Actions, resources, and condition keys for Amazon SES - Service Authorization Reference

Actions, resources, and condition keys for Amazon SES

Amazon SES (service prefix: ses ) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by Amazon SES

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table .

Actions Description Access level Resource types (*required) Condition keys Dependent actions
CloneReceiptRuleSet Grants permission to create a receipt rule set by cloning an existing one Write
CreateConfigurationSet Grants permission to create a new configuration set Write
CreateConfigurationSetEventDestination Grants permission to create a configuration set event destination Write
CreateConfigurationSetTrackingOptions Grants permission to creates an association between a configuration set and a custom domain for open and click event tracking Write
CreateCustomVerificationEmailTemplate Grants permission to create a new custom verification email template Write

identity*

CreateReceiptFilter Grants permission to create a new IP address filter Write
CreateReceiptRule Grants permission to create a receipt rule Write
CreateReceiptRuleSet Grants permission to create an empty receipt rule set Write
CreateTemplate Grants permission to creates an email template Write
DeleteConfigurationSet Grants permission to delete an existing configuration set Write
DeleteConfigurationSetEventDestination Grants permission to delete an event destination Write
DeleteConfigurationSetTrackingOptions Grants permission to delete an association between a configuration set and a custom domain for open and click event tracking Write
DeleteCustomVerificationEmailTemplate Grants permission to delete an existing custom verification email template Write
DeleteIdentity Grants permission to delete the specified identity Write

identity*

DeleteIdentityPolicy Grants permission to delete the specified sending authorization policy for the given identity (an email address or a domain) Permissions management

identity*

DeleteReceiptFilter Grants permission to delete the specified IP address filter Write
DeleteReceiptRule Grants permission to delete the specified receipt rule Write
DeleteReceiptRuleSet Grants permission to delete the specified receipt rule set and all of the receipt rules it contains Write
DeleteTemplate Grants permission to delete an email template Write
DeleteVerifiedEmailAddress Grants permission to delete the specified email address from the list of verified addresses Write

identity*

DescribeActiveReceiptRuleSet Grants permission to return the metadata and receipt rules for the receipt rule set that is currently active Read
DescribeConfigurationSet Grants permission to return the details of the specified configuration set Read
DescribeReceiptRule Grants permission to return the details of the specified receipt rule Read
DescribeReceiptRuleSet Grants permission to return the details of the specified receipt rule set Read
GetAccountSendingEnabled Grants permission to return the email sending status of your account Read
GetCustomVerificationEmailTemplate Grants permission to return the custom email verification template for the template name you specify Read
GetIdentityDkimAttributes Grants permission to return the current status of Easy DKIM signing for an entity Read

identity*

GetIdentityMailFromDomainAttributes Grants permission to return the custom MAIL FROM attributes for a list of identities (email addresses and/or domains) Read

identity*

GetIdentityNotificationAttributes Grants permission to return a structure describing identity notification attributes for a list of verified identities (email addresses and/or domains), Read

identity*

GetIdentityPolicies Grants permission to return the requested sending authorization policies for the given identity (an email address or a domain) Read

identity*

GetIdentityVerificationAttributes Grants permission to return the verification status and (for domain identities) the verification token for a list of identities Read

identity*

GetSendQuota Grants permission to return the user's current sending limits Read
GetSendStatistics Grants permission to returns the user's sending statistics Read
GetTemplate Grants permission to return the template object, which includes the subject line, HTML par, and text part for the template you specify Read
ListConfigurationSets Grants permission to list all of the configuration sets for your account List
ListCustomVerificationEmailTemplates Grants permission to list all of the existing custom verification email templates for your account List
ListIdentities Grants permission to list the email identities for your account List
ListIdentityPolicies Grants permission to list all of the email templates for your account List
ListReceiptFilters Grants permission to list the IP address filters associated with your account Read
ListReceiptRuleSets Grants permission to list the receipt rule sets that exist under your account Read
ListTemplates Grants permission to list the email templates present in your account List
ListVerifiedEmailAddresses Grants permission to list all of the email addresses that have been verified in your account Read
PutConfigurationSetDeliveryOptions Grants permission to add or update the delivery options for a configuration set Write
PutIdentityPolicy Grants permission to add or update a sending authorization policy for the specified identity (an email address or a domain) Permissions management

identity*

ReorderReceiptRuleSet Grants permission to reorder the receipt rules within a receipt rule set Write
SendBounce Grants permission to generate and send a bounce message to the sender of an email you received through Amazon SES Write

