dominikbot
Forum Replies Created
Forum: Plugins
In reply to: [WP Offload SES Lite] SES full access to ambiguous
It’s fine to just use IAM users, that’s what they are there for. You can restrict the IAM user to only use the specific resource with the specific permissions you want. As an example, here is the policy I attached to my IAM user that only deals with this plugin:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "ses:SendRawEmail",
      "Resource": "arn:aws:ses:<rest-of-arn-here>"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "ses:GetSendQuota",
        "ses:GetIdentityVerificationAttributes",
        "ses:ListIdentities"
      ],
      "Resource": "*"
    }
  ]
}
Does that answer your question? Note to any people who copy this: this policy will only work for you if you verify a domain or email identity in the SES console first, then paste the ARN into the first resource slot.
- This reply was modified 4 years, 10 months ago by dominikbot. Reason: formatting
Forum: Plugins
In reply to: [WP Offload SES Lite] SES full access to ambiguous
No problem @mikeg_de
I realize your question wasn’t directed to me, but I don’t think there is a security issue. The real solution is to restrict the permissions to a subset of the ones I listed above in the IAM policy maker. I understand this is probably asking a lot from people who aren’t AWS enthusiasts, but I don’t think the application uses anything it doesn’t really need.
Forum: Plugins
In reply to: [WP Offload SES Lite] SES full access to ambiguous
I solved this problem by looking through the plugin PHP. It uses: ses:SendRawEmail, ses:VerifyEmailIdentity, ses:GetSendQuota, ses:GetIdentityVerificationAttributes, ses:ListIdentities, ses:VerifyDomainIdentity, ses:DeleteIdentity.
Because my identity is used through another application, I left off ses:DeleteIdentity to prevent something catastrophic happening in the worst case. If you verify through the AWS console, I would imagine you could also leave out: ‘ses:VerifyEmailIdentity’.
- This reply was modified 4 years, 10 months ago by dominikbot.
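An added example, not part of the replies above or of the plugin's code: a small offline check that audits an IAM policy document against the action list given in the last reply, flagging wildcard actions, actions outside that list, `ses:DeleteIdentity`, and `ses:SendRawEmail` granted on `*`. The function names and the `BROAD` sample policy are constructed for illustration; `POSTED` is the policy from the first reply with its ARN placeholder left as posted.

```python
import re

# Actions the reply above lists as used by the plugin (copied from the post).
PLUGIN_ACTIONS = {
    "ses:SendRawEmail", "ses:VerifyEmailIdentity", "ses:GetSendQuota",
    "ses:GetIdentityVerificationAttributes", "ses:ListIdentities",
    "ses:VerifyDomainIdentity", "ses:DeleteIdentity",
}

def _as_list(value):
    # IAM allows a single string/object where a list is also accepted.
    return [value] if isinstance(value, (str, dict)) else list(value)

def _matches(pattern, action):
    # IAM action patterns are case-insensitive; * and ? are wildcards.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def audit(policy):
    """Return (sid, action_pattern, finding) tuples for Allow statements."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        resources = _as_list(stmt.get("Resource", []))
        for pattern in _as_list(stmt.get("Action", [])):
            granted = {a for a in PLUGIN_ACTIONS if _matches(pattern, a)}
            if "*" in pattern or "?" in pattern:
                findings.append((sid, pattern, "wildcard action"))
            elif not granted:
                findings.append((sid, pattern, "not in the plugin's action list"))
            if "ses:DeleteIdentity" in granted:
                findings.append((sid, pattern, "allows ses:DeleteIdentity"))
            if "ses:SendRawEmail" in granted and "*" in resources:
                findings.append((sid, pattern, "SendRawEmail not scoped to an identity ARN"))
    return findings

# The policy from the first reply, ARN placeholder kept as posted.
POSTED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow", "Action": "ses:SendRawEmail",
     "Resource": "arn:aws:ses:<rest-of-arn-here>"},
    {"Sid": "VisualEditor1", "Effect": "Allow", "Resource": "*",
     "Action": ["ses:GetSendQuota", "ses:GetIdentityVerificationAttributes",
                "ses:ListIdentities"]},
]}
# Constructed sample of a broad grant, for contrast.
BROAD = {"Version": "2012-10-17", "Statement": {
    "Sid": "All", "Effect": "Allow", "Action": "ses:*", "Resource": "*"}}

if __name__ == "__main__":
    for name, pol in (("posted", POSTED), ("broad", BROAD)):
        print(name, audit(pol))
```

The check only reads `Action` in `Allow` statements; `NotAction` and condition keys are outside what it covers.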