Configuring AWS SES to allow sending emails from specific ip addresses only

I started using AWS SES to allow my application https://appsare.com to send email notifications.

I enabled SES on my account.

Configured my domain appsare.com with the necessary settings.

The SES console's setup checklist has four steps, three of which are required (you can of course skip the "send test email" step).

After you have:

  • Verified ownership of your email address
  • Verified your domain
  • Requested production access (and had it granted, of course)

You then create credentials so your application can send emails through SES.

Creating these credentials creates an IAM user with an attached policy that authorizes sending email. Here is the problem:

Anyone who gets hold of those credentials can send email through your account.

You may think:

How is this possible?

Why would someone do it?

Well, the bad news is that it is possible (access keys leak through committed config files, CI logs and compromised servers all the time), and there are plenty of people who would do it.

The real problem:

When your account gets used to send emails, mainly marketing spam, the biggest hit is not that emails were sent and you incur some cost. The biggest hit is that the emails are sent to invalid addresses and to people who never consented. This damages your sender reputation: mail to invalid addresses bounces, and many recipients mark the rest as spam.

AWS takes this seriously. Per the SES sending-review thresholds, a bounce rate of 5% or more puts your account under review, and at 10% or more (or if the rate is not brought down during the review period) SES pauses your account's ability to send email. Complaint rates have the same two-stage treatment with much lower thresholds (0.1% review, 0.5% pause).

The quickest way to avoid this problem and protect your reputation is to attach an IAM policy that allows sending only from the public IP address of the machine where your application is deployed.

This is easy to configure. Edit the policy attached to the IAM user that was generated with your SES credentials and add a Condition on aws:SourceIp. The value must be an IP address or CIDR range (a single host is /32); 203.0.113.10 below is a placeholder from the documentation range, so replace it with the public egress address AWS sees for your server:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": "ses:SendRawEmail",
			"Resource": "*",
			"Condition": {
				"IpAddress": {
					"aws:SourceIp": [
						"203.0.113.10/32"
					]
				}
			}
		}
	]
}

With this in place, any other system, even with access to the key and secret, will not be able to send email through your account. A few caveats: this only holds if no other policy attached to that user grants SES send permissions; aws:SourceIp is the public address AWS sees (a NAT gateway's address, not the instance's private IP), and requests made through a VPC endpoint must be matched with aws:VpcSourceIp instead; the SMTP interface maps to ses:SendRawEmail, so if you later switch to the SES API you also need ses:SendEmail; and a leaked key is still usable from the allowed host, so rotate it anyway (or, on EC2, use an instance role instead of long-lived keys).
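To check a candidate policy before attaching it, here is an added Python example (not from the original post and not AWS code) that validates the aws:SourceIp values, generates the policy from a list of addresses, and locally approximates how IAM evaluates it for a given caller address and action. It is a simplified model of IAM's evaluation: only the IpAddress/NotIpAddress conditions on aws:SourceIp and '*' action wildcards are handled. The addresses are constructed from the documentation ranges, and the deny_elsewhere option is my addition: it appends an explicit Deny for ses:Send* from any other address, which wins even if another attached policy grants sending.

```python
import ipaddress

# Constructed example policy in the same shape as the one above. The
# addresses come from the RFC 5737 documentation ranges; replace them with
# the public egress address(es) of the host that actually sends mail.
EXAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ses:SendRawEmail",
            "Resource": "*",
            "Condition": {
                "IpAddress": {"aws:SourceIp": ["203.0.113.10/32", "198.51.100.0/24"]}
            },
        }
    ],
}


def parse_cidrs(values):
    """Parse aws:SourceIp value(s) into network objects.

    IAM accepts a single string or a list. A bare address means one host and
    is normalised to /32 (or /128 for IPv6). Anything else, such as the
    '*.*.*.*' placeholder, is rejected here rather than failing later in IAM.
    """
    if isinstance(values, str):
        values = [values]
    networks = []
    for value in values:
        try:
            networks.append(ipaddress.ip_network(value, strict=False))
        except ValueError as exc:
            raise ValueError(f"not a valid IP or CIDR for aws:SourceIp: {value!r}") from exc
    return networks


def build_policy(allowed, actions=("ses:SendRawEmail",), deny_elsewhere=False):
    """Return an IAM policy dict that allows `actions` only from `allowed`.

    With deny_elsewhere=True a second statement explicitly denies all ses:Send*
    calls from any other address (hypothetical hardening, my addition).
    """
    cidrs = [str(net) for net in parse_cidrs(list(allowed))]
    statements = [{
        "Effect": "Allow",
        "Action": list(actions),
        "Resource": "*",
        "Condition": {"IpAddress": {"aws:SourceIp": cidrs}},
    }]
    if deny_elsewhere:
        statements.append({
            "Effect": "Deny",
            "Action": "ses:Send*",
            "Resource": "*",
            "Condition": {"NotIpAddress": {"aws:SourceIp": cidrs}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def _action_matches(pattern, action):
    # IAM action patterns are case-insensitive and allow a trailing '*'.
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.lower().startswith(pattern[:-1].lower())
    return pattern.lower() == action.lower()


def can_send_from(policy, source_ip, action="ses:SendRawEmail"):
    """Approximate IAM evaluation of one identity-based policy.

    Explicit Deny wins over any Allow; with no matching Allow the result is
    the implicit deny. Only aws:SourceIp conditions are modelled.
    """
    ip = ipaddress.ip_address(source_ip)
    allowed = False
    for stmt in policy["Statement"]:
        patterns = stmt.get("Action", [])
        patterns = [patterns] if isinstance(patterns, str) else patterns
        if not any(_action_matches(p, action) for p in patterns):
            continue
        cond = stmt.get("Condition", {})
        matched = True
        if "IpAddress" in cond:
            nets = parse_cidrs(cond["IpAddress"].get("aws:SourceIp", []))
            matched = any(ip in net for net in nets)
        if matched and "NotIpAddress" in cond:
            nets = parse_cidrs(cond["NotIpAddress"].get("aws:SourceIp", []))
            matched = not any(ip in net for net in nets)
        if not matched:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Once the generated document passes your own checks, attach it to the generated SMTP user with `aws iam put-user-policy --user-name <smtp-user> --policy-name ses-source-ip --policy-document file://policy.json` (the user and policy names are placeholders).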

Madhukar Prabhakara