To address your questions regarding using Amazon SES across different AWS accounts:
Question 1: No, enabling SES for your AWS MP1 account will not automatically allow email notifications to be sent from the stack created using account AWS MP2, even if the domain is the same. Each AWS account is treated separately, and SES permissions do not automatically extend across accounts.
Question 2: Yes, you can set up cross-account access to allow AWS MP2 to send emails using the SES configuration in AWS MP1. This process is called "sending authorization" in Amazon SES. Here's what you need to do:
- In the AWS MP1 account (the identity owner):
  - Verify the domain or email address you want to use for sending.
  - Create a sending authorization policy that explicitly grants permission to the AWS MP2 account.
  - This policy should specify the AWS MP2 account ID as the Principal and grant the necessary SES sending permissions.
- In the AWS MP2 account (the delegate sender):
  - Create an IAM role that can be assumed to send emails through SES in the AWS MP1 account.
  - Configure your application or service to use this role when sending emails.
By following these steps, you can allow the AWS MP2 account to send emails using the SES configuration and verified identities in the AWS MP1 account. This approach maintains control over your email sending identities while allowing delegated access to another account.
Remember that all emails sent this way will be billed to the delegate sender (AWS MP2 in this case), and they must be sent from the same AWS Region where the identity is verified in AWS MP1. Also, the delegate sender is responsible for managing bounce and complaint notifications for the emails they send.
Sources
Using sending authorization with Amazon SES - Amazon Simple Email Service
Amazon SES Sending Authorization Policies - Amazon Simple Email Service
Overview of Amazon SES Sending Authorization - Amazon Simple Email Service
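The sending authorization policy described in the answer above, as an added example that is not part of the original answer: it builds the policy MP1 would attach to its verified identity and lints a policy for grants wider than the intended delegation. The account IDs, domain, Region and function names are constructed placeholders.

```python
import json
ALLOWED_ACTIONS = {"ses:SendEmail", "ses:SendRawEmail"}

def build_sending_policy(owner, delegate, region, identity):
    """Policy the identity owner (MP1) attaches to its verified identity."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowDelegateSender",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{delegate}:root"},
            "Action": sorted(ALLOWED_ACTIONS),
            "Resource": f"arn:aws:ses:{region}:{owner}:identity/{identity}",
        }],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    # "arn:aws:iam::<account>:root" -> "<account>"; a bare account ID or "*" is returned as is
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 else principal

def lint_sending_policy(policy, owner, delegate, region):
    """Return findings; an empty list means only the intended delegation is granted."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in _as_list(aws):
            if _account_of(p) != delegate:
                findings.append(f"principal {p} is not the delegate account")
        extra = set(_as_list(stmt.get("Action", []))) - ALLOWED_ACTIONS
        if extra:
            findings.append(f"actions beyond sending: {sorted(extra)}")
        for res in _as_list(stmt.get("Resource", [])):
            parts = res.split(":")
            if len(parts) < 6 or parts[3] != region or parts[4] != owner:
                findings.append(f"resource {res} is not an identity in {owner}/{region}")
    return findings

# Constructed sample values: 111111111111 = MP1 (owner), 222222222222 = MP2 (delegate)
POLICY = build_sending_policy("111111111111", "222222222222", "us-east-1", "example.com")
if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    print(lint_sending_policy(POLICY, "111111111111", "222222222222", "us-east-1"))
```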