How should I write IAM to make only a certain VPC can send mail via SES?
I use Redash on an EC2 instance, and I have to send invitation mails via Amazon SES.
I'd like to add a setting that restricts the mail sender to a certain VPC, the one where the Redash instance is located.
Here's my IAM policy for SES:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ses:SendRawEmail",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceVpce": "vpce-******"
                },
                "ForAnyValue:StringLike": {
                    "ses:Recipients": "*@mycompany.com"
                }
            }
        }
    ]
}
But I can't send any mail. I think it's because I use a VPC endpoint in the policy above. It's not available for SES yet.
Is there any other way to specify a certain VPC?
amazon-web-services amazon-iam amazon-ses redash
edited Nov 21 at 3:57 by John Rotenstein
asked Nov 21 at 2:35 by Udomomo
1 Answer
This is an interesting challenge!
The Amazon SES interface is on the internet, so theoretically anything can access it. Normally, policy restrictions use permissions on the IAM User or Role that calls SES to determine whether calls are allowed, rather than from where the call is made.
I assume you are doing this because you only want your Production system to send emails, rather than Dev/Test systems.
However, it is not possible to restrict via VPC, because Amazon SES has no visibility of the concept of a VPC. It simply receives API calls via the Internet.
If your application is in a private subnet and sends requests via a NAT Gateway, then you could add a policy to restrict based upon the IP address of the NAT Gateway.
You could do this either by putting the restriction on the Allow statement, or by adding a Deny statement.
See: AWS: Denies Access to AWS Based on the Source IP - AWS Identity and Access Management
answered Nov 21 at 3:56 by John Rotenstein
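The two policy shapes the answer describes (restriction on the Allow statement versus a separate Deny statement), written out as an added example that is not part of the question or the answer. The NAT Gateway address is a constructed placeholder, and the evaluator is a deliberately simplified model of just the operators used here, written so the two variants can be compared locally before the real policy is deployed.

```python
import fnmatch
import ipaddress
# Constructed placeholder (TEST-NET-3), not a value from the question: the NAT Gateway's Elastic IP.
NAT_GATEWAY_IP = "203.0.113.10"
# Variant 1: the source-IP restriction lives on the Allow statement itself.
ALLOW_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "ses:SendRawEmail", "Resource": "*",
    "Condition": {
        "IpAddress": {"aws:SourceIp": f"{NAT_GATEWAY_IP}/32"},
        "ForAnyValue:StringLike": {"ses:Recipients": "*@mycompany.com"},
    }}]}
# Variant 2: an unconditional Allow plus an explicit Deny for every other source address.
DENY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ses:SendRawEmail", "Resource": "*"},
    {"Effect": "Deny", "Action": "ses:*", "Resource": "*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": f"{NAT_GATEWAY_IP}/32"}}},
]}

def request_context(source_ip, recipients):
    # Context keys as IAM would see them for one SendRawEmail call.
    return {"aws:SourceIp": [source_ip], "ses:Recipients": list(recipients)}

def _condition_matches(condition, ctx):
    # Simplified model of only the operators used above, not IAM's real evaluator.
    for operator, pairs in condition.items():
        for key, pattern in pairs.items():
            values = ctx.get(key, [])
            if operator in ("IpAddress", "NotIpAddress"):
                net = ipaddress.ip_network(pattern)
                hit = any(ipaddress.ip_address(v) in net for v in values)
                ok = hit if operator == "IpAddress" else not hit
            elif operator == "ForAnyValue:StringLike":
                ok = any(fnmatch.fnmatchcase(v, pattern) for v in values)
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True

def is_allowed(policy, action, ctx):
    # IAM ordering: an explicit Deny wins; otherwise some Allow must match.
    allowed = False
    for stmt in policy["Statement"]:
        if not fnmatch.fnmatchcase(action, stmt["Action"]) \
                or not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Note that ForAnyValue:StringLike, as in the question's policy, passes as soon as one recipient matches, so a message addressed to one internal and one external address is still allowed; ForAllValues:StringLike would require every recipient to match.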