

# Using identity authorization in Amazon SES
<a name="identity-authorization-policies"></a>

Identity authorization policies define how individual verified identities can use Amazon SES by specifying which SES API actions are allowed or denied for the identity and under what conditions.

Through the use of these authorization policies, you can maintain control over your identities by changing or revoking permissions at any time. You can even authorize other users to use the identities that you own (domains or email addresses) with their own SES accounts.

**Topics**
+ [Amazon SES policy anatomy](policy-anatomy.md)
+ [Creating an identity authorization policy in Amazon SES](identity-authorization-policies-creating.md)
+ [Identity policy examples in Amazon SES](identity-authorization-policy-examples.md)
+ [Managing your identity authorization policies in Amazon SES](managing-policies.md)

# Amazon SES policy anatomy
<a name="policy-anatomy"></a>

Policies adhere to a specific structure, contain elements, and must meet certain requirements.

## Policy structure
<a name="identity-authorization-policy-structure"></a>

Each authorization policy is a JSON document that is attached to an identity. Each policy includes the following sections:
+ Policy-wide information at the top of the document.
+ One or more individual statements, each of which describes a set of permissions.

The following example policy grants AWS account *123456789012* the permissions listed in the *Action* section for the verified domain *example.com*.

------
#### [ JSON ]


```
{
  "Id":"ExampleAuthorizationPolicy",
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AuthorizeAccount",
      "Effect":"Allow",
      "Resource":"arn:aws:ses:us-east-1:123456789012:identity/example.com",
      "Principal":{
        "AWS":[
          "123456789012"
        ]
      },
      "Action":[
        "ses:GetEmailIdentity",
        "ses:UpdateEmailIdentityPolicy",
        "ses:ListRecommendations",
        "ses:CreateEmailIdentityPolicy",
        "ses:DeleteEmailIdentity"
      ]
    }
  ]
}
```

------

You can find more authorization policy examples at [Identity policy examples](identity-authorization-policy-examples.md).

## Policy elements
<a name="identity-authorization-policy-elements"></a>

This section describes the elements contained in identity authorization policies. First we describe policy-wide elements, and then we describe elements that apply only to the statement in which they are included. We follow with a discussion of how to add conditions to your statements.

For specific information about the syntax of the elements, see [Grammar of the IAM Policy Language](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-grammar.html) in the *IAM User Guide*.

### Policy-wide information
<a name="identity-authorization-policy-policy-wide"></a>

There are two policy-wide elements: `Id` and `Version`. The following table provides information about these elements.



|  Name  |  Description  |  Required  |  Valid values  | 
| --- | --- | --- | --- | 
|   `Id`   |  Uniquely identifies the policy.  |  No  |  Any string  | 
|   `Version`   |  Specifies the policy access language version.  |  No  |  Any string. As a best practice, we recommend that you include this field with a value of "2012-10-17".  | 

### Statements specific to the policy
<a name="identity-authorization-policy-statements"></a>

Identity authorization policies require at least one statement. Each statement can include the elements described in the following table.



|  Name  |  Description  |  Required  |  Valid values  | 
| --- | --- | --- | --- | 
|   `Sid`   |  Uniquely identifies the statement.  |  No  |  Any string.  | 
|   `Effect`   |  Specifies the result that you want the policy statement to return at evaluation time.  |  Yes  |  "Allow" or "Deny".  | 
|   `Resource`   |  Specifies the identity to which the policy applies. (For [sending authorization](sending-authorization-identity-owner-tasks-policy.md), this is the email address or domain that the identity owner is authorizing the delegate sender to use.)  |  Yes  |  The Amazon Resource Name (ARN) of the identity.  | 
|   `Principal`   |  Specifies the AWS account, user, or AWS service that receives the permission in the statement.  |  Yes  |  A valid AWS account ID, user ARN, or AWS service. AWS account IDs and user ARNs are specified using `"AWS"` (for example, `"AWS": ["123456789012"]` or `"AWS": ["arn:aws:iam::123456789012:root"]`). AWS service names are specified using `"Service"` (for example, `"Service": ["cognito-idp.amazonaws.com"]`).  For examples of the format of user ARNs, see the [AWS General Reference](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam.html).  | 
|   `Action`   |  Specifies the action that the statement applies to.  |  Yes  |  "ses:BatchGetMetricData", "ses:CancelExportJob", "ses:CreateDeliverabilityTestReport", "ses:CreateEmailIdentityPolicy", "ses:CreateExportJob", "ses:DeleteEmailIdentity", "ses:DeleteEmailIdentityPolicy", "ses:GetDomainStatisticsReport", "ses:GetEmailIdentity", "ses:GetEmailIdentityPolicies", "ses:GetExportJob", "ses:ListExportJobs", "ses:ListRecommendations", "ses:PutEmailIdentityConfigurationSetAttributes", "ses:PutEmailIdentityDkimAttributes", "ses:PutEmailIdentityDkimSigningAttributes", "ses:PutEmailIdentityFeedbackAttributes", "ses:PutEmailIdentityMailFromAttributes", "ses:TagResource", "ses:UntagResource", "ses:UpdateEmailIdentityPolicy" ([Sending authorization](sending-authorization-identity-owner-tasks-policy.md) actions: "ses:SendEmail", "ses:SendRawEmail", "ses:SendTemplatedEmail", "ses:SendBulkTemplatedEmail"). You can specify one or more of these operations.  | 
|   `Condition`   |  Specifies any restrictions or details about the permission.  |  No  |  See the information about conditions following this table.  | 

### Conditions
<a name="identity-authorization-policy-conditions"></a>

A *condition* is any restriction about the permission in the statement. The part of the statement that specifies the conditions can be the most detailed of all the parts. A *key* is the specific characteristic that's the basis for access restriction, such as the date and time of the request.

You use both conditions and keys together to express the restriction. For example, if you want to restrict the delegate sender from making requests to Amazon SES on your behalf after July 30, 2019, you use the condition called `DateLessThan`. You use the key called `aws:CurrentTime` and set it to the value `2019-07-30T00:00:00Z`. 

SES implements only the following AWS-wide policy keys:
+ `aws:CurrentTime`
+ `aws:EpochTime`
+ `aws:SecureTransport`
+ `aws:SourceIp`
+ `aws:SourceVpc`
+ `aws:SourceVpce`
+ `aws:UserAgent`
+ `aws:VpcSourceIp`

For more information about these keys, see the [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_ElementDescriptions.html#Condition).

## Policy requirements
<a name="identity-authorization-policy-restrictions"></a>

Policies must meet all of the following requirements:
+ Each policy has to include at least one statement.
+ Each policy has to include at least one valid principal.
+ Each policy has to specify one resource, and that resource has to be the ARN of the identity that the policy is attached to.
+ Identity owners can associate up to 20 policies with each unique identity.
+ Policies can't exceed 4 kilobytes (KB) in size.
+ Policy names can't exceed 64 characters. Additionally, they can only include alphanumeric characters, dashes, and underscores.
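The following is an added example, not part of the SES documentation: a pre-flight check that tests a policy document against the requirements listed above and the SES-supported condition keys from the Conditions section, before you submit it with `PutIdentityPolicy`. The sample policy is constructed for illustration and applies the `DateLessThan` / `aws:CurrentTime` restriction described earlier.

```python
import json
import re

# Requirements and supported condition keys taken from the sections above.
MAX_POLICY_BYTES = 4 * 1024
MAX_NAME_LEN = 64
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")
SES_CONDITION_KEYS = {
    "aws:CurrentTime", "aws:EpochTime", "aws:SecureTransport", "aws:SourceIp",
    "aws:SourceVpc", "aws:SourceVpce", "aws:UserAgent", "aws:VpcSourceIp",
}

# Constructed sample: allow account 123456789012 to read the identity, but only
# until July 30, 2019, using the DateLessThan / aws:CurrentTime pair described above.
SAMPLE_POLICY = {
    "Id": "ExpiringReadPolicy",
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AuthorizeUntilJuly",
        "Effect": "Allow",
        "Resource": "arn:aws:ses:us-east-1:123456789012:identity/example.com",
        "Principal": {"AWS": ["123456789012"]},
        "Action": ["ses:GetEmailIdentity"],
        "Condition": {"DateLessThan": {"aws:CurrentTime": "2019-07-30T00:00:00Z"}},
    }],
}


def validate_policy(policy_name, policy, identity_arn):
    """Return a list of problems; an empty list means the document meets the
    requirements listed above for a policy attached to `identity_arn`."""
    problems = []
    if not (0 < len(policy_name) <= MAX_NAME_LEN and NAME_RE.match(policy_name)):
        problems.append("name must be 1-64 alphanumeric, dash or underscore characters")
    if len(json.dumps(policy, separators=(",", ":")).encode()) > MAX_POLICY_BYTES:
        problems.append("policy document exceeds 4 KB")
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["policy must contain at least one statement"]
    for stmt in statements:
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"{sid}: Effect must be Allow or Deny")
        principal = stmt.get("Principal") or {}
        if not (principal.get("AWS") or principal.get("Service")):
            problems.append(f"{sid}: at least one AWS or Service principal is required")
        resource = stmt.get("Resource")
        if isinstance(resource, list) and len(resource) == 1:
            resource = resource[0]
        if resource != identity_arn:
            problems.append(f"{sid}: Resource must be the attached identity ARN {identity_arn}")
        if not stmt.get("Action"):
            problems.append(f"{sid}: Action is required")
        for keys in (stmt.get("Condition") or {}).values():
            for key in keys:
                if key.startswith("aws:") and key not in SES_CONDITION_KEYS:
                    problems.append(f"{sid}: SES does not implement condition key {key}")
    return problems
```

The condition-key check only flags `aws:`-prefixed keys, since the page lists which AWS-wide keys SES implements; the per-statement checks are stricter than the policy-wide wording because the statement table marks `Principal`, `Resource` and `Action` as required.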

# Creating an identity authorization policy in Amazon SES
<a name="identity-authorization-policies-creating"></a>

An identity authorization policy consists of statements specifying which API actions are allowed or denied for an identity and under what conditions.

To authorize an Amazon SES domain or email address identity that you own, you create an authorization policy, and then attach that policy to the identity. An identity can have zero, one, or many policies. However, a single policy can only be associated with a single identity.

For a list of API actions that can be used in an identity authorization policy, see the *Action* row in the [Statements specific to the policy](policy-anatomy.md#identity-authorization-policy-statements) table.

You can create an identity authorization policy in the following ways:
+ **By using the policy generator** – You can create a simple policy by using the policy generator in the SES console. In addition to allowing or denying permissions on SES API actions, you can constrain the actions with conditions. You can also use the policy generator to quickly create the basic structure of a policy and then customize it later by editing the policy.
+ **By creating a custom policy** – If you want to include more advanced conditions or use an AWS service as the principal, you can create a custom policy and attach it to the identity by using the SES console or the SES API.

**Topics**
+ [Using the policy generator](using-policy-generator.md)
+ [Creating a custom policy](creating-custom-policy.md)

# Using the policy generator
<a name="using-policy-generator"></a>

You can use the policy generator to create a simple authorization policy by following these steps.

**To create a policy by using the policy generator**

1. Sign in to the AWS Management Console and open the Amazon SES console at [https://console.aws.amazon.com/ses/](https://console.aws.amazon.com/ses/).

1. In the navigation pane, under **Configuration**, choose **Identities**.

1. In the **Identities** container on the **Identities** screen, select the verified identity you wish to create an authorization policy for.

1. In the details screen of the verified identity you selected in the previous step, choose the **Authorization** tab.

1. In the **Authorization policies** pane, choose **Create policy** and select **Use policy generator** from the dropdown.

1. In the **Create statement** pane, choose **Allow** in the **Effect** field. (If you want to create a policy to restrict this identity, choose **Deny** instead.)

1. In the **Principals** field, enter the *AWS account ID*, *IAM user ARN*, or AWS service to receive the permissions you want to authorize for this identity, then choose **Add**. (If you wish to authorize more than one, repeat this step for each one.)

1. In the **Actions** field, select the check box for each action you would like to authorize for your principals.

1. (Optional) Expand **Specify conditions** if you wish to add a qualifying statement to the permission.

   1. Select an operator from the **Operator** dropdown.

   1. Select a type from the **Key** dropdown.

   1. Respective to the key type you selected, enter its value in the **Value** field. (If you wish to add more conditions, choose **Add new condition** and repeat this step for each additional one.)

1. Choose **Save statement**.

1. (Optional) Expand **Create another statement** if you wish to add more statements to your policy and repeat steps 6 - 10.

1. Choose **Next** and on the **Customize policy** screen, the **Edit policy details** container has fields where you can change or customize the policy’s **Name** and the **Policy document** itself.

1. Choose **Next**. On the **Review and apply** screen, the **Overview** container shows the verified identity you’re authorizing as well as the name of this policy, and the **Policy document** pane shows the policy you just wrote along with any conditions you added. Review the policy and, if it looks correct, choose **Apply policy**. (If you need to change or correct something, choose **Previous** and work in the **Edit policy details** container.)

# Creating a custom policy
<a name="creating-custom-policy"></a>

If you want to create a custom policy and attach it to an identity, you have the following options:
+ **Using the Amazon SES API** – Create a policy in a text editor and then attach the policy to the identity by using the `PutIdentityPolicy` API described in the [Amazon Simple Email Service API Reference](https://docs.aws.amazon.com/ses/latest/APIReference/).
+ **Using the Amazon SES console** – Create a policy in a text editor and attach it to an identity by pasting it into the custom policy editor in the Amazon SES console. The following procedure describes this method.



**To create a custom policy by using the custom policy editor**

1. Sign in to the AWS Management Console and open the Amazon SES console at [https://console.aws.amazon.com/ses/](https://console.aws.amazon.com/ses/).

1. In the navigation pane, under **Configuration**, choose **Identities**.

1. In the **Identities** container on the **Identities** screen, select the verified identity you wish to create an authorization policy for.

1. In the details screen of the verified identity you selected in the previous step, choose the **Authorization** tab.

1. In the **Authorization policies** pane, choose **Create policy** and select **Create custom policy** from the dropdown.

1. In the **Policy document** pane, type or paste the text of your policy in JSON format. You can also use the policy generator to quickly create the basic structure of a policy and then customize it here.

1. Choose **Apply Policy**. (If you ever need to modify your custom policy, just select its check box under the **Authorization** tab, choose **Edit**, and make your changes in the **Policy document** pane followed by **Save changes**).

# Identity policy examples in Amazon SES
<a name="identity-authorization-policy-examples"></a>

Identity authorization enables you to specify the fine-grained conditions under which you allow or deny API actions for an identity.

**Topics**
+ [Specifying the principal](#identity-authorization-policy-example-delegate-user)
+ [Restricting the action](#sending-authorization-policy-example-restricting-action)
+ [Using multiple statements](#identity-authorization-policy-example-multiple-statements)

## Specifying the principal
<a name="identity-authorization-policy-example-delegate-user"></a>

The *principal*, which is the entity to which you are granting permission, can be an AWS account, an AWS Identity and Access Management (IAM) user, or an AWS service that belongs to the same account.

The following example shows a simple policy that allows AWS account *123456789012* to control the verified identity *example.com*, which is also owned by AWS account *123456789012*.

------
#### [ JSON ]


```
{
  "Id":"SampleAuthorizationPolicy",
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AuthorizeMarketer",
      "Effect":"Allow",
      "Resource":"arn:aws:ses:us-east-1:123456789012:identity/example.com",
      "Principal":{
        "AWS":[
          "123456789012"
        ]
      },
      "Action":[
        "ses:DeleteEmailIdentity",
        "ses:PutEmailIdentityDkimSigningAttributes"
      ]
    }
  ]
}
```

------

The following example policy grants permission to two users to control the verified identity *example.com*. Users are specified by their Amazon Resource Name (ARN).

------
#### [ JSON ]


```
{
  "Id":"ExampleAuthorizationPolicy",
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AuthorizeIAMUser",
      "Effect":"Allow",
      "Resource":"arn:aws:ses:us-east-1:123456789012:identity/example.com",
      "Principal":{
        "AWS":[
          "arn:aws:iam::123456789012:user/John",
          "arn:aws:iam::123456789012:user/Jane"
        ]
      },
      "Action":[
        "ses:DeleteEmailIdentity",
        "ses:PutEmailIdentityDkimSigningAttributes"
      ]
    }
  ]
}
```

------

## Restricting the action
<a name="sending-authorization-policy-example-restricting-action"></a>

There are multiple actions that can be specified in an identity authorization policy depending on the level of control you want to authorize:

```
"BatchGetMetricData",
"ListRecommendations",
"CreateDeliverabilityTestReport",
"CreateEmailIdentityPolicy",
"DeleteEmailIdentity",
"DeleteEmailIdentityPolicy",
"GetDomainStatisticsReport",
"GetEmailIdentity",
"GetEmailIdentityPolicies",
"PutEmailIdentityConfigurationSetAttributes",
"PutEmailIdentityDkimAttributes",
"PutEmailIdentityDkimSigningAttributes",
"PutEmailIdentityFeedbackAttributes",
"PutEmailIdentityMailFromAttributes",
"TagResource",
"UntagResource",
"UpdateEmailIdentityPolicy"
```

Identity authorization policies also enable you to restrict the principal to just one of those actions.

------
#### [ JSON ]


```
{
    "Id": "ExamplePolicy",
    "Version":"2012-10-17",
    "Statement": [
        {
            "Sid": "ControlAction",
            "Effect": "Allow",
            "Resource": "arn:aws:ses:us-east-1:123456789012:identity/example.com",
            "Principal": {
                "AWS": [
                    "123456789012"
                ]
            },
            "Action": [
                "ses:PutEmailIdentityMailFromAttributes"
            ]
        }
    ]
}
```

------

## Using multiple statements
<a name="identity-authorization-policy-example-multiple-statements"></a>

Your identity authorization policy can include multiple statements. The following example policy has two statements. The first statement denies two users, *John* and *Jane*, the `GetEmailIdentity` action on *sender@example.com* within the same account `123456789012`. The second statement denies `UpdateEmailIdentityPolicy` for the principal *Jack* within the same account `123456789012`.

------
#### [ JSON ]


```
{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"DenyGet",
      "Effect":"Deny",
      "Resource":"arn:aws:ses:us-east-1:123456789012:identity/sender@example.com",
      "Principal":{
        "AWS":[
          "arn:aws:iam::123456789012:user/John", 
          "arn:aws:iam::123456789012:user/Jane"
        ]
      },
      "Action":[
        "ses:GetEmailIdentity"
      ]
    },
    {
      "Sid":"DenyUpdate",
      "Effect":"Deny",
      "Resource":"arn:aws:ses:us-east-1:123456789012:identity/sender@example.com",
      "Principal":{
        "AWS":"arn:aws:iam::123456789012:user/Jack"
      },
      "Action":[
        "ses:UpdateEmailIdentityPolicy"
      ]
    }
  ]
}
```

------

# Managing your identity authorization policies in Amazon SES
<a name="managing-policies"></a>

In addition to creating and attaching policies to identities, you can edit, remove, list, and retrieve an identity's policies as described in the following sections.

## Managing policies using the Amazon SES console
<a name="managing-policies-console"></a>

Managing Amazon SES policies entails viewing, editing, or deleting a policy attached to an identity by using the Amazon SES console.

**To manage policies using the Amazon SES console**

1. Sign in to the AWS Management Console and open the Amazon SES console at [https://console.aws.amazon.com/ses/](https://console.aws.amazon.com/ses/).

1. In the left navigation pane, choose **Verified identities**. 

1. In the list of identities, choose the identity you want to manage.

1. On the identity's detail page, navigate to the **Authorization** tab. Here you’ll find a list of all the policies attached to this identity.

1. Select the policy you want to manage by choosing its checkbox.

1. Depending on the desired management task, choose the respective button as follows:

   1. To view the policy, choose **View policy**. If you need a copy of it, choose the **Copy** button and it will be copied to your clipboard.

   1. To edit the policy, choose **Edit**. In the **Policy document** pane, edit the policy, and then choose **Save changes**.

      **Note**  
      To revoke permissions, you can either edit the policy or remove it.

   1. To remove the policy, choose **Delete**.

      **Important**  
      Removing a policy is permanent. We recommend that you back up the policy by copying and pasting it into a text file before you remove it.

## Managing policies using the Amazon SES API
<a name="managing-policies-api"></a>

Managing Amazon SES policies entails viewing, editing, or deleting a policy attached to an identity by using the Amazon SES API.

**To list and view policies using the Amazon SES API**
+ You can list the policies that are attached to an identity by using the [ListIdentityPolicies API operation](https://docs.aws.amazon.com/ses/latest/APIReference/API_ListIdentityPolicies.html). You can also retrieve the policies themselves by using the [GetIdentityPolicies API operation](https://docs.aws.amazon.com/ses/latest/APIReference/API_GetIdentityPolicies.html).

**To edit a policy using the Amazon SES API**
+ You can edit a policy that's attached to an identity by using the [PutIdentityPolicy API operation](https://docs.aws.amazon.com/ses/latest/APIReference/API_PutIdentityPolicy.html).

**To delete a policy using the Amazon SES API**
+ You can delete a policy that's attached to an identity by using the [DeleteIdentityPolicy API operation](https://docs.aws.amazon.com/ses/latest/APIReference/API_DeleteIdentityPolicy.html).
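The following is an added example, not from the SES documentation or from boto3: it chains the four operations above to list and retrieve an identity's policies, and to revoke one principal by editing the policy with `PutIdentityPolicy`, falling back to `DeleteIdentityPolicy` when no principal would remain, while returning the original document as the backup the console note recommends. `FakeSesClient` and `SAMPLE_POLICIES` are constructed stand-ins so the code runs offline; with real credentials, pass `boto3.client("ses")` in place of the fake client.

```python
import json

# Constructed sample state: one policy on example.com granting two IAM users GetEmailIdentity.
SAMPLE_POLICIES = {"example.com": {"TeamReadAccess": json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AuthorizeIAMUsers", "Effect": "Allow",
                   "Resource": "arn:aws:ses:us-east-1:123456789012:identity/example.com",
                   "Principal": {"AWS": ["arn:aws:iam::123456789012:user/John",
                                         "arn:aws:iam::123456789012:user/Jane"]},
                   "Action": ["ses:GetEmailIdentity"]}]})}}


class FakeSesClient:
    """Offline stand-in for boto3.client("ses"): the four operations above, boto3 signatures."""

    def __init__(self, policies):
        self._policies = policies  # {identity: {policy_name: policy_json}}

    def list_identity_policies(self, Identity):
        return {"PolicyNames": sorted(self._policies.get(Identity, {}))}

    def get_identity_policies(self, Identity, PolicyNames):
        attached = self._policies.get(Identity, {})
        return {"Policies": {n: attached[n] for n in PolicyNames if n in attached}}

    def put_identity_policy(self, Identity, PolicyName, Policy):
        self._policies.setdefault(Identity, {})[PolicyName] = Policy

    def delete_identity_policy(self, Identity, PolicyName):
        self._policies.get(Identity, {}).pop(PolicyName, None)


def export_policies(client, identity):
    """ListIdentityPolicies then GetIdentityPolicies; returns {name: parsed document}."""
    names = client.list_identity_policies(Identity=identity)["PolicyNames"]
    if not names:
        return {}
    docs = client.get_identity_policies(Identity=identity, PolicyNames=names)["Policies"]
    return {name: json.loads(text) for name, text in docs.items()}


def revoke_principal(client, identity, policy_name, principal):
    """Revoke one principal by editing the policy (PutIdentityPolicy); delete the policy
    instead if no principal would remain. Returns the original document as a backup."""
    original = client.get_identity_policies(
        Identity=identity, PolicyNames=[policy_name])["Policies"][policy_name]
    policy = json.loads(original)
    kept = []
    for stmt in policy["Statement"]:
        block = stmt.get("Principal", {})
        aws = block.get("AWS", [])
        aws = [p for p in ([aws] if isinstance(aws, str) else aws) if p != principal]
        if aws:
            block["AWS"] = aws
        else:
            block.pop("AWS", None)  # a Service-only principal still keeps the statement
        if block:
            kept.append(stmt)
    if kept:
        policy["Statement"] = kept
        client.put_identity_policy(Identity=identity, PolicyName=policy_name, Policy=json.dumps(policy))
    else:
        client.delete_identity_policy(Identity=identity, PolicyName=policy_name)
    return original
```

The `Identity` argument is the identity name (domain or email address), not its ARN, which matches how these API operations are called in boto3.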