
I want my AWS SES to receive emails, so I followed this tutorial: http://docs.aws.amazon.com/ses/latest/DeveloperGuide/receiving-email-getting-started-receipt-rule.html

When I got to the last step, creating the rule, it failed with the following error: Could not write to bucket: "email-receiving"

I googled and found that the information at http://docs.aws.amazon.com/ses/latest/DeveloperGuide/receiving-email-permissions.html can fix the issue.

However, when I add my policy statement, I get this error: This policy contains the following error: Has prohibited field Principal. For more information about the IAM policy grammar, see AWS IAM Policies.

My policy statement is,

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GiveSESPermissionToWriteEmail",
            "Effect": "Allow",
            "Principal": {
                "Service": [ "ses.amazonaws.com" ]
            },
            "Action": [ "s3:PutObject" ],
            "Resource": "arn:aws:s3:::mybulketname/*",
            "Condition": {
                "StringEquals": {
                    "aws:Referer": "my12accountId"
                }
            }
        }
    ]
}

If I remove

"Principal": { "Service": [ "ses.amazonaws.com" ] }

the policy validates.

Thanks

JD D
Yun

5 Answers


Go to the bucket -> Permissions -> Bucket Policy and add:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSESPuts",
            "Effect": "Allow",
            "Principal": {
                "Service": "ses.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::BUCKET_NAME/*",
            "Condition": {
                "StringEquals": {
                    "aws:Referer": "YOUR ID"
                }
            }
        }
    ]
}

Read more here https://docs.aws.amazon.com/ses/latest/DeveloperGuide/receiving-email-permissions.html

To find your AWS account ID number on the AWS Management Console, choose Support on the navigation bar on the upper-right, and then choose Support Center. Your currently signed-in account ID appears in the upper-right corner below the Support menu.

Read more here https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html

Yevgeniy Afanasyev
  • This solution worked for me, however it did take me some time to get right. After noticing others mention that removing the `Condition` section works, I determined this is where my error was. In fact, the issue was using dashes in my account ID. Do not enter your account ID into the policy formatted like this: `"aws:Referer": "####-####-####-####"`. Instead, **enter the account ID without dashes** like this: `"aws:Referer": "################"`. – taky2 Jan 29 '19 at 06:28
  • The link that I provide for `Finding Your AWS Account ID` does show the account ID without dashes. Where did you find it with dashes? – Yevgeniy Afanasyev Jan 29 '19 at 21:40
  • sure, the link shows an account ID without dashes but if you’re the account owner (and not under an alias) and follow the instructions at the link to find your ID within the AWS web console it displays your ID with dashes. – taky2 Jan 30 '19 at 01:22
  • I'm the account owner and I follow instruction that I put in the answer and I see my `account number` without any dashes, however it is not in the upper-right corner, it is rather upper-left corner, but the image in the documentation is the same as in reality. – Yevgeniy Afanasyev Jan 30 '19 at 08:13
  • I see what happened now. I was not following your instructions to find my account ID. Instead I was following some AWS documentation that led me here: https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html Notice that the section titled **Finding Your AWS Account ID** describes a different method to find your account ID than your instructions. The account ID obtained following the instructions I linked contains dashes. Sorry for the confusion but at least this is all documented now! ;) – taky2 Feb 02 '19 at 22:16
  • Thank you. Glad my answer worked for you even if you did not follow it :) – Yevgeniy Afanasyev Feb 04 '19 at 00:44
  • Thanks @Yevgeniy. Note to others that if you get this error: `Error: Action does not apply to any resource(s) in statement` then you need to add the `/*` to the Resource string, as shown in the answer above. When I generated my policy from scratch, I missed the fact that you *must* specify a `key_name`, which can just be a `*` wildcard. – stwr667 Apr 15 '19 at 12:11

I followed this advice but was still having the issue. After much debugging, I realized that SES was failing to write because I had default server-side encryption (on the bucket) set to "AWS-KMS".

I did a 5 minute google search and couldn't find this incompatibility documented anywhere.

You can work around this by updating your default encryption setting on the target bucket to either "AES-256" or "None".

JD D

This problem has been resolved.
Create the policy on the bucket you want to grant SES permission to, not in IAM.

Yun

Note, I continued to have this error even after correctly specifying permissions. If you are using cross-region (e.g. SES is in N Virginia and S3 Bucket is in Africa) then you either need to specify the bucket name with the region or else just make the bucket in the same region.

D2TheC

I have the same problem. If I only delete the "Condition", the policy passes and the "RuleSet" is OK:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GiveSESPermissionToWriteEmail",
            "Effect": "Allow",
            "Principal": {
                "Service": "ses.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::mybulketname/*"
        }
    ]
}
Moe
Enrique C.
  • { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowSESPuts", "Effect": "Allow", "Principal": { "Service": "ses.amazonaws.com" }, "Action": "s3:PutObject", "Resource": "arn:aws:s3:::mybulketname/*", "Condition": { "StringEquals": { "aws:Referer": "myIdAccount" } } } ] } – Enrique C. Apr 03 '18 at 21:26
  • this `/*` in Resource field is critical – Yevgeniy Afanasyev Jun 28 '18 at 00:59
  • removing the condition is not a good idea as it allows others in different accounts to configure ses to add things to your bucket... this could happen if someone typos a bucket name – JD D Mar 27 '19 at 23:09
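A small builder and linter for the bucket policy discussed in this thread, covering the `/*` point from the accepted answer's comments and JD D's warning above about dropping the Condition. This is an added example, not code from the thread; it uses only the Python standard library, makes no AWS call, and the bucket names and account IDs used with it are constructed.

```python
# Added example (not from the thread): build the accepted answer's bucket
# policy and lint an existing one for the pitfalls the thread describes:
# Resource missing "/*", no Condition scoping SES to one account, dashes in
# the account ID. Standard library only; nothing here talks to AWS.
import re

SES_PRINCIPAL = "ses.amazonaws.com"
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")

def normalize_account_id(raw):
    """Strip dashes some console pages show; reject anything not 12 digits."""
    account_id = raw.replace("-", "")
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError("account ID must be 12 digits, got %r" % raw)
    return account_id

def build_ses_bucket_policy(bucket, account_id):
    """Bucket policy (attach to the bucket, not to an IAM user or role)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowSESPuts",
        "Effect": "Allow",
        "Principal": {"Service": SES_PRINCIPAL},
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::%s/*" % bucket,
        "Condition": {"StringEquals": {"aws:Referer": normalize_account_id(account_id)}},
    }]}

def lint_ses_bucket_policy(policy):
    """Return findings for each Allow statement whose principal is SES."""
    findings = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        if isinstance(services, str):
            services = [services]
        if stmt.get("Effect") != "Allow" or SES_PRINCIPAL not in services:
            continue
        sid = stmt.get("Sid", "<no Sid>")
        resources = stmt.get("Resource", [])
        for res in [resources] if isinstance(resources, str) else resources:
            if not res.endswith("/*"):
                findings.append("%s: Resource %r lacks the /* object-key wildcard" % (sid, res))
        referer = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:Referer")
        if referer is None:
            findings.append("%s: no aws:Referer condition, so SES in any account can write" % sid)
        elif not ACCOUNT_ID_RE.match(str(referer)):
            findings.append("%s: aws:Referer %r is not a 12-digit account ID (dashes?)" % (sid, referer))
    return findings
```

Run `lint_ses_bucket_policy` over the JSON you are about to paste into the bucket policy editor; an empty list means none of the three pitfalls from this thread are present.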