Yes, you need to attach a policy to the identity that will be used in account B.
The sending authorization process consists of the following steps:
- The identity owner verifies an identity with Amazon SES by using the Amazon SES console or the Amazon SES API. For information about the verification procedure, see Verified identities.
- The delegate sender lets the identity owner know which AWS account ID or IAM user ARN they want to use for sending.
- If the identity owner agrees to allow the delegate sender to send from one of his accounts, he creates a sending authorization policy and attaches the policy to the chosen identity by using the Amazon SES console or the Amazon SES API.
- The identity owner gives the delegate sender the ARN of the authorized identity so that the delegate sender can provide the ARN to Amazon SES at the time of email sending.
- The delegate sender can set up bounce and complaint notifications through event publishing enabled in a configuration set specified during delegate sending. The identity owner can also set up email feedback notifications for bounce and complaint events to be sent to the delegate sender's Amazon SNS topics.
Note: If the identity owner disables sending event notifications, the delegate sender must set up event publishing to publish bounce and complaint events to an Amazon SNS topic or a Kinesis Data Firehose stream. The sender must also apply the configuration set that contains the event publishing rule to each email they send. If neither the identity owner nor the delegate sender sets up a method of sending notifications for bounce and complaint events, then Amazon SES automatically sends event notifications by email to the address in the Return-Path field of the email (or the address in the Source field, if you didn't specify a Return-Path address), even if the identity owner disabled email feedback forwarding.
- The delegate sender attempts to send an email through Amazon SES on behalf of the identity owner by passing the ARN of the identity owner's identity in the request or in the header of the email. The delegate sender can send the email by using either the Amazon SES SMTP interface or the Amazon SES API. Upon receiving the request, Amazon SES examines any policies that are attached to the identity, and accepts the email if the delegate sender is authorized to use the specified "From" address and "Return Path" address; otherwise, Amazon SES returns an error and does not accept the message.
Important: The AWS accounts of both the identity owner and the delegate sender have to be removed from the sandbox before either account can send email to non-verified addresses.
- If the identity owner needs to de-authorize the delegate sender, the identity owner edits the sending authorization policy or deletes the policy entirely. The identity owner can perform either action by using the Amazon SES console or the Amazon SES API.
For more about sending authorization, please check this link from the documentation: https://docs.aws.amazon.com/ses/latest/dg/sending-authorization-overview.html
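The policy step above, as an added example that is not part of the original answer or of the AWS documentation: it builds a sending authorization policy scoped to one delegate account and audits a policy for statements broader than that. The account ID, region, domain and both function names are constructed placeholders, and the audit rules are this example's own assumptions about what counts as too broad.

```python
import json

# Constructed placeholder values (assumptions, not from the original answer).
DELEGATE_ACCOUNT = "222222222222"   # account B, the delegate sender
IDENTITY_ARN = "arn:aws:ses:us-east-1:111111111111:identity/example.com"
SEND_ACTIONS = {"ses:SendEmail", "ses:SendRawEmail"}


def build_sending_policy(identity_arn, delegate_account, from_pattern):
    """Policy the identity owner attaches to the verified identity."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowDelegateSender",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{delegate_account}:root"},
            "Action": sorted(SEND_ACTIONS),
            "Resource": identity_arn,
            "Condition": {"StringLike": {"ses:FromAddress": from_pattern}},
        }],
    }


def audit_sending_policy(policy, identity_arn):
    """Return findings for Allow statements broader than a scoped delegation."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        principals = aws if isinstance(aws, list) else [aws]
        if "*" in principals:
            findings.append(f"{sid}: wildcard principal")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not set(actions) <= SEND_ACTIONS:
            findings.append(f"{sid}: actions beyond SendEmail/SendRawEmail")
        if stmt.get("Resource") != identity_arn:
            findings.append(f"{sid}: resource is not the identity ARN")
        if "Condition" not in stmt:
            findings.append(f"{sid}: no condition restricting use")
    return findings


if __name__ == "__main__":
    policy = build_sending_policy(IDENTITY_ARN, DELEGATE_ACCOUNT, "*@example.com")
    print(json.dumps(policy, indent=2), audit_sending_policy(policy, IDENTITY_ARN))
```

The identity owner would attach the resulting JSON to the identity through the SES console or API, and the delegate sender would then pass the identity ARN when sending.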