AWS Security ChangesHomeSearch

AWS ses documentation change

Service: ses · 2026-04-19 · Documentation medium

File: ses/latest/dg/smtp-credentials.md

Summary

Updated required IAM actions for creating SES SMTP credentials and clarified security implications of permission management actions.

Security assessment

The change updates the required IAM permissions from iam:ListUsers and iam:PutUserPolicy to iam:CreateGroup, iam:PutGroupPolicy, and iam:AddUserToGroup. This appears to be a security best practice update that changes how SMTP credentials are provisioned (using groups instead of direct user policies). The documentation now more accurately warns about the security implications of permission management actions. This is a security documentation improvement but doesn't indicate a specific security issue.

Diff

diff --git a/ses/latest/dg/smtp-credentials.md b/ses/latest/dg/smtp-credentials.md
index 0a9c8774a..1f4e07d49 100644
--- a//ses/latest/dg/smtp-credentials.md
+++ b//ses/latest/dg/smtp-credentials.md
@@ -25 +25 @@ For a list of currently available SMTP endpoints, see [SMTP endpoints](https://d
-An IAM user can create SES SMTP credentials, but the user's policy must give them permission to use IAM itself, because SES SMTP credentials are created by using IAM. Your IAM policy must allow you to perform the following IAM actions: `iam:ListUsers`, `iam:CreateUser`, `iam:CreateAccessKey`, and `iam:PutUserPolicy`. If you try to create SES SMTP credentials using the console and your IAM user doesn't have these permissions, you see an error that states that your account is _"not authorized to perform iam:ListUsers."_
+An IAM user can create SES SMTP credentials, but the user's policy must give them permission to use IAM itself, because SES SMTP credentials are created by using IAM. Your IAM policy must allow you to perform the following IAM actions: `iam:CreateUser`, `iam:CreateGroup`, `iam:PutGroupPolicy`, `iam:AddUserToGroup`, and `iam:CreateAccessKey`. If you try to create SES SMTP credentials using the console and your IAM user doesn't have these permissions, you may see an error or the SMTP credentials may be created without the proper policy settings.
@@ -29 +29 @@ An IAM user can create SES SMTP credentials, but the user's policy must give the
-The IAM actions referenced above have the [Permission management](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html#access_policies_access-level) access level which is the highest IAM level because it gives permission to grant or modify resource permissions in the service. Therefore, to improve the security of your AWS account, it is highly recommended that you restrict or regularly monitor these policies that include the Permissions management access level classification.
+Some of the IAM actions referenced above, specifically `iam:PutGroupPolicy` and `iam:AddUserToGroup`, have the [Permission management](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html#access_policies_access-level) access level which is the highest IAM level because it gives permission to grant or modify resource permissions in the service. Therefore, to improve the security of your AWS account, it is highly recommended that you restrict or regularly monitor these policies that include the Permissions management access level classification.