Can I authorise a customer account to send email using my SES account?

I have two AWS accounts, one is for my own use and one is used for a customer. Both are in the same Organisation so that I can accurately distinguish costs between my usage and my customer's.

My account has a production SES account, and I would like to enable a lambda function in my customer's account to send emails to me using my production account. Is this possible? It looks like it is https://aws.amazon.com/blogs/messaging-and-targeting/how-to-grant-another-ses-account-or-user-permission-to-send-emails/ but if I'm reading the article right, my customer would have to have production SES access too, in which case there's no point in delegating them access to mine.

I want a scalable model - I don't want the overhead of having to apply for production SES access for every new customer, as the volume of emails is low (they're just operational) but they are sent to an email address in a different domain.

Any help appreciated,

David

asked 5 months ago, 163 views
2 Answers

If the emails your customers will be sending are to you (that is, to your verified/verifiable identities in SES), the message volumes are low, and associated costs would be correspondingly modest and perhaps not notable enough to allocate to your customers, would it be an option for the customer accounts simply to remain in sandbox mode? That would still allow them to send 200 emails per day to verified identities.

Alternatively, would it be possible to allow them to assume a role or roles in your production account, if they're using the REST API to send the mails, or the static username/password derived from the access keys of an IAM user in your account, if they need to use SMTP? You could use the ses:FromAddress and/or ses:Recipients request context condition keys (https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonses.html) to limit the permissions of the role/user to sending emails just to you, despite your production account otherwise having broader sending privileges.

answered 5 months ago
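The assume-a-role option described above, as an added example that is not part of the original answer: the trust and permission policies for a role in the production SES account, scoped with ses:FromAddress and ses:Recipients, and the boto3 calls the customer's Lambda would make. Account IDs, the region, role names and addresses are placeholders.

```python
"""Added example (not from the re:Post thread): a role in the production SES account
that the customer's Lambda assumes, restricted so it can only mail the operator.
All account IDs, the region, role names and addresses are placeholders."""

PRODUCTION_ACCOUNT = "111111111111"   # placeholder: account holding the production SES identity
CUSTOMER_ACCOUNT = "222222222222"     # placeholder: customer account where the Lambda runs
REGION = "eu-west-1"                  # placeholder SES region
SENDER = "reports@example.com"        # placeholder verified identity in the production account
RECIPIENT_DOMAIN = "example.org"      # placeholder: the "different domain" the operator receives at
CUSTOMER_LAMBDA_ROLE = f"arn:aws:iam::{CUSTOMER_ACCOUNT}:role/customer-report-lambda"  # placeholder


def trust_policy(principal_role_arn: str, external_id: str) -> dict:
    """Trust policy of the role in the production account: only the customer's Lambda
    execution role may assume it, and only when it presents the agreed ExternalId."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": principal_role_arn},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}


def sending_policy(sender: str, recipient_domain: str) -> dict:
    """Permissions attached to that role. ses:FromAddress pins the From address, and
    ForAllValues:StringLike on ses:Recipients requires every To/Cc/Bcc address to match
    the allowed domain, so the role cannot be used to relay mail anywhere else."""
    identity_arn = f"arn:aws:ses:{REGION}:{PRODUCTION_ACCOUNT}:identity/{sender}"
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["ses:SendEmail", "ses:SendRawEmail"],
        "Resource": identity_arn,
        "Condition": {
            "StringEquals": {"ses:FromAddress": sender},
            "ForAllValues:StringLike": {"ses:Recipients": [f"*@{recipient_domain}"]},
        },
    }]}


def send_via_production_account(role_arn, external_id, subject, body, to_addrs):
    """Lambda side: assume the scoped role, then send with the temporary credentials.
    The Lambda's own execution role needs sts:AssumeRole on role_arn."""
    import boto3  # imported here so the policy builders above run without the SDK
    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName="customer-report-lambda", ExternalId=external_id
    )["Credentials"]
    ses = boto3.client("ses", region_name=REGION, aws_access_key_id=creds["AccessKeyId"],
                       aws_secret_access_key=creds["SecretAccessKey"],
                       aws_session_token=creds["SessionToken"])
    return ses.send_email(Source=SENDER, Destination={"ToAddresses": list(to_addrs)},
                          Message={"Subject": {"Data": subject}, "Body": {"Text": {"Data": body}}})
```

Because the recipient condition is evaluated in the production account, a compromised customer Lambda still cannot turn the role into an open relay, and CloudTrail in the production account records every AssumeRole with the session name, which gives a per-customer accounting hook.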

Some really interesting ideas there, thanks!

I remembered another use case I need to cater for - each of their users needs to be able to request their lambda to email them any data it's collected (saved in DynamoDB). So I guess I could have all of their email addresses verified, then they could stay in the sandbox and make do with 200 requests per day.

I suspect the simplest solution is for their lambda to collect all the data into a raw email, then assume a role in my production account that allows it to use SES to send that to the requestor. I'll have to work out some way to do the reporting/accounting, maybe out of the CloudWatch logs or something.

Thanks!

David

answered 5 months ago