SES – email receiving + S3 action + encrypted S3 bucket = FAIL

Hi there, much like https://stackoverflow.com/questions/53666393/how-to-integrate-amazon-ses-with-encrypted-bucket I'm having difficulty attempting to use SES email receiving where the email is put in an S3 bucket with encryption rules and default encryption settings applied.

When creating the rule I receive the following message:

Unknown error

Request failed with unknown error, ensure that you have the necessary permissions and that all fields have correct values.

Server-side message: Could not write to bucket: BUCKET_NAME_HERE

Thoughts / comments appreciated, given that the details in the documentation are not exactly transparent on the topic.

1 Answer

Hello, a couple of thoughts on this topic:

  1. Firstly, check that the S3 bucket has the correct bucket policy to allow SES to put objects, and doesn't have any denies. The Stack Overflow link and its corresponding Amazon documents assume the correct permissions for KMS, but do not specify the proper policy for SES to upload objects (in this case emails) to S3. You can follow this link to see how to give proper permissions to S3: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html
  2. Other suggestions:

a. Make sure to enforce encryption for any email being uploaded to the S3 bucket as talked about in this blog post: https://aws.amazon.com/blogs/security/how-to-prevent-uploads-of-unencrypted-objects-to-amazon-s3/

b. Try following these steps when you configure Amazon SES to receive email and encrypt the email messages before saving them to your S3 bucket:

  1. Create a receipt rule for Amazon SES, specifying the S3 action, an S3 bucket for storage, and an AWS KMS key for encryption.

  2. Amazon SES receives an email message that matches your receipt rule.

  3. Amazon SES requests a unique data key encrypted with the KMS key that you specified in the applicable receipt rule.

  4. AWS KMS creates a new data key, encrypts it with the specified KMS key, and then sends the encrypted and plaintext copies of the data key to Amazon SES.

  5. Amazon SES uses the plaintext data key to encrypt the email message and then removes the plaintext data key from memory as soon as possible after use.

  6. Amazon SES puts the encrypted email message and the encrypted data key in the specified S3 bucket. The encrypted data key is stored as metadata with the encrypted email message.

c. Inside your KMS key's policy, make sure you have specified the required aws:ses:rule-name and aws:ses:message-id in the EncryptionContext. More information can be found here: https://docs.aws.amazon.com/kms/latest/developerguide/services-ses.html#services-ses-permissions

Kyle_W
answered 2 years ago
AWS
SUPPORT ENGINEER
reviewed 2 years ago
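As an added illustration of points 1 and 2c above (not code from the original answer or from AWS), the script below emits the two policy documents the answer refers to and lints the KMS statement to confirm it is gated on the SES encryption context. The account ID, region, bucket name and receipt-rule names are constructed placeholders.

```python
import json

# Constructed placeholders; substitute your own account, region, bucket and rule names.
ACCOUNT_ID = "111122223333"
BUCKET = "BUCKET_NAME_HERE"
RULE_ARN = (f"arn:aws:ses:us-east-1:{ACCOUNT_ID}:"
            "receipt-rule-set/RULE_SET_NAME:receipt-rule/RULE_NAME")

REQUIRED_CONTEXT = ("kms:EncryptionContext:aws:ses:rule-name",
                    "kms:EncryptionContext:aws:ses:message-id")


def ses_bucket_policy() -> dict:
    """Bucket policy letting the SES service principal write received mail,
    scoped to this account and this receipt rule (point 1 of the answer)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowSESPuts",
            "Effect": "Allow",
            "Principal": {"Service": "ses.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"StringEquals": {
                "AWS:SourceAccount": ACCOUNT_ID,
                "AWS:SourceArn": RULE_ARN,
            }},
        }],
    }


def ses_kms_key_statement() -> dict:
    """Key-policy statement for steps 3-4: SES may request a data key, but only
    when it supplies the rule-name and message-id encryption context (point 2c)."""
    return {
        "Sid": "AllowSESToGenerateDataKeys",
        "Effect": "Allow",
        "Principal": {"Service": "ses.amazonaws.com"},
        "Action": ["kms:Encrypt", "kms:GenerateDataKey*"],
        "Resource": "*",
        # Null=false means "the key must be present"; a caller omitting it is refused.
        "Condition": {"Null": {k: "false" for k in REQUIRED_CONTEXT}},
    }


def ses_statement_requires_context(stmt: dict) -> bool:
    """Lint: True only if an SES Allow statement requires both context keys."""
    if stmt.get("Effect") != "Allow":
        return False
    if stmt.get("Principal", {}).get("Service") != "ses.amazonaws.com":
        return False
    null_cond = stmt.get("Condition", {}).get("Null", {})
    return all(str(null_cond.get(k, "")).lower() == "false" for k in REQUIRED_CONTEXT)


if __name__ == "__main__":
    print(json.dumps(ses_bucket_policy(), indent=2))
    print(json.dumps(ses_kms_key_statement(), indent=2))
```

Paste the first document as the bucket policy and the second as a statement in the KMS key policy; the lint rejects a statement that has lost its Condition block, which is the usual way the encryption-context requirement gets dropped.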