identity*

ses:FromAddress

SendBulkTemplatedEmail Grants permission to compose an email message to multiple destinations Write

identity*

ses:FeedbackAddress

ses:FromAddress

ses:FromDisplayName

ses:Recipients

SendCustomVerificationEmail Grants permission to add an email address to the list of identities and attempts to verify it for your account Write

identity*

ses:FeedbackAddress

ses:FromAddress

ses:FromDisplayName

ses:Recipients

SendEmail Grants permission to send an email message Write

identity*

ses:FeedbackAddress

ses:FromAddress

ses:FromDisplayName

ses:Recipients

SendRawEmail Grants permission to send an email message, with header and content specified by the client Write

identity*

ses:FeedbackAddress

ses:FromAddress

ses:FromDisplayName

ses:Recipients

SendTemplatedEmail Grants permission to compose an email message using an email template Write

ses:FeedbackAddress

ses:FromAddress

ses:FromDisplayName

ses:Recipients

SetActiveReceiptRuleSet Grants permission to set the specified receipt rule set as the active receipt rule set Write
SetIdentityDkimEnabled Grants permission to enable or disable Easy DKIM signing of email sent from an identity Write

identity*

SetIdentityFeedbackForwardingEnabled Grants permission to enable or disable whether Amazon SES forwards bounce and complaint notifications for an identity (an email address or a domain) Write

identity*

SetIdentityHeadersInNotificationsEnabled Grants permission to set whether Amazon SES includes the original email headers in the Amazon Simple Notification Service (Amazon SNS) notifications of a specified type for a given identity (an email address or a domain) Write

identity*

SetIdentityMailFromDomain Grants permission to enable or disable the custom MAIL FROM domain setup for a verified identity Write

identity*

SetIdentityNotificationTopic Grants permission to set an Amazon Simple Notification Service (Amazon SNS) topic to use when delivering notifications for a verified identity Write

identity*

SetReceiptRulePosition Grants permission to set the position of the specified receipt rule in the receipt rule set Write
TestRenderTemplate Grants permission to create a preview of the MIME content of an email when provided with a template and a set of replacement data Write
UpdateAccountSendingEnabled Grants permission to enable or disable email sending for your account Write
UpdateConfigurationSetEventDestination Grants permission to update the event destination of a configuration set Write
UpdateConfigurationSetReputationMetricsEnabled Grants permission to enable or disable the publishing of reputation metrics for emails sent using a specific configuration set Write
UpdateConfigurationSetSendingEnabled Grants permission to enable or disable email sending for messages sent using a specific configuration set Write
UpdateConfigurationSetTrackingOptions Grants permission to modify an association between a configuration set and a custom domain for open and click event tracking Write
UpdateCustomVerificationEmailTemplate Grants permission to update an existing custom verification email template Write
UpdateReceiptRule Grants permission to update a receipt rule Write
UpdateTemplate Grants permission to update an email template Write
VerifyDomainDkim Grants permission to return a set of DKIM tokens for a domain Read

identity*

VerifyDomainIdentity Grants permission to verify a domain Read
VerifyEmailAddress Grants permission to verify an email address Read
VerifyEmailIdentity Grants permission to verify an email identity Read

Resource types defined by Amazon SES

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The resource types table .

Resource types ARN Condition keys
configuration-set arn:$ { Partition}:ses:$ { Region}:$ { Account}:configuration-set/$ { ConfigurationSetName}
custom-verification-email-template arn:$ { Partition}:ses:$ { Region}:$ { Account}:custom-verification-email-template/$ { TemplateName}
identity arn:$ { Partition}:ses:$ { Region}:$ { Account}:identity/$ { IdentityName}
template arn:$ { Partition}:ses:$ { Region}:$ { Account}:template/$ { TemplateName}

Condition keys for Amazon SES

Amazon SES defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The condition keys table .

To view the global condition keys that are available to all services, see Available global condition keys .

Condition keys Description Type
ses:FeedbackAddress Filters actions based on the "Return-Path" address, which specifies where bounces and complaints are sent by email feedback forwarding String
ses:FromAddress Filters actions based on the "From" address of a message String
ses:FromDisplayName Filters actions based on the "From" address that is used as the display name of a message String
ses:Recipients Filters actions based on the recipient addresses of a message, which include the "To", "CC", and "BCC" addresses ArrayOfString