
Configuring Cognito User Pool to send emails with SES at ap-southeast-2


I have the following CloudFormation template (it is part of a serverless.yml template) to create a Cognito UserPool that sends e-mails using SES.

I am deploying my serverless project on ap-southeast-2, and I wanted to use the same region to send e-mails from. I have pre-verified in ap-southeast-2 the account in the template in SES, but if I replace the SourceArn in the template below (last line) with the ap-southeast-2 (or the serverless pseudo variable #{AWS::Region}) region I get an error:

An error occurred: CognitoUserPool - Unable to send email message, please try again (Service: AWSCognitoIdentityProviderService; Status Code: 400; Error Code: InvalidParameterException; Request ID: ...).

When I replace the region with us-west-2 (as in the template below), it works. Why is ap-southeast-2 not supported if it allows me to use SES from that region?

  CognitoUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      # Generate a name based on the stage
      UserPoolName: ${self:provider.stage}-user-pool
      # Set email as an alias
      AutoVerifiedAttributes:
        - email
      # UsernameAttributes and AliasAttributes are mutually exclusive configuration options
      AliasAttributes: # instead of UsernameAttributes:
        - preferred_username
        - email
      UsernameConfiguration:
        CaseSensitive: false
      AccountRecoverySetting:
        RecoveryMechanisms:
          - Name: verified_email
            Priority: 1
      AdminCreateUserConfig:
        UnusedAccountValidityDays: 5
        AllowAdminCreateUserOnly: false
      Policies:
        PasswordPolicy:
          MinimumLength: 10
          RequireLowercase: true
          RequireNumbers: true
          RequireSymbols: true
          RequireUppercase: true
      Schema:
        - Name: membershipType
          Required: false
          Mutable: true
          AttributeDataType: String
      VerificationMessageTemplate:
        DefaultEmailOption: CONFIRM_WITH_LINK
        EmailMessageByLink: "Please click on the following link to verify: {##Verify Email##}"
        EmailSubjectByLink: Please confirm your registration 
      EmailConfiguration:
        EmailSendingAccount: DEVELOPER
        From: my@email.com
        ReplyToEmailAddress: my@email.com
        SourceArn: arn:aws:ses:us-west-2:#{AWS::AccountId}:identity/my@email.com

Solution

  • This feature is not supported in ap-southeast-2. Can't do much until AWS provides that support in the new regions.

    From docs:

    Available regions for Amazon SES are US East (N. Virginia) us-east-1, US West (Oregon) us-west-2, and Europe (Ireland) eu-west-1. Amazon SES doesn't support email receiving in the following Regions: Asia Pacific (Mumbai), Asia Pacific (Sydney), Canada (Central), Europe (Frankfurt), Europe (London), South America (São Paulo), and AWS GovCloud (US).
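
A pre-deploy check for the situation in this question, as an added example that is not part of the original post or answer: it reads the `SourceArn` of every `AWS::Cognito::UserPool` in a parsed `Resources` mapping, resolves the region placeholder to the deploy region, and flags an SES region outside the three quoted in the answer. The function names and the `SUPPORTED_SES_REGIONS` set are assumptions for illustration; the region list is copied from the answer and should be compared with current AWS documentation.

```python
import re

# Regions quoted in the answer above (copied from the page, not re-checked against AWS docs).
SUPPORTED_SES_REGIONS = {"us-east-1", "us-west-2", "eu-west-1"}

# arn:<partition>:ses:<region>:<account>:identity/<address-or-domain>
# Region and account may still be unresolved placeholders at lint time.
SES_IDENTITY_ARN = re.compile(
    r"^arn:aws[a-z-]*:ses:([#$]\{AWS::Region\}|[a-z0-9-]+):"
    r"(?:[#$]\{AWS::AccountId\}|\d{12}):identity/.+$")
# "#{AWS::Region}" is the form used on the page; "${AWS::Region}" is the Fn::Sub form.
REGION_PLACEHOLDER = re.compile(r"^[#$]\{AWS::Region\}$")


def check_source_arn(source_arn, deploy_region):
    """Return None if the SES region is acceptable, else a finding string."""
    match = SES_IDENTITY_ARN.match(source_arn)
    if match is None:
        return f"not an SES identity ARN: {source_arn!r}"
    region = match.group(1)
    if REGION_PLACEHOLDER.match(region):
        region = deploy_region  # the placeholder resolves to the stack's region
    if region not in SUPPORTED_SES_REGIONS:
        return (f"SES region {region!r} is not in {sorted(SUPPORTED_SES_REGIONS)}; "
                "the page reports InvalidParameterException for this case")
    return None


def lint_user_pools(resources, deploy_region):
    """Check every AWS::Cognito::UserPool in a parsed Resources mapping."""
    findings = []
    for logical_id, resource in resources.items():
        if resource.get("Type") != "AWS::Cognito::UserPool":
            continue
        email_cfg = resource.get("Properties", {}).get("EmailConfiguration", {})
        source_arn = email_cfg.get("SourceArn")
        if source_arn is None:
            continue  # no SES identity configured, nothing to check
        finding = check_source_arn(source_arn, deploy_region)
        if finding:
            findings.append((logical_id, finding))
    return findings


# Constructed sample: the page's resource reduced to the fields the check reads.
SAMPLE = {"CognitoUserPool": {"Type": "AWS::Cognito::UserPool", "Properties": {
    "EmailConfiguration": {
        "EmailSendingAccount": "DEVELOPER",
        "SourceArn": "arn:aws:ses:#{AWS::Region}:#{AWS::AccountId}:identity/my@email.com"}}}}

if __name__ == "__main__":
    for logical_id, finding in lint_user_pools(SAMPLE, "ap-southeast-2"):
        print(f"{logical_id}: {finding}")
```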