How do I resolve an "Unauthorized" error when I send emails in Amazon SES?


I'm trying to send an email using Amazon Simple Email Service (Amazon SES), but I keep receiving an "Unauthorized" error.

Short description

The "Unauthorized" error can occur due to the following reasons:

  • You're using the incorrect AWS Identity and Access Management (IAM) user or role to send emails.
  • The IAM identity that you're using doesn't have ses:SendEmail or ses:SendRawEmail permissions.
  • The IAM policy or authorization policy denies your IAM identity permission for the ses:SendEmail or ses:SendRawEmail actions.
  • The IAM permissions boundaries don't allow access to Amazon SES.
  • AWS Organizations service control policies (SCPs) don't allow Amazon SES access.
  • For cross-account sending: The authorization policy for the sending identity doesn't allow the IAM identity to send emails.

To troubleshoot authorization errors, follow these steps:

  • Verify that you're using the correct IAM identity to send emails.
  • Make sure that the IAM identity has ses:SendEmail and ses:SendRawEmail permissions to send email.
  • Check if there are any deny statements in the IAM policy or authorization policy that are blocking access.
  • Check whether an action that's allowed in your IAM policy isn't allowed in the permissions boundary.
  • Include all required actions in the permissions boundary using the IAM console.
  • If you use AWS Organizations, then verify that you don't have any SCPs that explicitly deny Amazon SES actions.
  • For cross-account sending, check that the authorization policy for the sending identity grants the required permissions to the IAM identity.

Resolution

Check that the IAM identity has ses:SendEmail and ses:SendRawEmail permissions

Make sure that your IAM identity has the correct permissions to send emails.

Follow these steps:

  1. Open the IAM console.
  2. Select the IAM user or role that's used to send emails.
  3. Select the IAM identity name that you're using to send emails.
  4. In the Permissions tab of your IAM identity, expand each policy to view its JSON policy document.
  5. Search for policies that are related to Amazon SES access. Then, confirm that you have permissions for the ses:SendEmail or ses:SendRawEmail actions.

The following example IAM policy allows the IAM identity to send emails:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ses:SendEmail",
        "ses:SendRawEmail"
      ],
      "Resource": "*"
    }
  ]
}

Note: Review SendEmail and SendRawEmail for information on what sending actions you can take with each one. If an IAM policy doesn't exist, then create an IAM policy to grant you access to send emails.

Check whether there are any deny statements that block access

Check the IAM policies for any deny statements that might be denying access to send emails.

If there are deny statements, then check for conditions that block access based on the following:

  • ses:Recipients
  • ses:FromAddress
  • ses:FromDisplayName
  • ses:FeedbackAddress
  • aws:CurrentTime
  • aws:EpochTime
  • aws:SecureTransport
  • aws:SourceIp
  • aws:UserAgent

Confirm that IAM permissions boundaries allow access to Amazon SES

Review the IAM permissions boundaries that are set on the IAM identity that's trying to access Amazon SES. Confirm that the IAM permissions boundaries allow access to Amazon SES. For more information, see Delegating responsibility to others using permissions boundaries.

Check if there are any AWS Organizations SCPs that don't allow Amazon SES access

If you're using AWS Organizations, then check the SCPs for any statements that explicitly deny ses:SendEmail, ses:SendRawEmail, or any other Amazon SES action. Delete the service control policies that explicitly deny Amazon SES actions, in accordance with your organization's security policies.

For example, the following policy denies access to all Amazon SES actions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ses:*",
      "Resource": "*"
    }
  ]
}

Check that the sending authorization policy in Amazon SES grants permissions to the delegate sender

When you authorize other users to send emails from the identities that you own, check that the authorization policy has the correct permissions. Also, check for any explicit deny statements. Make sure that the sender uses the Amazon SES endpoint in the same AWS Region where you verified the identity. You must remove both yourself (the identity owner) and the delegate sender from the sandbox to send emails to unverified addresses. To view, edit, or remove a policy, see Managing your sending authorization policies.
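The checks above (identity policy, deny statements keyed on condition keys such as ses:FromAddress, permissions boundary, SCP) can be reasoned about offline with a small evaluator. The following is an added example, not AWS code or an AWS API; the policy documents are constructed for the demo, and only Allow/Deny statements, action wildcards, and the StringEquals/StringLike operators are modelled.

```python
import fnmatch

# Constructed sample documents (not from a real account): the article's Allow policy,
# the article's "deny all SES" SCP, a boundary that never mentions SES, and an Allow
# that only applies when the From address is in a company domain (ses:FromAddress key).
ALLOW_SES_SEND = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ses:SendEmail", "ses:SendRawEmail"], "Resource": "*"}]}
DENY_ALL_SES_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "ses:*", "Resource": "*"}]}
S3_ONLY_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
ALLOW_FROM_DOMAIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ses:SendEmail", "Resource": "*",
     "Condition": {"StringLike": {"ses:FromAddress": "*@example.com"}}}]}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def _statement_applies(stmt, action, context):
    """True if the statement names the action (wildcards allowed, case-insensitive)
    and every condition it carries is satisfied by the request context."""
    if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"])):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False  # key absent from the request: condition is not met
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringLike" and not any(
                    fnmatch.fnmatchcase(actual, e) for e in _as_list(expected)):
                return False
    return True

def evaluate_policy(policy, action, context):
    """'Deny', 'Allow' or 'Implicit' for one policy document."""
    effects = {s["Effect"] for s in policy["Statement"] if _statement_applies(s, action, context)}
    return "Deny" if "Deny" in effects else "Allow" if "Allow" in effects else "Implicit"

def is_authorized(action, identity_policies, boundary=None, scps=(), context=None):
    """Mirrors the layers the article walks through: an explicit Deny in any layer wins,
    every SCP and the permissions boundary (if set) must Allow, and then at least one
    identity policy must Allow. Resource matching is not modelled here."""
    context = context or {}
    identity = [evaluate_policy(p, action, context) for p in identity_policies]
    gates = [evaluate_policy(p, action, context) for p in scps]
    if boundary is not None:
        gates.append(evaluate_policy(boundary, action, context))
    if "Deny" in identity or "Deny" in gates:
        return False
    if any(g != "Allow" for g in gates):
        return False
    return "Allow" in identity
```

Feeding in the policies attached to the failing identity shows which layer turns an expected Allow into the "Unauthorized" result.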

AWS OFFICIAL
Updated a year ago