I have the following issue with AWS Cognito using AWS SES for sending emails:
I configured Cognito using SES via CDK, but I read in the documentation that the "Service-linked role permissions" are required:
Using Service-Linked Roles for Amazon Cognito
All other AWS documentation about this topic was also not helpful for me.
Now I'm not sure how I should add this role permission. I have a configured permission boundary, but here I don't have this role.
My question: Do I need to add this in the Permission Boundary or via CDK using IAM, and if I have to do this with CDK, which method?
Thanks in advance!
I found the solution by myself:
The "Service-linked role permissions" has to be configured in SES itself and not in Cognito (or elsewhere).
Therefore go to
AWS SES / Section: Identity Management
Domains or Email Addresses
Click on your entry and expand Identity Policies
Create Policy for:
Service: "email.cognito-idp.amazonaws.com"
Allow Actions: "ses:SendEmail", "ses:SendRawEmail"
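The identity policy described in the answer, written out as an added example (not code from the original post): it builds the policy exactly as listed, builds a variant scoped with the `aws:SourceAccount` and `aws:SourceArn` condition keys (an addition beyond what the post lists), and flags statements that grant the Cognito principal without either key. The function names, Sid, ARNs and account ID are constructed placeholders.

```python
import json

COGNITO_EMAIL_PRINCIPAL = "email.cognito-idp.amazonaws.com"
SEND_ACTIONS = ["ses:SendEmail", "ses:SendRawEmail"]
SOURCE_KEYS = {"aws:sourceaccount", "aws:sourcearn"}

def build_policy(identity_arn, account_id=None, user_pool_arn=None):
    """SES identity policy for Cognito; scoped when account/pool are given."""
    statement = {
        "Sid": "AllowCognitoToSend",  # hypothetical Sid
        "Effect": "Allow",
        "Principal": {"Service": COGNITO_EMAIL_PRINCIPAL},
        "Action": SEND_ACTIONS,
        "Resource": identity_arn,
    }
    condition = {}
    if account_id:
        condition["StringEquals"] = {"aws:SourceAccount": account_id}
    if user_pool_arn:
        condition["ArnLike"] = {"aws:SourceArn": user_pool_arn}
    if condition:
        statement["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [statement]}

def unscoped_statements(policy):
    """Sids of Allow statements for the Cognito principal with no source condition."""
    findings = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        if isinstance(services, str):
            services = [services]
        if stmt.get("Effect") != "Allow" or COGNITO_EMAIL_PRINCIPAL not in services:
            continue
        # Condition key names are case-insensitive, so compare in lower case.
        keys = {k.lower() for cond in stmt.get("Condition", {}).values() for k in cond}
        if not keys & SOURCE_KEYS:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

# Constructed placeholder values, not taken from the original post.
IDENTITY_ARN = "arn:aws:ses:eu-west-1:111122223333:identity/example.com"
POOL_ARN = "arn:aws:cognito-idp:eu-west-1:111122223333:userpool/eu-west-1_EXAMPLE"
as_described = build_policy(IDENTITY_ARN)                 # policy as listed in the answer
scoped = build_policy(IDENTITY_ARN, "111122223333", POOL_ARN)

if __name__ == "__main__":
    print(json.dumps(scoped, indent=2))                   # paste into Identity Policies
    print("unscoped:", unscoped_statements(as_described))
```

The printed JSON can be pasted into the custom policy editor under Identity Policies once the placeholders are replaced with your own identity ARN, account ID and user pool ARN.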