Step 1: Check S3 Bucket Policy
Ensure that your S3 bucket policy allows Amazon SES to write objects to the bucket. Here is an example policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ses.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*",
      "Condition": {
        "StringEquals": {
          "aws:Referer": "your-aws-account-id"
        }
      }
    }
  ]
}
```
Step 2: Verify IAM Role Permissions
Make sure that the IAM role or user that SES is using has the necessary permissions to access the S3 bucket. Attach a policy like the following to the IAM role or user:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*"
    }
  ]
}
```
Step 3: SES Configuration
Ensure that the SES configuration for the action to deliver emails to the S3 bucket is set up correctly. Verify the following:
- Rule Set: Confirm that you have the correct rule set active.
- Rule: Within the rule set, ensure that you have created a rule with an action to deliver to the specified S3 bucket.
Step 4: Test the Configuration
After applying the correct policies, test the configuration by sending a test email to your domain to see if it gets delivered to the S3 bucket without the "Access Denied" error.
Example S3 Bucket Policy and IAM Role Policy
Here's a more concrete example if you need further clarification:
S3 Bucket Policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ses.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-ses-emails-bucket/*",
      "Condition": {
        "StringEquals": {
          "aws:Referer": "123456789012"
        }
      }
    }
  ]
}
```
IAM Role Policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-ses-emails-bucket/*"
    }
  ]
}
```
Hi Nir Harel,
Please go through the steps below; I hope they help resolve your issue.
Create an IAM Role for SES:
- Create an IAM role that allows SES to write to your S3 bucket.
- Attach a policy to this role that grants the necessary permissions.
Here is an example of an IAM role trust policy that allows SES to assume the role:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ses.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
Attach a policy to this role that allows SES to write to your S3 bucket:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*"
    }
  ]
}
```
Configure Your S3 Bucket Policy:
- Ensure that your S3 bucket policy allows SES to write to it. You need to specify the actions and the resources (bucket and objects).
Here is an example of an S3 bucket policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ses.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*",
      "Condition": {
        "StringEquals": {
          "aws:Referer": "AWS-Account-ID"
        }
      }
    }
  ]
}
```
Replace your-bucket-name with the name of your S3 bucket and AWS-Account-ID with your AWS account ID.
Configure SES to Deliver Emails to the S3 Bucket:
- When setting up the rule in SES to deliver emails to the S3 bucket, ensure you specify the IAM role you created.
In the SES console:
- Go to "Email Receiving" and create or edit a rule set.
- Add an action to "S3".
- Specify the bucket name and select the IAM role you created.
Verify Permissions:
- Double-check all ARNs (Amazon Resource Names) are correct.
- Ensure there are no typos in the bucket name, IAM role, or policy documents.
I've created SES (and the bucket) using my root user. Should I have done it differently? How can I set which user runs SES? Which user should I use?
Also, regarding "Configure SES to Deliver Emails to the S3 Bucket: When setting up the rule in SES to deliver emails to the S3 bucket, ensure you specify the IAM role you created": I don't see where I can specify the IAM role. From what I see, S3 gets only my account ID ("aws:Referer": "AWS-Account-ID"), and in SES I don't see where to define which user it uses.
Never use aws:Referer anywhere related to security. The policy example won't work. The correct one is in AWS's documentation.
Hello,
The "AccessDenied" error when using SES with S3 is likely due to IAM permission issues. Here's a simplified troubleshooting guide:
- Check Bucket Policy: Ensure the S3 bucket policy allows SES to put objects (emails) in the bucket.
- Check IAM User/Role Policy: Verify that the IAM user or role used by SES has the s3:PutObject permission for the bucket.
- Service Configuration: Confirm you are using the correct service (S3, SQS, or SNS) for your notifications. If using S3, ensure permissions are correctly configured.
Update S3 Bucket Policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ses.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*"
    }
  ]
}
```
Update IAM Policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::your-bucket-name/*"
    }
  ]
}
```
- Troubleshooting Guide: AWS S3 Access Denied Errors
- SES Documentation: Amazon SES Documentation
SES doesn't use an IAM user, IAM role, or IAM policy to access the bucket. Please read my earlier advice in this discussion.
Hello,
The "AccessDenied" error likely stems from IAM permission issues. Check:
- Bucket Policy: Does it allow SES to put objects (emails) in the bucket?
- IAM User/Role Policy: Does your SES user have "s3:PutObject" permission on the bucket?
SES can't store emails in your S3 bucket. Double-check if you meant to use a different service like SQS or SNS for notifications. If it absolutely must be S3, ensure IAM permissions for SES to "PutObject" in the bucket.
Troubleshoot Access Denied Errors:
- The official AWS documentation offers a detailed guide on troubleshooting access denied errors in S3, which can be helpful in pinpointing the exact issue https://docs.aws.amazon.com/AmazonS3/latest/userguide/troubleshoot-403-errors.html.
SES Documentation: Refer to the SES documentation for specific instructions on setting up email notifications and configuring permissions https://docs.aws.amazon.com/ses/.
The other replies are incorrectly talking about SES using IAM roles and configuring permissions for the IAM roles, or SES using an IAM user. Both are wrong. SES doesn't use IAM roles, and it doesn't use an IAM user to access your bucket. You may be using an IAM user with static access keys to send email over SMTP to SES, but SES doesn't access your bucket with that user.
SES uses an AWS service principal, ses.amazonaws.com, to access the bucket. You can find the example S3 bucket policy for granting access to SES's service principal (not related to any IAM role) in this documentation article: https://docs.aws.amazon.com/ses/latest/dg/receiving-email-permissions.html
The same article also shows the proper KMS key policy statements to allow SES to write to the bucket if it's using SSE-KMS encryption, but it sounds very unlikely that it is. Therefore, all you need is the bucket policy statement at the beginning of the documentation page, adjusted to reflect your account ID and receive rule ARN, and you can disregard the rest of the document regarding KMS keys, Lambda access, etc.
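The point made above, that the grant has to be to the service principal ses.amazonaws.com scoped by account ID and receipt rule ARN rather than by aws:Referer, can be checked mechanically before the policy is applied. The following linter is an added example, not code from the thread or from AWS; the two sample policies are constructed, the aws:Referer one mirroring the earlier answers and the other using the aws:SourceAccount / aws:SourceArn condition keys that the linked AWS documentation relies on, with a placeholder account ID and rule ARN.

```python
"""Lint an S3 bucket policy for the SES receipt-rule grant (added example)."""
import json

SES_PRINCIPAL = "ses.amazonaws.com"


def _as_list(value):
    """IAM allows scalars or lists in most policy fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_ses_bucket_policy(policy_json: str, bucket: str) -> dict:
    """Report how the statement that lets SES write into `bucket` is scoped."""
    findings = {"grants_ses_putobject": False, "uses_referer": False,
                "scoped_by_source_account": False, "scoped_by_source_arn": False}
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (stmt.get("Effect") != "Allow" or SES_PRINCIPAL not in services
                or "s3:PutObject" not in _as_list(stmt.get("Action", []))
                or not any(r.startswith(f"arn:aws:s3:::{bucket}/")
                           for r in _as_list(stmt.get("Resource", [])))):
            continue
        findings["grants_ses_putobject"] = True
        # Condition keys are case-insensitive in IAM, so compare lower-cased.
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        findings["uses_referer"] = "aws:referer" in keys          # spoofable header
        findings["scoped_by_source_account"] = "aws:sourceaccount" in keys
        findings["scoped_by_source_arn"] = "aws:sourcearn" in keys
    return findings


# Constructed sample: the aws:Referer style policy from the earlier answers.
REFERER_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": SES_PRINCIPAL},
    "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-ses-emails-bucket/*",
    "Condition": {"StringEquals": {"aws:Referer": "123456789012"}}}]})

# Constructed sample: same grant, scoped to the account and receipt rule
# (placeholder account ID and rule ARN, not values from the thread).
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": SES_PRINCIPAL},
    "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-ses-emails-bucket/*",
    "Condition": {"StringEquals": {
        "AWS:SourceAccount": "123456789012",
        "AWS:SourceArn": "arn:aws:ses:us-west-2:123456789012:receipt-rule-set/"
                         "PLACEHOLDER-RULE-SET:receipt-rule/PLACEHOLDER-RULE"}}}]})
```

Running `check_ses_bucket_policy(REFERER_POLICY, "my-ses-emails-bucket")` flags `uses_referer` with neither source scope present, while the scoped policy reports both scopes and no Referer.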
Thanks, I've used the S3 bucket policy from the link (I think the default bucket policy provided when I created a new bucket from SES also seems OK), but in both cases I still get the access denied messages. I've added a prefix, so the SES process created a folder (doesn't that mean it has access?), but I still get an AMAZON_SES_SETUP_NOTIFICATION inside it with the access denied value.
Yes, if SES created the folder-like object in your bucket, it's able to write to your S3 bucket. Did you have your DNS records, including the MX records, DKIM, SPF, and DMARC set up the way the SES setup wizard instructed? SES won't allow you to receive emails without proving that you own the domain or email address, which you do by verifying the identity of your domain like this: https://docs.aws.amazon.com/ses/latest/dg/creating-identities.html Note that identities have to be verified also for receiving emails, even though documentation mostly discusses sending them.
I think I have. I have a verified domain, DKIM is successful, and the Mail from configuration is successful (MX and SPF). I have 2 MX records: the feedback-smtp.... one included in Mail from, and inbound-smtp.us-west-2.amazonaws.com. I also have a basic DMARC record. Also, every time I send an email I get an error file on S3, so it seems like the email sort of makes it through.
If the domain is properly validated, and since SES has all the permissions needed to write in the bucket, as you observed, there's no obvious reason why the access denied error would be delivered instead of the email. I suggest you simply raise a support ticket in your account. They can see your whole configuration at once, including a large number of more obscure possible sources of issues.
aws:Referershould never be used in anything related to security. It looks at the HTTP headerReferer(misspelt in the HTTP protocol standard), which anyone making a request can populate with whatever value they please. AWS doesn't use it to indicate the account on whose behalf the request is being made.