The IAM user has the right permissions to send emails. For example, to permit the user to call the email-sending APIs, the user's policy must include the related actions (ses:SendEmail, ses:SendRawEmail, ses:SendTemplatedEmail, ses:SendBulkTemplatedEmail).
The IAM user has the right access to send email from the identity. If the Resource element of the IAM user policy is set to *, then the user can send email from all identities. If the Resource element is restricted, then check that the user has two policies, or two statements in one policy. In the first policy or statement, the Action element must be set to one or more of the non-email-sending APIs, and the Resource element must be set to *. In the second policy or statement, the Action element must be set to one or more of the email-sending APIs, and the Resource element must be set to the identity's ARN.
The following is an example IAM policy with two statements. The policy permits the user to perform GetSendStatistics and GetSendQuota non-email-sending APIs, and restricts SendEmail and SendRawEmail email-sending APIs to send only from the domain.
5. Check whether the user inherited an AWS Organizations service control policy (SCP). SCPs can prevent the user from sending emails. For example, the user might have inherited a Deny statement for Amazon SES, or the user might have access to only certain AWS or Amazon SES Regions.
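The two-statement rule for identity-restricted policies described above can be checked mechanically. The following is an added example, not part of the original article or any AWS tooling: `check_policy` is a hypothetical helper, and the account ID, Region, and identity ARNs are constructed placeholders. It reads only Allow statements and does not evaluate Deny statements, Condition elements, or SCPs.

```python
from fnmatch import fnmatchcase

# Email-sending actions listed on the page (IAM action names are case-insensitive).
SEND_ACTIONS = {"ses:sendemail", "ses:sendrawemail",
                "ses:sendtemplatedemail", "ses:sendbulktemplatedemail"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_policy(policy, identity_arn):
    """Return findings for an identity-based policy; an empty list means the layout is correct.
    Only Allow statements are read; Deny, Condition and SCPs are not evaluated."""
    findings, can_send = [], False
    for idx, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        # Wildcard patterns such as ses:* or ses:Send* also grant sending actions.
        grants_send = any(fnmatchcase(s, p) for p in patterns for s in SEND_ACTIONS)
        # Any ses: pattern that is not exactly a sending action may cover non-sending APIs.
        non_sending = [p for p in patterns if p.startswith("ses:") and p not in SEND_ACTIONS]
        if grants_send and any(fnmatchcase(identity_arn, r) for r in resources):
            can_send = True
        if non_sending and "*" not in resources:
            findings.append(f"statement {idx}: {non_sending} need Resource '*'")
    if not can_send:
        findings.append(f"no Allow statement permits sending from {identity_arn}")
    return findings

# Constructed placeholder identity ARN for the sample policies below.
IDENTITY = "arn:aws:ses:us-east-1:111122223333:identity/example.com"

# Two statements, as the page describes: non-sending on *, sending on the identity.
GOOD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ses:GetSendStatistics", "ses:GetSendQuota"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["ses:SendEmail", "ses:SendRawEmail"], "Resource": IDENTITY},
]}
# Mixed statement scoped to a different identity: both checks fail.
BAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ses:GetSendQuota", "ses:SendEmail"],
     "Resource": "arn:aws:ses:us-east-1:111122223333:identity/other.example"},
]}

if __name__ == "__main__":
    for name, pol in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_policy(pol, IDENTITY) or "ok")
```
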