AWS: How to attach a policy to an IAM user that grants him the privilege to create a verified identity and not access root identities?


In the root account, I have a verified domain identity that I used to create an email identity for transactional emails.
Image 1

Now, I created a new IAM account.

I would like to attach a policy to this IAM account that allows it to create a verified email identity using that verified domain identity in the root account.

And he must not be able to list nor use the verified email identity in the root account.

Should I use an inline policy for this (which I know should be avoided and left as a last resort) or normal permission configuration?
Image 2

If so how should I write or pick such a policy?

EDIT 1: When I tried to create an email using the IAM account, just to see what AWS would say, this is what's written in the notification:

You do not have sufficient access to perform this action.

User: arn:aws:iam::122443365328:user/iam-user-name is not authorized to perform: ses:CreateEmailIdentity on resource:

arn:aws:ses:us-region:122443365328:identity/ because no identity-based policy allows the ses:CreateEmailIdentity action

And when I searched for the CreateEmailIdentity in the inline policy creation dashboard, it was not found:

Image 3


I have actually found it when I picked SES-v2 as a service:

Image 4

I have granted the IAM user these privileges:

Image 5

And in resources section:
Image 6

I added the ARN of the verified domain name:

Image 7

This is the result:

Image 8

But, still when I try to create an email identity using the IAM account, I still get this:

You do not have sufficient access to perform this action. User: arn:aws:iam::12xxxxxx5328:user/iam-user-name is not authorized to perform: ses:CreateEmailIdentity on resource: arn:aws:ses:us-west-2:122443365328:identity/ because no identity-based policy allows the ses:CreateEmailIdentity action

What I don't understand here is the meaning of not being authorized to perform ses:CreateEmailIdentity on the resource that I am trying to create which is the new email.

How can I be authorized to do that on an email identity that still doesn't exist.

Even after created an email using the root user and granted the IAM user the privilege of sending emails using that email using this policy:

[![Image 9][9]][9]

  "Version": "2012-10-17",
  "Statement": [
      "Sid": "stmt1643366831422",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::12xxxxxx328:user/iam-user-name"
      "Action": [
      "Resource": "arn:aws:ses:us-west-2:12xxxxxxxx28:identity/",
      "Condition": {}

When I send email in the backend, this is what gets logged:

🚀 ~ file: emailServices.js ~ line 297 ~ .then ~ error AccessDenied: User arn:aws:iam::12xxxxx5328:user/iam-user-name' is not authorized to perform ses:SendEmail' on resource `arn:aws:ses:us-west-2:1xxxxx28:identity/'

Then I authorized the iam user to send email on the Domain Identity using the same policy but applied on the Domain Identity.

Now, sending emails using the IAM user credentials works.
The problem is that he can send emails using all verified email idenitities.
But, I want him to be able to do so by only using the corresponding email identity that was created specifically for that IAM user.

I am aware that I should not use the root account and should instead only use IAM accounts.

1 Answer


From the above use case, I understand that you need an IAM policy that can verify the identity but not able to list all the identities in the account. Please let me know if I misunderstood the query.

For this use case, as you specified create Identity is available in SES v2. With the following set, you can verify and create but not list the identities.

[ "ses:SendEmail", "ses:TagResource", "ses:CreateEmailIdentity", "ses:SendBulkEmail" ]

SES v2 supports authorization based on tags. Customer engagement services - So if tags are supported for the resource (meaning you can create tags) then you can use "aws:ResourceTag" condition key as that condition key checks the tag of the resource

Controlling access to AWS resources using tags - AWS global condition context keys - aws:ResourceTag/<em>tag-key</em> - >>

Using tags, you can control on the IAM side and whichever IAM creates the resource should be able to send using that IAM policy. You can give specific verified identity permissions using the following:

The following policy permits a user to call the Amazon SES email-sending APIs, but only if the "From" address is

{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "ses:SendEmail", "ses:SendRawEmail" ], "Resource":"*", "Condition":{ "StringEquals":{ "ses:FromAddress":"" } } } ] }

Reference :

Please let me know if there are any questions or concerns.

answered 10 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions