Using an Organization OU to give all accounts in that OU access to SES in another account?

0

We have the following Organization setup:

Sandbox (OU)
  - sandbox-user1
  - sandbox-user2
Prod (OU)
  - backend-prod

• Our backend workload (whether run in backend-prod or in any of the sandbox accounts) needs to use SES to send 2FA codes over email, originating from ourcompany.com.
• Each developer has a sandbox-<username> account in the Sandbox OU. Each developer account is meant to run our whole backend workload, for development purposes.
• The backend-prod account has set up and verified ownership of ourcompany.com in SES. It runs the same backend workload.

We'd like all developer accounts in the Sandbox OU to be able to send emails using @ourcompany.com. We'd like to avoid having to do manual per-account setup of the sandbox accounts in the Sandbox OU, as that wouldn't scale very well with lots of developers (e.g. doing DKIM validation for each account would be very tedious and not very IaC).

Is there a way to achieve this using Organizations? For example, could we create an IAM user in backend-prod that all the sandbox accounts are able to act as, to use SES in the backend-prod account? What would the setup look like?

P.S. Eventually we'd like to do the same for SNS for sending the same 2FA codes over SMS.

1 Answer
0

Hi, in order to grant cross-account access, the SES permissions must be granted on both ends: in the SES centralized account and in the sandbox accounts. In the SES centralized account you define an authorization policy that grants access to accounts in the specific OUs. E.g.:

{
  "Version": "2012-10-17",
  "Id": "SampleAuthorizationPolicy",
  "Statement": [
    {
      "Sid": "AuthorizeIdentity",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "ses:SendEmail",
        "ses:SendRawEmail"
      ],
      "Resource": "arn:aws:ses:<region>:<ses account>:identity/me@ourcompany.com",
      "Condition": {
        "StringLike": {
          "ses:FromAddress": "me@ourcompany.com"
        },
        "ForAnyValue:StringLike": {
          "aws:PrincipalOrgPaths": [
            "o-<org id>/r-<root id>/ou-<prod ou id>/*",
            "o-<org id>/r-<root id>/ou-<sandbox ou id>/*"
          ]
        }
      }
    }
  ]
}

(disclaimer: the authorization policy is just an example, it has not been tested)

In the Sandbox accounts you grant an IAM entity (role, user, or group), preferably an IAM role, the desired SES permissions.

AWS
answered a year ago
AWS
EXPERT
reviewed a year ago
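The following is an added example, not part of the answer above and not AWS-provided code. It builds the SES identity (sending authorization) policy from Organizations IDs, since aws:PrincipalOrgPaths values are made of org, root and OU IDs rather than OU names, and it evaluates the policy's two conditions locally so the scoping can be checked before deployment. The org ID, root ID, OU IDs, region and account number are constructed placeholders; the local evaluator is a model of the StringLike and ForAnyValue semantics, not the IAM engine, and it does not cover the sandbox-side IAM policy that must also allow the call.

```python
"""Added example (not from the original re:Post answer): build an Organizations-
scoped SES identity policy and check its conditions locally before deploying.
All IDs below are constructed placeholders, not real identifiers."""
import fnmatch
import json

# Constructed placeholder identifiers (assumed, not from the page).
ORG_ID = "o-exampleorgid"
ROOT_ID = "r-exam"
OU_IDS = {"Prod": "ou-exam-prod00001", "Sandbox": "ou-exam-sandbox1"}
REGION = "eu-west-1"
SES_ACCOUNT = "111111111111"          # the centralized SES account (backend-prod)
IDENTITY = "ourcompany.com"           # domain identity verified in that account


def org_path(ou_name: str) -> str:
    """aws:PrincipalOrgPaths is ID-based: <org>/<root>/<ou>/ (OU names are never used)."""
    return f"{ORG_ID}/{ROOT_ID}/{OU_IDS[ou_name]}/"


def build_identity_policy(ou_names, from_pattern="*@ourcompany.com") -> dict:
    """Identity policy applied in the SES account. Any principal whose org path lies
    under one of the listed OUs may send from the verified domain, but only with a
    From address matching from_pattern (otherwise delegates could spoof any sender)."""
    return {
        "Version": "2012-10-17",
        "Id": "OrgScopedSendingAuthorization",
        "Statement": [{
            "Sid": "AllowOrgUnitsToSend",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["ses:SendEmail", "ses:SendRawEmail"],
            "Resource": f"arn:aws:ses:{REGION}:{SES_ACCOUNT}:identity/{IDENTITY}",
            "Condition": {
                "StringLike": {"ses:FromAddress": from_pattern},
                "ForAnyValue:StringLike": {
                    # trailing '*' also admits accounts in OUs nested under the OU
                    "aws:PrincipalOrgPaths": [org_path(n) + "*" for n in ou_names]
                },
            },
        }],
    }


def sandbox_role_policy() -> dict:
    """IAM policy for the role the backend assumes in each sandbox account
    (the 'other end' the answer mentions); it names the identity in the SES account."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["ses:SendEmail", "ses:SendRawEmail"],
            "Resource": f"arn:aws:ses:{REGION}:{SES_ACCOUNT}:identity/{IDENTITY}",
        }],
    }


def _string_like(value: str, pattern: str) -> bool:
    """IAM StringLike: case-sensitive, only '*' and '?' are wildcards."""
    escaped = pattern.replace("[", "[[]")   # fnmatch would treat [...] as a class
    return fnmatch.fnmatchcase(value, escaped)


def is_allowed(policy: dict, principal_org_paths, from_address: str) -> bool:
    """Local model of the identity policy's conditions for one SendEmail request.
    principal_org_paths is the (multi-valued) aws:PrincipalOrgPaths of the caller."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or "ses:SendEmail" not in st["Action"]:
            continue
        cond = st["Condition"]
        from_ok = _string_like(from_address, cond["StringLike"]["ses:FromAddress"])
        patterns = cond["ForAnyValue:StringLike"]["aws:PrincipalOrgPaths"]
        # ForAnyValue: at least one of the caller's path values matches some pattern
        path_ok = any(_string_like(p, pat) for p in principal_org_paths for pat in patterns)
        if from_ok and path_ok:
            return True
    return False


if __name__ == "__main__":
    policy = build_identity_policy(["Prod", "Sandbox"])
    print(json.dumps(policy, indent=2))
    print(is_allowed(policy, [org_path("Sandbox")], "2fa@ourcompany.com"))     # True
    print(is_allowed(policy, [org_path("Sandbox")], "2fa@attacker.example"))   # False
```

When the sandbox role then calls SES, it must name the identity it is borrowing: with the SESv2 API that is the FromEmailAddressIdentityArn parameter of SendEmail (SourceArn in the v1 API); without it the request is evaluated against the caller's own account, which owns no verified identity, and is rejected.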
