
How do I restrict access for some users to operate only on SES and not other services on my AWS account?

Example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowsSES",
            "Effect": "Allow",
            "Action": "ses:*",
            "Resource": "*"
        },
        {
            "Sid": "DenyAllOthers",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*"
        }
    ]
}
John Rotenstein
Tulho Melo
    Removing the second statement should have the desired effect generally. If you explicitly want to deny it, you can use a `NotAction` for `ses:*`. Do you need an explicit deny / is the lack of an allow not enough? – luk2302 Dec 16 '21 at 21:36
  • Allowed is only what is allowed (Deny is used to prevent actions allowed by other, more generic policies). My concern is allowing all SES actions on all resources. What is the user intended to do? Even create/modify and delete the SES resources? – gusto2 Dec 16 '21 at 21:47
  • I want to allow access to all SES features for a user. But I want to completely block access to all other AWS services. – Tulho Melo Dec 16 '21 at 21:53
  • As stated above, the Deny is redundant and will not have the desired effect. Note that within an IAM policy, by default everything is IMPLICITLY denied (does not need to be defined) and the EXPLICIT Allow you have stated above should be sufficient. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow – Norman Dec 16 '21 at 23:16

2 Answers


IAM Users in AWS have no access by default. They only have access when permission is specifically granted to them via Allow policies.

This can happen via IAM policies, but some services can also grant permission directly, such as Amazon S3 bucket policies and Amazon SQS access policies.

In general, it is best to avoid using Deny policies, since they override Allow policies. It is better to simply limit what is granted via Allow policies. Sometimes, however, a Deny is required. For example, an Administrator might be granted permission over all S3 buckets, but specifically Denied access to a bucket that contains sensitive data.

For your situation, it should be sufficient simply to use your first (Allow) policy to grant them access to Amazon SES. By default, they will not have access to any other service.

John Rotenstein
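As an added illustration (not code from the question or either answer), here is a small Python model of the evaluation logic described above: an explicit Deny wins over any Allow, and anything not allowed is implicitly denied. It evaluates the question's Deny-all policy, the Allow-only fix, and the NotAction variant suggested in the comments; all three policies are constructed for this example, and conditions, NotResource and resource-based policies are deliberately ignored.

```python
import fnmatch

# Constructed for this example: the question's policy, the Allow-only fix, and
# the NotAction form from the comments. "2012-10-17" is the Version IAM expects.
DENY_ALL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowsSES", "Effect": "Allow", "Action": "ses:*", "Resource": "*"},
        {"Sid": "DenyAllOthers", "Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
}

ALLOW_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowsSES", "Effect": "Allow", "Action": "ses:*", "Resource": "*"},
    ],
}

NOT_ACTION_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowsSES", "Effect": "Allow", "Action": "ses:*", "Resource": "*"},
        {"Sid": "DenyNonSES", "Effect": "Deny", "NotAction": "ses:*", "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM matches actions and resources case-insensitively with * and ? wildcards.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def evaluate(policies, action, resource="*"):
    """Simplified IAM evaluation: explicit Deny wins, then Allow, else implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if "Action" in stmt:
                action_hit = _matches(stmt["Action"], action)
            else:  # NotAction: the statement applies to every action NOT listed
                action_hit = not _matches(stmt["NotAction"], action)
            if not action_hit or not _matches(stmt.get("Resource", "*"), resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit deny"  # a matching Deny ends evaluation
            allowed = True
    return "allow" if allowed else "implicit deny"
```

Running `evaluate([DENY_ALL_POLICY], "ses:SendEmail")` returns "explicit deny", which is why the question's second statement blocks SES as well, while the Allow-only policy returns "allow" for SES and "implicit deny" for any other service.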

For your case the below policy is all you need

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowsSES",
            "Effect": "Allow",
            "Action": "ses:*",
            "Resource": "arn:aws:ses:(regiondetail):(AWSAccountNumber):identity/(AWSIAMName)"
        }
    ]
}

The reason is that you are potentially creating a policy that is a bit contradictory. You are providing access and denying access to everyone. So the policy, when applied in real time, might not work as you expect and still give access to you.

Also, use a Deny policy when absolutely necessary, and use it for denying access to specific users or resources as appropriate. Also, when you give specific access like above, it will give access to ONLY those users.

Including a Deny, you can use the below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowsSES",
            "Effect": "Allow",
            "Action": "ses:*",
            "Resource": "*"
        },
        {
            "Sid": "DenySelected",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "arn:aws:ses:(regiondetail):(AWSAccountNumber):identity/(AWSIAMName)"
        }
    ]
}
Abdur Rahman