Actions, resources, and condition keys for Amazon SES
Amazon SES (service prefix:
ses
) provides the following service-specific resources, actions, and condition context
keys for use in IAM permission policies.
References:
-
Learn how to configure this service .
-
View a list of the API operations available for this service .
-
Learn how to secure this service and its resources by using IAM permission policies.
Topics
Actions defined by Amazon SES
You can specify the following actions in the
Action
element of an IAM policy statement. Use policies to grant permissions to perform
an operation in AWS. When you use an action in a policy, you usually allow or
deny access to the API operation or CLI command with the same name. However,
in some cases, a single action controls access to more than one operation. Alternatively,
some operations require several different actions.
The
Resource types
column indicates whether each action supports resource-level permissions. If
there is no value for this column, you must specify all resources ("*") in the
Resource
element of your policy statement. If the column includes a resource type, then
you can specify an ARN of that type in a statement with that action. Required
resources are indicated in the table with an asterisk (*). If you specify a resource-level
permission ARN in a statement using this action, then it must be of this type.
Some actions support multiple resource types. If the resource type is optional (not
indicated as required), then you can choose to use one but not the other.
For details about the columns in the following table, see The actions table .
Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
---|---|---|---|---|---|
CloneReceiptRuleSet | Creates a receipt rule set by cloning an existing one | Write | |||
CreateConfigurationSet | Creates a new configuration set | Write | |||
CreateConfigurationSetEventDestination | Creates a configuration set event destination | Write | |||
CreateConfigurationSetTrackingOptions | Creates an association between a configuration set and a custom domain for open and click event tracking | Write | |||
CreateCustomVerificationEmailTemplate | Creates a new custom verification email template | Write | |||
CreateReceiptFilter | Creates a new IP address filter | Write | |||
CreateReceiptRule | Creates a receipt rule | Write | |||
CreateReceiptRuleSet | Creates an empty receipt rule set | Write | |||
CreateTemplate | Creates an email template | Write | |||
DeleteConfigurationSet | Deletes the configuration set | Write | |||
DeleteConfigurationSetEventDestination | Deletes a configuration set event destination | Write | |||
DeleteConfigurationSetTrackingOptions | Deletes an association between a configuration set and a custom domain for open and click event tracking | Write | |||
DeleteCustomVerificationEmailTemplate | Deletes an existing custom verification email template | Write | |||
DeleteIdentity | Deletes the specified identity (an email address or a domain) from the list of verified identities | Write | |||
DeleteIdentityPolicy | Deletes the specified identity (an email address or a domain) from the list of verified identities | Write | |||
DeleteReceiptFilter | Deletes the specified IP address filter | Write | |||
DeleteReceiptRule | Deletes the specified receipt rule | Write | |||
DeleteReceiptRuleSet | Deletes the specified receipt rule set and all of the receipt rules it contains | Write | |||
DeleteTemplate | Deletes an email template | Write | |||
DeleteVerifiedEmailAddress | Deletes the specified email address from the list of verified addresses | Write | |||
DescribeActiveReceiptRuleSet | Returns the metadata and receipt rules for the receipt rule set that is currently active | Read | |||
DescribeConfigurationSet | Returns the details of the specified configuration set | Read | |||
DescribeReceiptRule | Returns the details of the specified receipt rule | Read | |||
DescribeReceiptRuleSet | Returns the details of the specified receipt rule set | Read | |||
GetAccountSendingEnabled | Returns the email sending status of the Amazon SES account for the current region | Read | |||
GetCustomVerificationEmailTemplate | Returns the custom email verification template for the template name you specify | Read | |||
GetIdentityDkimAttributes | Returns the current status of Easy DKIM signing for an entity | Read | |||
GetIdentityMailFromDomainAttributes | Returns the custom MAIL FROM attributes for a list of identities (email addresses and/or domains) | Read | |||
GetIdentityNotificationAttributes | Given a list of verified identities (email addresses and/or domains), returns a structure describing identity notification attributes | Read | |||
GetIdentityPolicies | Returns the requested sending authorization policies for the given identity (an email address or a domain) | Read | |||
GetIdentityVerificationAttributes | Given a list of identities (email addresses and/or domains), returns the verification status and (for domain identities) the verification token for each identity | Read | |||
GetSendQuota | Returns the user's current sending limits | Read | |||
GetSendStatistics | Returns the user's sending statistics. The result is a list of data points, representing the last two weeks of sending activity | Read | |||
GetTemplate | Returns the template object (which includes the Subject line, HTML part and text part) for the template you specify | Read | |||
ListConfigurationSets | Returns a list of the configuration sets associated with your Amazon SES account in the current AWS Region | List | |||
ListCustomVerificationEmailTemplates | Lists the existing custom verification email templates for your account in the current AWS Region | List | |||
ListIdentities | Returns a list containing all of the identities (email addresses and domains) for your AWS account, regardless of verification status | List | |||
ListIdentityPolicies | Returns a list of sending authorization policies that are attached to the given identity (an email address or a domain) | List | |||
ListReceiptFilters | Lists the IP address filters associated with your AWS account | List | |||
ListReceiptRuleSets | Lists the receipt rule sets that exist under your AWS account | List | |||
ListTemplates | Lists the email templates present in your Amazon SES account in the current AWS Region | List | |||
