
How to make AWS Pinpoint to use AWS SES from another account?


We have an AWS Organization with a shared account, a Development account, and a Staging account. Our AWS shared account has been configured to use SES and S3. My question is: is it possible for the AWS Pinpoint email channel in the Development account and the Staging account to use SES in the shared account?

Thank you

1 Answer

Step 1: Configure SES in the Shared Account

Create an IAM Role in the Shared Account:

Go to the IAM console in the shared account.

Create a new role and select Another AWS account as the trusted entity.

Enter the account IDs of your Development and Staging accounts.

Attach the following policy to the role to allow sending emails through SES:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ses:SendEmail",
        "ses:SendRawEmail"
      ],
      "Resource": "arn:aws:ses:<region>:<shared-account-id>:identity/*"
    }
  ]
}

Update SES Sending Authorization Policy:

Go to the SES console in the shared account.

Navigate to Email Addresses or Domains under Verified Identities.

Select the identity you want to use (email address or domain) and go to its Authorization tab.

{
  "Version": "2012-10-17",
  "Id": "ExamplePolicy",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<dev-account-id>:root",
          "arn:aws:iam::<staging-account-id>:root"
        ]
      },
      "Action": "ses:SendEmail",
      "Resource": "arn:aws:ses:<region>:<shared-account-id>:identity/<domain-or-email>"
    }
  ]
}

Step 2: Configure IAM Policies in Development and Staging Accounts

Create an IAM Role in Development and Staging Accounts:

Go to the IAM console in each of the Development and Staging accounts.

Create a new role for Pinpoint to assume and select AWS service as the trusted entity and Pinpoint as the service.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::<shared-account-id>:role/<role-created-in-shared-account>"
    }
  ]
}

Step 3: Configure Pinpoint to Use SES

Set Up Email Channel in Pinpoint:

Go to the Pinpoint console in the Development or Staging account.

Choose the project you want to configure.

In the left navigation pane, under Settings, choose Email.

For the Email identity, enter the verified email address or domain that was configured in the shared account.

For Sending authorization, enter the ARN of the role created in the shared account (from Step 1).

Shared Account IAM Role Trust Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<dev-account-id>:root",
          "arn:aws:iam::<staging-account-id>:root"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Development/Staging Account IAM Role Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::<shared-account-id>:role/<role-created-in-shared-account>"
    }
  ]
}

EXPERT
answered 2 years ago
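As an added example (not part of the answer above, and not AWS or Pinpoint code), the script below loads copies of the three policies posted in the answer, with constructed account IDs, region and domain standing in for the <...> placeholders, and lints them for the grants a reviewer would normally tighten before rolling this out: account-root principals (which admit every principal in that account that can call sts:AssumeRole or ses:Send*, not only the Pinpoint role), the identity/* resource on the shared-account role, actions the role is granted but the identity policy never authorizes (ses:SendRawEmail in the posted policies), mismatched account lists between the identity policy and the trust policy, and an identity policy with no Condition limiting the From address.

```python
"""Lint the cross-account SES / IAM policies posted in the answer above.

Added example, not part of the original answer. Account IDs, region and
domain below are constructed stand-ins for the answer's placeholders.
"""

# Constructed values in place of <shared-account-id>, <dev-account-id>, etc.
SHARED_ACCOUNT = "111111111111"
DEV_ACCOUNT = "222222222222"
STAGING_ACCOUNT = "333333333333"
REGION = "us-east-1"
IDENTITY = "example.com"

# Permissions policy on the role in the shared account (as posted, identity/*).
ROLE_PERMISSIONS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ses:SendEmail", "ses:SendRawEmail"],
        "Resource": f"arn:aws:ses:{REGION}:{SHARED_ACCOUNT}:identity/*",
    }],
}

# SES sending authorization (identity) policy on the verified identity (as posted).
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Id": "ExamplePolicy",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [f"arn:aws:iam::{DEV_ACCOUNT}:root",
                               f"arn:aws:iam::{STAGING_ACCOUNT}:root"]},
        "Action": "ses:SendEmail",
        "Resource": f"arn:aws:ses:{REGION}:{SHARED_ACCOUNT}:identity/{IDENTITY}",
    }],
}

# Trust policy on the shared-account role (as posted).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [f"arn:aws:iam::{DEV_ACCOUNT}:root",
                               f"arn:aws:iam::{STAGING_ACCOUNT}:root"]},
        "Action": "sts:AssumeRole",
    }],
}


def _as_list(value):
    """IAM allows Action / Resource / Principal entries as a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]


def aws_principals(statement):
    """AWS (account, user or role) principals of one statement; '*' means anyone."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS"))


def principal_accounts(policy):
    """Account IDs granted through account-root ARNs (arn:aws:iam::ACCOUNT:root)."""
    accounts = set()
    for stmt in allow_statements(policy):
        for arn in aws_principals(stmt):
            if arn.startswith("arn:aws:iam::") and arn.endswith(":root"):
                accounts.add(arn.split(":")[4])
    return accounts


def allowed_actions(policy):
    return {a for s in allow_statements(policy) for a in _as_list(s.get("Action"))}


def lint(role_permissions, identity_policy, trust_policy):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    # 1. Account-root principals admit every principal in that account, not just the Pinpoint role.
    for name, policy in (("identity policy", identity_policy), ("trust policy", trust_policy)):
        for stmt in allow_statements(policy):
            for arn in aws_principals(stmt):
                if arn == "*":
                    findings.append(f"{name}: Principal '*' allows any AWS account")
                elif arn.endswith(":root"):
                    findings.append(f"{name}: account-wide principal {arn}; prefer the ARN of the role Pinpoint assumes")
    # 2. identity/* lets the role send as every identity in the shared account.
    for stmt in allow_statements(role_permissions):
        for res in _as_list(stmt.get("Resource")):
            if res.endswith(":identity/*"):
                findings.append(f"role permissions: Resource {res} covers every SES identity in the account")
    # 3. Actions the role holds that the identity policy never authorizes fail at send time.
    missing = allowed_actions(role_permissions) - allowed_actions(identity_policy)
    if missing:
        findings.append("identity policy does not authorize " + ", ".join(sorted(missing)) + " which the role is granted")
    # 4. Both cross-account grants should name the same accounts.
    if principal_accounts(identity_policy) != principal_accounts(trust_policy):
        findings.append("identity policy and trust policy trust different accounts")
    # 5. Without a Condition, an allowed principal may send from any address under the identity.
    for stmt in allow_statements(identity_policy):
        if "Condition" not in stmt:
            findings.append("identity policy: no Condition (e.g. ses:FromAddress) restricting the From address")
    return findings


if __name__ == "__main__":
    for finding in lint(ROLE_PERMISSIONS, IDENTITY_POLICY, TRUST_POLICY):
        print("-", finding)
```

Run it with the policies as posted and it reports seven findings; narrowing the role's Resource to the single identity and its Action to ses:SendEmail removes the identity/* and action-mismatch findings, and replacing the :root principals with the ARN of the specific Pinpoint role in each account removes the account-wide-principal findings. The checks are structural only: they do not replace testing the configuration against a real account.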
  • Thank you for answering my question. Is it an AI-generated answer? Because, as we know, the Pinpoint email setting doesn't have a form "Sending authorization > enter the ARN of the role" that you mention in step 3.

    Anyway, I have tried those steps, but when I test it with "Test messaging", Pinpoint still uses its SES, not the one in the shared account.
