Actions, resources, and condition keys for Amazon Simple Email Service v2 - Service Authorization Reference

Actions, resources, and condition keys for Amazon Simple Email Service v2

Amazon Simple Email Service v2 (service prefix: ses ) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by Amazon Simple Email Service v2

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table .

Actions Description Access level Resource types (*required) Condition keys Dependent actions
CreateConfigurationSet Grants permission to create a new configuration set Write

aws:TagKeys

aws:RequestTag/${TagKey}

CreateConfigurationSetEventDestination Grants permission to create a configuration set event destination Write

configuration-set*

aws:ResourceTag/${TagKey}

CreateContact Grants permission to create a contact Write

contact-list*

aws:ResourceTag/${TagKey}

CreateContactList Grants permission to create a contact list Write

aws:TagKeys

aws:RequestTag/${TagKey}

CreateCustomVerificationEmailTemplate Grants permission to create a new custom verification email template Write

identity*

CreateDedicatedIpPool Grants permission to create a new pool of dedicated IP addresses Write

aws:TagKeys

aws:RequestTag/${TagKey}

CreateDeliverabilityTestReport Grants permission to create a new predictive inbox placement test Write

identity*

aws:TagKeys

aws:RequestTag/${TagKey}

CreateEmailIdentity Grants permission to start the process of verifying an email identity Write

aws:TagKeys

aws:RequestTag/${TagKey}

CreateEmailIdentityPolicy Grants permission to create the specified sending authorization policy for the given identity Permissions management

identity*

aws:ResourceTag/${TagKey}

CreateEmailTemplate Grants permission to create an email template Write
CreateImportJob Grants permission to creates an import job for a data destination Write
DeleteConfigurationSet Grants permission to delete an existing configuration set Write

configuration-set*

aws:ResourceTag/${TagKey}

DeleteConfigurationSetEventDestination Grants permission to delete an event destination Write

configuration-set*

aws:ResourceTag/${TagKey}

DeleteContact Grants permission to delete a contact from a contact list Write

contact-list*

aws:ResourceTag/${TagKey}

DeleteContactList Grants permission to delete a contact list with all of its contacts Write

contact-list*

aws:ResourceTag/${TagKey}

DeleteCustomVerificationEmailTemplate Grants permission to delete an existing custom verification email template Write

custom-verification-email-template*

DeleteDedicatedIpPool Grants permission to delete a dedicated IP pool Write

dedicated-ip-pool*

aws:ResourceTag/${TagKey}

DeleteEmailIdentity Grants permission to delete an email identity Write

identity*

aws:ResourceTag/${TagKey}

DeleteEmailIdentityPolicy Grants permission to delete the specified sending authorization policy for the given identity (an email address or a domain) Permissions management

identity*

aws:ResourceTag/${TagKey}

DeleteEmailTemplate Grants permission to delete an email template Write

template*

DeleteSuppressedDestination Grants permission to remove an email address from the suppression list for your account Write
GetAccount Grants permission to get information about the email-sending status and capabilities for your account Read
GetBlacklistReports Grants permission to retrieve a list of the deny lists on which your dedicated IP addresses or tracked domains appear Read
GetConfigurationSet Grants permission to get information about an existing configuration set Read

configuration-set*

aws:ResourceTag/${TagKey}

GetConfigurationSetEventDestinations Grants permission to retrieve a list of event destinations that are associated with a configuration set Read

configuration-set*

aws:ResourceTag/${TagKey}

GetContact Grants permission to return a contact from a contact list Read

contact-list*

aws:ResourceTag/${TagKey}

GetContactList Grants permission to return contact list metadata Read

contact-list*

GetCustomVerificationEmailTemplate Grants permission to return the custom email verification template for the template name you specify Read

custom-verification-email-template*

GetDedicatedIp Grants permission to get information about a dedicated IP address Read
GetDedicatedIps Grants permission to list the dedicated IP addresses a dedicated IP pool Read

dedicated-ip-pool*

aws:ResourceTag/${TagKey}

GetDeliverabilityDashboardOptions Grants permission to get the status of the Deliverability dashboard Read
GetDeliverabilityTestReport Grants permission to retrieve the results of a predictive inbox placement test Read

