How do I resolve the "554 Access denied" error when I send an email from my IAM user in Amazon SES?

I sent an email from an AWS Identity and Access Management (IAM) user in Amazon Simple Email Service (Amazon SES). However, I received a "554 Access denied" error.

Resolution

To resolve the "554 Access denied" error, complete the following steps:

  1. Open the IAM console.

  2. In the navigation pane, choose Policies.

  3. Choose the arrow next to each policy name associated with the IAM user to expand the policy details view.

  4. Make sure that the IAM policy has permissions for the ses:SendEmail and ses:SendRawEmail actions. 
    The following example IAM policy allows the IAM user to send emails for the verified email address and domain identity:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ses:SendEmail",
                    "ses:SendRawEmail"
                ],
                "Resource": "*"
            }
        ]
    }

    In the preceding example policy, the IAM user has access to send email from all identities because the Resource element is set to "*". The Resource element can also specify an Amazon Resource Name (ARN) to restrict access to an AWS Region, domain, or email address. 
    Note: If an IAM policy doesn't exist, then create an IAM policy to grant you access to send emails.

  5. Confirm there isn't a sending authorization policy attached to the email address or domain that prevents the IAM user from sending emails. If you verified the email address identity separately from the domain identity, then the authorization policy must allow the IAM user to send email. For more information, see Creating and verifying identities in Amazon SES.

  6. If you use AWS Organizations, then review the service control policies (SCPs). Make sure that the SCPs don't contain any statements that explicitly deny the ses:SendEmail and ses:SendRawEmail actions or any other Amazon SES actions. Delete the SCPs that explicitly deny Amazon SES actions in accordance with your organization's security policies.
    The following example policy denies access to all Amazon SES actions:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": "ses:*",
                "Resource": "*"
            }
        ]
    }

    Note: Amazon SES Simple Mail Transfer Protocol (SMTP) credentials are unique to each AWS account, and specific to one Region.
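
The checks in steps 4 and 6 can be run offline against exported policy documents. The following Python is an added example, not AWS code or part of the original article: it reports, for each send action, whether an explicit Deny or a missing Allow explains the error. It assumes policies that use only Effect, Action and Resource (no Condition, NotAction or NotResource); the function names are hypothetical, and the account ID, Region and domain in the scoped policy are placeholders.

```python
import fnmatch

SEND_ACTIONS = ("ses:SendEmail", "ses:SendRawEmail")

# Constructed sample documents. The first two mirror the policies shown above;
# the account ID, Region and domain in the scoped one are placeholders.
ALLOW_ALL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": list(SEND_ACTIONS), "Resource": "*"}]}
SCP_DENY_SES = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "ses:*", "Resource": "*"}]}
IDENTITY_ARN = "arn:aws:ses:us-east-1:111122223333:identity/example.com"
SCOPED_SEND_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ses:SendEmail", "Resource": IDENTITY_ARN}]}


def _as_list(value):
    """IAM allows a single string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def _covers(stmt, action, resource):
    """True if the statement's Action and Resource patterns match the request."""
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]  # case-insensitive
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))


def diagnose(iam_policies, scps, identity_arn):
    """Return {action: verdict} for both send actions on one SES identity."""
    verdicts = {}
    for action in SEND_ACTIONS:
        def hit(policies, effect):
            return any(s.get("Effect") == effect and _covers(s, action, identity_arn)
                       for p in policies for s in _as_list(p["Statement"]))
        if hit(iam_policies + scps, "Deny"):      # step 6: an explicit Deny always wins
            verdicts[action] = "explicit deny"
        elif not hit(iam_policies, "Allow"):      # step 4: both actions need an Allow
            verdicts[action] = "no matching allow"
        else:
            verdicts[action] = "allowed"
    return verdicts


if __name__ == "__main__":
    print(diagnose([ALLOW_ALL], [], IDENTITY_ARN))
    print(diagnose([ALLOW_ALL], [SCP_DENY_SES], IDENTITY_ARN))
    print(diagnose([SCOPED_SEND_ONLY], [], IDENTITY_ARN))
```

A sending authorization policy from step 5 that contains a Deny statement can be passed in the second list to check it the same way.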

Related information

Identity and access management in Amazon SES

How do I resolve Amazon SES 554 or 400 "Message rejected" errors?

Amazon SES SMTP issues