(aws_ses: EmailIdentity): (EmailIdentity grantSendEmail missing permission in case there is a configuration set defined)

[pitayapj]

Describe the bug

not sure if this can consider a bug. But when using EmailIdentity.grantSendEmail() in AWS CDK, the generated IAM policy does not include the ses:SendEmail and ses:SendRawEmail action with the required ConfigurationSetName condition, resulting in a failure to send emails when a configuration set is attached.

Regression Issue

• Select this option if this issue appears to be a regression.

Last Known Working CDK Library Version

No response

Expected Behavior

Calling grantSendEmail() should grant permissions that allow sending emails with or without a configuration set. Specifically, it should include a policy allowing:

{
  "Action": "ses:SendEmail",
  "Effect": "Allow",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "ses:ConfigurationSetName": "<your-config-set-name>"
    }
  }
}

Current Behavior

only permission for declared entity

{
        "Action": [
            "ses:SendEmail",
            "ses:SendRawEmail"
        ],
        "Resource": "arn:aws:ses:region:account:identity/example.com",
        "Effect": "Allow"
    }

Reproduction Steps

const mailConfigureSet = new ses.ConfigurationSet(this, 'mailConfigureSet', {
  configurationSetName: `default-mail-configure-set`,
  tlsPolicy: ses.ConfigurationSetTlsPolicy.REQUIRE,
});

const domainIdentity = new ses.EmailIdentity(this, 'domainIdentity', {
  identity: 'domain.com',
  configurationSet: mailConfigureSet,
  mailFromDomain: 'domain.com',
});
domainIdentity.grantSendEmail(taskDef.taskRole);

Possible Solution

No response

Additional Information/Context

No response

AWS CDK Library version (aws-cdk-lib)

2.188.0

AWS CDK CLI version

2.1010.0

Node.js Version

20

OS

macOS

Language

TypeScript

Language Version

No response

Other information

No response

[ykethan]

Hey @pitayapj , thank you for reaching out and reporting this issue. I was able to reproduce this and confirm this behavior.

When using EmailIdentity.grantSendEmail() with a configuration set attached to the email identity, the generated IAM policy only includes permission to send email from the identity but doesn't include permission for using the configuration set.

When a configuration set is used in an SES request (via the X-SES-CONFIGURATION-SET header), AWS SES requires additional IAM permissions with a condition on ses:ConfigurationSetName.

Reproduction

I created a simple test CDK app:

const configSet = new ses.ConfigurationSet(this, 'ConfigSet', {
  configurationSetName: 'test-config-set',
});

const emailIdentity = new ses.EmailIdentity(this, 'EmailIdentity', {
  identity: ses.Identity.domain('example.com'),
  configurationSet: configSet,
});

// Grant send email permissions to a role
emailIdentity.grantSendEmail(role);

When synthesizing this stack, the generated IAM policy only includes:

{
  "Action": [
    "ses:SendEmail",
    "ses:SendRawEmail"
  ],
  "Effect": "Allow",
  "Resource": "arn:aws:ses:region:account:identity/example.com"
}

Code Reference

The issue is in packages/aws-cdk-lib/aws-ses/lib/email-identity.ts where the grantSendEmail() method is implemented:

public grantSendEmail(grantee: IGrantable): Grant {
  return this.grant(grantee, 'ses:SendEmail', 'ses:SendRawEmail');
}

This method only grants permissions for the ses:SendEmail and ses:SendRawEmail actions on the email identity resource but doesn't account for the configuration set that might be associated with the email identity.

Proposed Fix

Off the top, the grantSendEmail() method could be updated to check if a configuration set is associated with the email identity, and if so, include an additional permission with the appropriate condition for the configuration set name:

public grantSendEmail(grantee: IGrantable): Grant {
  // Grant permission for the identity resource first
  const grant = this.grant(grantee, 'ses:SendEmail', 'ses:SendRawEmail');
  
  // If there's a configuration set associated with this identity, add condition-based permission
  // We can get the configuration set name from the underlying CfnEmailIdentity resource
  const cfnResource = this.node.findChild('Resource') as CfnEmailIdentity;
  if (cfnResource.configurationSetAttributes?.configurationSetName) {
    const configSetName = cfnResource.configurationSetAttributes.configurationSetName;
    
    // Add an additional policy statement for the configuration set
    grantee.addToPrincipalPolicy({
      effect: iam.Effect.ALLOW,
      actions: ['ses:SendEmail', 'ses:SendRawEmail'],
      resources: ['<arn>'],
      conditions: {
        StringEquals: {
          'ses:ConfigurationSetName': configSetName,
        },
      },
    });
  }
  
  return grant;
}

Workaround

You could manually define this permission to their IAM roles/policies when using configuration sets with SES. Here's a example:

const configSet = new ses.ConfigurationSet(this, 'ConfigSet', {
  configurationSetName: 'test-config-set',
});

const emailIdentity = new ses.EmailIdentity(this, 'EmailIdentity', {
  identity: ses.Identity.domain('example.com'),
  configurationSet: configSet,
});

// Add additional permission for the configuration set
role.addToPrincipalPolicy(new iam.PolicyStatement({
  effect: iam.Effect.ALLOW,
  actions: ['ses:SendEmail', 'ses:SendRawEmail'],
  resources: ['<arn>'],
  conditions: {
    StringEquals: {
      'ses:ConfigurationSetName': configSet.configurationSetName,
    },
  },
}));

Marking as P2 bug
We greatly appreciate community contributions! If you or someone else is interested in implementing this, we'd be happy to review a Pull Request. Please check our contribution guidelines for information.