Configuring Cognito User Pool to send emails with SES at ap-southeast-2

Question

I have the following cloudformation template (it is part of a serverless.yml template) to create a Cognito UserPool that sends e-mails using SES.

I am deploying my serverless project on ap-southeast-2, and I wanted to use the same region to send e-mails from. I have pre-verified in ap-southeast-2 the account in the template in SES, but if I replace the SourceArn in the template below (last line) with the ap-southeast-2 (or the serverless pseudo variable #{AWS::Region}) region I get an error:

An error occurred: CognitoUserPool - Unable to send email message, please try again (Service: AWSCognitoIdentityProviderService; Status Code: 400; Error Code: InvalidParameterException; Request ID: ...).

When I replace the region with us-west-2 (as in the template below), it works. Why is ap-southeast-2 not supported if it allows me to use SES from that region?

  CognitoUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      # Generate a name based on the stage
      UserPoolName: ${self:provider.stage}-user-pool
      # Set email as an alias
      AutoVerifiedAttributes:
        - email
      # UsernameAttributes and AliasAttributes are mutually exclusive configuration options
      AliasAttributes: # instead of UsernameAttributes:
        - preferred_username
        - email
      UsernameConfiguration:
        CaseSensitive: false
      AccountRecoverySetting:
        RecoveryMechanisms:
          - Name: verified_email
            Priority: 1
      AdminCreateUserConfig:
        UnusedAccountValidityDays: 5
        AllowAdminCreateUserOnly: false
      Policies:
        PasswordPolicy:
          MinimumLength: 10
          RequireLowercase: true
          RequireNumbers: true
          RequireSymbols: true
          RequireUppercase: true
      Schema:
        - Name: membershipType
          Required: false
          Mutable: true
          AttributeDataType: String
      VerificationMessageTemplate:
        DefaultEmailOption: CONFIRM_WITH_LINK
        EmailMessageByLink: "Please click on the following link to verify: {##Verify Email##}"
        EmailSubjectByLink: Please confirm your registration 
      EmailConfiguration:
        EmailSendingAccount: DEVELOPER
        From: my@email.com
        ReplyToEmailAddress: my@email.com
        SourceArn: arn:aws:ses:us-west-2:#{AWS::AccountId}:identity/my@email.com

Answer 1

I haven't tested this yet (although am about to), but I don't see why you wouldn't be able to use a Lambda-based "Custom Email Sender" to route through the Sydney region, as per the instructions here: Configure Cognito to send emails through third party such as SendGrid the proper way

Answer 2

Did you verified the email from which you want to send emails in the SES console? After verifying you will see the correct arn from which to set.

I had one more strange mistake. I had to remove the EmailConfiguration.From field. When I had this field set, even same as verified email, it caused me a similar error.

Answer 3

This feature is not supported in ap-southeast-2. Can't do much until AWS provides that support in the new regions.

From docs:

Available regions for Amazon SES are US East (N. Virginia)us-east-1, US West (Oregon) us-west-2, and Europe (Ireland)eu-west-1. Amazon SES doesn't support email receiving in the following Regions: Asia Pacific (Mumbai), Asia Pacific (Sydney), Canada (Central), Europe (Frankfurt), Europe (London), South America (São Paulo), and AWS GovCloud (US).