

# Security in Amazon Simple Email Service
<a name="security"></a>

Cloud security at AWS is the highest priority. As an AWS customer, you benefit from a data center and network architecture that is built to meet the requirements of the most security-sensitive organizations.

Security is a shared responsibility between AWS and you. The [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) describes this as security of the cloud and security in the cloud:
+ **Security of the cloud** – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the [AWS Compliance Programs](https://aws.amazon.com/compliance/programs/). To learn about the compliance programs that apply to Amazon Simple Email Service, see [AWS Services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/).
+ **Security in the cloud** – Your responsibility is determined by the AWS service that you use. You are also responsible for other factors including the sensitivity of your data, your company’s requirements, and applicable laws and regulations.

This documentation helps you understand how to apply the shared responsibility model when using Amazon Simple Email Service. It shows you how to configure Amazon Simple Email Service to meet your security and compliance objectives. You also learn how to use other AWS services that help you to monitor and secure your Amazon Simple Email Service resources.

**Note**  
If you need to report abuse of AWS resources, including email spam and malware distribution, do not use the feedback link on any of the pages of this developer guide, as the form is received by the AWS Documentation team, not AWS Trust & Safety. Instead, on the [How do I report abuse of AWS resources?](https://aws.amazon.com/premiumsupport/knowledge-center/report-aws-abuse/) page, follow the directions to contact the AWS Trust & Safety team to report any type of Amazon AWS abuse.

**Topics**
+ [Data protection](data-protection.md)
+ [Identity and access management](control-user-access.md)
+ [Logging and monitoring](security-monitoring-overview.md)
+ [Compliance validation](compliance-validation.md)
+ [Resilience](disaster-recovery-resiliency.md)
+ [Infrastructure security in SES](infrastructure-security.md)
+ [VPC endpoints](send-email-set-up-vpc-endpoints.md)

# Data protection in Amazon Simple Email Service
<a name="data-protection"></a>

The AWS [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) applies to data protection in Amazon Simple Email Service. As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. You are also responsible for the security configuration and management tasks for the AWS services that you use. For more information about data privacy, see the [Data Privacy FAQ](https://aws.amazon.com/compliance/data-privacy-faq/). For information about data protection in Europe, see the [AWS Shared Responsibility Model and GDPR](https://aws.amazon.com/blogs/security/the-aws-shared-responsibility-model-and-gdpr/) blog post on the *AWS Security Blog*.

For data protection purposes, we recommend that you protect AWS account credentials and set up individual users with AWS IAM Identity Center or AWS Identity and Access Management (IAM). That way, each user is given only the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the following ways:
+ Use multi-factor authentication (MFA) with each account.
+ Use SSL/TLS to communicate with AWS resources. We require TLS 1.2 and recommend TLS 1.3.
+ Set up API and user activity logging with AWS CloudTrail. For information about using CloudTrail trails to capture AWS activities, see [Working with CloudTrail trails](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-trails.html) in the *AWS CloudTrail User Guide*.
+ Use AWS encryption solutions, along with all default security controls within AWS services.
+ Use advanced managed security services such as Amazon Macie, which assists in discovering and securing sensitive data that is stored in Amazon S3.
+ If you require FIPS 140-3 validated cryptographic modules when accessing AWS through a command line interface or an API, use a FIPS endpoint. For more information about the available FIPS endpoints, see [Federal Information Processing Standard (FIPS) 140-3](https://aws.amazon.com/compliance/fips/).

We strongly recommend that you never put confidential or sensitive information, such as your customers' email addresses, into tags or free-form text fields such as a **Name** field. This includes when you work with Amazon Simple Email Service or other AWS services using the console, API, AWS CLI, or AWS SDKs. Any data that you enter into tags or free-form text fields used for names may be used for billing or diagnostic logs. If you provide a URL to an external server, we strongly recommend that you do not include credentials information in the URL to validate your request to that server.

**Topics**
+ [Data encryption at rest for Amazon SES](encryption-rest.md)
+ [Encryption in transit](#encryption-transit)
+ [Deleting personal data from Amazon SES](deleting-personal-data.md)

# Data encryption at rest for Amazon SES
<a name="encryption-rest"></a>

By default, Amazon SES encrypts all data at rest. Encryption by default helps reduce the operational overhead and complexity involved in protecting data. Encryption also enables you to create Mail Manager archives that meet strict encryption compliance and regulatory requirements.

SES provides the following encryption options:
+ **AWS owned keys** – SES uses these by default. You can't view, manage, or use AWS owned keys, or audit their use. However, you don't have to take any action or change any programs to protect the keys that encrypt your data. For more information, see [AWS owned keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk) in the *AWS Key Management Service Developer Guide*. 
+ **Customer managed keys** – SES supports the use of symmetric customer managed keys that you create, own, and manage. Because you have full control of the encryption, you can perform such tasks as: 
  + Establishing and maintaining key policies
  + Establishing and maintaining IAM policies and grants
  + Enabling and disabling keys
  + Rotating key cryptographic material
  + Adding tags
  + Creating key aliases
  + Scheduling keys for deletion

  To use your own key, choose a customer managed key when you create your SES resources.

  For more information, see [Customer managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) in the *AWS Key Management Service Developer Guide*. 

**Note**  
SES automatically enables encryption at rest using AWS owned keys at no charge.   
However, AWS KMS charges apply for using a customer managed key. For more information about pricing, see the [AWS Key Management Service pricing](https://aws.amazon.com/kms/pricing/).

## Create a customer managed key
<a name="create-key"></a>

 You can create a symmetric customer managed key by using the AWS Management Console, or the AWS KMS APIs.

**To create a symmetric customer managed key**

Follow the steps for [Creating symmetric encryption KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html#create-symmetric-cmk) in the *AWS Key Management Service Developer Guide*.

**Note**  
For archiving, your key must meet the following requirements:  
The key must be symmetric.
The key material origin must be `AWS_KMS`.
The key usage must be `ENCRYPT_DECRYPT`.

**Key policy**

Key policies control access to your customer managed key. Every customer managed key must have exactly one key policy, which contains statements that determine who can use the key and how they can use it. When you create your customer managed key, you can specify a key policy. For more information, see [Managing access to customer managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/control-access-overview.html#managing-access) in the *AWS Key Management Service Developer Guide*.

To use your customer managed key with Mail Manager archiving, your key policy must permit the following API operations:
+ [kms:DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html) – Provides the customer managed key details that allow SES to validate the key.
+ [kms:GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html) – Allows SES to generate a data key for encrypting data at rest.
+ [kms:Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) – Allows SES to decrypt stored data before returning it to API clients.

The following example shows a complete key policy that contains this statement. The first statement is the default administrative statement that AWS KMS adds when you create a key; a key policy without one leaves nobody in the account able to manage the key. The SES statement as shown is not conditioned on which resource SES is acting for; the ingress endpoint example later in this section shows how to scope a service-principal statement with `aws:SourceArn` and the encryption context.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow SES to encrypt/decrypt",
            "Effect": "Allow",
            "Principal": { "Service": "ses.amazonaws.com" },
            "Action": [
                "kms:GenerateDataKey",
                "kms:Decrypt",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}
```

For more information, see [specifying permissions in a policy](https://docs.aws.amazon.com/kms/latest/developerguide/control-access-overview.html#overview-policy-elements), in the *AWS Key Management Service Developer Guide*.

For more information about troubleshooting, see [troubleshooting key access](https://docs.aws.amazon.com/kms/latest/developerguide/policy-evaluation.html#example-no-iam), in the *AWS Key Management Service Developer Guide*.

## Specifying a customer managed key for Mail Manager
<a name="enable-custom-encryption"></a>

You can specify a customer managed key as an alternative to using AWS owned keys. When you create an archive or configure an ingress endpoint with mutual TLS (mTLS) authentication, you specify the key by entering a **KMS key ARN**. For archiving, Mail Manager uses the key to encrypt all customer data in the archive. For mTLS ingress endpoints, Mail Manager uses the key to encrypt the trust store contents at rest.
+ **KMS key ARN** – A [key identifier](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id) for an AWS KMS customer managed key. Enter a key ID, key ARN, alias name, or alias ARN.

## Amazon SES encryption context
<a name="location-encryption-context"></a>

An [encryption context](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) is an optional set of key-value pairs that contain additional contextual information about the data.

AWS KMS uses the encryption context as additional authenticated data to support authenticated encryption. When you include an encryption context in a request to encrypt data, AWS KMS binds the encryption context to the encrypted data. To decrypt data, you include the same encryption context in the request.

**Note**  
For archive creation, Amazon SES doesn't support controlling access through the encryption context. Use an IAM policy or a KMS key policy instead. For example policies, see [Archive creation policies](#archive-creation-policies), later in this section.

**Amazon SES encryption context**

SES uses the same encryption context in all AWS KMS cryptographic operations, where the key is `aws:ses:arn` and the value is the resource [Amazon Resource Name](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) (ARN).

**Example**  

```
"encryptionContext": {
    "aws:ses:arn": "arn:aws:ses:us-west-2:111122223333:ExampleResourceName/ExampleResourceID"
}
```

**Using encryption context for monitoring**

When you use a symmetric customer managed key to encrypt your SES resource, you can also use the encryption context in audit records and logs to identify how the customer managed key is being used. The encryption context also appears in [logs generated by AWS CloudTrail or Amazon CloudWatch Logs](#example-custom-encryption).

**Using encryption context to control access to your customer managed key**

You can use the encryption context in key policies and IAM policies as `conditions` to control access to your symmetric customer managed key. You can also use encryption context constraints in a grant.

SES uses an encryption context constraint in grants to control access to the customer managed key in your account and Region. The grant constraint requires that the operations that the grant allows use the specified encryption context.

**Example**  
The following are example key policy statements to grant access to a customer managed key for a specific encryption context. The condition in this policy statement requires that the grants have an encryption context constraint that specifies the encryption context.  

```
{
    "Sid": "Enable DescribeKey",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/ExampleReadOnlyRole"
     },
     "Action": "kms:DescribeKey",
     "Resource": "*"
},
{
     "Sid": "Enable CreateGrant",
     "Effect": "Allow",
     "Principal": {
         "AWS": "arn:aws:iam::111122223333:role/ExampleReadOnlyRole"
     },
     "Action": "kms:CreateGrant",
     "Resource": "*",
     "Condition": {
         "StringEquals": {
             "kms:EncryptionContext:aws:ses:arn": "arn:aws:ses:us-west-2:111122223333:ExampleResourceName/ExampleResourceID"
          }
     }
}
```

## Archive creation policies
<a name="archive-creation-policies"></a>

The following example policies allow archive creation with a customer managed key. Both use `"Resource": "*"`: in a key policy that is required (it always refers to the key the policy is attached to), while in the IAM policy you can instead name the ARN of the specific key.

**IAM policy**

Attach this policy to the principal that creates the archive. The `kms:ViaService` condition means the principal can use the key only when SES calls AWS KMS on its behalf, not by calling KMS directly.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCreateArchive",
            "Effect": "Allow",
            "Action": "ses:CreateArchive",
            "Resource": "*"
        },
        {
            "Sid": "AllowKeyUseThroughSes",
            "Effect": "Allow",
            "Action": [
                "kms:DescribeKey",
                "kms:GenerateDataKey",
                "kms:Decrypt"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "ses.us-east-1.amazonaws.com",
                    "kms:CallerAccount": "111122223333"
                }
            }
        }
    ]
}
```

**AWS KMS key policy**

Add this statement to the key's existing policy, alongside the administrative statement that lets your account manage the key.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow SES to encrypt/decrypt",
            "Effect": "Allow",
            "Principal": {
                "Service": "ses.amazonaws.com"
            },
            "Action": [
                "kms:GenerateDataKey",
                "kms:Decrypt",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}
```

## Ingress endpoint mTLS policies
<a name="ingress-endpoint-mtls-policies"></a>

The following example policies allow a customer managed key to encrypt the trust store contents used for mutual TLS (mTLS) authentication on Mail Manager ingress endpoints. The IAM policy is for the role that configures the ingress endpoint and supplies the key ARN; the key policy statements grant the SES service principal the access it needs afterwards. Add the key policy statements alongside your key's administrative statement (for example, the default statement for the account root): a key policy that contains only these statements leaves nobody able to manage the key.

To scope the example policies to a specific ingress endpoint, replace the wildcard in the condition with the exact resource ARN (for example, `arn:aws:ses:us-east-1:111122223333:mailmanager-ingress-point/inp-ab1c2defgh3ij4klmno5pq6rs`).

**IAM policy**

Attach this policy to the IAM role that configures the ingress endpoint. Because it is an identity policy, it has no `Principal` element; the `kms:ViaService` condition restricts the role to using the key through SES.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:GenerateDataKey",
                "kms:Decrypt"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "ses.us-east-1.amazonaws.com"
                },
                "StringLike": {
                    "kms:EncryptionContext:aws:ses:arn": [
                        "arn:aws:ses:us-east-1:111122223333:mailmanager-ingress-point/*"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "kms:DescribeKey",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "ses.us-east-1.amazonaws.com"
                }
            }
        }
    ]
}
```

**AWS KMS key policy**

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ses.amazonaws.com"
            },
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:SourceArn": [
                        "arn:aws:ses:us-east-1:111122223333:mailmanager-ingress-point/*"
                    ],
                    "kms:EncryptionContext:aws:ses:arn": [
                        "arn:aws:ses:us-east-1:111122223333:mailmanager-ingress-point/*"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ses.amazonaws.com"
            },
            "Action": [
                "kms:DescribeKey"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:SourceArn": [
                        "arn:aws:ses:us-east-1:111122223333:mailmanager-ingress-point/*"
                    ]
                }
            }
        }
    ]
}
```
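The difference between the unconditioned "typical" key policy statement shown earlier and the scoped statements in the archive and ingress endpoint sections is easiest to see by evaluating both against concrete requests. The following is an added example, not code from this guide or from AWS: a small evaluator that models only the subset of IAM key-policy semantics the policies on this page use (`Allow` statements, `Service` and `AWS` principals, `Action` lists, and the `StringEquals` and `StringLike` operators on `kms:ViaService`, `aws:SourceArn` and `kms:EncryptionContext:aws:ses:arn`). Explicit `Deny`, `NotPrincipal`, policy variables and identity policies are out of scope, and the role name, the `inp-notyours` ingress point and account `999999999999` are constructed for the example. Whether a given service accepts a key ARN from another account is a property of that service; the point here is what the key policy alone would permit.

```python
"""Evaluate the key-policy statements on this page against sample KMS requests."""
import fnmatch

# Constructed identifiers; the Region and account match the page's mTLS example.
ACCOUNT, REGION = "111122223333", "us-east-1"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/rolename"
OWN_INGRESS_POINT = f"arn:aws:ses:{REGION}:{ACCOUNT}:mailmanager-ingress-point/inp-ab1c2defgh3ij4klmno5pq6rs"
FOREIGN_INGRESS_POINT = f"arn:aws:ses:{REGION}:999999999999:mailmanager-ingress-point/inp-notyours"
OWN_INGRESS_PATTERN = f"arn:aws:ses:{REGION}:{ACCOUNT}:mailmanager-ingress-point/*"

# The unconditioned "typical key policy" statement shown earlier on this page.
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ses.amazonaws.com"},
    "Action": ["kms:GenerateDataKey", "kms:Decrypt", "kms:DescribeKey"],
    "Resource": "*",
}]}

# The page's ingress-endpoint statements: the role may use the key only through SES and
# only for this account's ingress points; SES itself only on behalf of those points.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
     "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": "*",
     "Condition": {"StringEquals": {"kms:ViaService": f"ses.{REGION}.amazonaws.com"},
                   "StringLike": {"kms:EncryptionContext:aws:ses:arn": [OWN_INGRESS_PATTERN]}}},
    {"Effect": "Allow", "Principal": {"Service": "ses.amazonaws.com"},
     "Action": ["kms:Decrypt"], "Resource": "*",
     "Condition": {"StringLike": {"aws:SourceArn": [OWN_INGRESS_PATTERN],
                                  "kms:EncryptionContext:aws:ses:arn": [OWN_INGRESS_PATTERN]}}},
    {"Effect": "Allow", "Principal": {"Service": "ses.amazonaws.com"},
     "Action": ["kms:DescribeKey"], "Resource": "*",
     "Condition": {"StringLike": {"aws:SourceArn": [OWN_INGRESS_PATTERN]}}},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(operator, expected, actual):
    """IAM semantics: a condition key missing from the request context fails the test."""
    if actual is None:
        return False
    if operator == "StringEquals":
        return actual in _as_list(expected)
    if operator == "StringLike":  # '*' and '?' wildcards, case-sensitive
        return any(fnmatch.fnmatchcase(actual, pattern) for pattern in _as_list(expected))
    raise ValueError(f"operator {operator} not modelled")


def is_allowed(policy, principal, action, context):
    """principal: {'Service': ...} or {'AWS': ...}; context: condition key -> value.
    Resource is always '*' in a key policy, so it is not checked."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in _as_list(stmt["Action"]):
            continue
        if not any(principal.get(kind) in _as_list(ids) for kind, ids in stmt["Principal"].items()):
            continue
        conditions = stmt.get("Condition", {})
        if all(_condition_holds(op, expected, context.get(key))
               for op, block in conditions.items() for key, expected in block.items()):
            return True
    return False


SES = {"Service": "ses.amazonaws.com"}
ROLE = {"AWS": ROLE_ARN}


def scenarios():
    """Each scenario -> (allowed by OPEN_POLICY, allowed by SCOPED_POLICY)."""
    cases = {
        "ses decrypts this account's trust store":
            (SES, "kms:Decrypt", {"aws:SourceArn": OWN_INGRESS_POINT,
                                  "kms:EncryptionContext:aws:ses:arn": OWN_INGRESS_POINT}),
        "ses decrypts on behalf of a foreign ingress point":
            (SES, "kms:Decrypt", {"aws:SourceArn": FOREIGN_INGRESS_POINT,
                                  "kms:EncryptionContext:aws:ses:arn": FOREIGN_INGRESS_POINT}),
        "role encrypts trust store through SES":
            (ROLE, "kms:GenerateDataKey", {"kms:ViaService": f"ses.{REGION}.amazonaws.com",
                                           "kms:EncryptionContext:aws:ses:arn": OWN_INGRESS_POINT}),
        "role calls Decrypt directly with the same context":
            (ROLE, "kms:Decrypt", {"kms:EncryptionContext:aws:ses:arn": OWN_INGRESS_POINT}),
    }
    return {name: (is_allowed(OPEN_POLICY, *args), is_allowed(SCOPED_POLICY, *args))
            for name, args in cases.items()}


if __name__ == "__main__":
    for name, (open_ok, scoped_ok) in scenarios().items():
        print(f"{name:52} open={open_ok!s:5} scoped={scoped_ok}")
```

The second scenario is the confused-deputy pattern that `aws:SourceArn` exists to block: the open statement lets the service principal use the key whatever resource it is acting for, while the scoped statement only matches this account's ingress points. The fourth scenario shows what `kms:ViaService` buys you: the role can have the trust store encrypted and decrypted through SES, but cannot call `Decrypt` on the key itself to read the stored data, even with the right encryption context.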

## Monitoring your encryption keys for Amazon SES
<a name="example-custom-encryption"></a>

When you use an AWS KMS customer managed key with your Amazon SES resources, you can use [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) or [Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html) to track requests that SES sends to AWS KMS.

The following examples are AWS CloudTrail events for `GenerateDataKey`, `Decrypt`, and `DescribeKey` to monitor KMS operations called by SES to access data encrypted by your customer managed key:

------
#### [ GenerateDataKey ]

When you enable an AWS KMS customer managed key for your resource, SES generates a unique data key for that resource. It sends a `GenerateDataKey` request to AWS KMS that specifies the AWS KMS customer managed key for the resource.

When you enable an AWS KMS customer managed key for your Mail Manager archive resource, SES calls `GenerateDataKey` when encrypting archive data at rest.

The following example event records the `GenerateDataKey` operation:

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AWSService",
        "invokedBy": "ses.amazonaws.com"
    },
    "eventTime": "2021-04-22T17:07:02Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GenerateDataKey",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "172.12.34.56",
    "userAgent": "ExampleDesktop/1.0 (V1; OS)",
    "requestParameters": {
        "encryptionContext": {
            "aws:ses:arn": "arn:aws:ses:us-west-2:111122223333:ExampleResourceName/ExampleResourceID"
        },
        "keySpec": "AES_256",
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
    },
    "responseElements": null,
    "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "eventCategory": "Management",
    "recipientAccountId": "111122223333",
    "sharedEventID": "57f5dbee-16da-413e-979f-2c4c6663475e"
}
```

------
#### [ Decrypt ]

When you access an encrypted resource, SES calls the `Decrypt` operation to use the stored encrypted data key to access the encrypted data. 

The following example event records the `Decrypt` operation:

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AWSService",
        "invokedBy": "ses.amazonaws.com"
    },
    "eventTime": "2021-04-22T17:10:51Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "172.12.34.56",
    "userAgent": "ExampleDesktop/1.0 (V1; OS)",
    "requestParameters": {
        "encryptionContext": {
            "aws:ses:arn": "arn:aws:ses:us-west-2:111122223333:ExampleResourceName/ExampleResourceID"
        },
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE",
        "encryptionAlgorithm": "SYMMETRIC_DEFAULT"
    },
    "responseElements": null,
    "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "eventCategory": "Management",
    "recipientAccountId": "111122223333",
    "sharedEventID": "dc129381-1d94-49bd-b522-f56a3482d088"
}
```

------
#### [ DescribeKey ]

SES uses the `DescribeKey` operation to verify whether the AWS KMS customer managed key associated with your resource exists in the account and Region.

The following example event records the `DescribeKey` operation:

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",
        "arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE3",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",
                "arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01",
                "accountId": "111122223333",
                "userName": "Admin"
            },
            "webIdFederationData": {},
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2021-04-22T17:02:00Z"
            }
        },
        "invokedBy": "ses.amazonaws.com"
    },
    "eventTime": "2021-04-22T17:07:02Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "DescribeKey",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "172.12.34.56",
    "userAgent": "ExampleDesktop/1.0 (V1; OS)",
    "requestParameters": {
        "keyId": "00dd0db0-0000-0000-ac00-b0c000SAMPLE"
    },
    "responseElements": null,
    "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "eventCategory": "Management",
    "recipientAccountId": "111122223333"
}
```

------
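The records above give you a baseline for a key dedicated to SES: every data-key operation is invoked by `ses.amazonaws.com`, and every encryption context names an SES resource in your own account. The following is an added example, not code from this guide or from AWS, that runs three checks over CloudTrail records shaped like those above: a `GenerateDataKey` or `Decrypt` on the key that was not invoked by SES (a principal reading the data key directly, which means the key policy is wider than intended), an encryption context whose `aws:ses:arn` points at a resource outside your account, and any call that KMS refused. A record whose `userIdentity` is a role but carries `invokedBy: ses.amazonaws.com`, like the `DescribeKey` record above, is SES acting with your role's credentials and is not flagged. The sample records, the foreign account `999999999999` and the second key ARN are constructed for the example.

```python
"""Triage CloudTrail records for KMS calls on the key that protects SES resources."""
from collections import Counter

# Constructed identifiers: the page's example key and account, plus a foreign account
# (999999999999) used to show what a misuse record would look like.
KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
OWN_RESOURCE_PREFIX = "arn:aws:ses:us-west-2:111122223333:"
DATA_OPS = {"GenerateDataKey", "Decrypt"}  # the operations that touch data keys


def _event(event_id, name, invoked_by=None, principal_arn=None, ctx_arn=None,
           key_arn=KEY_ARN, error_code=None):
    """Build a trimmed CloudTrail KMS record with the fields the checks below read."""
    if invoked_by:
        identity = {"type": "AWSService", "invokedBy": invoked_by}
    else:
        identity = {"type": "AssumedRole", "arn": principal_arn}
    params = {"keyId": key_arn}
    if ctx_arn:
        params["encryptionContext"] = {"aws:ses:arn": ctx_arn}
    rec = {"eventID": event_id, "eventSource": "kms.amazonaws.com", "eventName": name,
           "userIdentity": identity, "requestParameters": params,
           "resources": [{"type": "AWS::KMS::Key", "ARN": key_arn}]}
    if error_code:
        rec["errorCode"] = error_code
    return rec


# Constructed sample log, modelled on the record shapes shown above.
SAMPLE_EVENTS = [
    # Baseline: SES generating a data key for a resource in this account.
    _event("evt-a", "GenerateDataKey", invoked_by="ses.amazonaws.com",
           ctx_arn=OWN_RESOURCE_PREFIX + "ExampleResourceName/ExampleResourceID"),
    # Finding: SES decrypting under an encryption context that names another account.
    _event("evt-b", "Decrypt", invoked_by="ses.amazonaws.com",
           ctx_arn="arn:aws:ses:us-west-2:999999999999:ExampleResourceName/ForeignResourceID"),
    # Finding: a human role calling Decrypt on the key directly rather than through SES.
    _event("evt-c", "Decrypt",
           principal_arn="arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01",
           ctx_arn=OWN_RESOURCE_PREFIX + "ExampleResourceName/ExampleResourceID"),
    # Finding: SES was refused; usually a key policy gap or a disabled key.
    _event("evt-d", "DescribeKey", invoked_by="ses.amazonaws.com", error_code="AccessDenied"),
    # Different key: outside this scan's scope and ignored.
    _event("evt-e", "GenerateDataKey", invoked_by="ses.amazonaws.com",
           key_arn="arn:aws:kms:us-west-2:111122223333:key/0000aaaa-0000-0000-0000-000000OTHER",
           ctx_arn=OWN_RESOURCE_PREFIX + "ExampleResourceName/ExampleResourceID"),
]


def _touches_key(rec, key_arn):
    """True when the record names key_arn in its resources or requestParameters.keyId."""
    in_resources = any(r.get("ARN") == key_arn for r in rec.get("resources", []))
    return in_resources or rec.get("requestParameters", {}).get("keyId") == key_arn


def ses_kms_findings(events, key_arn=KEY_ARN, own_prefix=OWN_RESOURCE_PREFIX):
    """Return [(eventID, finding)] for KMS records on key_arn that break the baseline:
    a key dedicated to SES is only used by ses.amazonaws.com, only under an encryption
    context naming this account's SES resources, and without errors."""
    findings = []
    for rec in events:
        if rec.get("eventSource") != "kms.amazonaws.com" or not _touches_key(rec, key_arn):
            continue
        if "errorCode" in rec:
            findings.append((rec["eventID"], "KMS_ERROR:" + rec["errorCode"]))
        if rec.get("eventName") in DATA_OPS:
            identity = rec.get("userIdentity", {})
            if identity.get("invokedBy") != "ses.amazonaws.com":
                findings.append((rec["eventID"], "DIRECT_CALL:" + identity.get("arn", "unknown")))
            ctx_arn = rec.get("requestParameters", {}).get("encryptionContext", {}).get("aws:ses:arn", "")
            if not ctx_arn.startswith(own_prefix):
                findings.append((rec["eventID"], "FOREIGN_ENCRYPTION_CONTEXT:" + ctx_arn))
    return findings


def usage_summary(events, key_arn=KEY_ARN):
    """Count (operation, caller) pairs on the key; a dedicated SES key shows one caller."""
    def caller(rec):
        identity = rec.get("userIdentity", {})
        return identity.get("invokedBy") or identity.get("arn")
    return Counter((rec["eventName"], caller(rec)) for rec in events if _touches_key(rec, key_arn))


if __name__ == "__main__":
    for event_id, finding in ses_kms_findings(SAMPLE_EVENTS):
        print(event_id, finding)
    print(usage_summary(SAMPLE_EVENTS))
```

In practice you would feed `ses_kms_findings` the records returned by a CloudTrail Lake query or a CloudWatch Logs subscription filtered on `eventSource = kms.amazonaws.com`, and alert on any non-empty result; `usage_summary` is the quick sanity check that the key is only being used by the caller you expect.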

## Learn more
<a name="Learn-more-data-at-rest-encryption"></a>

The following resources provide more information about data encryption at rest.
+ For more information about [AWS Key Management Service basic concepts](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html), see the *AWS Key Management Service Developer Guide*.
+ For more information about [Security best practices for AWS Key Management Service](https://docs.aws.amazon.com/kms/latest/developerguide/best-practices.html), see the *AWS Key Management Service Developer Guide*.

## Encryption in transit
<a name="encryption-transit"></a>

By default, Amazon SES uses opportunistic TLS. This means that Amazon SES always attempts to make a secure connection to the receiving mail server. If it can't establish a secure connection, it sends the message unencrypted. You can change this behavior so that Amazon SES sends the message to the receiving email server only if it can establish a secure connection. For more information, see [Amazon SES and security protocols](security-protocols.md).

# Deleting personal data from Amazon SES
<a name="deleting-personal-data"></a>

Depending on how you use it, Amazon SES might store certain data that could be considered personal. For example, in order to send email using Amazon SES, you must provide at least one verified identity (an email address or a domain). You can use the Amazon SES console or the Amazon SES API to permanently delete this personal data.

This chapter provides procedures for deleting various types of data that might be considered personal.

**Topics**
+ [Delete Email Addresses From the Account-Level Suppression List](#deleting-personal-data-account-suppression-list)
+ [Delete Data About Email Sent Using Amazon SES](#deleting-personal-data-message-data)
+ [Delete Data About Identities](#deleting-personal-data-identities)
+ [Delete Sender Authentication Data](#deleting-personal-data-sender-authentication)
+ [Delete Data Related to Receiving Rules](#deleting-personal-data-receiving-rules)
+ [Delete Data Related to IP Address Filters](#deleting-personal-data-ip-address-filters)
+ [Delete Data in Email Templates](#deleting-personal-data-email-templates)
+ [Delete Data in Custom Verification Email Templates](#deleting-personal-data-cve-templates)
+ [Delete All Personal Data by Closing Your AWS Account](#deleting-personal-data-closing-account)

## Delete Email Addresses From the Account-Level Suppression List
<a name="deleting-personal-data-account-suppression-list"></a>

Amazon SES includes an optional account-level suppression list. When you enable this feature, email addresses are automatically added to a suppression list when they result in a bounce or complaint. Email addresses remain on this list until you delete them. For more information about the account-level suppression list, see [Using the Amazon SES account-level suppression list](sending-email-suppression-list.md).

You can remove email addresses from the account-level suppression list by using the `DeleteSuppressedDestination` operation in the [Amazon SES API v2](https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_DeleteSuppressedDestination.html). This section includes a procedure for deleting email addresses by using the AWS CLI. For more information about installing and configuring the AWS CLI, see the [AWS Command Line Interface User Guide](https://docs.aws.amazon.com/cli/latest/userguide/).

**To remove an address from the account-level suppression list by using the AWS CLI**
+ At the command line, enter the following command:

  ```
  aws sesv2 delete-suppressed-destination --email-address recipient@example.com
  ```

  In the preceding command, replace *recipient@example.com* with the email address that you want to remove from the account-level suppression list.

## Delete Data About Email Sent Using Amazon SES
<a name="deleting-personal-data-message-data"></a>

When you use Amazon SES to send an email, you can send information about that email to other AWS services. For example, you can send information about email events (such as deliveries, opens, and clicks) to Firehose. This event data typically contains your email address and the IP address the email was sent from. It also contains the email addresses of all the recipients the email was sent to.

You can use Firehose to stream email event data to several destinations—including Amazon Simple Storage Service, Amazon OpenSearch Service, and Amazon Redshift. To remove this data, you should first stop streaming data to Firehose, and then delete the data that has already been streamed. To stop streaming Amazon SES event data to Firehose, you must delete the Firehose event destination.

**To remove a Firehose event destination by using the Amazon SES console**

1. Open the Amazon SES console at [https://console.aws.amazon.com/ses/](https://console.aws.amazon.com/ses/).

1. Under **Email Sending**, choose **Configuration Sets**.

1. In the list of configuration sets, choose the configuration set that contains the Firehose event destination.

1. Next to the Firehose event destination that you want to delete, choose the **delete** (X) button.

1. If necessary, remove the data that Firehose wrote to other services. For more information, see [Remove Stored Event Data](#deleting-personal-data-message-data-storage).

You can also use the Amazon SES API to delete event destinations. The following procedure uses the AWS Command Line Interface (AWS CLI) to interact with the Amazon SES API. You can also interact with the API by using an AWS SDK, or by making HTTP requests directly.

**To remove a Firehose event destination by using the AWS CLI**

1. At the command line, type the following command:

   ```
   aws sesv2 delete-configuration-set-event-destination --configuration-set-name configSet \
   --event-destination-name eventDestination
   ```

   In this command, replace *configSet* with the name of the configuration set that contains the Firehose event destination. Replace *eventDestination* with the name of the Firehose event destination.

1. If necessary, remove the data that Firehose wrote to other services. For more information, see [Remove Stored Event Data](#deleting-personal-data-message-data-storage).

### Remove Stored Event Data
<a name="deleting-personal-data-message-data-storage"></a>

For more information about deleting information from other AWS services, see the following documents:
+ [Delete an Object and Bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/DeletingAnObjectandBucket.html) in the *Amazon Simple Storage Service User Guide*
+ [Delete an OpenSearch Service Domain](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/es-gsg-deleting.html) in the *Amazon OpenSearch Service Developer Guide*
+ [Deleting a Cluster](https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#delete-cluster) in the *Amazon Redshift Cluster Management Guide*

You can also use Firehose to stream email data to Splunk, a third-party service that isn't supported by AWS or managed in the AWS Management Console. For more information about removing data from Splunk, consult your system administrator or the documentation on the [Splunk website](http://docs.splunk.com/Documentation).

## Delete Data About Identities
<a name="deleting-personal-data-identities"></a>

Identities include the email addresses and domains that you use to send email using Amazon SES. In some jurisdictions, email addresses or domains might be considered personally identifiable data.

**To delete an identity by using the Amazon SES console**

1. Open the Amazon SES console at [https://console.aws.amazon.com/ses/](https://console.aws.amazon.com/ses/).

1. Under **Identity Management**, do one of the following:
   + Choose **Domains** if you want to delete a domain.
   + Choose **Email Addresses** if you want to delete an email address.

1. Choose the identity that you want to delete, and then choose **Remove**.

1. On the confirmation dialog box, choose **Yes, Delete Identity**.

You can also use the Amazon SES API to delete identities. The following procedure uses the AWS Command Line Interface (AWS CLI) to interact with the Amazon SES API. You can also interact with the API by using an AWS SDK, or by making HTTP requests directly.

**To delete an identity by using the AWS CLI**
+ At the command line, type the following command:

  ```
  aws ses delete-identity --identity sender@example.com
  ```

  In this command, replace *sender@example.com* with the identity that you want to delete.

## Delete Sender Authentication Data
<a name="deleting-personal-data-sender-authentication"></a>

Sending authorization is the process of configuring Amazon SES so that another user can send email on your behalf. To enable it, you create a sending authorization policy, as described in [Using sending authorization with Amazon SES](sending-authorization.md). These policies contain identities (which belong to you) together with the AWS account IDs or IAM principal ARNs of the person or group that sends email on your behalf. You can remove this personal data by modifying or deleting the policies. The following procedures show you how to delete them.

**To delete a sender authentication policy by using the Amazon SES console**

1. Open the Amazon SES console at [https://console.aws.amazon.com/ses/](https://console.aws.amazon.com/ses/).

1. Under **Identity Management**, do one of the following:
   + Choose **Domains** if the sender authentication policy you want to delete is associated with a domain.
   + Choose **Email Addresses** if the sender authentication policy you want to delete is associated with an email address.

1. Under **Identity Policies**, choose the policy you want to delete, and then choose **Remove Policy**.

You can also use the Amazon SES API to delete sender authentication policies. The following procedure uses the AWS Command Line Interface (AWS CLI) to interact with the Amazon SES API. You can also interact with the API by using an AWS SDK, or by making HTTP requests directly.

**To delete a sender authentication policy by using the AWS CLI**
+ At the command line, type the following command:

  ```
  aws ses delete-identity-policy --identity example.com --policy-name samplePolicy
  ```

  In this command, replace *example.com* with the identity that contains the sender authentication policy. Replace *samplePolicy* with the name of the sender authentication policy.

## Delete Data Related to Receiving Rules
<a name="deleting-personal-data-receiving-rules"></a>

If you use Amazon SES to receive incoming email, you can create receipt rules that are applied to one or more identities (email addresses or domains). These rules determine what Amazon SES does with incoming mail sent to the specified identities.

**To delete a receipt rule by using the Amazon SES console**

1. Open the Amazon SES console at [https://console.aws.amazon.com/ses/](https://console.aws.amazon.com/ses/).

1. Under **Email Receiving**, choose **Rule Sets**.

1. If the receipt rule is part of the active rule set, choose **View Active Rule Set**. Otherwise, choose the rule set that contains the receipt rule that you want to delete.

1. In the list of receipt rules, choose the rule that you want to delete.

1. On the **Actions** menu, choose **Delete**.

1. On the confirmation dialog box, choose **Delete**.

You can also use the Amazon SES API to delete receipt rules. The following procedure uses the AWS Command Line Interface (AWS CLI) to interact with the Amazon SES API. You can also interact with the API by using an AWS SDK, or by making HTTP requests directly.

**To delete a receipt rule by using the AWS CLI**
+ At the command line, type the following command:

  ```
  aws ses delete-receipt-rule --rule-set myRuleSet --rule-name myReceiptRule
  ```

  In this command, replace *myRuleSet* with the name of the receipt rule set that contains the receipt rule. Replace *myReceiptRule* with the name of the receipt rule that you want to delete.

## Delete Data Related to IP Address Filters
<a name="deleting-personal-data-ip-address-filters"></a>

If you use Amazon SES to receive incoming email, you can create filters to explicitly accept or block messages that are sent from specific IP addresses. 

**To delete an IP address filter by using the Amazon SES console**

1. Open the Amazon SES console at [https://console.aws.amazon.com/ses/](https://console.aws.amazon.com/ses/).

1. Under **Email Receiving**, choose **IP Address Filters**.

1. In the list of IP address filters, choose the filter that you want to remove, and then choose **Delete**.

You can also use the Amazon SES API to delete IP address filters. The following procedure uses the AWS Command Line Interface (AWS CLI) to interact with the Amazon SES API. You can also interact with the API by using an AWS SDK, or by making HTTP requests directly.

**To delete an IP address filter by using the AWS CLI**
+ At the command line, type the following command:

  ```
  aws ses delete-receipt-filter --filter-name IPfilter
  ```

  In this command, replace *IPfilter* with the name of the IP address filter you want to delete.

## Delete Data in Email Templates
<a name="deleting-personal-data-email-templates"></a>

If you use email templates for sending email, it's possible that those templates might contain personal data, depending on how you configured them. For example, you might have added an email address to the template that recipients could contact for more information. 

You can only delete email templates by using the Amazon SES API.

**To delete an email template by using the AWS CLI**
+ At the command line, type the following command:

  ```
  aws ses delete-template --template-name sampleTemplate
  ```

  In this command, replace *sampleTemplate* with the name of the email template that you want to delete.

## Delete Data in Custom Verification Email Templates
<a name="deleting-personal-data-cve-templates"></a>

If you use customized templates for verifying new email sending addresses, it's possible that those templates might contain personal data, depending on how you configured them. For example, you might have added an email address to the verification email template that recipients could contact for more information. 

You can only delete custom verification email templates by using the Amazon SES API.

**To delete a custom verification email template by using the AWS CLI**
+ At the command line, type the following command:

  ```
  aws ses delete-custom-verification-email-template --template-name verificationEmailTemplate
  ```

  In this command, replace *verificationEmailTemplate* with the name of the custom verification email template that you want to delete.

## Delete All Personal Data by Closing Your AWS Account
<a name="deleting-personal-data-closing-account"></a>

It's also possible to delete all personal data that's stored in Amazon SES by closing your AWS account. However, this action also deletes all other data—personal or non-personal—that you have stored in every other AWS service.

When you close your AWS account, the data in your AWS account is retained for 90 days. After that retention period, it's deleted permanently and irreversibly.

**To close your AWS account**  
Complete instructions on how to close your AWS account are covered in [Close an AWS account](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-closing.html).

# Identity and access management in Amazon SES
<a name="control-user-access"></a>

You can use AWS Identity and Access Management (IAM) with Amazon Simple Email Service (Amazon SES) to specify which SES API actions a user, group, or role can perform. (In this topic we refer to these entities collectively as *user*.) You can also control which email addresses the user can use for the "From", recipient, and "Return-Path" addresses of emails.

For example, you can create an IAM policy that allows users in your organization to send email, but not perform administrative actions such as checking sending statistics. As another example, you can write a policy that allows a user to send emails through SES from your account, but only if they use a specific "From" address.

To use IAM, you define an IAM policy, which is a document that explicitly defines permissions, and attach the policy to a user. To learn how to create IAM policies, see the [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies_overview.html). Other than applying the restrictions you set in your policy, there are no changes to how users interact with SES or in how SES carries out requests.

**Note**  
If your account is in the SES sandbox, its restrictions will prevent the implementation of some of these policies. See [Request production access](request-production-access.md).

You can also control access to SES by using sending authorization policies. Whereas IAM policies constrain what individual users can do, sending authorization policies constrain how individual verified identities can be used. Further, only sending authorization policies can grant cross-account access. For more information about sending authorization, see [Using sending authorization with Amazon SES](sending-authorization.md).

If you are looking for information about how to generate SES SMTP credentials for an existing user, see [Obtaining Amazon SES SMTP credentials](smtp-credentials.md).

## Creating IAM Policies for Access to SES
<a name="iam-and-ses"></a>

This section explains how you can use IAM policies specifically with SES. To learn how to create IAM policies in general, see the [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_ElementDescriptions.html).

There are three reasons you might use IAM with SES:
+ To restrict the email-sending action.
+ To restrict the "From", recipient, and "Return-Path" addresses of the emails that the user sends.
+ To control general aspects of API usage such as the time period during which a user is permitted to call the APIs that they are authorized to use.

### Restricting the Action
<a name="iam-and-ses-restrict-action"></a>

To control which SES actions a user can perform, you use the `Action` element of an IAM policy. You can set the `Action` element to any SES API action by prefixing the API name with the lowercase string `ses:`. For example, you can set the `Action` to `ses:SendEmail`, `ses:GetSendStatistics`, or `ses:*` (for all actions).

Then, depending on the `Action`, specify the `Resource` element as follows:

**If the `Action` element only permits access to email-sending APIs (that is, `ses:SendEmail` and/or `ses:SendRawEmail`):**
+ To allow the user to send from any identity in your AWS account, set `Resource` to `*`.
+ To restrict the identities that a user is allowed to send from, set `Resource` to the ARNs of the identities that you are permitting the user to use.

**If the `Action` element permits access to all APIs:**
+ If you don't want to restrict the identities that the user can send from, set `Resource` to `*`.
+ If you want to restrict the identities that a user is allowed to send from, you need to create two policies (or two statements within one policy):
  + One with `Action` set to an explicit list of the permitted non-email-sending APIs and `Resource` set to `*`.
  + One with `Action` set to one of the email-sending APIs (`ses:SendEmail` and/or `ses:SendRawEmail`), and `Resource` set to the ARN(s) of the identities you are permitting the user to use.

For a list of available SES actions, see the [Amazon Simple Email Service API Reference](https://docs.aws.amazon.com/ses/latest/APIReference/). If the user will be using the SMTP interface, you must allow access to `ses:SendRawEmail` at a minimum.
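The two-statement split described above, as an added Python example (not from the AWS documentation or any SES library): a small helper that emits the policy document, plus a lint check that catches the configuration the split is meant to avoid, namely a sending action (or a wildcard that reaches one, such as `ses:*` or `ses:Send*`) granted on `Resource` `*`. The account ID, Region and identity name are constructed placeholders; the identity ARN form `arn:aws:ses:REGION:ACCOUNT:identity/NAME` is the one SES uses.

```python
"""Emit the two-statement SES policy described above and lint it.

Added example, not from the AWS documentation. The account ID, Region and
identity name used at the bottom are constructed placeholders.
"""
import json
import re

SENDING_ACTIONS = ("ses:SendEmail", "ses:SendRawEmail")


def _action_matches(pattern: str, action: str) -> bool:
    """IAM action matching is case-insensitive; '*' is the wildcard modelled here."""
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.fullmatch(regex, action.lower()) is not None


def _covers_sending(actions) -> bool:
    """True if any action pattern (ses:SendEmail, ses:Send*, ses:*) reaches a sending action."""
    return any(_action_matches(p, s) for p in actions for s in SENDING_ACTIONS)


def identity_arn(region: str, account_id: str, identity: str) -> str:
    """SES identity ARN: arn:aws:ses:REGION:ACCOUNT:identity/NAME."""
    return f"arn:aws:ses:{region}:{account_id}:identity/{identity}"


def build_restricted_policy(admin_actions, identity_arns) -> dict:
    """Statement 1: an explicit list of non-sending actions on every resource.
    Statement 2: the sending actions, only on the listed identity ARNs."""
    if _covers_sending(admin_actions):
        raise ValueError("sending actions belong only in the identity-scoped statement")
    if not identity_arns:
        raise ValueError("at least one identity ARN is required")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "NonSendingActions",
                "Effect": "Allow",
                "Action": sorted(admin_actions),
                "Resource": "*",
            },
            {
                "Sid": "SendFromPermittedIdentities",
                "Effect": "Allow",
                "Action": list(SENDING_ACTIONS),
                "Resource": sorted(identity_arns),
            },
        ],
    }


def grants_sending_on_any_resource(policy: dict) -> bool:
    """Lint: does some Allow statement let a sending action run with Resource '*'?
    Only the literal '*' is checked; ARN wildcards are out of scope here."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if _covers_sending(actions) and "*" in resources:
            return True
    return False


if __name__ == "__main__":
    # Placeholder account, Region and identity (constructed, not real).
    arns = [identity_arn("us-east-1", "111122223333", "example.com")]
    policy = build_restricted_policy(["ses:GetSendQuota", "ses:GetSendStatistics"], arns)
    print(json.dumps(policy, indent=2))
    print("sending allowed on any resource:", grants_sending_on_any_resource(policy))
```

The lint is deliberately narrow: it answers one question (can this document send from an identity it does not name?) and is the kind of check worth running in CI before a policy is attached.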

### Restricting Email Addresses
<a name="iam-and-ses-restrict-addresses"></a>

If you want to restrict the user to specific email addresses, you can use a `Condition` block. In the `Condition` block, you specify conditions by using condition keys as described in the [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_ElementDescriptions.html#Condition). By using condition keys, you can control the following email addresses:

**Note**  
These email address condition keys apply only to the APIs noted in the following table.

| Condition Key | Description | API | 
| --- | --- | --- | 
| `ses:Recipients` | Restricts the recipient addresses, which include the "To", "CC", and "BCC" addresses. | `SendEmail`, `SendRawEmail` | 
| `ses:FromAddress` | Restricts the "From" address. | `SendEmail`, `SendRawEmail`, `SendBounce` | 
| `ses:FromDisplayName` | Restricts the display name that is used with the "From" address. | `SendEmail`, `SendRawEmail` | 
| `ses:FeedbackAddress` | Restricts the "Return-Path" address, which is the address where bounces and complaints can be sent to you by email feedback forwarding. For information about email feedback forwarding, see [Receiving Amazon SES notifications through email](monitor-sending-activity-using-notifications-email.md). | `SendEmail`, `SendRawEmail` | 
| `ses:MultiRegionEndpointId` | Controls which endpoint ID is used when sending email. | `SendEmail`, `SendBulkEmail` | 

### Restricting by SES API version
<a name="iam-and-ses-restrict-api-version"></a>

By using the `ses:ApiVersion` key in conditions, you can restrict access to SES based on the version of the SES API.

**Note**  
The SES SMTP interface uses SES API version 2 of `ses:SendRawEmail`.

### Restricting General API Usage
<a name="iam-and-ses-restrict-API-usage"></a>

By using AWS-wide keys in conditions, you can restrict access to SES based on aspects such as the date and time at which a user is permitted to access the APIs. SES implements only the following AWS-wide policy keys:
+ `aws:CurrentTime`
+ `aws:EpochTime`
+ `aws:SecureTransport`
+ `aws:SourceIp`
+ `aws:SourceVpc`
+ `aws:SourceVpce`
+ `aws:UserAgent`
+ `aws:VpcSourceIp`

For more information about these keys, see the [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_ElementDescriptions.html#Condition).

## Example IAM Policies for SES
<a name="iam-and-ses-examples"></a>

This topic provides examples of policies that permit a user access to SES, but only under certain conditions.

**Topics**
+ [Allowing Full Access to All SES Actions](#iam-and-ses-examples-full-access)
+ [Allowing Access to only SES API version 2](#iam-and-ses-examples-access-specific-ses-api-version)
+ [Allowing Access to Email-Sending Actions Only](#iam-and-ses-examples-email-sending-actions)
+ [Restricting the Time Period of Sending](#iam-and-ses-examples-time-period)
+ [Restricting the Recipient Addresses](#iam-and-ses-examples-recipients)
+ [Restricting the "From" Address](#iam-and-ses-examples-from-address)
+ [Restricting the Display Name of the Email Sender](#iam-and-ses-examples-display-name)
+ [Restricting the Destination of Bounce and Complaint Feedback](#iam-and-ses-examples-feedback)

### Allowing Full Access to All SES Actions
<a name="iam-and-ses-examples-full-access"></a>

The following policy allows a user to call any SES action.

```
{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Action":[
        "ses:*"
      ],
      "Resource":"*"
    }
  ]
}
```

### Allowing Access to only SES API version 2
<a name="iam-and-ses-examples-access-specific-ses-api-version"></a>

The following policy allows a user to call only the SES actions of API version 2.

```
{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Action":[
        "ses:*"
      ],
      "Resource":"*",
      "Condition":{
        "StringEquals":{
          "ses:ApiVersion":"2"
        }
      }
    }
  ]
}
```

### Allowing Access to Email-Sending Actions Only
<a name="iam-and-ses-examples-email-sending-actions"></a>

The following policy permits a user to send email using SES, but does not permit the user to perform administrative actions such as accessing SES sending statistics.

```
{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Action":[
        "ses:SendEmail",
        "ses:SendRawEmail"
      ],
      "Resource":"*"
    }
  ]
}
```

### Restricting the Time Period of Sending
<a name="iam-and-ses-examples-time-period"></a>

The following policy permits a user to call SES email-sending APIs only during the month of September 2018.

```
{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Action":[
        "ses:SendEmail",
        "ses:SendRawEmail"
      ],
      "Resource":"*",
      "Condition":{
        "DateGreaterThan":{
          "aws:CurrentTime":"2018-08-31T12:00Z"
        },
        "DateLessThan":{
          "aws:CurrentTime":"2018-10-01T12:00Z"
        }
      }
    }
  ]
}
```

### Restricting the Recipient Addresses
<a name="iam-and-ses-examples-recipients"></a>

The following policy permits a user to call the SES email-sending APIs, but only to recipient addresses in domain *example.com* (`StringLike` *is case sensitive*).

```
{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Action":[
        "ses:SendEmail",
        "ses:SendRawEmail"
      ],
      "Resource":"*",
      "Condition":{
        "ForAllValues:StringLike":{
          "ses:Recipients":[
            "*@example.com"
          ]
        }
      }
    }
  ]
}
```

### Restricting the "From" Address
<a name="iam-and-ses-examples-from-address"></a>

The following policy permits a user to call the SES email-sending APIs, but only if the "From" address is *marketing@example.com*. 

```
{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Action":[
        "ses:SendEmail",
        "ses:SendRawEmail"
      ],
      "Resource":"*",
      "Condition":{
        "StringEquals":{
          "ses:FromAddress":"marketing@example.com"
        }
      }
    }
  ]
}
```

The following policy permits a user to call the [SendBounce](https://docs.aws.amazon.com/ses/latest/APIReference/API_SendBounce.html) API, but only if the "From" address is *bounce@example.com*. 

```
{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Action":[
        "ses:SendBounce"
      ],
      "Resource":"*",
      "Condition":{
        "StringEquals":{
          "ses:FromAddress":"bounce@example.com"
        }
      }
    }
  ]
}
```

### Restricting the Display Name of the Email Sender
<a name="iam-and-ses-examples-display-name"></a>

The following policy permits a user to call the SES email-sending APIs, but only if the display name of the "From" address includes *Marketing* (`StringLike` *is case sensitive*). 

```
{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Action":[
        "ses:SendEmail",
        "ses:SendRawEmail"
      ],
      "Resource":"*",
      "Condition":{
        "StringLike":{
          "ses:FromDisplayName":"Marketing"
        }
      }
    }
  ]
}
```

### Restricting the Destination of Bounce and Complaint Feedback
<a name="iam-and-ses-examples-feedback"></a>

The following policy permits a user to call the SES email-sending APIs, but only if the "Return-Path" of the email is set to *feedback@example.com*.

```
{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Action":[
        "ses:SendEmail",
        "ses:SendRawEmail"
      ],
      "Resource":"*",
      "Condition":{
        "StringEquals":{
          "ses:FeedbackAddress":"feedback@example.com"
        }
      }
    }
  ]
}
```
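To see how the condition operators in these examples actually decide a request, here is an added Python example (not from the AWS documentation, and not IAM's own evaluation engine). It models only the operators the policies in this section use (`StringEquals`, `StringLike`, `ForAllValues:StringLike`, `DateGreaterThan`, `DateLessThan`), a single `Allow` statement per policy and no explicit `Deny`, then runs the recipient, time-period and display-name policies from above against constructed request contexts. It goes slightly beyond the page by also showing `ForAnyValue`. Two behaviours are worth checking with it: `StringLike` treats only `*` and `?` as wildcards and is case sensitive, so the display-name pattern `Marketing` matches the display name `Marketing` exactly and not `Marketing Team`; and `ForAllValues` is satisfied when the request carries no value for the key at all.

```python
"""Evaluate the Condition blocks used in the SES policy examples above
against constructed request contexts.

Added example, not from the AWS documentation and not how IAM itself is
implemented: only the operators the examples use are modelled, one Allow
statement per policy, no explicit Deny. Request contexts are constructed.
"""
import re
from datetime import datetime


def _like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' (any run) and '?' (one char) are the only wildcards;
    everything else is literal, and the comparison is case sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def _ts(value: str) -> datetime:
    """Parse the UTC ISO 8601 forms the examples use ('...T12:00Z', '...T12:00:00Z')."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    raise ValueError(f"unsupported timestamp: {value}")


_OPERATORS = {
    "StringEquals": lambda p, v: v == p,
    "StringLike": _like,
    "DateGreaterThan": lambda p, v: _ts(v) > _ts(p),
    "DateLessThan": lambda p, v: _ts(v) < _ts(p),
}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def condition_holds(condition: dict, request: dict) -> bool:
    """Every operator block and every key inside it must match (AND);
    the policy values listed for one key are alternatives (OR)."""
    for operator, keys in condition.items():
        set_prefix, _, base = operator.rpartition(":")   # "ForAllValues:StringLike"
        match = _OPERATORS[base]
        for key, patterns in keys.items():
            patterns = _as_list(patterns)
            values = _as_list(request.get(key, []))
            hits = [any(match(p, v) for p in patterns) for v in values]
            if set_prefix == "ForAllValues":
                ok = all(hits)          # vacuously true when the key is absent
            elif set_prefix == "ForAnyValue":
                ok = any(hits)
            else:                       # single-valued: exactly one value, and it must match
                ok = len(values) == 1 and hits[0]
            if not ok:
                return False
    return True


def policy_allows(policy: dict, action: str, request: dict) -> bool:
    """True if some Allow statement names the action (case-insensitive glob)
    and its Condition holds for the request context."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if not any(_like(a.lower(), action.lower()) for a in _as_list(st["Action"])):
            continue
        if condition_holds(st.get("Condition", {}), request):
            return True
    return False


def sending_policy(condition: dict) -> dict:
    """The statement shape every sending example above shares, given its Condition."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["ses:SendEmail", "ses:SendRawEmail"],
        "Resource": "*",
        "Condition": condition,
    }]}


# The recipient, time-period and display-name policies from this section, as data.
RECIPIENTS_POLICY = sending_policy({"ForAllValues:StringLike": {"ses:Recipients": ["*@example.com"]}})
TIME_POLICY = sending_policy({"DateGreaterThan": {"aws:CurrentTime": "2018-08-31T12:00Z"},
                              "DateLessThan": {"aws:CurrentTime": "2018-10-01T12:00Z"}})
DISPLAY_NAME_POLICY = sending_policy({"StringLike": {"ses:FromDisplayName": "Marketing"}})


if __name__ == "__main__":
    print(policy_allows(RECIPIENTS_POLICY, "ses:SendEmail",
                        {"ses:Recipients": ["a@example.com", "b@example.com"]}))   # True
    print(policy_allows(RECIPIENTS_POLICY, "ses:SendEmail",
                        {"ses:Recipients": ["a@example.com", "c@example.org"]}))   # False: one recipient fails
    print(policy_allows(DISPLAY_NAME_POLICY, "ses:SendEmail",
                        {"ses:FromDisplayName": "Marketing Team"}))                # False: no wildcard in pattern
```

A model like this is useful for unit-testing a policy's condition logic before deployment; for the authoritative answer on a real account, the IAM policy simulator is the tool to use, since it applies every operator and the full Allow/Deny evaluation order.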

# AWS managed policies for Amazon Simple Email Service
<a name="security-iam-awsmanpol"></a>

To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. It takes time and expertise to [create IAM customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html) that provide your team with only the permissions they need. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

AWS services maintain and update AWS managed policies. You can't change the permissions in AWS managed policies. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the **ReadOnlyAccess** AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html) in the *IAM User Guide*.

## AWS managed policy: AmazonSESFullAccess
<a name="security-iam-awsmanpol-AmazonSESFullAccess"></a>

You can attach the `AmazonSESFullAccess` policy to your IAM identities. This policy provides full access to Amazon SES.

To view the permissions for this policy, see [AmazonSESFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSESFullAccess.html) in the *AWS Managed Policy Reference*.

## AWS managed policy: AmazonSESReadOnlyAccess
<a name="security-iam-awsmanpol-AmazonSESReadOnlyAccess"></a>

You can attach the `AmazonSESReadOnlyAccess` policy to your IAM identities. This policy provides read-only access to Amazon SES.

To view the permissions for this policy, see [AmazonSESReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSESReadOnlyAccess.html) in the *AWS Managed Policy Reference*.

## AWS managed policy: AmazonSESServiceRolePolicy
<a name="security-iam-awsmanpol-AmazonSESServiceRolePolicy"></a>

You can't attach the `AmazonSESServiceRolePolicy` policy to your IAM entities. This policy is attached to a service-linked role that allows Amazon SES to perform actions on your behalf. For more information, see [Service-linked role permissions for Amazon SES](using-service-linked-roles.md#service-linked-role-permissions).

To view the permissions for this policy, see [AmazonSESServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonSESServiceRolePolicy.html) in the *AWS Managed Policy Reference*.

## Amazon Simple Email Service updates to AWS managed policies
<a name="security-iam-awsmanpol-updates"></a>

View details about updates to AWS managed policies for Amazon Simple Email Service since this service began tracking these changes.


| Change | Description | Date | 
| --- | --- | --- | 
| Amazon Simple Email Service added a new managed policy | Amazon Simple Email Service added AmazonSESServiceRolePolicy to the service-linked role AWSServiceRoleForAmazonSES that allows SES to perform actions on your behalf | May 13, 2024 | 
| Amazon Simple Email Service updated a policy definition | Amazon Simple Email Service clarified the previous entry in this table (row below) to be: Amazon Simple Email Service added ses:BatchGetMetricData to AmazonSESReadOnlyAccess managed policy—this will give access to the SES API BatchGetMetricData | Apr 30, 2024 | 
| Amazon Simple Email Service updated a policy definition | Amazon Simple Email Service added ses:BatchGet* to AmazonSESReadOnlyAccess managed policy—this will give access to the SES API BatchGetMetricData | Feb 16, 2024 | 
| Amazon Simple Email Service changed two policy definitions | Amazon Simple Email Service removed "via the AWS Management Console" from the end of the AmazonSESFullAccess and AmazonSESReadOnlyAccess definitions | May 3, 2023 | 
| Amazon Simple Email Service started tracking changes | Amazon Simple Email Service started tracking changes to its AWS managed policies | April 5, 2023 | 

# Using service-linked roles for Amazon SES
<a name="using-service-linked-roles"></a>

Amazon Simple Email Service (SES) uses AWS Identity and Access Management (IAM) [service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role). A service-linked role is a unique type of IAM role that is linked directly to Amazon SES. Service-linked roles are predefined by SES and include all the permissions that the service requires to call other AWS services on your behalf.

A service-linked role makes setting up SES easier because you don’t have to manually add the necessary permissions. SES defines the permissions of its service-linked roles, and unless defined otherwise, only SES can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.

You can delete a service-linked role only after first deleting its related resources. This protects your SES resources because you can't inadvertently remove permission to access the resources.

For information about other services that support service-linked roles, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes** in the **Service-linked roles** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.

## Service-linked role permissions for Amazon SES
<a name="service-linked-role-permissions"></a>

SES uses the service-linked role named **AWSServiceRoleForAmazonSES**, which allows SES to publish Amazon CloudWatch basic monitoring metrics on behalf of your SES resources.

The AWSServiceRoleForAmazonSES service-linked role trusts the following service to assume the role:
+  `ses.amazonaws.com` 

The role permissions policy named AmazonSESServiceRolePolicy is an [AWS managed policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) that allows SES to complete the following actions on the specified resources:
+ Action: `cloudwatch:PutMetricData` in the `AWS/SES` CloudWatch namespace. This action grants permission for SES to put metric data into the CloudWatch `AWS/SES` namespace. For more information about SES metrics available in CloudWatch, see [Logging and monitoring in Amazon SES](security-monitoring-overview.md).
+ Action: `cloudwatch:PutMetricData` in the `AWS/SES/MailManager` CloudWatch namespace. This action grants permission for SES to put metric data into the CloudWatch `AWS/SES/MailManager` namespace. For more information about SES metrics available in CloudWatch, see [Logging and monitoring in Amazon SES](security-monitoring-overview.md).
+ Action: `cloudwatch:PutMetricData` in the `AWS/SES/Addons` CloudWatch namespace. This action grants permission for SES to put metric data into the CloudWatch `AWS/SES/Addons` namespace. For more information about SES metrics available in CloudWatch, see [Logging and monitoring in Amazon SES](security-monitoring-overview.md).

You must configure permissions to allow your users, groups, or roles to create, edit, or delete a service-linked role. For more information, see [Service-linked role permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

## Creating a service-linked role for Amazon SES
<a name="create-service-linked-role"></a>

You don't need to manually create a service-linked role. When you create SES resources in the AWS Management Console, the AWS CLI, or the AWS API, SES creates the service-linked role for you. 

If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you create SES resources, SES creates the service-linked role for you again. 

## Editing a service-linked role for Amazon SES
<a name="edit-service-linked-role"></a>

SES does not allow you to edit the AWSServiceRoleForAmazonSES service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM.

## Deleting a service-linked role for SES
<a name="delete-service-linked-role"></a>

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that is not actively monitored or maintained. However, you must clean up your service-linked role before you can manually delete it.

### Cleaning Up a service-linked role
<a name="service-linked-role-review-before-delete"></a>

Before you can use IAM to delete a service-linked role, you must first delete all SES resources. 

**Note**  
If the SES service is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.

### Manually delete the service-linked role
<a name="slr-manual-delete"></a>

Use the IAM console, the AWS CLI, or the AWS API to delete the AWSServiceRoleForAmazonSES service-linked role. For more information, see [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Supported Regions for Amazon SES service-linked roles
<a name="slr-regions"></a>

SES does not support using service-linked roles in every Region where the service is available. You can use the AWSServiceRoleForAmazonSES role in the following Regions.



| Region name | Region identity | Support in SES | 
| --- | --- | --- | 
| US East (N. Virginia) | us-east-1 | Yes | 
| US East (Ohio) | us-east-2 | Yes | 
| Asia Pacific (Sydney) | ap-southeast-2 | Yes | 
| Asia Pacific (Tokyo) | ap-northeast-1 | Yes | 
| Europe (Frankfurt) | eu-central-1 | Yes | 
| Europe (Ireland) | eu-west-1 | Yes | 

# Logging and monitoring in Amazon SES
<a name="security-monitoring-overview"></a>

Monitoring is an important part of maintaining the reliability, availability, and performance of Amazon SES and your AWS solutions. AWS provides tools to help you monitor Amazon SES and respond to potential incidents.
+ *Amazon CloudWatch* monitors your AWS resources and the applications you run on AWS in real time. You can collect and track metrics, create customized dashboards, and set alarms that notify you or take actions when a specified metric reaches a threshold that you specify. For more information, see [Retrieving Amazon SES event data from CloudWatch](event-publishing-retrieving-cloudwatch.md) and [Creating reputation monitoring alarms using CloudWatch](reputationdashboard-cloudwatch-alarm.md).
+ *AWS CloudTrail* captures API calls and related events made by or on behalf of your AWS account and delivers the log files to an Amazon S3 bucket that you specify. You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred. For more information, see [Logging Amazon SES API calls with AWS CloudTrail](logging-using-cloudtrail.md).
+ Amazon SES *email sending events* can help you fine-tune your email sending strategy. Amazon SES captures detailed information, including the numbers of sends, deliveries, opens, clicks, bounces, complaints, and rejections. For more information, see [Monitoring sending activity](monitor-sending-activity.md).
+ Amazon SES *reputation metrics* track the bounce and complaint rates for your account. For more information, see [Monitoring sender reputation](monitor-sender-reputation.md).

# Logging Amazon SES API calls with AWS CloudTrail
<a name="logging-using-cloudtrail"></a>

Amazon SES is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in SES. CloudTrail captures API calls for SES as events. The calls captured include calls from the SES console and code calls to the SES API operations. If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for SES. If you don't configure a trail, you can still view the most recent events in the CloudTrail console in **Event history**. Using the information collected by CloudTrail, you can determine the request that was made to SES, the IP address from which the request was made, who made the request, when it was made, and additional details. 

To learn more about CloudTrail, including how to configure and enable it, see the [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/).

## SES information in CloudTrail
<a name="service-name-info-in-cloudtrail"></a>

CloudTrail is enabled on your AWS account when you create the account. When supported event activity occurs in SES, that activity is recorded in a CloudTrail event along with other AWS service events in **Event history**. You can view, search, and download recent events in your AWS account. For more information, see [Viewing Events with CloudTrail Event History](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html). 

For an ongoing record of events in your AWS account, including events for SES, create a trail. A *trail* enables CloudTrail to deliver log files to an Amazon S3 bucket. By default, when you create a trail in the console, the trail applies to all AWS Regions. The trail logs events from all Regions in the AWS partition and delivers the log files to the Amazon S3 bucket that you specify. Additionally, you can configure other AWS services to further analyze and act upon the event data collected in CloudTrail logs. For more information, see the following: 
+ [Overview for Creating a Trail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html)
+ [CloudTrail Supported Services and Integrations](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html#cloudtrail-aws-service-specific-topics-integrations)
+ [Configuring Amazon SNS Notifications for CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/getting_notifications_top_level.html)
+ [Receiving CloudTrail Log Files from Multiple Regions](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html) and [Receiving CloudTrail Log Files from Multiple Accounts](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html)

Every event or log entry contains information about who generated the request. The identity information helps you determine the following: 
+ Whether the request was made with root or AWS Identity and Access Management (IAM) user credentials.
+ Whether the request was made with temporary security credentials for a role or federated user.
+ Whether the request was made by another AWS service.

For more information, see the [CloudTrail userIdentity Element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html).

## SES data events in CloudTrail
<a name="ses-data-events-cloudtrail"></a>

[Data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events) provide information about the resource operations performed on or in a resource. These are also known as data plane operations. Data events are often high-volume activities. By default, CloudTrail doesn’t log data events. The CloudTrail event history doesn't record data events.

Additional charges apply for data events. For more information about CloudTrail pricing, see [AWS CloudTrail pricing](https://aws.amazon.com/cloudtrail/pricing/).

**Note**  
Email sending activity through the SES SMTP interface is not logged to CloudTrail. For comprehensive activity logging, use the latest SES APIs in the [SES API Reference](https://docs.aws.amazon.com/ses/latest/APIReference/API_Operations.html) and [SES API v2 Reference](https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_Operations.html).

The following table lists the SES resource types for which you can log data events. The *Data event type (console)* column shows the value to choose from the **Data event type** list on the CloudTrail console. The *resources.type value* column shows the `resources.type` value, which you would specify when configuring advanced event selectors using the AWS CLI or CloudTrail APIs. The *Data APIs logged to CloudTrail* column shows the API calls logged to CloudTrail for the resource type.


**SES resource types for data events**  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/ses/latest/dg/logging-using-cloudtrail.html)

The following example shows how to log all data events for all SES email identities by using the `--advanced-event-selectors` parameter:

```
aws cloudtrail put-event-selectors \
--region Region \
--trail-name TrailName \
--advanced-event-selectors \
'[
    {
        "Name": "Log SES data plane actions for all email identities",
        "FieldSelectors": [
            { "Field": "eventCategory", "Equals": ["Data"] },
            { "Field": "resources.type", "Equals": ["AWS::SES::EmailIdentity"] }
        ]
    }
]'
```

You can further refine the advanced event selectors to filter on the `eventName`, `readOnly`, and `resources.ARN` fields to log only those events that are important to you. For more information about these fields, see [AdvancedFieldSelector](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_AdvancedFieldSelector.html) in the *AWS CloudTrail API Reference*. For more examples on how to log data events see [Logging data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html) for trails.

## CloudTrail log delivery scenarios for SES logging
<a name="ct-log-delivery"></a>

CloudTrail delivers logs based on factors such as account and resource ownership, identity type, and Region. The following matrix explains to whom and where the logs are delivered for specific combinations of these factors.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/ses/latest/dg/logging-using-cloudtrail.html)

**Note**  
CloudTrail always delivers logs to the requester account.
Resource owners receive logs even if they didn't perform the operation.
For Global endpoints, both accounts need CloudTrail subscriptions in all configured regions.
During regional impairments, all logs appear in the healthy region.

## SES management events in CloudTrail
<a name="ses-management-events"></a>

SES delivers management events to CloudTrail. Management events include actions that are related to creating and managing resources within your AWS account. In Amazon SES, management events include actions such as creating and deleting identities or receipt rules. For more information about SES API operations, see the [SES API Reference](https://docs.aws.amazon.com/ses/latest/APIReference/API_Operations.html) and [SES API v2 Reference](https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_Operations.html).

## CloudTrail log file entries for SES
<a name="ses-log-file-entries"></a>

A trail is a configuration that enables delivery of events as log files to an Amazon S3 bucket that you specify. CloudTrail log files contain one or more log entries. An event represents a single request from any source and includes information about the requested action, the date and time of the action, request parameters, and so on. CloudTrail log files aren't an ordered stack trace of the public API calls, so they don't appear in any specific order.

The following examples demonstrate CloudTrail logs of these event types:

**Topics**
+ [DeleteIdentity](#DeleteIdentity)
+ [VerifyEmailIdentity](#VerifyEmailIdentity)
+ [SendEmail with simple content](#SendEmail-with-simple-content)
+ [SendEmail with templated content](#SendEmail-with-templated-content)

### DeleteIdentity
<a name="DeleteIdentity"></a>

```
{
  "Records":[
    {
        "eventVersion": "1.11",
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": "AROA4DO2KAWIPZEXAMPLE:myUserName",
            "arn": "arn:aws:sts::111122223333:assumed-role/users/myUserName",
            "accountId": "111122223333",
            "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
            "sessionContext": {
                "sessionIssuer": {
                    "type": "Role",
                    "principalId": "AROA4DO2KAWIPZEXAMPLE",
                    "arn": "arn:aws:iam::111122223333:role/admin-role",
                    "accountId": "111122223333",
                    "userName": "myUserName"
                },
                "attributes": {
                    "creationDate": "2025-02-27T09:53:35Z",
                    "mfaAuthenticated": "false"
                }
            }
        },
        "eventTime": "2025-02-27T09:54:31Z",
        "eventSource": "ses.amazonaws.com",
        "eventName": "DeleteIdentity",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "192.0.2.0",
        "userAgent": "aws-cli/2.23.4",
        "requestParameters": {
            "identity": "sender@example.com"
        },
        "responseElements": null,
        "requestID": "50b87bfe-ab23-11e4-9106-5b36376f9d12",
        "eventID": "0ffa308d-1467-4259-8be3-c749753be325",
        "readOnly": false,
        "eventType": "AwsApiCall",
        "managementEvent": true,
        "recipientAccountId": "111122223333",
        "eventCategory": "Management",
        "tlsDetails": {
            "tlsVersion": "TLSv1.3",
            "cipherSuite": "TLS_AES_128_GCM_SHA256",
            "clientProvidedHostHeader": "email.us-east-1.amazonaws.com"
        }
    }
  ]
}
```

### VerifyEmailIdentity
<a name="VerifyEmailIdentity"></a>

```
{
  "Records":[
    {
        "eventVersion": "1.11",
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": "AROA4DO2KAWIPZEXAMPLE:myUserName",
            "arn": "arn:aws:sts::111122223333:assumed-role/users/myUserName",
            "accountId": "111122223333",
            "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
            "sessionContext": {
                "sessionIssuer": {
                    "type": "Role",
                    "principalId": "AROA4DO2KAWIPZEXAMPLE",
                    "arn": "arn:aws:iam::111122223333:role/admin-role",
                    "accountId": "111122223333",
                    "userName": "myUserName"
                },
                "attributes": {
                    "creationDate": "2025-02-27T09:53:35Z",
                    "mfaAuthenticated": "false"
                }
            }
        },
        "eventTime": "2025-02-27T09:56:20Z",
        "eventSource": "ses.amazonaws.com",
        "eventName": "VerifyEmailIdentity",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "192.0.2.0",
        "userAgent": "aws-cli/2.23.4",
        "requestParameters": {
            "emailAddress": "sender@example.com"
        },
        "responseElements": null,
        "requestID": "eb2ff803-ac09-11e4-8ff5-a56a3119e253",
        "eventID": "5613b0ff-d6c6-4526-9b53-a603a9231725",
        "readOnly": false,
        "eventType": "AwsApiCall",
        "managementEvent": true,
        "recipientAccountId": "111122223333",
        "eventCategory": "Management",
        "tlsDetails": {
            "tlsVersion": "TLSv1.3",
            "cipherSuite": "TLS_AES_128_GCM_SHA256",
            "clientProvidedHostHeader": "email.us-east-1.amazonaws.com"
        }
    }
  ]
}
```

### SendEmail with simple content
<a name="SendEmail-with-simple-content"></a>

```
{
  "Records":[{
       "eventTime": "2025-01-24T11:43:00Z",
        "eventSource": "ses.amazonaws.com",
        "eventName": "SendEmail",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "192.0.2.0",
        "userAgent": "aws-cli/2.23.4 md/awscrt#0.23.4",
        "requestParameters": {
            "destination": {
                "bccAddresses": ["HIDDEN_DUE_TO_SECURITY_REASONS"],
                "toAddresses": ["HIDDEN_DUE_TO_SECURITY_REASONS"],
                "ccAddresses": ["HIDDEN_DUE_TO_SECURITY_REASONS"]
            },
            "message": {
                "subject": {
                    "charset": "UTF-8",
                    "data": "HIDDEN_DUE_TO_SECURITY_REASONS"
                },
                "body": {
                    "html": {
                        "charset": "UTF-8",
                        "data": "HIDDEN_DUE_TO_SECURITY_REASONS"
                    },
                    "text": {
                        "charset": "UTF-8",
                        "data": "HIDDEN_DUE_TO_SECURITY_REASONS"
                    }
                }
            },
            "source": "sender@example.com"
        },
        "responseElements": null,
        "additionalEventData": {
            "sesMessageId": "01000100a11a11aa-00aa0a00-00a0-48a8-aaa7-a174a83b456a-000000"
        },
        "requestID": "ab2cc803-ac09-11d7-8bb8-a56a3119e476",
        "eventID": "eb834e01-f168-435f-92c0-c36278378b6e",
        "readOnly": true,
        "resources": [{
            "accountId": "111122223333",
            "type": "AWS::SES::EmailIdentity",
            "ARN": "arn:aws:ses:us-east-1:111122223333:identity/sender@example.com"
        }],
        "eventType": "AwsApiCall",
        "managementEvent": false,
        "recipientAccountId": "111122223333",
        "eventCategory": "Data",
        "tlsDetails": {
            "tlsVersion": "TLSv1.3",
            "cipherSuite": "TLS_AES_128_GCM_SHA256",
            "clientProvidedHostHeader": "email.us-east-1.amazonaws.com"
        }
    }
  ]
}
```

### SendEmail with templated content
<a name="SendEmail-with-templated-content"></a>

```
{
        "eventVersion": "1.11",
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": "AROA4DO2KAWIPZEXAMPLE:myUserName",
            "arn": "arn:aws:sts::111122223333:assumed-role/users/myUserName",
            "accountId": "111122223333",
            "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
            "sessionContext": {
                "sessionIssuer": {
                    "type": "Role",
                    "principalId": "AROA4DO2KAWIPZEXAMPLE",
                    "arn": "arn:aws:iam::111122223333:role/admin-role",
                    "accountId": "111122223333",
                    "userName": "admin-role"
                },
                "attributes": {
                    "creationDate": "2025-03-05T18:51:06Z",
                    "mfaAuthenticated": "false"
                }
            }
        },
        "eventTime": "2025-03-05T19:16:29Z",
        "eventSource": "ses.amazonaws.com",
        "eventName": "SendEmail",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "192.0.2.0",
        "userAgent": "aws-cli/2.23.4",
        "requestParameters": {
            "fromEmailAddress": "sender@example.com",
            "destination": {
                "toAddresses": ["HIDDEN_DUE_TO_SECURITY_REASONS"],
                "bccAddresses": ["HIDDEN_DUE_TO_SECURITY_REASONS"],
                "ccAddresses": ["HIDDEN_DUE_TO_SECURITY_REASONS"]
            },
            "emailTags": [{
                "value": "test",
                "name": "campaign"
            }, {
                "value": "cli-test",
                "name": "sender"
            }],
            "replyToAddresses": ["HIDDEN_DUE_TO_SECURITY_REASONS"],
            "content": {
                "template": {
                    "templateData": "HIDDEN_DUE_TO_SECURITY_REASONS",
                    "templateName": "TestTemplate"
                }
            }
        },
        "responseElements": null,
        "additionalEventData": {
            "sesMessageId": "01000100a11a11aa-00aa0a00-00a0-48a8-aaa7-a174a83b456a-000000"
        },
        "requestID": "50b87bfe-ab23-11e4-9106-5b36376f9d12",
        "eventID": "0ffa308d-1467-4259-8be3-c749753be325",
        "readOnly": true,
        "resources": [{
            "accountId": "111122223333",
            "type": "AWS::SES::EmailIdentity",
            "ARN": "arn:aws:ses:us-east-1:111122223333:identity/sender@example.com"
        }, {
            "accountId": "111122223333",
            "type": "AWS::SES::Template",
            "ARN": "arn:aws:ses:us-east-1:111122223333:template/TestTemplate"
        }],
        "eventType": "AwsApiCall",
        "managementEvent": false,
        "recipientAccountId": "111122223333",
        "eventCategory": "Data",
        "tlsDetails": {
            "tlsVersion": "TLSv1.3",
            "cipherSuite": "TLS_AES_128_GCM_SHA256",
            "clientProvidedHostHeader": "email.us-east-1.amazonaws.com"
        }
    }
```
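To see which of the entries above the `--advanced-event-selectors` example would actually deliver, and what an analyst pulls out of a delivered entry, here is an added Python example (not AWS or SES code). It re-implements the selector matching locally for illustration, builds trimmed records shaped like the DeleteIdentity and SendEmail entries above, and invents account `444455556666` to show a send that uses an identity owned by another account, the case the log-delivery note above describes.

```python
"""Apply CloudTrail advanced-event-selector logic to SES log entries locally, then
triage the matches. Added example, not AWS code: selector semantics are re-implemented
for illustration; records are constructed to mirror this page's entries, and account
444455556666 is invented to show a resource owned by another account."""


def _sample(event, category, read_only, resources=(), mfa="false"):
    """Trimmed record shaped like the entries on this page (constructed data)."""
    return {
        "eventName": event, "eventCategory": category,
        "managementEvent": category == "Management", "readOnly": read_only,
        "sourceIPAddress": "192.0.2.0", "recipientAccountId": "111122223333",
        "userIdentity": {
            "type": "AssumedRole", "accountId": "111122223333",
            "arn": "arn:aws:sts::111122223333:assumed-role/users/myUserName",
            "sessionContext": {
                "sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/admin-role"},
                "attributes": {"mfaAuthenticated": mfa}}},
        "resources": list(resources),
    }


OWN_IDENTITY = {"accountId": "111122223333", "type": "AWS::SES::EmailIdentity",
                "ARN": "arn:aws:ses:us-east-1:111122223333:identity/sender@example.com"}
OTHER_IDENTITY = {"accountId": "444455556666", "type": "AWS::SES::EmailIdentity",
                  "ARN": "arn:aws:ses:us-east-1:444455556666:identity/shared@example.com"}
TEMPLATE = {"accountId": "111122223333", "type": "AWS::SES::Template",
            "ARN": "arn:aws:ses:us-east-1:111122223333:template/TestTemplate"}
SAMPLE_RECORDS = [
    _sample("DeleteIdentity", "Management", False),                  # DeleteIdentity entry above
    _sample("SendEmail", "Data", True, [OWN_IDENTITY]),              # simple-content SendEmail above
    _sample("SendEmail", "Data", True, [OTHER_IDENTITY, TEMPLATE]),  # constructed cross-account send
]

# The selector from the CLI example above, and a refinement on resources.ARN.
PAGE_SELECTOR = [
    {"Field": "eventCategory", "Equals": ["Data"]},
    {"Field": "resources.type", "Equals": ["AWS::SES::EmailIdentity"]},
]
OWN_IDENTITIES_ONLY = PAGE_SELECTOR + [
    {"Field": "resources.ARN", "StartsWith": ["arn:aws:ses:us-east-1:111122223333:identity/"]},
]
_OPS = {"Equals": lambda v, p: v == p, "StartsWith": lambda v, p: v.startswith(p),
        "EndsWith": lambda v, p: v.endswith(p)}


def _field_values(record, field):
    """Values a selector field is compared against; resources.* fan out over the list."""
    if field.startswith("resources."):
        return [r.get(field[len("resources."):], "") for r in record.get("resources", [])]
    # CloudTrail compares readOnly as the strings "true"/"false"; other fields as strings.
    return [str(record.get(field, "")).lower() if field == "readOnly" else str(record.get(field, ""))]


def matches(record, field_selectors):
    """AND across FieldSelectors entries, OR across a value list; Not* operators
    succeed only when none of their values match any record value."""
    for selector in field_selectors:
        values = _field_values(record, selector["Field"])
        for op, patterns in selector.items():
            if op == "Field":
                continue
            negative = op.startswith("Not")
            test = _OPS[op[3:] if negative else op]
            if any(test(v, p) for v in values for p in patterns) == negative:
                return False
    return True


def select(records, field_selectors):
    """Records the selector would have CloudTrail deliver to the trail."""
    return [r for r in records if matches(r, field_selectors)]


def triage(record):
    """Fields an analyst reads first, plus two checks this page's notes motivate."""
    ident = record.get("userIdentity", {})
    ctx = ident.get("sessionContext", {})
    mfa = ctx.get("attributes", {}).get("mfaAuthenticated") == "true"
    findings = []
    if record.get("managementEvent") and not record.get("readOnly") and not mfa:
        findings.append("mutating management call from a session without MFA")
    foreign = [r["ARN"] for r in record.get("resources", [])
               if r.get("accountId") != ident.get("accountId")]
    if foreign:
        findings.append("uses resources owned by another account: " + ", ".join(foreign))
    return {"event": record["eventName"], "category": record.get("eventCategory"),
            "principal": ctx.get("sessionIssuer", {}).get("arn", ident.get("arn")),
            "source_ip": record.get("sourceIPAddress"), "findings": findings}


if __name__ == "__main__":
    for rec in select(SAMPLE_RECORDS, PAGE_SELECTOR):
        print(triage(rec))
```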

# Compliance validation for Amazon Simple Email Service
<a name="compliance-validation"></a>

Third-party auditors assess the security and compliance of Amazon Simple Email Service as part of multiple AWS compliance programs. These include SOC, PCI, FedRAMP, HIPAA, and others.

For a list of AWS services in scope of specific compliance programs, see [AWS Services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/). For general information, see [AWS Compliance Programs](https://aws.amazon.com/compliance/programs/).

You can download third-party audit reports using AWS Artifact. For more information, see [Downloading Reports in AWS Artifact](https://docs.aws.amazon.com/artifact/latest/ug/downloading-documents.html).

Your compliance responsibility when using Amazon Simple Email Service is determined by the sensitivity of your data, your company's compliance objectives, and applicable laws and regulations. AWS provides the following resources to help with compliance:
+ [Security and Compliance Quick Start Guides](https://aws.amazon.com/quickstart/?awsf.quickstart-homepage-filter=categories%23security-identity-compliance) – These deployment guides discuss architectural considerations and provide steps for deploying security- and compliance-focused baseline environments on AWS.
+ [AWS Compliance Resources](https://aws.amazon.com/compliance/resources/) – This collection of workbooks and guides might apply to your industry and location.
+ [Evaluating Resources with Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html) in the *AWS Config Developer Guide* – AWS Config assesses how well your resource configurations comply with internal practices, industry guidelines, and regulations.
+ [AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) – This AWS service provides a comprehensive view of your security state within AWS that helps you check your compliance with security industry standards and best practices.

# Resilience in Amazon Simple Email Service
<a name="disaster-recovery-resiliency"></a>

The AWS global infrastructure is built around AWS Regions and Availability Zones. Regions provide multiple physically separated and isolated Availability Zones, which are connected through low-latency, high-throughput, and highly redundant networking. With Availability Zones, you can design and operate applications and databases that automatically fail over between zones without interruption. Availability Zones are more highly available, fault tolerant, and scalable than traditional single or multiple data center infrastructures.

For more information about AWS Regions and Availability Zones, see [AWS Global Infrastructure](https://aws.amazon.com/about-aws/global-infrastructure/).

# Infrastructure security in Amazon Simple Email Service
<a name="infrastructure-security"></a>

As a managed service, Amazon Simple Email Service is protected by AWS global network security. For information about AWS security services and how AWS protects infrastructure, see [AWS Cloud Security](https://aws.amazon.com/security/). To design your AWS environment using the best practices for infrastructure security, see [Infrastructure Protection](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/infrastructure-protection.html) in *Security Pillar AWS Well-Architected Framework*.

You use AWS published API calls to access Amazon Simple Email Service through the network. Clients must support the following:
+ Transport Layer Security (TLS). We require TLS 1.2 and recommend TLS 1.3.
+ Cipher suites with perfect forward secrecy (PFS) such as DHE (Ephemeral Diffie-Hellman) or ECDHE (Elliptic Curve Ephemeral Diffie-Hellman). Most modern systems such as Java 7 and later support these modes.

# Setting up VPC endpoints with Amazon SES
<a name="send-email-set-up-vpc-endpoints"></a>

Many Amazon SES customers have corporate policies in place that limit the ability of their internal systems to connect to the public internet. These policies prevent the use of the public Amazon SES endpoints.

If you have similar policies, you can work within these restrictions by using Amazon Virtual Private Cloud. With Amazon VPC, you can deploy AWS resources into a virtual network that exists in an isolated area of the AWS Cloud. For more information about Amazon VPC, see the [Amazon VPC User Guide](https://docs.aws.amazon.com/vpc/latest/userguide/).

You can connect directly from [Amazon VPC](https://aws.amazon.com/vpc/) to SES through a [VPC endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/concepts.html#concepts-vpc-endpoints) in a secure and scalable manner. An interface VPC endpoint improves your security posture because you don't need to open your firewalls to outbound internet traffic, and it provides the other benefits of using [Amazon VPC endpoints](https://aws.amazon.com/blogs/architecture/reduce-cost-and-increase-security-with-amazon-vpc-endpoints/).

When you use a VPC endpoint, traffic to SES doesn't traverse the public internet and never leaves the Amazon network, so your VPC connects to SES securely without availability risks or bandwidth constraints on your network traffic. You can centralize SES across your multi-account infrastructure and provide it as a service to your accounts without using an internet gateway.

**Limitations**  
SES does not support SMTP VPC endpoints in the following Availability Zones: `use1-az2`, `use1-az3`, `use1-az5`, `usw1-az2`, `usw2-az4`, `apne2-az4`, `cac1-az3`, and `cac1-az4`.
The SMTP endpoint used within the VPC is restricted to the AWS Region currently being used for your account.

You can also use VPC endpoints with Mail Manager ingress endpoints for secure, private email ingestion within your private network infrastructure. See [Receiving email through Amazon VPC endpoints](eb-ingress.md#eb-ingress-vpc-endpoint) in the Mail Manager chapter.

## Walkthrough example of setting up SES in Amazon VPC
<a name="send-email-set-up-vpc-endpoints-walkthrough"></a>

### Prerequisites
<a name="send-email-set-up-vpc-endpoints-prereqs"></a>

Before you complete the procedure in this section, you have to complete the following steps:
+ Have an existing virtual private cloud (VPC) or create a new VPC. For procedures, see [Get started with Amazon VPC](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-getting-started.html). 
+ Launch an Amazon EC2 instance in your VPC for testing connectivity to the VPC endpoint created in a later step. For more information, see [Default VPCs](https://docs.aws.amazon.com/vpc/latest/userguide/default-vpc.html#launching-into).
**Note**  
While VPC endpoints for SES can be used with any resource, for ease of testing, this example has you use an EC2 instance as the resource. Because Amazon EC2 restricts email traffic over port 25 by default, for SMTP endpoints you have to use a port other than TCP 25, such as TCP 465, 587, 2465, or 2587. For more information, see [Restriction on email sent using port 25](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-resource-limits.html#port-25-throttle). For API endpoints, use port 443.

### Setting up SES in Amazon VPC
<a name="send-email-set-up-vpc-endpoints-procedure"></a>

The process of setting up a VPC endpoint to use with SES consists of a few separate steps. First, you have to create a security group that allows the instance to communicate with the chosen port(s), then create a VPC endpoint for Amazon SES, and finally, test the connection to the VPC endpoint to ensure that it's configured properly.

#### Step 1: Create the security group
<a name="send-email-set-up-vpc-endpoints-procedure-step-1"></a>

In this step, you create a security group that lets Amazon EC2 instances communicate with the VPC interface endpoint you'll be creating.

**To create the security group**

1. In the navigation pane of the Amazon EC2 console, under **Network & Security**, choose **Security Groups**.

1. Choose **Create security group**.

1. Under **Basic details**, do the following:
   + For **Security group name**, enter a unique name that identifies the security group. 
   + For **Description**, enter some text that describes the purpose of the security group. 
   + For **VPC**, choose the VPC that you want to use Amazon SES in.

1. Under **Inbound rules**, choose **Add rule**. 

1. For the new **Inbound rule**, do the following:
   + For **Type**, choose **Custom TCP**.
   + For **Port range**, enter the port number that you want to use to send email. For SMTP endpoints, you can use any of the following port numbers: **465**, **587**, **2465**, or **2587**. For API endpoints, use port 443.
   + For **Source type**, choose **Custom**.
   + For **Source**, enter the private IP CIDR range or other Security Group IDs that contain the resources that will use the VPC endpoint to communicate with the SES service.
   + Repeat steps 4 and 5 for each CIDR range or security group that you want to allow access from.

1. When you finish, choose **Create security group**.

#### Step 2: Create the VPC endpoint
<a name="send-email-set-up-vpc-endpoints-procedure-step-2"></a>

In Amazon VPC, a *VPC endpoint* lets you connect your VPC to supported AWS services. In this example, you configure Amazon VPC so that your Amazon EC2 security group can connect to Amazon SES.

**To create the VPC endpoint**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. Under **PrivateLink and Lattice**, choose **Endpoints**.

1. Choose **Create Endpoint** to open the **Create Endpoint** page.

1. (Optional) In the **Endpoint settings** panel, create a tag in the **Name tag** field.

1. For **Service category**, select **AWS services**.

1. In the **Services** panel, for SMTP endpoints, filter on *smtp* in the search bar, then select its radio button. For API endpoints, filter on *email* in the search bar. You can also use a FIPS endpoint by searching for *email-fips*.

1. In the **VPC** panel, click inside the search bar and select a VPC from the list box (see [Prerequisites](#send-email-set-up-vpc-endpoints-prereqs)).

1. In the **Subnets** panel, select *Availability Zones* and *Subnet IDs*.
**Note**  
Amazon SES doesn't support SMTP VPC endpoints in the following *Availability Zones*: `use1-az2`, `use1-az3`, `use1-az5`, `usw1-az2`, `usw2-az4`, `apne2-az4`, `cac1-az3`, and `cac1-az4`.

1. In the **Security groups** panel, select the security group you created earlier.

1. (Optional) In the **Tags** panel, you can create one or more tags.

1. Choose **Create endpoint**. Wait approximately 5 minutes while Amazon VPC creates the endpoint. When the endpoint is ready to use, the value in the **Status** column changes to *Available*.

#### (Optional) Step 3: Test the connection to the VPC endpoint
<a name="send-email-set-up-vpc-endpoints-procedure-step-3"></a>

When you complete the process of configuring the VPC endpoint, you can test the connection to ensure that the VPC endpoint is configured properly. You can test the connection by using command-line tools that are included with most operating systems.

**To test the connection to the VPC endpoint**

1. Launch an Amazon EC2 instance in the same VPC where you just created the email-smtp VPC endpoint.

   For information about connecting to Linux instances, see [Connect to your Linux instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstances.html) in the *Amazon EC2 User Guide*. 

   For information about connecting to Windows instances, see the [Get started tutorial](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/EC2_GetStarted.html#ec2-connect-to-instance-windows) in the *Amazon EC2 User Guide*.

1. Send a test email. For the SMTP endpoint, use the SES SMTP interface. For the API endpoint, use the SES CLI or API.
**Note**  
You have to verify an email address or domain before you can send email through Amazon SES. For more information about verifying identities, see [Creating and verifying identities in Amazon SES](creating-identities.md).
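As an added example (not AWS or SES code) for the optional connection test above, this Python script connects to the endpoint on one of the allowed ports and checks the negotiated protocol and cipher against the client requirements listed under Infrastructure security: TLS 1.2 required, TLS 1.3 recommended, PFS cipher suites. `ENDPOINT_HOST` is a placeholder for the DNS name shown in the VPC console, and `evaluate_handshake` can equally be applied to the `tlsDetails` values in the CloudTrail entries earlier on this page.

```python
"""Probe an SES VPC endpoint from an instance inside the VPC and judge the TLS
handshake against the client requirements this page states (TLS 1.2 required,
TLS 1.3 recommended, PFS cipher suites). Added example, not AWS or SES code;
ENDPOINT_HOST is a placeholder for the DNS name the VPC console shows."""
import smtplib
import socket
import ssl

ENDPOINT_HOST = "vpce-EXAMPLE.email-smtp.us-east-1.vpce.amazonaws.com"  # placeholder
STARTTLS_PORTS = {587, 2587}     # SES STARTTLS ports that EC2 does not throttle
TLS_WRAPPER_PORTS = {465, 2465}  # SES implicit-TLS ports
API_PORT = 443                   # the API (email / email-fips) endpoint


def build_tls_context():
    """Client context that verifies the chain and host name, refuses TLS < 1.2,
    and only offers ephemeral (EC)DH suites for TLS 1.2 (TLS 1.3 is always PFS)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx


def evaluate_handshake(version, cipher):
    """Classify a negotiated (protocol version, cipher name) pair."""
    errors, warnings = [], []
    if version not in ("TLSv1.2", "TLSv1.3"):
        errors.append(f"{version} is below the required TLS 1.2")
    elif version == "TLSv1.2":
        warnings.append("TLS 1.2 negotiated; TLS 1.3 is recommended")
        if not cipher.startswith(("ECDHE-", "DHE-")):
            errors.append(f"{cipher} has no ephemeral key exchange, so no PFS")
    return {"version": version, "cipher": cipher, "ok": not errors,
            "errors": errors, "warnings": warnings}


def probe(host, port, timeout=10):
    """Open the connection the walkthrough's test step describes and report the
    parameters actually negotiated with the endpoint."""
    ctx = build_tls_context()
    if port == API_PORT:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return evaluate_handshake(tls.version(), tls.cipher()[0])
    if port in TLS_WRAPPER_PORTS:
        client = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
    elif port in STARTTLS_PORTS:
        client = smtplib.SMTP(host, port, timeout=timeout)
        client.ehlo()
        client.starttls(context=ctx)
    else:
        raise ValueError(f"port {port}: use 465, 587, 2465 or 2587 (EC2 throttles 25)")
    with client:
        client.ehlo()  # RFC 3207: re-issue EHLO once the channel is encrypted
        return evaluate_handshake(client.sock.version(), client.sock.cipher()[0])


if __name__ == "__main__":
    import sys
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 587
    print(probe(ENDPOINT_HOST, port))
```

Because the context only offers PFS suites, a TLS 1.2 endpoint without them fails the handshake outright instead of reporting a weak cipher; the `evaluate_handshake` verdict is mainly useful for the logged `tlsDetails` values.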