Armitage2k

Reputation: 1274

AWS SES Policy - limit sending from specific users + email address + daily limit

I am looking to lock down an IAM account I am using to send emails as much as possible, which includes the following restrictions:

  1. send email from 1 specific email address only [DONE]
  2. limit email distribution from 2 specific IAM accounts only
  3. set a limit of 100 emails per day to be sent from each IAM account

#1 has already been achieved, but #2 seems impossible since according to the AWS Policy Builder the PRINCIPAL does not support IDENTITY_POLICY in the same policy.


As for #3, I am curious how to approach this and whether it's actually possible to do this via an AWS policy. Is there perhaps an alternative approach via CloudWatch that would flag / email alert me if a user has sent more than 100 emails?

Here is my current policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": "arn:aws:ses:eu-west-1:123456789012:identity/domain.com",
            "Action": [
                "ses:SendEmail",
                "ses:SendRawEmail"
            ],
            "Condition": {
                "StringEquals": {
                    "ses:FromAddress": "[email protected]"
                }
            }
        }
    ]
}

Upvotes: 1

Views: 2347

Answers (2)

David

Reputation: 67

As per #3, you cannot specify hard limits, but you can keep track of usage and trigger alerts (and you could actually automate disabling the IAM based on these alerts, it just gets complicated).

You cannot specify sending limits by IAM, but you can keep track of how many e-mails have been sent by an account on CloudWatch and set alarms on usage.

Here you can find how to set this up:

https://repost.aws/knowledge-center/ses-iam-user-sent-email

To wrap up:

  • Create a configuration set, as explained on the link.
  • Associate this configuration set to ALL identities (NOT EXPLAINED IN THE LINK).
  • Build the chart and alerts on CloudWatch; this is very flexible and you can set up anything to cater to your needs.

Upvotes: 0

Hubert Bratek

Reputation: 1104

For 2: Don't simple IAM policies and roles give you what you want? Only people with the desired role would be able to use SES, and all other access is blocked by default. Then you would allow only those 2 accounts to assume the role and the solution is done and can be easily extended to any other accounts in the future (and it is also similar to all other ways of solving similar problems in AWS).

For 3: TBH, I would implement it differently and more generically. There is something called configuration sets. You can specify what kind of events you would like to get on a given SQS queue. Here, you would be interested in the SEND events. When the email is being sent, you would have a message on the SQS queue with all the information necessary (including the sender email address). Based on that you can either split it into different queues (based on the sender address) and count them separately, or just count the messages in one queue. Afterwards, with CloudWatch, I would simply create an alert on the size of the queue, whether it is bigger than 100 (probably in some timespan), and set up a handler as an SNS topic (with the specifics of your email handling). I would say this solution is more generic, as you can literally split the main queues for email sending to only two senders afterwards, and in case anything different is going on, you can even set up a 3rd queue for the rest of the emails (just in case the 2nd didn't work) and create an alert; if anything pops up, it would also use a similar SNS topic to alert you in whatever way you would prefer.

Upvotes: 2
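The two answers both land on the same design: SES cannot enforce a per-user daily cap in the policy, so the cap (and the "only these two users, only this From address" rules) becomes a monitoring check over the "Send" events a configuration set publishes. The script below is an added example, not code from the question or either answer. It assumes the event destination is feeding SES event records (in the documented SES event-publishing JSON shape, where `mail.tags["ses:caller-identity"]` carries the IAM identity that called the API) to an SQS queue, and that a consumer passes the raw message bodies to `check_send_events`. The user names, the From address and all sample records are constructed; the check counts sends per caller per UTC day, ignores non-Send and malformed records, and reports the three kinds of violation the question lists.

```python
"""Monitor SES "Send" events for caller, From-address and daily-volume violations.

Added example. Assumes SES event records (JSON) are delivered via a
configuration-set event destination to SQS and their bodies are handed to
check_send_events(). All identities, addresses and records are constructed.
"""
import json
from collections import Counter
from datetime import datetime, timezone

# Restrictions from the question, expressed as monitoring rules (constructed values).
ALLOWED_FROM = "sender@domain.com"              # the one permitted From address
ALLOWED_CALLERS = {"ses-user-a", "ses-user-b"}  # the two IAM users allowed to send
DAILY_LIMIT = 100                               # sends per caller per UTC day


def _caller_identity(mail):
    """SES auto-tags each message with the IAM identity that invoked the API."""
    values = mail.get("tags", {}).get("ses:caller-identity", [])
    return values[0] if values else None


def parse_send_event(raw):
    """Parse one message body; return (utc_day, caller, source) or None if unusable."""
    try:
        event = json.loads(raw)
    except (TypeError, ValueError):
        return None                      # not JSON: skip rather than crash the consumer
    if event.get("eventType") != "Send":
        return None                      # only Send events count toward the limit
    mail = event.get("mail", {})
    ts, source, caller = mail.get("timestamp"), mail.get("source"), _caller_identity(mail)
    if not ts or source is None or caller is None:
        return None
    # SES timestamps look like 2016-10-14T05:02:16.645Z; normalise to an aware UTC datetime
    when = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return when.date().isoformat(), caller, source


def check_send_events(bodies, allowed_from=ALLOWED_FROM,
                      allowed_callers=ALLOWED_CALLERS, daily_limit=DAILY_LIMIT):
    """Return (counts, violations): counts maps (day, caller) -> sends, violations is a list."""
    counts = Counter()
    violations = []
    for body in bodies:
        parsed = parse_send_event(body)
        if parsed is None:
            continue
        day, caller, source = parsed
        counts[(day, caller)] += 1
        if caller not in allowed_callers:
            violations.append(f"{day}: unexpected caller {caller}")
        if source != allowed_from:
            violations.append(f"{day}: {caller} sent from {source}")
        if counts[(day, caller)] == daily_limit + 1:   # report the breach exactly once per day
            violations.append(f"{day}: {caller} exceeded {daily_limit} sends")
    return counts, violations


def _event(ts, caller, source, event_type="Send"):
    """Build a minimal record in the SES event-publishing shape (constructed sample)."""
    return json.dumps({
        "eventType": event_type,
        "mail": {
            "timestamp": ts,
            "source": source,
            "sourceArn": "arn:aws:ses:eu-west-1:123456789012:identity/domain.com",
            "tags": {"ses:caller-identity": [caller], "ses:from-domain": ["domain.com"]},
        },
        "send": {},
    })


# Constructed queue contents: 101 sends from user A (one over the cap), one send from
# user B with the wrong From address, one send by an unknown caller, a Delivery event
# (must be ignored) and a non-JSON body (must be skipped).
SAMPLE_BODIES = (
    [_event(f"2023-01-01T10:{i % 60:02d}:00.000Z", "ses-user-a", ALLOWED_FROM) for i in range(101)]
    + [_event("2023-01-01T11:00:00.000Z", "ses-user-b", "other@domain.com")]
    + [_event("2023-01-01T12:00:00.000Z", "rogue-user", ALLOWED_FROM)]
    + [_event("2023-01-01T12:30:00.000Z", "ses-user-b", ALLOWED_FROM, event_type="Delivery")]
    + ["not json"]
)

if __name__ == "__main__":
    counts, violations = check_send_events(SAMPLE_BODIES)
    for key, n in sorted(counts.items()):
        print(key, n)
    for v in violations:
        print("VIOLATION:", v)
```

In a real deployment the `violations` list is what you would publish to the SNS topic the answer mentions; the counts themselves are the same numbers the CloudWatch `Send` metric gives you once the configuration set's CloudWatch destination uses `ses:caller-identity` as a dimension, so either path can drive the alarm.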
