I used Amazon Simple Email Service (Amazon SES) to try to send an email and received an "Unauthorized" error.
Resolution
Verify IAM permissions
To verify that your AWS Identity and Access Management (IAM) identity has the correct permissions to send emails, complete the following steps:
- Open the IAM console.
- Select the IAM user or role that's used to send emails.
- Select the IAM identity name that you use to send emails.
- In the Permissions tab of your IAM identity, expand each policy to view its JSON policy document.
- Search for policies that are related to Amazon SES access. Then, confirm that you have permissions for the ses:SendEmail or ses:SendRawEmail actions.
The following example IAM policy allows the IAM identity to send emails:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ses:SendEmail",
        "ses:SendRawEmail"
      ],
      "Resource": "*"
    }
  ]
}
Note: If an IAM policy doesn't exist, then use the preceding example policy to create an IAM policy that grants you access to send emails.
Check whether there are any deny statements that block access
Check the IAM policies for any deny statements that might deny access to send emails.
If there are deny statements, then remove or modify the following conditions that restrict access:
- ses:Recipients
- ses:FromAddress
- ses:FromDisplayName
- ses:FeedbackAddress
- aws:CurrentTime
- aws:EpochTime
- aws:SecureTransport
- aws:SourceIp
- aws:UserAgent
Confirm that IAM permissions boundaries allow access to Amazon SES
Review the IAM permissions boundaries that are set on the IAM identity that tried to access Amazon SES. Make sure that the IAM permissions boundaries allow access to Amazon SES. For more information, see Delegating responsibility to others using permissions boundaries.
Verify that AWS Organizations SCPs don't deny Amazon SES access
If you use AWS Organizations, then check the service control policy (SCP) for any statements that explicitly deny the ses:SendEmail and ses:SendRawEmail actions. Delete the SCPs that explicitly deny Amazon SES actions in accordance with your organization's security policies.
The following example policy denies access to all Amazon SES actions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ses:*",
      "Resource": "*"
    }
  ]
}
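The checks in the preceding sections (an Allow in the identity policy, explicit deny statements, the permissions boundary, and SCPs) can be run offline against exported policy JSON. The following Python code is an added example, not AWS code: the function name diagnose and the sample policies are assumptions constructed for illustration. It matches only the Action element (Resource, NotAction, and conditions on Allow statements are not evaluated) and reports every matching Deny, listing its condition keys so that you can review them.

```python
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action):
    # IAM action names are case-insensitive and may use * and ? wildcards.
    # NotAction, Resource and Allow-side conditions are not evaluated here.
    return any(fnmatchcase(action.lower(), pat.lower())
               for pat in _as_list(stmt.get("Action", [])))

def diagnose(action, identity, boundary=None, scps=None):
    """Return reasons `action` would be refused; an empty list means allowed."""
    findings = []
    layers = (("identity policy", identity),
              ("permissions boundary", boundary),
              ("SCP", scps))
    for name, policies in layers:
        if policies is None:        # layer not attached / not in use
            continue
        allowed = False
        for policy in policies:
            for stmt in _as_list(policy["Statement"]):
                if not _matches(stmt, action):
                    continue
                if stmt["Effect"] == "Allow":
                    allowed = True
                    continue
                # An explicit Deny wins over any Allow; list its condition keys
                keys = sorted(k for op in stmt.get("Condition", {}).values() for k in op)
                findings.append(f"{name}: explicit Deny"
                                + (f" conditioned on {', '.join(keys)}" if keys else ""))
        if not allowed:
            findings.append(f"{name}: no Allow for {action}")
    return findings

# Constructed sample policies (IDENTITY is the Allow example from this page).
IDENTITY = [{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ses:SendEmail", "ses:SendRawEmail"], "Resource": "*"}]}]
IP_DENY = [{"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "ses:Send*", "Resource": "*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}]
BOUNDARY = [{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}]
SCPS = [{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "ses:*", "Resource": "*"}]}]

if __name__ == "__main__":
    for finding in diagnose("ses:SendEmail", IDENTITY + IP_DENY, BOUNDARY, SCPS):
        print(finding)
```

An empty result means that none of the supplied layers blocks the action on the Action element alone; a finding that lists condition keys still requires you to check whether the condition applies to the failing request.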
Verify that the sender authorization policy in Amazon SES grants permissions to the delegate sender
When you authorize other users to send emails from the identities that you own, verify that the authorization policy has the correct permissions. Make sure that the sender uses the same Amazon SES endpoint in the AWS Region that you verified the identity in. You must remove the delegate sender's AWS account from the sandbox before it can send emails to unverified addresses. To view, edit, or remove a policy, see Managing your identity authorization policies in Amazon SES.