AWS Security ChangesHomeSearch

AWS ses documentation change

Service: ses · 2025-08-16 · Documentation low

File: ses/latest/dg/receiving-email-permissions.md

Summary

Added cross-account S3 permissions guidance for SES email receiving

Security assessment

Clarifies IAM role and bucket policy requirements for secure cross-account access, but does not address a specific vulnerability. Enhances documentation of security controls without evidence of fixing an existing issue.

Diff

diff --git a/ses/latest/dg/receiving-email-permissions.md b/ses/latest/dg/receiving-email-permissions.md
index b4781f83a..e4b926331 100644
--- a//ses/latest/dg/receiving-email-permissions.md
+++ b//ses/latest/dg/receiving-email-permissions.md
@@ -40,0 +41,9 @@ This permission policy must be pasted into the IAM role's inline policy editor
+###### Note
+
+  * You have the option to set up the S3 action without specifying an IAM role by allowing just the SES service in the S3 bucket policy as shown Give SES permission to write to an S3 bucket. This will work for cross-account scenarios as well.
+
+  * If you specify an IAM role for the S3 action, SES assumes that role for 'PutObject' operation, and the IAM permissions specified here will be sufficient for same account usage. However, for cross-account usage, you'll need an additional bucket policy that allows the IAM role to 'PutObject' in the bucket. This is specified by the bucket owner granting cross-account bucket permissions as explained in [Bucket owner granting cross-account bucket permissions](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-walkthroughs-managing-access-example2.html).
+
+
+
+