AWS Simple Email Service - Cross account email


The AWS documentation states that 'Amazon SES now enables you to authorize other AWS accounts and IAM users to send emails from your identities'. We have a scenario where we have two AWS accounts that do not belong to the same organization - Account A and Account B. We want to be able to send emails from Account A programmatically through AWS SES API, to Account B. If I set up the AWS SES with verified identities in Account B, create a role for Account A to assume in Account B, is that all I need to do? Do I also need to attach a custom policy to the identities in Account B? I was reading up on sender authorization and wasn't quite sure how this will work. Any help is greatly appreciated.

asked 2 years ago, 234 views

1 Answer

Yes, you need to attach a policy to the identity that will be used in account B.

The sending authorization process consists of the following steps:

  1. The identity owner verifies an identity with Amazon SES by using the Amazon SES console or the Amazon SES API. For information about the verification procedure, see Verified identities.
  2. The delegate sender lets the identity owner know which AWS account ID or IAM user ARN they want to use for sending.
  3. If the identity owner agrees to allow the delegate sender to send from one of his accounts, he creates a sending authorization policy and attaches the policy to the chosen identity by using the Amazon SES console or the Amazon SES API.
  4. The identity owner gives the delegate sender the ARN of the authorized identity so that the delegate sender can provide the ARN to Amazon SES at the time of email sending.
  5. The delegate sender can set up bounce and complaint notifications through event publishing enabled in a configuration set specified during delegate sending. The identity owner can also set up email feedback notifications for bounce and complaint events to be sent to the delegate sender's Amazon SNS topics.

Note If the identity owner disables sending event notifications, the delegate sender must set up event publishing to publish bounce and complaint events to an Amazon SNS topic or a Kinesis Data Firehose stream. The sender must also apply the configuration set that contains the event publishing rule to each email they send. If neither the identity owner nor the delegate sender sets up a method of sending notifications for bounce and complaint events, then Amazon SES automatically sends event notifications by email to the address in the Return-Path field of the email (or the address in the Source field, if you didn't specify a Return-Path address), even if the identity owner disabled email feedback forwarding.

  6. The delegate sender attempts to send an email through Amazon SES on behalf of the identity owner by passing the ARN of the identity owner's identity in the request or in the header of the email. The delegate sender can send the email by using either the Amazon SES SMTP interface or the Amazon SES API. Upon receiving the request, Amazon SES examines any policies that are attached to the identity, and accepts the email if the delegate sender is authorized to use the specified "From" address and "Return Path" address; otherwise, Amazon SES returns an error and does not accept the message.

Important The AWS accounts of both the identity owner and the delegate sender have to be removed from the sandbox before either account can send email to non-verified addresses.

  7. If the identity owner needs to de-authorize the delegate sender, the identity owner edits the sending authorization policy or deletes the policy entirely. The identity owner can perform either action by using the Amazon SES console or the Amazon SES API.

For more about sending authorization, please check this link from the documentation

answered 2 years ago
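The two artifacts the answer describes, as an added example that is not part of the original question or answer: the sending authorization policy that Account B (the identity owner) attaches to its verified identity in step 3, and the SendEmail request that Account A (the delegate sender) issues in step 6 with the identity's ARN in SourceArn and ReturnPathArn. Because the policy names Account A's principal directly, the send call itself does not require assuming a role in Account B. The account IDs, region, domain, role name and addresses are constructed placeholders; `policy_allows` is a local approximation of the check SES performs on the identity's policy, written so the flow can be exercised without network access, and the optional `ses:FromAddress` condition shows how the owner can restrict the delegate to a single From address rather than the whole domain.

```python
"""Cross-account SES sending authorization: identity-owner policy plus delegate request.

All account IDs, ARNs and addresses are constructed placeholders, not values from the post.
"""
from email.utils import parseaddr

# Constructed placeholders (not from the original post).
OWNER_ACCOUNT = "444455556666"       # Account B: owns the verified identity
DELEGATE_ACCOUNT = "111122223333"    # Account A: sends on B's behalf
REGION = "us-east-1"
IDENTITY_ARN = f"arn:aws:ses:{REGION}:{OWNER_ACCOUNT}:identity/example.com"
DELEGATE_ROLE_ARN = f"arn:aws:iam::{DELEGATE_ACCOUNT}:role/MailerRole"


def build_sending_authorization_policy(identity_arn, delegate_principal_arn, from_address=None):
    """Policy the identity owner attaches to the identity (step 3).

    The principal may be an account ID, a root ARN, or an IAM user/role ARN in the
    delegate account. Restricting to one From address via ses:FromAddress is optional
    but keeps the grant as narrow as the use case allows.
    """
    statement = {
        "Sid": "AllowDelegateSend",
        "Effect": "Allow",
        "Principal": {"AWS": delegate_principal_arn},
        "Action": ["ses:SendEmail", "ses:SendRawEmail"],
        "Resource": identity_arn,
    }
    if from_address:
        statement["Condition"] = {"StringEquals": {"ses:FromAddress": from_address}}
    return {"Version": "2012-10-17", "Id": "CrossAccountSending", "Statement": [statement]}


def build_send_email_request(identity_arn, sender, recipient, subject, body, configuration_set=None):
    """Keyword arguments for boto3's ses.send_email (step 6).

    SourceArn / ReturnPathArn tell SES which identity's policies to evaluate; without them
    SES looks for the identity in the caller's own account and the send fails.
    """
    request = {
        "Source": sender,
        "Destination": {"ToAddresses": [recipient]},
        "Message": {
            "Subject": {"Data": subject, "Charset": "UTF-8"},
            "Body": {"Text": {"Data": body, "Charset": "UTF-8"}},
        },
        "SourceArn": identity_arn,
        "ReturnPathArn": identity_arn,
    }
    if configuration_set:
        # Configuration set carrying the delegate's event-publishing rule (see the Note above).
        request["ConfigurationSetName"] = configuration_set
    return request


def policy_allows(policy, principal_arn, action, request):
    """Local approximation of the check SES performs against the identity's policy.

    Matches principal, action, the identity ARN in the request, and the optional
    ses:FromAddress condition against the bare address in the Source header.
    """
    from_address = parseaddr(request["Source"])[1]
    for stmt in policy["Statement"]:
        principals = stmt["Principal"]["AWS"]
        if isinstance(principals, str):
            principals = [principals]
        if principal_arn not in principals:
            continue
        if action not in stmt["Action"]:
            continue
        if stmt["Resource"] != request["SourceArn"]:
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "ses:FromAddress" in cond and cond["ses:FromAddress"] != from_address:
            continue
        return stmt["Effect"] == "Allow"
    return False


if __name__ == "__main__":
    import json

    policy = build_sending_authorization_policy(IDENTITY_ARN, DELEGATE_ROLE_ARN, "noreply@example.com")
    print(json.dumps(policy, indent=2))  # paste into the identity's policy in Account B
    request = build_send_email_request(
        IDENTITY_ARN, "No Reply <noreply@example.com>", "user@example.net", "Hello", "Sent via delegate"
    )
    print("delegate authorized:", policy_allows(policy, DELEGATE_ROLE_ARN, "ses:SendEmail", request))
    # In Account A, with credentials for MailerRole:
    #   import boto3; boto3.client("ses", region_name=REGION).send_email(**request)
```

The delegate's own IAM policy in Account A must also allow `ses:SendEmail`/`ses:SendRawEmail`; the sending authorization policy grants the cross-account side only. Both accounts still need to be out of the SES sandbox before mail can go to unverified recipients, as the answer's Important note says.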
