AWS ses documentation change
Summary
Added KMS key policy for mTLS trust store encryption and documented IAM permission policies for Bounce and Invoke Lambda function rule actions
Security assessment
This change adds documentation for security-related policies: 1) KMS key policy required for encrypting mTLS trust stores, which is a security feature for certificate management, and 2) IAM permission policies for bounce and Lambda invocation actions that can be used for security filtering. These are routine documentation updates for new features rather than fixes for security issues.
Diff
diff --git a/ses/latest/dg/eb-policies.md b/ses/latest/dg/eb-policies.md index bdd6d7362..faa5f779b 100644 --- a//ses/latest/dg/eb-policies.md +++ b//ses/latest/dg/eb-policies.md @@ -76,0 +77,25 @@ It is required to use a customer managed key (CMK) for your secret. The followin +### KMS customer managed key (CMK) key policy for mTLS trust store + +If you use a customer managed key (CMK) to encrypt your mTLS trust store, the following statement is required within your KMS key policy to allow SES to use your key. + + + { + "Effect": "Allow", + "Principal": { + "Service": "ses.amazonaws.com" + }, + "Action": [ + "kms:Decrypt", + "kms:DescribeKey" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "aws:SourceAccount": "000000000000" + }, + "ArnLike": { + "aws:SourceArn": "arn:aws:ses:us-east-1:000000000000:mailmanager-ingress-point/*" + } + } + } + @@ -362,0 +388,4 @@ JSON + * Bounce policy + + * Invoke Lambda function policy + @@ -629,0 +659,47 @@ For more information about attaching policies to AWS KMS keys, see [Using Key Po +### Permission policy for _Bounce_ rule action + +The following policy is required for your IAM role to use the **Bounce** rule action which bounces the email by returning a bounce response to the sender. + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowSendBounce", + "Effect": "Allow", + "Action": [ + "ses:SendBounce" + ], + "Resource": [ + "arn:aws:ses:us-east-1:123456789012:identity/*" + ], + "Condition": { + "StringEquals": { + "ses:FromAddress": "[email protected]" + } + } + } + ] + } + +### Permission policy for _Invoke Lambda function_ rule action + +The following policy is required for your IAM role to use the **Invoke Lambda function** rule action which invokes an AWS Lambda function to process the email. + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowInvokeLambdaFunction", + "Effect": "Allow", + "Action": [ + "lambda:InvokeFunction" + ], + "Resource": [ + "arn:aws:lambda:us-east-1:123456789012:function:MyFunction" + ] + } + ] + } +