deliverability-test-report*

aws:ResourceTag/${TagKey}

GetDomainDeliverabilityCampaign Grants permission to retrieve all the deliverability data for a specific campaign Read
GetDomainStatisticsReport Grants permission to retrieve inbox placement and engagement rates for the domains that you use to send email Read

identity*

aws:ResourceTag/${TagKey}

GetEmailIdentity Grants permission to get information about a specific identity Read

identity*

aws:ResourceTag/${TagKey}

GetEmailIdentityPolicies Grants permission to return the requested sending authorization policies for the given identity (an email address or a domain) Read

identity*

aws:ResourceTag/${TagKey}

GetEmailTemplate Grants permission to return the template object, which includes the subject line, HTML part, and text part for the template you specify Read

template*

GetImportJob Grants permission to provide information about an import job Read

import-job*

GetSuppressedDestination Grants permission to retrieve information about a specific email address that's on the suppression list for your account Read
ListConfigurationSets Grants permission to list all of the configuration sets for your account List
ListContactLists Grants permission to list all of the contact lists available for your account List
ListContacts Grants permission to list the contacts present in a specific contact list List

contact-list*

ListCustomVerificationEmailTemplates Grants permission to list all of the existing custom verification email templates for your account List
ListDedicatedIpPools Grants permission to list all of the dedicated IP pools for your account List
ListDeliverabilityTestReports Grants permission to retrieve the list of the predictive inbox placement tests that you've performed, regardless of their statuses, for your account List
ListDomainDeliverabilityCampaigns Grants permission to list deliverability data for campaigns that used a specific domain to send email during a specified time range Read
ListEmailIdentities Grants permission to list the email identities for your account List
ListEmailTemplates Grants permission to list all of the email templates for your account List
ListImportJobs Grants permission to list all of the import jobs for your account List
ListSuppressedDestinations Grants permission to list email addresses that are on the suppression list for your account Read
ListTagsForResource Grants permission to retrieve a list of the tags (keys and values) that are associated with a specific resource for your account Read

configuration-set

contact-list

dedicated-ip-pool

deliverability-test-report

identity

PutAccountDedicatedIpWarmupAttributes Grants permission to enable or disable the automatic warm-up feature for dedicated IP addresses Write
PutAccountDetails Grants permission to update your account details Write
PutAccountSendingAttributes Grants permission to enable or disable the ability to send email for your account Write
PutAccountSuppressionAttributes Grants permission to change the settings for the account-level suppression list Write
PutConfigurationSetDeliveryOptions Grants permission to associate a configuration set with a dedicated IP pool Write

configuration-set*

aws:ResourceTag/${TagKey}

PutConfigurationSetReputationOptions Grants permission to enable or disable collection of reputation metrics for emails that you send using a particular configuration set Write

configuration-set*

aws:ResourceTag/${TagKey}

PutConfigurationSetSendingOptions Grants permission to enable or disable email sending for messages that use a particular configuration set Write

configuration-set*

aws:ResourceTag/${TagKey}

PutConfigurationSetSuppressionOptions Grants permission to specify the account suppression list preferences for a particular configuration set Write

configuration-set*

aws:ResourceTag/${TagKey}

PutConfigurationSetTrackingOptions Grants permission to specify a custom domain to use for open and click tracking elements in email that you send for a particular configuration set Write

configuration-set*

aws:ResourceTag/${TagKey}

PutDedicatedIpInPool Grants permission to move a dedicated IP address to an existing dedicated IP pool Write

dedicated-ip-pool*

aws:ResourceTag/${TagKey}

PutDedicatedIpWarmupAttributes Grants permission to put Dedicated IP warm up attributes Write
PutDeliverabilityDashboardOption Grants permission to enable or disable the Deliverability dashboard Write
PutEmailIdentityConfigurationSetAttributes Grants permission to associate a configuration set with an email identity Write

identity*

configuration-set

aws:ResourceTag/${TagKey}

PutEmailIdentityDkimAttributes Grants permission to enable or disable DKIM authentication for an email identity Write

identity*

aws:ResourceTag/${TagKey}

PutEmailIdentityDkimSigningAttributes Grants permission to configure or change the DKIM authentication settings for an email domain identity Write

identity*

aws:ResourceTag/${TagKey}

PutEmailIdentityFeedbackAttributes Grants permission to enable or disable feedback forwarding for an email identity Write