ListVerifiedEmailAddresses | Returns a list containing all of the email addresses that have been verified | List | |||
PutIdentityPolicy | Adds or updates a sending authorization policy for the specified identity (an email address or a domain) | Write | |||
ReorderReceiptRuleSet | Reorders the receipt rules within a receipt rule set | Write | |||
SendBounce | Generates and sends a bounce message to the sender of an email you received through Amazon SES | Write | |||
SendBulkTemplatedEmail | Composes an email message to multiple destinations | Write | |||
SendCustomVerificationEmail | Adds an email address to the list of identities for your Amazon SES account in the current AWS Region and attempts to verify it | Write | |||
SendEmail | Composes an email message based on input data, and then immediately queues the message for sending | Write | |||
SendRawEmail | Sends an email message, with header and content specified by the client | Write | |||
SendTemplatedEmail | Composes an email message using an email template and immediately queues it for sending | Write | |||
SetActiveReceiptRuleSet | Sets the specified receipt rule set as the active receipt rule set | Write | |||
SetIdentityDkimEnabled | Enables or disables Easy DKIM signing of email sent from an identity | Write | |||
SetIdentityFeedbackForwardingEnabled | Given an identity (an email address or a domain), enables or disables whether Amazon SES forwards bounce and complaint notifications as email | Write | |||
SetIdentityHeadersInNotificationsEnabled | Given an identity (an email address or a domain), sets whether Amazon SES includes the original email headers in the Amazon Simple Notification Service (Amazon SNS) notifications of a specified type | Write | |||
SetIdentityMailFromDomain | Enables or disables the custom MAIL FROM domain setup for a verified identity (an email address or a domain) | Write | |||
SetIdentityNotificationTopic | Given an identity (an email address or a domain), sets the Amazon Simple Notification Service (Amazon SNS) topic to which Amazon SES will publish bounce, complaint, and/or delivery notifications for emails sent with that identity as the Source | Write | |||
SetReceiptRulePosition | Sets the position of the specified receipt rule in the receipt rule set | Write | |||
TestRenderTemplate | Creates a preview of the MIME content of an email when provided with a template and a set of replacement data | Write | |||
UpdateAccountSendingEnabled | Enables or disables email sending across your entire Amazon SES account in the current AWS Region | Write | |||
UpdateConfigurationSetEventDestination | Updates the event destination of a configuration set | Write | |||
UpdateConfigurationSetReputationMetricsEnabled | Enables or disables the publishing of reputation metrics for emails sent using a specific configuration set in a given AWS Region | Write | |||
UpdateConfigurationSetSendingEnabled | Enables or disables email sending for messages sent using a specific configuration set in a given AWS Region | Write | |||
UpdateConfigurationSetTrackingOptions | Modifies an association between a configuration set and a custom domain for open and click event tracking | Write | |||
UpdateCustomVerificationEmailTemplate | Updates an existing custom verification email template | Write | |||
UpdateReceiptRule | Updates a receipt rule | Write | |||
UpdateTemplate | Updates an email template | Write | |||
VerifyDomainDkim | Returns a set of DKIM tokens for a domain | Read | |||
VerifyDomainIdentity | Verifies a domain | Read | |||
VerifyEmailAddress | Verifies an email address. This action causes a confirmation email message to be sent to the specified address. This action is throttled at one request per second | Read | |||
VerifyEmailIdentity | Verifies an email address. This action causes a confirmation email message to be sent to the specified address. This action is throttled at one request per second | Read |
Resource types defined by Amazon SES
The following resource types are defined by this service and can be used in the
Resource
element of IAM permission policy statements. Each action in the
Actions table
identifies the resource types that can be specified with that action. A resource
type can also define which condition keys you can include in a policy. These
keys are displayed in the last column of the table. For details about the columns
in the following table, see
The resource types table
.
Resource types | ARN | Condition keys |
---|---|---|
configuration-set |
arn:$
{
Partition}:ses:$
{
Region}:$
{
Account}:configuration-set/$
{
ConfigurationSetName}
|
|
custom-verification-email-template |
arn:$
{
Partition}:ses:$
{
Region}:$
{
Account}:custom-verification-email-template/$
{
CustomVerificationEmailTemplateName}
|
|
event-destination |
arn:$
{
Partition}:ses:$
{
Region}:$
{
Account}:configuration-set/$
{
ConfigurationSetName}:event-destination/$
{
EventDestinationName}
|
|
identity |
arn:$
{
Partition}:ses:$
{
Region}:$
{
Account}:identity/$
{
IdentityName}
|
|
receipt-filter |
arn:$
{
Partition}:ses:$
{
Region}:$
{
Account}:receipt-filter/$
{
ReceiptFilterName}
|
|
receipt-rule |
arn:$
{
Partition}:ses:$
{
Region}:$
{
Account}:receipt-rule-set/$
{
ReceiptRuleSetName}:receipt-rule/$
{
ReceiptRuleName}
|
|
receipt-rule-set |
arn:$
{
Partition}:ses:$
{
Region}:$
{
Account}:receipt-rule-set/$
{
ReceiptRuleSetName}
|
|
template |
arn:$
{
Partition}:ses:$
{
Region}:$
{
Account}:template/$
{
TemplateName}
|
Condition keys for Amazon SES
Amazon SES defines the following condition keys that can be used in the
Condition
element of an IAM policy. You can use these keys to further refine the conditions
under which the policy statement applies. For details about the columns in the
following table, see
The condition keys table
.
To view the global condition keys that are available to all services, see Available global condition keys .
Condition keys | Description | Type |
---|---|---|
ses:FeedbackAddress | The "Return-Path" address, which specifies where bounces and complaints are sent by email feedback forwarding. | String |
ses:FromAddress | The "From" address of a message. | String |
ses:FromDisplayName | The "From" address that is used as the display name of a message. | String |
ses:Recipients | The recipient addresses of a message, which include the "To", "CC", and "BCC" addresses. | String |