Hello,
From the above use case, I understand that you need an IAM policy that can verify the identity but is not able to list all the identities in the account. Please let me know if I misunderstood the query.
For this use case, as you specified, the create identity action is available in SES v2. With the following set, you can verify and create but not list the identities.
```json
[
  "ses:SendEmail",
  "ses:TagResource",
  "ses:CreateEmailIdentity",
  "ses:SendBulkEmail"
]
```
SES v2 supports authorization based on tags (see the Customer engagement services section of https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html#engagement_svcs). So if tags are supported for the resource (meaning you can create tags), then you can use the "aws:ResourceTag" condition key, as that condition key checks the tag of the resource.
Controlling access to AWS resources using tags - https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html
AWS global condition context keys - aws:ResourceTag/tag-key - https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag
Using tags, you can control this on the IAM side, and whichever IAM principal creates the resource should be able to send using that IAM policy. You can give permissions for a specific verified identity using the following:
The following policy permits a user to call the Amazon SES email-sending APIs, but only if the "From" address is marketing@example.com.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ses:SendEmail",
        "ses:SendRawEmail"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ses:FromAddress": "marketing@example.com"
        }
      }
    }
  ]
}
```
Reference : https://docs.aws.amazon.com/ses/latest/dg/control-user-access.html
Please let me know if there are any questions or concerns.
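Added example, not part of the answer above: a small offline evaluator for the two policy patterns the answer describes (the ses:FromAddress condition from the page, and a tag-scoped variant built on aws:RequestTag / aws:ResourceTag with the ${aws:username} policy variable), so you can check which requests each pattern admits before deploying. The tag-scoped policy, the `owner` tag key, the identity ARN and the account ID are assumptions constructed for the example; the evaluator models only Allow/Deny, wildcard Action/Resource matching and StringEquals/StringLike conditions, and is not a substitute for the IAM policy simulator.

```python
"""Offline check of SES v2 IAM condition patterns (added example, not AWS code)."""
import fnmatch

# Policy quoted in the answer: send only if the From address is marketing@example.com.
FROM_ADDRESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ses:SendEmail", "ses:SendRawEmail"],
        "Resource": "*",
        "Condition": {"StringEquals": {"ses:FromAddress": "marketing@example.com"}},
    }],
}

# ASSUMED tag-scoped policy: a principal may create/tag identities carrying
# owner=<its own user name> and send from identities tagged that way, but gets
# no ses:ListEmailIdentities permission at all.
TAG_SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ses:CreateEmailIdentity", "ses:TagResource"],
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:RequestTag/owner": "${aws:username}"}},
        },
        {
            "Effect": "Allow",
            "Action": ["ses:SendEmail", "ses:SendBulkEmail"],
            "Resource": "arn:aws:ses:us-east-1:123456789012:identity/*",
            "Condition": {"StringEquals": {"aws:ResourceTag/owner": "${aws:username}"}},
        },
    ],
}

# Constructed sample identity ARN (account ID and domain are placeholders).
IDENTITY_ARN = "arn:aws:ses:us-east-1:123456789012:identity/alice.example.com"


def _substitute(value, ctx):
    # Expand ${key} policy variables (e.g. ${aws:username}) from the request context.
    for key, val in ctx.items():
        value = value.replace("${" + key + "}", val)
    return value


def _matches(pattern, value):
    # Action/Resource may be a string or a list; '*' and '?' are IAM wildcards.
    patterns = [pattern] if isinstance(pattern, str) else pattern
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_ok(condition, ctx):
    # Every operator/key pair must hold; a missing context key fails StringEquals/StringLike.
    for op, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            wanted = [expected] if isinstance(expected, str) else list(expected)
            wanted = [_substitute(w, ctx) for w in wanted]
            if op == "StringEquals":
                if actual not in wanted:
                    return False
            elif op == "StringLike":
                if not any(fnmatch.fnmatchcase(actual, w) for w in wanted):
                    return False
            else:
                raise ValueError("unsupported condition operator: " + op)
    return True


def is_allowed(policy, action, resource, ctx):
    """Return True if some Allow statement matches and no matching Deny exists."""
    allowed = False
    for st in policy["Statement"]:
        if not _matches(st["Action"], action) or not _matches(st["Resource"], resource):
            continue
        if not _condition_ok(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return False  # explicit deny always wins
        allowed = True
    return allowed


if __name__ == "__main__":
    print(is_allowed(FROM_ADDRESS_POLICY, "ses:SendEmail", IDENTITY_ARN,
                     {"ses:FromAddress": "marketing@example.com"}))
    print(is_allowed(TAG_SCOPED_POLICY, "ses:SendEmail", IDENTITY_ARN,
                     {"aws:username": "bob", "aws:ResourceTag/owner": "alice"}))
```

The second policy only works if the identity was actually tagged at creation, which is why the creating principal also needs ses:TagResource and the create statement is keyed on aws:RequestTag; an untagged identity matches no statement and sending from it is implicitly denied.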