identity*

aws:ResourceTag/${TagKey}

PutEmailIdentityMailFromAttributes Grants permission to enable or disable the custom MAIL FROM domain configuration for an email identity Write

identity*

aws:ResourceTag/${TagKey}

PutSuppressedDestination Grants permission to add an email address to the suppression list Write
SendBulkEmail Grants permission to compose an email message to multiple destinations Write
SendCustomVerificationEmail Grants permission to add an email address to the list of identities and attempts to verify it Write

custom-verification-email-template*

SendEmail Grants permission to send an email message Write

identity*

ses:FeedbackAddress

ses:FromAddress

ses:FromDisplayName

ses:Recipients

TagResource Grants permission to add one or more tags (keys and values) to a specified resource Tagging

configuration-set

contact-list

dedicated-ip-pool

deliverability-test-report

identity

aws:TagKeys

aws:RequestTag/${TagKey}

TestRenderEmailTemplate Grants permission to create a preview of the MIME content of an email when provided with a template and a set of replacement data Write

template*

UntagResource Grants permission to remove one or more tags (keys and values) from a specified resource Tagging

configuration-set

contact-list

dedicated-ip-pool

deliverability-test-report

identity

aws:TagKeys

UpdateConfigurationSetEventDestination Grants permission to update the configuration of an event destination for a configuration set Write

configuration-set*

aws:ResourceTag/${TagKey}

UpdateContact Grants permission to update a contact's preferences for a list Write

contact-list*

aws:ResourceTag/${TagKey}

UpdateContactList Grants permission to update contact list metadata Write

contact-list*

aws:ResourceTag/${TagKey}

UpdateCustomVerificationEmailTemplate Grants permission to update an existing custom verification email template Write

custom-verification-email-template*

UpdateEmailIdentityPolicy Grants permission to update the specified sending authorization policy for the given identity (an email address or a domain) Permissions management

identity*

aws:ResourceTag/${TagKey}

UpdateEmailTemplate Grants permission to update an email template Write

template*

Resource types defined by Amazon Simple Email Service v2

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The resource types table .

Resource types ARN Condition keys
configuration-set arn:$ { Partition}:ses:$ { Region}:$ { Account}:configuration-set/$ { ConfigurationSetName}

aws:ResourceTag/${TagKey}

contact-list arn:$ { Partition}:ses:$ { Region}:$ { Account}:contact-list/$ { ContactListName}

aws:ResourceTag/${TagKey}

custom-verification-email-template arn:$ { Partition}:ses:$ { Region}:$ { Account}:custom-verification-email-template/$ { TemplateName}
dedicated-ip-pool arn:$ { Partition}:ses:$ { Region}:$ { Account}:dedicated-ip-pool/$ { DedicatedIPPool}

aws:ResourceTag/${TagKey}

deliverability-test-report arn:$ { Partition}:ses:$ { Region}:$ { Account}:deliverability-test-report/$ { ReportId}

aws:ResourceTag/${TagKey}

identity arn:$ { Partition}:ses:$ { Region}:$ { Account}:identity/$ { IdentityName}

aws:ResourceTag/${TagKey}

import-job arn:$ { Partition}:ses:$ { Region}:$ { Account}:import-job/$ { ImportJobId}
template arn:$ { Partition}:ses:$ { Region}:$ { Account}:template/$ { TemplateName}

Condition keys for Amazon Simple Email Service v2

Amazon Simple Email Service v2 defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The condition keys table .

To view the global condition keys that are available to all services, see Available global condition keys .

Condition keys Description Type
aws:RequestTag/${TagKey} Filters actions based on the presence of tag key-value pairs in the request String
aws:ResourceTag/${TagKey} Filters actions based on tag key-value pairs attached to the resource String
aws:TagKeys Filters actions based on the presence of tag keys in the request String
ses:FeedbackAddress Filters actions based on the "Return-Path" address, which specifies where bounces and complaints are sent by email feedback forwarding String
ses:FromAddress Filters actions based on the "From" address of a message String
ses:FromDisplayName Filters actions based on the "From" address that is used as the display name of a message String
ses:Recipients Filters actions based on the recipient addresses of a message, which include the "To", "CC", and "BCC" addresses ArrayOfString