Background

We had a security incident in which an attacker who had obtained a set of our AWS access keys attempted to send email through SES from every verified identity in our account. The policy below applies the principle of least privilege to the IAM user an application uses for sending: that user may send only from the one identity it actually needs, so that if its credentials leak, the rest of our identities and infrastructure are not exposed.

Code

Notice the two Amazon Resource Names (ARNs) that end in identity/VERIFIED_EMAIL. Swap both of them for the identity you want to scope this user to: a verified email address becomes arn:aws:ses:REGION:ACCOUNT:identity/user@example.com, and a verified domain becomes arn:aws:ses:REGION:ACCOUNT:identity/example.com (a domain identity covers every address at that domain, so use the address form if the user should be limited to one mailbox). Replace the account ID 466687935190 with your own as well. SES checks the From identity of each send against these identity ARNs, so a caller holding this user's keys cannot send as any other identity in the account. The identity ARN is pinned to us-east-1 because SES identities are verified per region, while the configuration-set and template ARNs use * for the region. ses:ListTemplates is the only action left on Resource "*"; it lists template names and sends nothing.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ses:SendEmail",
                "ses:SendTemplatedEmail",
                "ses:SendRawEmail"
            ],
            "Resource": [
                "arn:aws:ses:us-east-1:466687935190:identity/VERIFIED_EMAIL",
                "arn:aws:ses:*:466687935190:configuration-set/*",
                "arn:aws:ses:*:466687935190:template/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "ses:ListTemplates",
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "ses:SendEmail",
                "ses:SendCustomVerificationEmail",
                "ses:SendBulkEmail"
            ],
            "Resource": [
                "arn:aws:ses:us-east-1:466687935190:identity/VERIFIED_EMAIL",
                "arn:aws:ses:*:466687935190:custom-verification-email-template/*",
                "arn:aws:ses:*:466687935190:configuration-set/*",
                "arn:aws:ses:*:466687935190:template/*"
            ]
        }
    ]
}
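As an added example that is not part of the original page, the Python script below fills the placeholders in the policy above and then lints the result. It folds the original's two send statements into one, since both allow send actions on the same identity. The account ID 123456789012, the region and the identity example.com are constructed values, and lint_ses_policy is a hypothetical helper that checks only the resource shapes this policy uses, not a full IAM policy evaluator.

```python
"""Fill in and lint the SES least-privilege policy shown above.

Account ID 123456789012 and identity example.com are constructed values.
"""
import json
import re

# SES actions that put mail on the wire. An Allow of any of these (or of a
# wildcard covering one) should be pinned to a specific identity ARN.
SES_SEND_ACTIONS = {
    "ses:SendEmail",
    "ses:SendRawEmail",
    "ses:SendTemplatedEmail",
    "ses:SendBulkTemplatedEmail",
    "ses:SendBulkEmail",
    "ses:SendCustomVerificationEmail",
}

_ACCOUNT_RE = re.compile(r"^\d{12}$")


def build_ses_send_policy(account_id: str, region: str, identity: str) -> dict:
    """Return the page's policy with account, region and identity filled in.

    `identity` is a verified email address or domain and becomes
    arn:aws:ses:<region>:<account>:identity/<identity>.
    """
    if not _ACCOUNT_RE.match(account_id):
        raise ValueError("account_id must be a 12-digit AWS account ID")
    if not identity or "*" in identity or "/" in identity:
        raise ValueError("identity must be a single verified address or domain")
    identity_arn = f"arn:aws:ses:{region}:{account_id}:identity/{identity}"
    account_prefix = f"arn:aws:ses:*:{account_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # The two send statements of the original policy folded into one.
                "Sid": "SendOnlyFromScopedIdentity",
                "Effect": "Allow",
                "Action": [
                    "ses:SendEmail",
                    "ses:SendRawEmail",
                    "ses:SendTemplatedEmail",
                    "ses:SendBulkEmail",
                    "ses:SendCustomVerificationEmail",
                ],
                "Resource": [
                    identity_arn,
                    f"{account_prefix}:configuration-set/*",
                    f"{account_prefix}:template/*",
                    f"{account_prefix}:custom-verification-email-template/*",
                ],
            },
            {
                "Sid": "ListTemplates",
                "Effect": "Allow",
                "Action": "ses:ListTemplates",
                "Resource": "*",
            },
        ],
    }


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def action_matches(pattern: str, action: str) -> bool:
    """IAM-style match: '*' matches any run of characters, case-insensitively."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def lint_ses_policy(policy: dict) -> list:
    """Return one finding per Allow statement that lets a send action hit any identity."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = _as_list(stmt.get("Action", []))
        sends = sorted(a for a in SES_SEND_ACTIONS
                       if any(action_matches(p, a) for p in patterns))
        if not sends:
            continue
        # "*", an account-wide "...:*", or a wildcard inside the identity name
        # all let the user send from every verified identity in the account.
        broad = [r for r in _as_list(stmt.get("Resource", []))
                 if r == "*" or r.endswith(":*") or re.search(r":identity/[^:]*\*", r)]
        if broad:
            findings.append(f"{stmt.get('Sid', '<no Sid>')}: {sends} allowed on {broad}")
    return findings


if __name__ == "__main__":
    policy = build_ses_send_policy("123456789012", "us-east-1", "example.com")
    print(json.dumps(policy, indent=4))
    print("findings:", lint_ses_policy(policy))
```

Run it once on the policy you intend to attach; an empty findings list means every send action is tied to a named identity, and any finding names the statement that still lets the user send as the whole account.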