Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

SES Templates do not support specific resources or conditions

0

Hello AWS Community,

I am setting up IAM permissions to isolate each developer's stack in my organization. However, shared resources are problematic when it comes to applying the least-privilege access principle.

I want to delegate SES template management to the developers of the team. This means each developer has a CloudFormation stack with email templates and I need to prevent a developer from interacting with templates which he/she does not own.

According to https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonses.html , this is impossible. The only possible resource for the action ses:UpdateTemplate is "*" and no condition is supported. This means that an attacker using a developer's credentials could update a template used in production and insert malicious content. This seems like a huge security oversight from Amazon.

Is it not possible to delegate SES template management in a secure way or am I missing something?

Looking forward to your answers,
Thank you!

Edited by: ArielGadboisRoy on Apr 9, 2021 1:11 PM

Topics
Front-End Web & MobileBusiness Applications
Tags
Amazon Simple Email Service
Language
English
asked 5 years ago739 views
1 Answer
0

The answer is to use the SES v2 API, because it supports template resources in IAM policies.
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsimpleemailservicev2.html

answered 5 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content