Can I authorise a customer account to send email using my SES account?

0

I have two AWS accounts, one is for my own use and one is used for a customer. Both are in the same Organisation so that I can accurately distinguish costs between my usage and my customer's.

My account has a production SES account, and I would like to enable a lambda function in my customer's account to send emails to me using my production account. Is this possible? It looks like it is https://aws.amazon.com/blogs/messaging-and-targeting/how-to-grant-another-ses-account-or-user-permission-to-send-emails/ but if I'm reading the article right, my customer would have to have production SES access too, in which case there's no point in delegating them access to mine.

I want a scalable model - I don't want the overhead of having to apply for production SES access for every new customer, as the volume of emails is low (they're just operational) but they are sent to an email address in a different domain.

Any help appreciated,

David

dmb0058
Asked 2 months ago, viewed 105 times
2 Answers
0

If the emails your customers will be sending are to you (that is, to your verified/verifiable identities in SES), the message volumes are low, and associated costs would be correspondingly modest and perhaps not notable enough to allocate to your customers, would it be an option for the customer accounts simply to remain in sandbox mode? That would still allow them to send 200 emails per day to verified identities.

Alternatively, would it be possible to allow them to assume a role or roles in your production account, if they're using the REST API to send the mails, or the static username/password derived from the access keys of an IAM user in your account, if they need to use SMTP? You could use the ses:FromAddress and/or ses:Recipients request context condition keys (https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonses.html) to limit the permissions of the role/user to sending emails just to you, despite your production account otherwise having broader sending privileges.

Expert
Leo K
Answered 2 months ago
0

Some really interesting ideas there, thanks!

I remembered another use case I need to cater for - each of their users needs to be able to request their lambda to email them any data it's collected (saved in DynamoDB). So I guess I could have all of their email addresses verified, then they could stay in the sandbox and make do with 200 requests per day.

I suspect the simplest solution is for their lambda to collect all the data into a raw email then assume a role in my production account that allows it to use SES to send that to the requestor. I'll have to work out some way to do the reporting/accounting, maybe out of the cloudwatch logs or something.

Thanks!

David

dmb0058
Answered 2 months ago
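The cross-account role approach from both answers above, sketched as an added example (not code from either poster): the two policy documents for a role in the SES production account, restricted with the `ses:FromAddress` and `ses:Recipients` condition keys, and the assume-role-then-send call the customer's Lambda would make. The account ID, role names and email addresses are constructed placeholders.

```python
import json

def trust_policy(customer_account_id, lambda_role_name):
    """Trust policy on the role in the SES production account: only the
    customer's Lambda execution role (hypothetical name) may assume it."""
    principal = f"arn:aws:iam::{customer_account_id}:role/{lambda_role_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal},
            "Action": "sts:AssumeRole",
        }],
    }

def sender_policy(from_address, recipient_patterns):
    """Permissions policy on the same role: sending is allowed only from one
    address and only when every recipient matches an allowed pattern."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["ses:SendEmail", "ses:SendRawEmail"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {"ses:FromAddress": from_address},
                # ses:Recipients is multi-valued, so use a set operator
                "ForAllValues:StringLike": {"ses:Recipients": recipient_patterns},
            },
        }],
    }

def send_raw_via_role(role_arn, region, source, destinations, raw_message):
    """Runs in the customer's Lambda: assume the role, then send through SES."""
    import boto3  # imported here so the policy builders work without boto3
    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName="customer-ses-sender")["Credentials"]
    ses = boto3.client(
        "ses", region_name=region,
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"])
    resp = ses.send_raw_email(Source=source, Destinations=destinations,
                              RawMessage={"Data": raw_message})
    return resp["MessageId"]

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread
    print(json.dumps(trust_policy("111122223333", "report-lambda-role"), indent=2))
    print(json.dumps(sender_policy("reports@customer.example",
                                   ["david@example.com"]), indent=2))
```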
