Using the AWS SDK, I can create an SES verified email address. But how do I create a policy to give SendEmail and SendRawEmail permissions to the email (like in the console)? My understanding is the AwsCustomResource policy attribute gives permissions to the Lambda function creating the resource and NOT to the created resource itself.
  import * as cr from '@aws-cdk/custom-resources';
  import * as iam from '@aws-cdk/aws-iam';

  // Verifies the SES email identity on create and removes it on delete.
  // cognitoEmailAddress is the address being verified (defined elsewhere in the stack).
  const customResource = new cr.AwsCustomResource(this, 'VerifyEmailIdentity', {
    onCreate: {
      service: 'SES',
      action: 'verifyEmailIdentity',
      parameters: {
        EmailAddress: cognitoEmailAddress,
      },
      physicalResourceId: cr.PhysicalResourceId.of(`verify-${cognitoEmailAddress}`),
    },
    onDelete: {
      service: 'SES',
      action: 'deleteIdentity',
      parameters: {
        Identity: cognitoEmailAddress,
      },
    },
    // These permissions go to the Lambda that backs the custom resource,
    // not to the SES identity it creates.
    policy: cr.AwsCustomResourcePolicy.fromStatements([
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: ['ses:VerifyEmailIdentity', 'ses:DeleteIdentity'],
        resources: ['*'],
      }),
    ]),
  });
Add the following additional code, which calls the SES putIdentityPolicy API, allowing (for example) the Cognito service to SendEmail and SendRawEmail.
  import * as cdk from '@aws-cdk/core';
  import * as cr from '@aws-cdk/custom-resources';
  import * as iam from '@aws-cdk/aws-iam';

  const cognitoEmailAddress = 'myemail@mydomain.com';
  // Resolve region and account from the enclosing stack so the identity ARN is correct.
  const { region: myRegion, account: myAccount } = cdk.Stack.of(this);
  const cognitoEmailAddressArn = `arn:aws:ses:${myRegion}:${myAccount}:identity/${cognitoEmailAddress}`;

  // SES sending-authorization (identity) policy: lets the Cognito service principal
  // send mail as this identity. This is attached to the identity, not to the Lambda.
  const policy = {
    Version: '2008-10-17',
    Statement: [
      {
        Sid: 'stmt1621717794524',
        Effect: 'Allow',
        Principal: {
          Service: 'cognito-idp.amazonaws.com',
        },
        Action: [
          'ses:SendEmail',
          'ses:SendRawEmail',
        ],
        Resource: cognitoEmailAddressArn,
      },
    ],
  };

  const putIdentityPolicy = new cr.AwsCustomResource(this, 'PutIdentityPolicy', {
    onCreate: {
      service: 'SES',
      action: 'putIdentityPolicy',
      parameters: {
        Identity: cognitoEmailAddress,
        Policy: JSON.stringify(policy),
        PolicyName: 'CognitoSESEmail',
      },
      physicalResourceId: cr.PhysicalResourceId.of(`policy-${cognitoEmailAddress}`),
    },
    onDelete: {
      service: 'SES',
      action: 'deleteIdentityPolicy',
      parameters: {
        Identity: cognitoEmailAddress,
        PolicyName: 'CognitoSESEmail',
      },
    },
    // There is a policy bug in the CDK for custom resources: https://github.com/aws/aws-cdk/issues/4533
    // Use the following policy workaround. https://stackoverflow.com/questions/65886628/verify-ses-email-address-through-cdk
    policy: cr.AwsCustomResourcePolicy.fromStatements([
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: ['ses:PutIdentityPolicy', 'ses:DeleteIdentityPolicy'],
        resources: ['*'],
      }),
    ]),
  });

  // The identity must exist before a policy can be attached to it, so order the
  // two custom resources explicitly (customResource is the VerifyEmailIdentity above).
  putIdentityPolicy.node.addDependency(customResource);
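The identity policy above is a resource policy on the SES identity, so whatever it grants can send mail as that address. The following is an added example (not code from the question or the answer) that builds the same policy with a constructed account, identity ARN and user pool ARN, adds the usual `aws:SourceAccount` / `aws:SourceArn` scoping for service principals, and reviews a policy document for over-broad grants before it is passed to `putIdentityPolicy`.

```typescript
// Constructed sample values (placeholders, not from the original post).
const EXAMPLE_ACCOUNT = '123456789012';
const EXAMPLE_IDENTITY_ARN = `arn:aws:ses:us-east-1:${EXAMPLE_ACCOUNT}:identity/myemail@mydomain.com`;
const EXAMPLE_USER_POOL_ARN = `arn:aws:cognito-idp:us-east-1:${EXAMPLE_ACCOUNT}:userpool/us-east-1_EXAMPLE`;

type Principal = '*' | { Service?: string; AWS?: string };
interface Statement {
  Sid: string;
  Effect: 'Allow' | 'Deny';
  Principal: Principal;
  Action: string[];
  Resource: string;
  Condition?: Record<string, Record<string, string>>;
}
interface IdentityPolicy { Version: string; Statement: Statement[] }

// The sending-authorization policy from the answer, narrowed so that only the
// named user pool in this account (not any Cognito pool anywhere) can send as the identity.
function buildIdentityPolicy(identityArn: string, userPoolArn: string, account: string): IdentityPolicy {
  return {
    Version: '2008-10-17',
    Statement: [{
      Sid: 'AllowCognitoUserPoolToSend',
      Effect: 'Allow',
      Principal: { Service: 'cognito-idp.amazonaws.com' },
      Action: ['ses:SendEmail', 'ses:SendRawEmail'],
      Resource: identityArn,
      Condition: {
        StringEquals: { 'aws:SourceAccount': account },
        ArnLike: { 'aws:SourceArn': userPoolArn },
      },
    }],
  };
}

// Review the document before JSON.stringify-ing it into putIdentityPolicy:
// anything that widens who may send as the identity is reported as a finding.
function policyFindings(policy: IdentityPolicy, identityArn: string): string[] {
  const allowed = new Set(['ses:SendEmail', 'ses:SendRawEmail']);
  const findings: string[] = [];
  for (const s of policy.Statement.filter(st => st.Effect === 'Allow')) {
    const p = s.Principal;
    if (p === '*' || p.Service === '*' || p.AWS === '*') findings.push(`${s.Sid}: wildcard principal`);
    if (s.Resource !== identityArn) findings.push(`${s.Sid}: resource is not the identity ARN`);
    for (const a of s.Action) if (!allowed.has(a)) findings.push(`${s.Sid}: unexpected action ${a}`);
    const scoped = Object.values(s.Condition ?? {}).some(m => 'aws:SourceArn' in m || 'aws:SourceAccount' in m);
    if (!scoped) findings.push(`${s.Sid}: no aws:SourceArn/aws:SourceAccount condition (confused deputy)`);
  }
  return findings;
}
```

An empty findings list means the policy only lets the one named user pool send as the identity; run the check in a unit test so a later edit that loosens the principal, resource or actions fails the build.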