1

I have the following issue with AWS Cognito using AWS SES for sending emails:

I configured Cognito using SES by CDK, but I read in the documentation that the "Service-linked role permissions" is required:

Using Service-Linked Roles for Amazon Cognito

All other AWS documentation about this topic was also not helpful for me.

Now I'm not sure how I should add this role permission. I have a configured permission boundary, but I don't have this role there.

My question: Do I need to add this in the Permission Boundary or via CDK using IAM, and if I have to do this with CDK, which method?

Thanks in advance!

droebi
  • I am not sure if using SES in Cognito is already supported. According to this page, it is not supported yet. https://docs.aws.amazon.com/cdk/api/latest/docs/aws-cognito-readme.html – addicted Oct 23 '21 at 08:52
  • @addicted Thanks for your comment! My problem is not configuring SES by CDK; my question is related to the Service-Linked Roles (do I have to add this in my Cognito CDK code or in the PermissionBoundary?) – droebi Oct 23 '21 at 16:14

1 Answer

0

I found the solution by myself:

The "Service-linked role permissions" has to be configured in SES itself and not in Cognito (or elsewhere).

Therefore go to

  1. AWS SES / Section: Identity Management

  2. Domains or Email Addresses

  3. Click on your entry and expand Identity Policies

  4. Create Policy for:

    Service: "email.cognito-idp.amazonaws.com"

    Allow Actions: "ses:SendEmail", "ses:SendRawEmail"

droebi
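The identity policy from the steps above, written out as a JSON document and checked for over-broad grants. This is an added example, not code from the original answer: the function names are hypothetical, the ARNs are constructed placeholders, and the optional `aws:SourceAccount` / `aws:SourceArn` condition is an addition that limits sending to one account and one user pool.

```python
import json

COGNITO_SES_PRINCIPAL = "email.cognito-idp.amazonaws.com"  # service from the answer
SEND_ACTIONS = ["ses:SendEmail", "ses:SendRawEmail"]       # actions from the answer

def build_policy(identity_arn, account_id=None, user_pool_arn=None):
    """Build the SES identity policy that lets Cognito send from identity_arn."""
    stmt = {"Sid": "AllowCognitoSend", "Effect": "Allow",
            "Principal": {"Service": COGNITO_SES_PRINCIPAL},
            "Action": SEND_ACTIONS, "Resource": identity_arn}
    if account_id and user_pool_arn:  # optional scoping, an addition to the answer
        stmt["Condition"] = {"StringEquals": {"aws:SourceAccount": account_id},
                             "ArnLike": {"aws:SourceArn": user_pool_arn}}
    return {"Version": "2012-10-17", "Statement": [stmt]}

def _listify(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy, identity_arn):
    """Return a list of findings for a policy attached to the SES identity."""
    findings, cognito_ok = [], False
    allowed = {a.lower() for a in SEND_ACTIONS}
    for n, stmt in enumerate(_listify(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or "*" in _listify(principal.get("AWS", [])):
            findings.append(f"statement {n}: any AWS principal may send")
            continue
        if COGNITO_SES_PRINCIPAL not in _listify(principal.get("Service", [])):
            continue  # statement is for some other principal
        cognito_ok = True
        extra = [a for a in _listify(stmt.get("Action", [])) if a.lower() not in allowed]
        if extra:
            findings.append(f"statement {n}: actions beyond sending: {extra}")
        if _listify(stmt.get("Resource")) != [identity_arn]:
            findings.append(f"statement {n}: Resource is not the identity ARN")
        if "Condition" not in stmt:
            findings.append(f"statement {n}: no aws:SourceAccount/aws:SourceArn condition")
    if not cognito_ok:
        findings.append("no Allow statement for " + COGNITO_SES_PRINCIPAL)
    return findings

if __name__ == "__main__":
    # Constructed placeholder ARNs, not real resources.
    arn = "arn:aws:ses:eu-west-1:111122223333:identity/example.com"
    pool = "arn:aws:cognito-idp:eu-west-1:111122223333:userpool/eu-west-1_EXAMPLE"
    policy = build_policy(arn, "111122223333", pool)
    print(json.dumps(policy, indent=2), audit_policy(policy, arn))
```

The printed JSON is what goes into the identity's policy editor in step 4; an empty findings list means the statement grants only the two send actions on that one identity.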