Using restricted SES IAM users

  • Resolved squarecandy

    (@squarecandy)


    2 months, 1 week ago

    Hello –

    We have dozens of client sites that we have setup to use AWS SES for transactional email.

    As a security precaution, we want to make sure if one site’s Access Keys are compromised that the attacker does not gain access to send email from all of our client domains. We also want to make sure that clients can’t see a list of all of our client websites in the settings anywhere. To accomplish this, we use an IAM policy that looks like this:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowSendingToUsersDomain",
                "Effect": "Allow",
                "Action": "ses:*",
                "Resource": [
                    "arn:aws:ses:us-east-1:123456789012:identity/exampleclientsite.com",
                    "arn:aws:ses:us-east-1:123456789012:identity/backupsitefortesting.com"
                ]
            }
        ]
    }

    We are trying to start testing to see if we could switch from the Offload SES Lite plugin to Fluent SMTP. But with the settings above, we can’t even make the initial connection.

    Any recommendations for how to set this up without granting access to list and use all SES Identities on the account?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support Ibrahim Sharif

    (@ibrahimsharif)

    Hello @squarecandy,

    I have reviewed your inquiry regarding using restricted SES IAM users with FluentSMTP. I understand your concerns for security, and I want to assure you that we highly prioritize the privacy and security of our users.

    The issue you’re facing is that by design, FluentSMTP requires permission to list all SES Identities on the account in order to establish a connection. However, we understand that you want to limit access to only specific SES Identities for security reasons.

    To address this, I recommend creating a separate IAM user with limited permissions specifically for FluentSMTP. This user will be granted the necessary permissions to access the required SES settings for FluentSMTP, without compromising the security of your other client sites.

    Please let me know if you have any other questions or issues.

    Thread Starter squarecandy

    (@squarecandy)

    Hi Ibrahim –

    Thanks for getting back to me and taking the time to look into this.

    I recommend creating a separate IAM user with limited permissions specifically for FluentSMTP

    Yes, that’s exactly what we already did. See the original post above. Properly limiting the permissions with a single IAM user per site is what is causing the issue.

    FluentSMTP requires permission to list all SES Identities on the account in order to establish a connection

    We already have “Action”: “ses:*” set which includes listing identities. But we also have restricted the “Resource”: to the specific site identities we want to allow for this client site, so that will block the “list all” action. If I make one IAM user for each client but give them all permission to access all SES Identities, then that still gives every site permission to see our complete client site list and to send emails from any of their domains at any time. There’s no point in making one IAM user per site if they can all access every authorized domain. For us that means if one site is compromised, a spammer could send emails out to their choice of 50+ authorized client domain names.

    I realize that probably many of your users are more casual and need easy setup and also they will just be starting a new AWS account for only one company. The existing setup will work fine for those users. But for agency users, it would be great to have some kind of “advanced” mode or override to be able to set things up in this way where we truly can restrict the IAM user to sending from only specific authorized domains.

Viewing 2 replies - 1 through 2 (of 2 total)
  • You must be logged in to reply to this topic.