should look like the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "firehose:PutRecordBatch"
      ],
      "Resource": [
        "arn:aws:firehose:us-east-1:123456789012:deliverystream/delivery-stream-name"              
      ]
    }
  ]
}

Keep in mind you'll need to replace the region, account number, delivery-stream-name and configuration-set-name in your ARNs with what you're using.

For more information, check out: https://docs.aws.amazon.com/ses/latest/DeveloperGuide/event-publishing-add-event-destination-firehose.html