How should I write IAM to make only a certain VPC can send mail via SES?












0














I use Redash on EC2 instance, and I have to send invitation mails via Amazon SES.

I'd like to add a setting to restrict mail sender to inside a certain VPC where the Redash instance is located.



Here's my IAM for SES:



{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ses:SendRawEmail",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:SourceVpce": "vpce-******"
},
"ForAnyValue:StringLike": {
"ses:Recipients": "*@mycompany.com"
}
}
}
]
}


But I can't send any mail. I think it's because I use VPC endpoint in the code above. It's not available for SES yet.

Is there any other way to specify a certain VPC?










share|improve this question





























    0














    I use Redash on EC2 instance, and I have to send invitation mails via Amazon SES.

    I'd like to add a setting to restrict mail sender to inside a certain VPC where the Redash instance is located.



    Here's my IAM for SES:



    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Sid": "VisualEditor0",
    "Effect": "Allow",
    "Action": "ses:SendRawEmail",
    "Resource": "*",
    "Condition": {
    "StringEquals": {
    "aws:SourceVpce": "vpce-******"
    },
    "ForAnyValue:StringLike": {
    "ses:Recipients": "*@mycompany.com"
    }
    }
    }
    ]
    }


    But I can't send any mail. I think it's because I use VPC endpoint in the code above. It's not available for SES yet.

    Is there any other way to specify a certain VPC?










    share|improve this question



























      0












      0








      0







      I use Redash on EC2 instance, and I have to send invitation mails via Amazon SES.

      I'd like to add a setting to restrict mail sender to inside a certain VPC where the Redash instance is located.



      Here's my IAM for SES:



      {
      "Version": "2012-10-17",
      "Statement": [
      {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "ses:SendRawEmail",
      "Resource": "*",
      "Condition": {
      "StringEquals": {
      "aws:SourceVpce": "vpce-******"
      },
      "ForAnyValue:StringLike": {
      "ses:Recipients": "*@mycompany.com"
      }
      }
      }
      ]
      }


      But I can't send any mail. I think it's because I use VPC endpoint in the code above. It's not available for SES yet.

      Is there any other way to specify a certain VPC?










      share|improve this question















      I use Redash on EC2 instance, and I have to send invitation mails via Amazon SES.

      I'd like to add a setting to restrict mail sender to inside a certain VPC where the Redash instance is located.



      Here's my IAM for SES:



      {
      "Version": "2012-10-17",
      "Statement": [
      {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "ses:SendRawEmail",
      "Resource": "*",
      "Condition": {
      "StringEquals": {
      "aws:SourceVpce": "vpce-******"
      },
      "ForAnyValue:StringLike": {
      "ses:Recipients": "*@mycompany.com"
      }
      }
      }
      ]
      }


      But I can't send any mail. I think it's because I use VPC endpoint in the code above. It's not available for SES yet.

      Is there any other way to specify a certain VPC?







      amazon-web-services amazon-iam amazon-ses redash






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Nov 21 at 3:57









      John Rotenstein

      67.1k774118




      67.1k774118










      asked Nov 21 at 2:35









      Udomomo

      9710




      9710
























          1 Answer
          1






          active

          oldest

          votes


















          1














          This is an interesting challenge!



          The Amazon SES interface is on the internet, so theoretically anything can access it. Normally, policy restrictions use permissions on the IAM User or Role that calls SES to determine whether calls are allowed, rather than from where the call is made.



          I assume you are doing this because you only want your Production system to send emails, rather than Dev/Test systems.



          However, it is not possible to restrict via VPC, because Amazon SES has no visibility to the concept of a VPC. It simply receives API calls via the Internet.



          If your application is in a private subnet and sends requests via NAT Gateway, then you could add a policy to restrict based upon the IP address of the NAT Gateway.



          You could do this either by putting the restriction on the Allow statement, or by adding a Deny statement.



