AWS Security ChangesHomeSearch

AWS ses documentation change

Service: ses · 2026-04-01 · Documentation low

File: ses/latest/dg/eb-policies.md

Summary

Added KMS key policy for mTLS trust store encryption and documented IAM permission policies for Bounce and Invoke Lambda function rule actions

Security assessment

This change adds documentation for security-related policies: 1) KMS key policy required for encrypting mTLS trust stores, which is a security feature for certificate management, and 2) IAM permission policies for bounce and Lambda invocation actions that can be used for security filtering. These are routine documentation updates for new features rather than fixes for security issues.

Diff

diff --git a/ses/latest/dg/eb-policies.md b/ses/latest/dg/eb-policies.md
index bdd6d7362..faa5f779b 100644
--- a//ses/latest/dg/eb-policies.md
+++ b//ses/latest/dg/eb-policies.md
@@ -76,0 +77,25 @@ It is required to use a customer managed key (CMK) for your secret. The followin
+### KMS customer managed key (CMK) key policy for mTLS trust store
+
+If you use a customer managed key (CMK) to encrypt your mTLS trust store, the following statement is required within your KMS key policy to allow SES to use your key.
+    
+    
+    {
+        "Effect": "Allow",
+        "Principal": {
+            "Service": "ses.amazonaws.com"
+        },
+        "Action": [
+            "kms:Decrypt",
+            "kms:DescribeKey"
+        ],
+        "Resource": "*",
+        "Condition": {
+            "StringEquals": {
+                "aws:SourceAccount": "000000000000"
+            },
+            "ArnLike": {
+                "aws:SourceArn": "arn:aws:ses:us-east-1:000000000000:mailmanager-ingress-point/*"
+            }
+        }
+    }
+
@@ -362,0 +388,4 @@ JSON
+  * Bounce policy
+
+  * Invoke Lambda function policy
+
@@ -629,0 +659,47 @@ For more information about attaching policies to AWS KMS keys, see [Using Key Po
+### Permission policy for _Bounce_ rule action
+
+The following policy is required for your IAM role to use the **Bounce** rule action which bounces the email by returning a bounce response to the sender.
+    
+    
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "AllowSendBounce",
+                "Effect": "Allow",
+                "Action": [
+                    "ses:SendBounce"
+                ],
+                "Resource": [
+                    "arn:aws:ses:us-east-1:123456789012:identity/*"
+                ],
+                "Condition": {
+                    "StringEquals": {
+                        "ses:FromAddress": "[email protected]"
+                    }
+                }
+            }
+        ]
+    }
+
+### Permission policy for _Invoke Lambda function_ rule action
+
+The following policy is required for your IAM role to use the **Invoke Lambda function** rule action which invokes an AWS Lambda function to process the email.
+    
+    
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "AllowInvokeLambdaFunction",
+                "Effect": "Allow",
+                "Action": [
+                    "lambda:InvokeFunction"
+                ],
+                "Resource": [
+                    "arn:aws:lambda:us-east-1:123456789012:function:MyFunction"
+                ]
+            }
+        ]
+    }
+