

# Amazon SES


 AWS Systems Manager Automation provides predefined runbooks for Amazon Simple Email Service. For more information about runbooks, see [Working with runbooks](https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-documents.html). For information about how to view runbook content, see [View runbook content](automation-runbook-reference.md#view-automation-json). 

**Topics**
+ [`AWSSupport-AnalyzeSESMessageSendingStatus`](awssupport-analyze-ses-message-sending-status.md)
+ [`AWSSupport-DeploySESSendingLogsToCloudWatchLogs`](automation-awssupport-deploysessendinglogstocloudwatchlogs.md)

# `AWSSupport-AnalyzeSESMessageSendingStatus`


**Description**  
 The `AWSSupport-AnalyzeSESMessageSendingStatus` automation runbook summarizes the delivery status of undelivered email messages and recommends how to resolve the cause. The runbook retrieves Amazon Simple Email Service (Amazon SES) email sending events that Amazon SES published and that are stored in an Amazon CloudWatch Logs log group. For details about Amazon SES event publishing, see [Monitoring using Amazon Simple Email Service event publishing](https://docs.aws.amazon.com/ses/latest/dg/monitor-using-event-publishing.html). The runbook also provides a summary and timeline of the email deliveries, along with recommendations for issues that can affect undelivered email messages. You can find these results in the output section of each execution. Note that this runbook can only troubleshoot events recorded after the event store was deployed. 

 **How does it work?** 

 The runbook performs the following steps: 
+ Checks concurrent automation executions for the same CloudWatch Logs group.
+ Analyzes the Amazon SES events that correspond to the message IDs given by the automation parameter.
+ Outputs delivery summaries to the output section of the automation execution.

**Important**  
Before executing this runbook, you have to store published Amazon SES events to a CloudWatch Logs log group specified by the automation parameter. This runbook only analyzes Amazon SES events stored in the log group.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSSupport-AnalyzeSESMessageSendingStatus) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ `logs:StartQuery`
+ `logs:GetQueryResults`
+ `ses:GetIdentityMailFromDomainAttributes`
+ `ses:GetSendQuota`
+ `ssm:DescribeAutomationExecutions`
+ `ssm:GetAutomationExecution`

 **Instructions** 

Follow these steps to configure the automation:

1. Navigate to [https://console.aws.amazon.com/systems-manager/documents/AWSSupport-AnalyzeSESMessageSendingStatus/description](https://console.aws.amazon.com/systems-manager/documents/AWSSupport-AnalyzeSESMessageSendingStatus/description) in Systems Manager under Documents.

1. Select Execute automation.

1. For the input parameters, enter the following:
   + **AutomationAssumeRole (Optional):**

     The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user who starts this runbook.
   + **MessageIds (Required)**

     Comma separated Amazon Simple Email Service message IDs of the Amazon Simple Email Service events that you would like to analyze.
   + **CloudWatchLogsGroup (Optional)**

     The Amazon CloudWatch Logs group which stores Amazon Simple Email Service events. The default log group name is `/ses/sending_event_logs`. To use a log group other than the default, enter your log group name in this field.
   + **QueryStartTime (Optional)**

     The start time of the time range for the event analysis. The valid time format is ISO8601 (e.g. `yyyy-MM-ddTHH:mm:ss`, `1970-01-01T00:00:00`). The default date time is 30 days ago.
   + **QueryEndTime (Optional)**

     The end time of the time range for the event analysis. The valid time format is ISO8601 (e.g. `yyyy-MM-ddTHH:mm:ss`, `1970-01-01T00:00:00`). The default date time is the current time.  
![\[Input parameters section on the management console which shows textboxes for the above five parameters.\]](http://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/images/awssupport-analyze-ses-message-sending-status_input_parameters.png)

1. Select Execute.

1. The automation initiates.

1. The document performs the following steps:
   + **`CheckConcurrency:`**

     Ensures that there is only one execution of this runbook targeting the Amazon CloudWatch Logs group. If the runbook finds another execution targeting the same log group, it returns an error and ends.
   + **`AnalyzeSesEvents:`**

     Analyzes Amazon Simple Email Service events stored in the Amazon CloudWatch Logs group specified by the automation parameter. 
   + **`OutputFailureReason:`**

     Outputs execution step failure messages when the `AnalyzeSESMessageSendingStatus` step fails. 

1. After the automation completes, review the Outputs section for the detailed results of the execution:
   + **Output of analysis on an undelivered email message because of a bounce**

     Output of an automation execution for an email message that didn't reach the destination mailbox because of a bounce.  
![\[Example of automation execution output of a message ID that received a bounce from the destination email server.\]](http://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/images/awssupport-analyze-ses-message-sending-status_outputs.png)

 **References** 

Systems Manager Automation
+ [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/documents/AWSSupport-AnalyzeSESMessageSendingStatus/description)
+ [Run an automation](https://docs.aws.amazon.com//systems-manager/latest/userguide/automation-working-executing.html)
+ [Setting up an Automation](https://docs.aws.amazon.com//systems-manager/latest/userguide/automation-setup.html)
+ [Support Automation Workflows landing page](https://aws.amazon.com/premiumsupport/technology/saw/)

# `AWSSupport-DeploySESSendingLogsToCloudWatchLogs`


 **Description** 

 The `AWSSupport-DeploySESSendingLogsToCloudWatchLogs` automation runbook helps configure the infrastructure required for Amazon Simple Email Service (Amazon SES) event publishing to Amazon CloudWatch Logs (CloudWatch Logs). This runbook sets up the components needed to capture email sending events and store them in CloudWatch Logs for monitoring and analysis. For more information about Amazon SES event publishing, see [Monitor email sending using Amazon SES event publishing](https://docs.aws.amazon.com/ses/latest/dg/monitor-using-event-publishing.html).

 When the `ApproveDeployAnalyticEnvironment` parameter is set to `approve`, this runbook creates new AWS resources in your AWS account. The CloudFormation stack is automatically deleted after the time specified in the `SleepTime` parameter, unless `SleepTime` is set to `0`. 

 **How does it work?** 

This runbook performs the following actions:
+ Lists existing configuration sets that have event destinations configured for Amazon Simple Notification Service (Amazon SNS) topics or delivery streams.
+ Creates the infrastructure required for Amazon SES event publishing to CloudWatch Logs when the `ApproveDeployAnalyticEnvironment` parameter is set to `approve`.

When the `ApproveDeployAnalyticEnvironment` parameter is set to `approve`, the runbook creates the following resources:
+ A CloudFormation stack named `AWSSupport-SESSendingLogsToCloudWatchLogs` that includes:
  + Amazon SNS topic with AWS Key Management Service (AWS KMS) encryption
  + Amazon Simple Queue Service (Amazon SQS) queue
  + AWS Lambda function for processing email sending events
  + AWS Identity and Access Management (IAM) execution role with permissions for Amazon SQS and CloudWatch Logs
  + CloudWatch Logs log group
  + AWS KMS key for encryption
  + Amazon SES configuration set with event destinations
+ The infrastructure processes email sending events in the following flow: Amazon SES Email Sending Events → Amazon SES Configuration Set → Amazon SNS Topic → Amazon SQS Queue → Lambda Function → CloudWatch Logs
+ Associates the created configuration set as the default configuration set for a specified Amazon SES identity when the `SesIdentity` parameter is provided.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSSupport-DeploySESSendingLogsToCloudWatchLogs) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

/

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ `cloudformation:CreateStack`
+ `cloudformation:DeleteStack`
+ `cloudformation:DescribeStackEvents`
+ `cloudformation:DescribeStacks`
+ `iam:CreateRole`
+ `iam:AttachRolePolicy`
+ `iam:PassRole`
+ `kms:CreateKey`
+ `kms:CreateAlias`
+ `lambda:CreateFunction`
+ `lambda:AddPermission`
+ `logs:CreateLogGroup`
+ `logs:PutRetentionPolicy`
+ `ses:CreateConfigurationSet`
+ `ses:CreateConfigurationSetEventDestination`
+ `ses:ListConfigurationSets`
+ `ses:PutEmailIdentityConfigurationSetAttributes`
+ `sns:CreateTopic`
+ `sns:Subscribe`
+ `sqs:CreateQueue`
+ `sqs:SetQueueAttributes`
+ `ssm:DescribeAutomationExecutions`

Example Policy: 

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStacks",
                "iam:CreateRole",
                "iam:AttachRolePolicy",
                "iam:PassRole",
                "kms:CreateKey",
                "kms:CreateAlias",
                "lambda:CreateFunction",
                "lambda:AddPermission",
                "logs:CreateLogGroup",
                "logs:PutRetentionPolicy",
                "ses:CreateConfigurationSet",
                "ses:CreateConfigurationSetEventDestination",
                "ses:ListConfigurationSets",
                "ses:PutEmailIdentityConfigurationSetAttributes",
                "sns:CreateTopic",
                "sns:Subscribe",
                "sqs:CreateQueue",
                "sqs:SetQueueAttributes",
                "ssm:DescribeAutomationExecutions"
            ],
            "Resource": "*"
        }
    ]
}
```
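
The following check is an added example, not AWS code. It compares the policy attached to an `AutomationAssumeRole` with the action lists documented on this page for both runbooks, and flags IAM write actions that are allowed on `Resource: "*"` without a condition. The names `audit`, `IAM_WRITE`, `PAGE_POLICY` and the result keys are chosen for this example, and the wildcard matching is a simplification of IAM policy evaluation.

```python
from fnmatch import fnmatchcase

ANALYZE = "AWSSupport-AnalyzeSESMessageSendingStatus"
DEPLOY = "AWSSupport-DeploySESSendingLogsToCloudWatchLogs"
# Actions copied from the two "Required IAM permissions" lists on this page.
REQUIRED = {
    ANALYZE: """logs:StartQuery logs:GetQueryResults
        ses:GetIdentityMailFromDomainAttributes ses:GetSendQuota
        ssm:DescribeAutomationExecutions ssm:GetAutomationExecution""".split(),
    DEPLOY: """cloudformation:CreateStack cloudformation:DeleteStack
        cloudformation:DescribeStackEvents cloudformation:DescribeStacks
        iam:CreateRole iam:AttachRolePolicy iam:PassRole kms:CreateKey
        kms:CreateAlias lambda:CreateFunction lambda:AddPermission
        logs:CreateLogGroup logs:PutRetentionPolicy ses:CreateConfigurationSet
        ses:CreateConfigurationSetEventDestination ses:ListConfigurationSets
        ses:PutEmailIdentityConfigurationSetAttributes sns:CreateTopic
        sns:Subscribe sqs:CreateQueue sqs:SetQueueAttributes
        ssm:DescribeAutomationExecutions""".split(),
}
# IAM write actions worth restricting with a Resource ARN or a Condition.
IAM_WRITE = ("iam:createrole", "iam:attachrolepolicy", "iam:passrole")
# The page's example policy: every DEPLOY action allowed on Resource "*".
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": REQUIRED[DEPLOY], "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit(policy, runbook):
    """Compare Allow statements with a runbook's documented actions (Deny and NotAction are ignored)."""
    required = {name.lower(): name for name in REQUIRED[runbook]}
    granted, unscoped = set(), set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        patterns = [action.lower() for action in _as_list(stmt["Action"])]
        granted.update(patterns)
        if "*" in _as_list(stmt.get("Resource", [])) and "Condition" not in stmt:
            unscoped.update(w for w in IAM_WRITE
                            if any(fnmatchcase(w, p) for p in patterns))
    return {
        "missing": sorted(name for key, name in required.items()
                          if not any(fnmatchcase(key, p) for p in granted)),
        "beyond_documented": sorted(p for p in granted if p not in required),
        "unscoped_iam_write": sorted(unscoped),
    }
```

Run against the example policy above, `audit(PAGE_POLICY, DEPLOY)` reports nothing missing and lists `iam:CreateRole`, `iam:AttachRolePolicy` and `iam:PassRole` as unscoped, which is the part of the policy to narrow first when adapting it to an account.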

 **Instructions** 

Follow these steps to configure the automation:

1. Navigate to [https://console.aws.amazon.com/systems-manager/documents/AWSSupport-DeploySESSendingLogsToCloudWatchLogs/description](https://console.aws.amazon.com/systems-manager/documents/AWSSupport-DeploySESSendingLogsToCloudWatchLogs/description) in Systems Manager under Documents.

1. Select **Execute automation.**

1. For the input parameters, enter the following:
   + **AutomationAssumeRole (Optional):**
     + Description: (Optional) The Amazon Resource Name (ARN) of the IAM role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.
     + Type: `AWS::IAM::Role::Arn`
   + **ApproveDeployAnalyticEnvironment (Optional):**
     + Description: (Optional) Approval to deploy the Amazon SES event publishing infrastructure. Enter `approve` to create the CloudFormation stack and related resources. If left empty, the runbook only displays existing configuration sets with delivery stream or Amazon SNS event destinations in the current region.
     + Type: `String`
     + Allow Pattern: `^$|^approve$`
     + Default: `""`
   + **SesIdentity (Optional):**
     + Description: (Optional) Amazon SES identity (email address or domain) to associate with the newly created configuration set as the default configuration set. This will overwrite any existing default configuration set for the specified identity.
     + Type: `String`
     + Default: `""`
   + **CloudWatchLogGroupName (Optional):**
     + Description: (Optional) Name of the CloudWatch Logs log group to create for storing Amazon SES email sending events.
     + Type: `String`
     + Allow Pattern: `^[0-9a-zA-Z_.#/\\-]{1,512}$`
     + Default: `/ses/sending_event_logs`
   + **MaskPIIData (Optional):**
     + Description: (Optional) Specify whether to mask personally identifiable information (PII) data such as destination email addresses and email subjects in CloudWatch Logs. Set to `False` to include this information in the logs.
     + Type: `String`
     + Allowed Values: `[True, False]`
     + Default: `True`
   + **SleepTime (Optional):**
     + Description: (Optional) Number of minutes to wait before automatically deleting the CloudFormation stack. The default is 24 hours (1,440 minutes), maximum is 7 days (10,080 minutes). Set to `0` to prevent automatic deletion.
     + Type: `String`
     + Allow Pattern: `^(?:[0-9]|[1-9]\\d{1,3}|100[0-7][0-9])$`
     + Default: `1440`
   + **RetainCloudWatchLogsOnDeletion (Optional):**
     + Description: (Optional) Specify whether to retain the CloudWatch Logs log group when the CloudFormation stack is deleted. Set to `False` to delete the log group along with the stack.
     + Type: `String`
     + Allowed Values: `[True, False]`
     + Default: `True`
   + **UniqueId (Optional):**
     + Description: (Optional) A unique identifier for the workflow.
     + Type: `String`
     + Allow Pattern: `\\{\\{ automation:EXECUTION_ID \\}\\}|[a-zA-Z0-9-]+`
     + Default: `{{ automation:EXECUTION_ID }}`
     + Max Characters: `64`

1. Select **Execute**.

1. The automation initiates.

1. The document performs the following steps:
   + **BranchOnValueOfParameterApproveDeployAnalyticEnvironment**

     Determines whether to deploy the Amazon SES event publishing infrastructure based on the `ApproveDeployAnalyticEnvironment` parameter value.
   + **GetEligibleConfigurationSets**

     Retrieves existing Amazon SES configuration sets and identifies those with event destinations configured for delivery streams or Amazon SNS topics.
   + **CheckConcurrency**

     Verifies that no existing stack exists and that no other concurrent executions of this runbook are creating the same stack.
   + **DeploySesEventDestinations**

     Creates the CloudFormation stack containing the Amazon SES event publishing infrastructure including Amazon SNS topic, Amazon SQS queue, Lambda function, and CloudWatch Logs log group.
   + **RelateConfigurationSetAsDefaultConfigurationSet**

     Associates the newly created Amazon SES configuration set as the default configuration set for the specified Amazon SES identity (if provided).
   + **SleepBeforeDeleteCloudFormationStack**

     Waits for the specified duration in the SleepTime parameter before proceeding to delete the CloudFormation stack.
   + **DeleteCloudFormationStack**

     Deletes the CloudFormation stack after the specified time period.

1. After completion, review the **Outputs** section for the detailed results of the execution.
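
The parameter rules from step 3 can be checked before an execution is started. This is an added example, not part of the runbook: it applies the allow patterns and allowed values exactly as printed above (with the JSON escaping removed) and lists the side effects this page documents for particular values. The function names are chosen for this example, and it assumes a pattern must match the whole value.

```python
import re

# Allow patterns / allowed values as printed above, with JSON escaping removed.
PATTERNS = {
    "ApproveDeployAnalyticEnvironment": r"^$|^approve$",
    "CloudWatchLogGroupName": r"^[0-9a-zA-Z_.#/\-]{1,512}$",
    "MaskPIIData": r"True|False",
    "SleepTime": r"^(?:[0-9]|[1-9]\d{1,3}|100[0-7][0-9])$",
    "RetainCloudWatchLogsOnDeletion": r"True|False",
    "UniqueId": r"\{\{ automation:EXECUTION_ID \}\}|[a-zA-Z0-9-]+",
}
FREE_FORM = {"AutomationAssumeRole", "SesIdentity"}  # no pattern printed on the page


def check_parameters(params):
    """Return (errors, notes) for a dict of runbook input parameters (all strings).

    Assumption: a pattern must match the whole value (re.fullmatch).
    """
    errors, notes = [], []
    for name, value in params.items():
        if name in FREE_FORM:
            continue
        if name not in PATTERNS:
            errors.append(f"{name}: not a parameter of this runbook")
        elif not re.fullmatch(PATTERNS[name], value):
            errors.append(f"{name}: {value!r} does not match {PATTERNS[name]}")
    if len(params.get("UniqueId", "")) > 64:
        errors.append("UniqueId: longer than 64 characters")
    # Side effects this page documents for particular values.
    if params.get("ApproveDeployAnalyticEnvironment") == "approve":
        notes.append("creates the CloudFormation stack and its resources")
        if params.get("SleepTime") == "0":
            notes.append("SleepTime 0: the stack is never deleted automatically")
        if params.get("MaskPIIData") == "False":
            notes.append("MaskPIIData False: addresses and subjects are logged unmasked")
        if params.get("SesIdentity"):
            notes.append("SesIdentity: overwrites the identity's default configuration set")
    return errors, notes


def to_ssm_parameters(params):
    """Shape accepted by boto3 ssm.start_automation_execution(Parameters=...)."""
    errors, _ = check_parameters(params)
    if errors:
        raise ValueError("; ".join(errors))
    return {name: [value] for name, value in params.items()}
```

With the `SleepTime` pattern exactly as printed, `10080` is rejected and `10079` is the largest accepted value, although the description gives 10,080 minutes as the maximum.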

 **References** 

Systems Manager Automation
+ [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/documents/AWSSupport-DeploySESSendingLogsToCloudWatchLogs/description)
+ [Run an automation](https://docs.aws.amazon.com//systems-manager/latest/userguide/automation-working-executing.html)
+ [Setting up an Automation](https://docs.aws.amazon.com//systems-manager/latest/userguide/automation-setup.html)
+ [Support Automation Workflows landing page](https://aws.amazon.com/premiumsupport/technology/saw/)