          See: AWS: Denies Access to AWS Based on the Source IP - AWS Identity and Access Management






          share|improve this answer





















            Your Answer






            StackExchange.ifUsing("editor", function () {
            StackExchange.using("externalEditor", function () {
            StackExchange.using("snippets", function () {
            StackExchange.snippets.init();
            });
            });
            }, "code-snippets");

            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "1"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53404547%2fhow-should-i-write-iam-to-make-only-a-certain-vpc-can-send-mail-via-ses%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            1














            This is an interesting challenge!



            The Amazon SES interface is on the internet, so theoretically anything can access it. Normally, policy restrictions use permissions on the IAM User or Role that calls SES to determine whether calls are allowed, rather than from where the call is made.



            I assume you are doing this because you only want your Production system to send emails, rather than Dev/Test systems.



            However, it is not possible to restrict via VPC, because Amazon SES has no visibility to the concept of a VPC. It simply receives API calls via the Internet.



            If your application is in a private subnet and sends requests via NAT Gateway, then you could add a policy to restrict based upon the IP address of the NAT Gateway.



            You could do this either by putting the restriction on the Allow statement, or by adding a Deny statement.



            See: AWS: Denies Access to AWS Based on the Source IP - AWS Identity and Access Management






            share|improve this answer


























              1














              This is an interesting challenge!



              The Amazon SES interface is on the internet, so theoretically anything can access it. Normally, policy restrictions use permissions on the IAM User or Role that calls SES to determine whether calls are allowed, rather than from where the call is made.



              I assume you are doing this because you only want your Production system to send emails, rather than Dev/Test systems.



              However, it is not possible to restrict via VPC, because Amazon SES has no visibility to the concept of a VPC. It simply receives API calls via the Internet.



              If your application is in a private subnet and sends requests via NAT Gateway, then you could add a policy to restrict based upon the IP address of the NAT Gateway.



              You could do this either by putting the restriction on the Allow statement, or by adding a Deny statement.



              See: AWS: Denies Access to AWS Based on the Source IP - AWS Identity and Access Management






              share|improve this answer
























                1












                1








                1






                This is an interesting challenge!



                The Amazon SES interface is on the internet, so theoretically anything can access it. Normally, policy restrictions use permissions on the IAM User or Role that calls SES to determine whether calls are allowed, rather than from where the call is made.



                I assume you are doing this because you only want your Production system to send emails, rather than Dev/Test systems.



                However, it is not possible to restrict via VPC, because Amazon SES has no visibility to the concept of a VPC. It simply receives API calls via the Internet.



                If your application is in a private subnet and sends requests via NAT Gateway, then you could add a policy to restrict based upon the IP address of the NAT Gateway.



                You could do this either by putting the restriction on the Allow statement, or by adding a Deny statement.



                See: AWS: Denies Access to AWS Based on the Source IP - AWS Identity and Access Management






                share|improve this answer












                This is an interesting challenge!



                The Amazon SES interface is on the internet, so theoretically anything can access it. Normally, policy restrictions use permissions on the IAM User or Role that calls SES to determine whether calls are allowed, rather than from where the call is made.



                I assume you are doing this because you only want your Production system to send emails, rather than Dev/Test systems.



                However, it is not possible to restrict via VPC, because Amazon SES has no visibility to the concept of a VPC. It simply receives API calls via the Internet.



                If your application is in a private subnet and sends requests via NAT Gateway, then you could add a policy to restrict based upon the IP address of the NAT Gateway.



                You could do this either by putting the restriction on the Allow statement, or by adding a Deny statement.



                See: AWS: Denies Access to AWS Based on the Source IP - AWS Identity and Access Management







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Nov 21 at 3:56









                John Rotenstein

                67.1k774118




                67.1k774118






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Stack Overflow!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.





                    Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


                    Please pay close attention to the following guidance:


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53404547%2fhow-should-i-write-iam-to-make-only-a-certain-vpc-can-send-mail-via-ses%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    404 Error Contact Form 7 ajax form submitting

                    How to know if a Active Directory user can login interactively

                    Refactoring coordinates for Minecraft Pi buildings written in Python