I currently have one AWS account with 2 ec2 instances for 2 different domains (websites) I have set up. Previously, I verified one of the domains, created an IAM user for it and lodged a successful request to remove the account from the sandbox. Now I wish to use SES for the other domain as well. I know how to set up different MAIL FROM domains for the 2 domains, but in terms of code, the access and secret key I generate from creating new IAM users (which then get used in code) do not seem to take into account the different domains. Is it possible to use AWS SES for two separate domains like this (where the emails sent from each app have different MAIL FROM domains), and if so how does the code know which domain the emails are being sent? Is there a way to somehow link the IAM user to the domain?

CodePudding user response：

how does the code know which domain the emails are being sent?

The code you are writing has to know the FROM email address it is using. That's how your code knows which domain it is sending email with.

Is there a way to somehow link the IAM user to the domain?

This is well documented under the Controlling access section of the official AWS SES documentation. Specifically under the "Restricting the From Address" section:

The following policy permits a user to call the Amazon SES email-sending APIs, but only if the "From" address is [email protected].

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Action":[
        "ses:SendEmail",
        "ses:SendRawEmail"
      ],
      "Resource":"*",
      "Condition":{
        "StringEquals":{
          "ses:FromAddress":"[email protected]"
        }
      }
    }
  ]
}

You would use conditions in the IAM policy to restrict a role to only sending emails with certain FROM email addresses.