
I am using AWS Simple Email Service (SES); however, I want to have a very tightly restricted policy.
I want to set up a policy to

  • only be able to send emails to a domain (mydomain)
  • from a specific ([email protected]) email address
  • using a specific configuration set (internalonly)

I have tried the entry below, but it is not restricting the recipients. I can't see what I'm doing wrong.

I've been chewing on this one for a few days, and need some help. Can anyone point me in the right direction?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ses:SendRawEmail",
            "Resource": "arn:aws:ses:eu-west-1:999999999:identity/[email protected]",
            "Condition": {
                "StringLike": {
                    "ses:FromAddress": "[email protected]"
                },
                "ForAllValues:StringLike": {
                    "ses:Recipients": "*@mydomain.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "ses:SendRawEmail",
            "Resource": "arn:aws:ses:eu-west-1:99999999999:configuration-set/internalonly",
            "Condition": {
                "StringLike": {
                    "ses:FromAddress": "[email protected]"
                },
                "ForAllValues:StringLike": {
                    "ses:Recipients": "*@mydomain.com"
                }
            }
        }
    ]
}

After applying the policy, I tested this using the details here: https://docs.aws.amazon.com/ses/latest/dg/send-email-smtp-client-command-line.html

Sample test file ses-internal.txt

EHLO mydomain.com
AUTH LOGIN
Base64EncodedSMTPUserName
Base64EncodedSMTPPassword
MAIL FROM: [email protected]
RCPT TO: [email protected]
DATA
X-SES-CONFIGURATION-SET: internalonly
From: PM Access <[email protected]>
To: [email protected]
Subject: Amazon SES SMTP Test to luke

This message was sent using the Amazon SES SMTP interface.

.
QUIT

Testing: works when it should prevent me sending to [email protected]

% openssl s_client -crlf -quiet -starttls smtp -connect email-smtp.<region>.amazonaws.com:587 < ses-internal.txt
depth=4 C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
verify return:1
depth=3 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
verify return:1
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
verify return:1
depth=0 CN = email-smtp.<region>.amazonaws.com
verify return:1
250 Ok
250-email-smtp.amazonaws.com
250-8BITMIME
250-STARTTLS
250-AUTH PLAIN LOGIN
250 Ok
334 VXNlcm5hbWU6
334 UGFzc3dvcmQ6
235 Authentication successful.
250 Ok
250 Ok
354 End data with <CR><LF>.<CR><LF>
250 Ok 01020184133e8041-ba607190-5bf0-4610-9280-bbc38b9cb074-000000
451 4.4.2 Timeout waiting for data from client.

2 Answers


  1. Chosen as BEST ANSWER

    Many thanks for the suggestion @baduker

    More reading and I found the mistake. A) The "ses:Recipients" should be an array B) The test file I was using has a schoolboy SMTP error in it. The To: field is documentary, the RCPT TO: field is the real recipient.

    Here is the complete solution

    1. The correct IAM rule:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ses:SendRawEmail",
                "Resource": "arn:aws:ses:eu-west-1:999999999999:identity/[email protected]",
                "Condition": {
                    "StringLike": {
                        "ses:FromAddress": "[email protected]"
                    },
                    "ForAllValues:StringLike": {
                        "ses:Recipients": [
                            "*@mydomain.com"
                        ]
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": "ses:SendRawEmail",
                "Resource": "arn:aws:ses:eu-west-1:999999999999:configuration-set/internalonly",
                "Condition": {
                    "StringLike": {
                        "ses:FromAddress": "[email protected]"
                    },
                    "ForAllValues:StringLike": {
                        "ses:Recipients": [
                            "*@mydomain.com"
                        ]
                    }
                }
            }
        ]
    }
    
    2. The correct test file
    EHLO propertymonitor.com
    AUTH LOGIN
    Base64EncodedSMTPUserName
    Base64EncodedSMTPPassword
    MAIL FROM: [email protected]
    RCPT TO: [email protected]
    DATA
    X-SES-CONFIGURATION-SET: internalonly
    From: PM Access <[email protected]>
    Subject: Amazon SES SMTP Test to luke
    
    This message was sent using the Amazon SES SMTP interface.
    
    .
    QUIT
    
    
    3. The command:
    openssl s_client -crlf -quiet -starttls smtp -connect email-smtp.eu-west-1.amazonaws.com:587 < ses-internal-fail.txt
    
    4. Running it gives the desired results:
    depth=4 C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
    verify return:1
    depth=3 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
    verify return:1
    depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
    verify return:1
    depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
    verify return:1
    depth=0 CN = email-smtp.eu-west-1.amazonaws.com
    verify return:1
    250 Ok
    250-email-smtp.amazonaws.com
    250-8BITMIME
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250 Ok
    334 XXXXXX
    334 YYYYYY
    235 Authentication successful.
    250 Ok
    250 Ok
    354 End data with <CR><LF>.<CR><LF>
    554 Access denied: User `arn:aws:iam::999999999:user/ses-internal-user' is not authorized to perform `ses:SendRawEmail' on resource `arn:aws:ses:eu-west-1:999999999:identity/[email protected]'
    451 4.4.2 Timeout waiting for data from client.
    

  2. Could you give this policy a try and see if the recipients are getting restricted?

    {
      "Version":"2012-10-17",
      "Statement":[
        {
          "Sid":"AuthorizeAWS",
          "Effect":"Allow",
          "Resource":"arn:aws:ses:eu-west-1:999999999999:identity/[email protected]",
          "Action":[
            "ses:SendEmail",
            "ses:SendRawEmail"
          ],
          "Condition":{
            "StringLike":{
              "ses:FromAddress":"[email protected]"
            }
          }
        },
        {
          "Sid":"AuthorizeInternal",
          "Effect":"Allow",
          "Resource":"arn:aws:ses:eu-west-1:999999999999:identity/[email protected]",
          "Action":[
            "ses:SendEmail",
            "ses:SendRawEmail"
          ],
          "Condition":{
            "ForAllValues:StringLike":{
              "ses:Recipients":"*@mydomain.com"
            }
          }
        }
      ]
    }
    

    Also, please note that to use a configuration set when sending an email, you must pass the name of the configuration set in the headers of the email.
