SES rule created via CloudFormation failing with `Could not write to bucket` despite bucket policy

Here are the resources I'm attempting to add to my stack:

  ForwardAdminEmailBucket:
    Type: AWS::S3::Bucket

  ForwardAdminEmailBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ForwardAdminEmailBucket
      PolicyDocument:
        Statement:
          -
            Action:
              - s3:PutObject
            Effect: Allow
            Resource: !Sub ${ForwardAdminEmailBucket.Arn}/*
            Principal:
              Service: ses.amazonaws.com
            Condition:
              StringEquals:
                'aws:Referer': !Ref AWS::AccountId

  ForwardAdminEmailRuleSet:
    Type: AWS::SES::ReceiptRuleSet
    Properties:
      RuleSetName: forward-admin-emails-ruleset

  ForwardAdminEmailRule:
    Type: AWS::SES::ReceiptRule
    DependsOn: ForwardAdminEmailBucketPolicy
    Properties:
      RuleSetName: !Ref ForwardAdminEmailRuleSet
      Rule:
        Name: save-to-s3-and-forward
        Enabled: true
        Recipients:
          - !Sub admin@${DomainName}
        Actions:
          - S3Action:
              BucketName: !Ref ForwardAdminEmailBucket
              KmsKeyArn: !Sub arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/aws/ses

When I attempt to deploy it, I see the following message:

Could not write to bucket: ***BucketName*** (Service: AmazonSimpleEmailService; Status Code: 400; Error Code: InvalidS3Configuration; Request ID: 0d922147-9b7c-4f4c-8d71-cc86bff50cc3; Proxy: null)

When I add the rule manually, it succeeds. Any suggestions?

Clarification: I deployed everything above except the AWS::SES::ReceiptRule before attempting to create the rule manually inside the rule set.

Update: I added s3:* to my CloudFormation deployment role to rule out that role needing to be able to write to the bucket, but it still fails.

2 Answers
Accepted Answer

The issue appears to be that the KMS key I specified doesn't exist. After creating a KMS key in my template and attaching it to the rule, the deployment succeeds.

answered 2 months ago
EXPERT
reviewed a month ago

The error message Could not write to bucket suggests that the SES service is unable to write to the specified S3 bucket. This could be due to the bucket policy not allowing the necessary permissions. However, looking at your CloudFormation template, the bucket policy seems to be correctly configured to allow SES to put objects into the bucket.

One potential issue might be the condition in your bucket policy:

Condition:
  StringEquals:
    'aws:Referer': !Ref AWS::AccountId

This condition requires that the request must include a Referer header matching the AWS account ID. However, SES might not include this header when writing to the S3 bucket. You can try removing this condition to see if that resolves the issue:

ForwardAdminEmailBucketPolicy:
  Type: AWS::S3::BucketPolicy
  Properties:
    Bucket: !Ref ForwardAdminEmailBucket
    PolicyDocument:
      Statement:
        -
          Action:
            - s3:PutObject
          Effect: Allow
          Resource: !Sub ${ForwardAdminEmailBucket.Arn}/*
          Principal:
            Service: ses.amazonaws.com

Another thing to check is the permissions of the IAM role that CloudFormation is using to create the resources. Make sure that this role has permissions to create SES receipt rules and to put objects in the S3 bucket.

If the issue persists, you can also try deploying the SES receipt rule separately after the S3 bucket and bucket policy have been successfully created and propagated. Sometimes, resource dependencies can cause timing issues in CloudFormation deployments.

EXPERT
answered 2 months ago
  • That didn't work. I've tried a bunch of different changes to the policy; none seem to work.
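As an added example (not code from the question or from either answer), here is the shape of a template that follows the accepted answer while keeping the bucket policy locked down rather than dropping its condition as the second answer suggests: the KMS key is created in the same stack, so the ARN the rule references is guaranteed to exist at validation time, and the bucket policy carries aws:SourceAccount plus aws:SourceArn instead of aws:Referer, which is the older form of the same confused-deputy guard. The DomainName parameter and the rule-set and rule names are carried over from the question. Assumptions to check against the current SES receiving documentation: the receipt-rule ARN format (arn:aws:ses:REGION:ACCOUNT:receipt-rule-set/RULESET:receipt-rule/RULE) and the kms:EncryptionContext:aws:ses:source-account condition key that SES supplies when it calls KMS.

```yaml
Parameters:
  DomainName:
    Type: String
    Description: Domain whose admin@ mailbox SES receives for (carried over from the question)

Resources:
  # Customer-managed key created in the same template, so the ARN the rule
  # references exists before SES validates the S3 action.
  ForwardAdminEmailKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Encrypts inbound mail that SES stores in S3
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowKeyAdministrationByAccount
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: '*'
          - Sid: AllowSESToEncryptMail
            Effect: Allow
            Principal:
              Service: ses.amazonaws.com
            Action:
              - kms:GenerateDataKey*
              - kms:Encrypt
            Resource: '*'
            # Assumption: SES sets this encryption-context key on each call;
            # pinning it to this account stops another account's receipt rule
            # from using the key.
            Condition:
              StringEquals:
                kms:EncryptionContext:aws:ses:source-account: !Ref AWS::AccountId

  ForwardAdminEmailBucket:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  ForwardAdminEmailBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref ForwardAdminEmailBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowSESPuts
            Effect: Allow
            Principal:
              Service: ses.amazonaws.com
            Action: s3:PutObject
            Resource: !Sub ${ForwardAdminEmailBucket.Arn}/*
            # Confused-deputy guard: only this account's SES, and only this
            # specific receipt rule, may write objects here.
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
                aws:SourceArn: !Sub arn:aws:ses:${AWS::Region}:${AWS::AccountId}:receipt-rule-set/forward-admin-emails-ruleset:receipt-rule/save-to-s3-and-forward

  ForwardAdminEmailRuleSet:
    Type: AWS::SES::ReceiptRuleSet
    Properties:
      RuleSetName: forward-admin-emails-ruleset

  ForwardAdminEmailRule:
    Type: AWS::SES::ReceiptRule
    # SES checks bucket access when the rule is created, so the policy must
    # already be attached; the key dependency is implicit through !GetAtt.
    DependsOn: ForwardAdminEmailBucketPolicy
    Properties:
      RuleSetName: !Ref ForwardAdminEmailRuleSet
      Rule:
        Name: save-to-s3-and-forward
        Enabled: true
        Recipients:
          - !Sub admin@${DomainName}
        Actions:
          - S3Action:
              BucketName: !Ref ForwardAdminEmailBucket
              KmsKeyArn: !GetAtt ForwardAdminEmailKey.Arn
```

Two things the template cannot do for you: AWS::SES::ReceiptRuleSet has no property to make the set active, so after deployment run `aws ses set-active-receipt-rule-set --rule-set-name forward-admin-emails-ruleset` or the rule will never fire; and mail stored through an S3Action with KmsKeyArn is client-side encrypted by SES, so a plain GetObject returns ciphertext and you need the SDK's S3 encryption client (with kms:Decrypt on the key) to read it. On the original symptom: AWS managed keys such as aws/ses can be created lazily the first time the service uses them in a region, so an alias ARN of the form alias/aws/ses can point at nothing in a fresh account or region, which is consistent with the accepted answer's finding.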
