

# Creating an identity authorization policy in Amazon SES
<a name="identity-authorization-policies-creating"></a>

An identity authorization policy consists of statements that specify which API actions are allowed or denied for an identity, and under what conditions.

To authorize an Amazon SES domain or email address identity that you own, you create an authorization policy, and then attach that policy to the identity. An identity can have zero, one, or many policies. However, a single policy can only be associated with a single identity.

For a list of API actions that can be used in an identity authorization policy, see the *Action* row in the [Statements specific to the policy](policy-anatomy.md#identity-authorization-policy-statements) table.

You can create an identity authorization policy in the following ways:
+ **By using the policy generator** – You can create a simple policy by using the policy generator in the SES console. In addition to allowing or denying permissions on SES API actions, you can constrain the actions with conditions. You can also use the policy generator to quickly create the basic structure of a policy and then customize it later by editing the policy.
+ **By creating a custom policy** – If you want to include more advanced conditions or use an AWS service as the principal, you can create a custom policy and attach it to the identity by using the SES console or the SES API.

**Topics**
+ [Using the policy generator](using-policy-generator.md)
+ [Creating a custom policy](creating-custom-policy.md)

# Using the policy generator
<a name="using-policy-generator"></a>

You can use the policy generator to create a simple authorization policy by following these steps.

**To create a policy by using the policy generator**

1. Sign in to the AWS Management Console and open the Amazon SES console at [https://console.aws.amazon.com/ses/](https://console.aws.amazon.com/ses/).

1. In the navigation pane, under **Configuration**, choose **Identities**.

1. In the **Identities** container on the **Identities** screen, select the verified identity you wish to create an authorization policy for.

1. In the details screen of the verified identity you selected in the previous step, choose the **Authorization** tab.

1. In the **Authorization policies** pane, choose **Create policy** and select **Use policy generator** from the dropdown.

1. In the **Create statement** pane, choose **Allow** in the **Effect** field. (If you want to create a policy to restrict this identity, choose **Deny** instead.)

1. In the **Principals** field, enter the *AWS account ID*, *IAM user ARN*, or AWS service to receive the permissions you want to authorize for this identity, then choose **Add**. (If you wish to authorize more than one, repeat this step for each one.)

1. In the **Actions** field, select the check box for each action you would like to authorize for your principals.

1. (Optional) Expand **Specify conditions** if you wish to add a qualifying statement to the permission.

   1. Select an operator from the **Operator** dropdown.

   1. Select a type from the **Key** dropdown.

   1. In the **Value** field, enter a value that corresponds to the key type you selected. (If you wish to add more conditions, choose **Add new condition** and repeat this step for each additional one.)

1. Choose **Save statement**.

1. (Optional) To add more statements to your policy, expand **Create another statement** and repeat steps 6 - 10.

1. Choose **Next**. On the **Customize policy** screen, the **Edit policy details** container has fields where you can change or customize the policy’s **Name** and the **Policy document** itself.

1. Choose **Next**. On the **Review and apply** screen, the **Overview** container shows the verified identity you’re authorizing and the name of this policy. The **Policy document** pane shows the policy you just wrote, along with any conditions you added. Review the policy and, if it looks correct, choose **Apply policy**. (If you need to change or correct something, choose **Previous** and work in the **Edit policy details** container.)

# Creating a custom policy
<a name="creating-custom-policy"></a>

If you want to create a custom policy and attach it to an identity, you have the following options:
+ **Using the Amazon SES API** – Create a policy in a text editor and then attach the policy to the identity by using the `PutIdentityPolicy` API described in the [Amazon Simple Email Service API Reference](https://docs.aws.amazon.com/ses/latest/APIReference/).
+ **Using the Amazon SES console** – Create a policy in a text editor and attach it to an identity by pasting it into the custom policy editor in the Amazon SES console. The following procedure describes this method.



**To create a custom policy by using the custom policy editor**

1. Sign in to the AWS Management Console and open the Amazon SES console at [https://console.aws.amazon.com/ses/](https://console.aws.amazon.com/ses/).

1. In the navigation pane, under **Configuration**, choose **Identities**.

1. In the **Identities** container on the **Identities** screen, select the verified identity you wish to create an authorization policy for.

1. In the details screen of the verified identity you selected in the previous step, choose the **Authorization** tab.

1. In the **Authorization policies** pane, choose **Create policy** and select **Create custom policy** from the dropdown.

1. In the **Policy document** pane, type or paste the text of your policy in JSON format. You can also use the policy generator to quickly create the basic structure of a policy and then customize it here.

1. Choose **Apply Policy**. (If you ever need to modify your custom policy, select its check box under the **Authorization** tab, choose **Edit**, make your changes in the **Policy document** pane, and then choose **Save changes**.)
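
The following is an added example, not part of the AWS documentation: it builds a custom policy document of the kind you paste into the **Policy document** pane and reviews it for over-broad statements before it is attached with `PutIdentityPolicy`. The account IDs, identity ARN, `Sid`, From-address pattern, and the helper names `build_policy`, `review_policy`, and `attach` are assumptions made for illustration.

```python
import json

def as_list(v):
    return v if isinstance(v, list) else [] if v is None else [v]

def build_policy(identity_arn, account_id, from_pattern):
    """One Allow statement: account_id may send as the identity, limited by From address."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowDelegateSending",
        "Effect": "Allow",
        "Principal": {"AWS": account_id},
        "Action": ["ses:SendEmail", "ses:SendRawEmail"],
        "Resource": identity_arn,
        "Condition": {"StringLike": {"ses:FromAddress": from_pattern}},
    }]}

def review_policy(policy, identity_arn):
    """Return findings to resolve before the policy is applied."""
    findings = []
    for i, st in enumerate(as_list(policy.get("Statement"))):
        sid = st.get("Sid", f"statement {i}")
        # A policy is attached to exactly one identity; Resource should name it.
        if as_list(st.get("Resource")) != [identity_arn]:
            findings.append(f"{sid}: Resource is not the target identity")
        if st.get("Effect") != "Allow":
            continue  # Deny statements only restrict access
        principal = st.get("Principal")
        aws = as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if (principal == "*" or "*" in aws) and not st.get("Condition"):
            findings.append(f"{sid}: any principal allowed with no condition")
        if any(a in ("*", "ses:*") for a in as_list(st.get("Action"))):
            findings.append(f"{sid}: wildcard action")
    return findings

def attach(identity, name, policy):
    """Attach with PutIdentityPolicy; needs boto3 and AWS credentials, not called here."""
    import boto3
    boto3.client("ses").put_identity_policy(
        Identity=identity, PolicyName=name, Policy=json.dumps(policy))

# Constructed sample values, not from the page.
IDENTITY_ARN = "arn:aws:ses:us-east-1:111122223333:identity/example.com"
GOOD = build_policy(IDENTITY_ARN, "444455556666", "marketing+*@example.com")
BROAD = {"Version": "2012-10-17", "Statement": [{
    "Sid": "TooBroad", "Effect": "Allow", "Principal": "*",
    "Action": "ses:*", "Resource": "*"}]}

if __name__ == "__main__":
    print(json.dumps(GOOD, indent=2))
    print(review_policy(GOOD, IDENTITY_ARN), review_policy(BROAD, IDENTITY_ARN))
```

The JSON printed for `GOOD` can be pasted into the custom policy editor as is, after replacing the constructed account IDs and identity ARN with your own.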