AWS SES: Cross Account Email Receiving

AWS Tutorials / Leave a Comment

Introduction

In today’s interconnected world, businesses often find themselves in situations where they need to share resources across different AWS accounts. One common challenge is setting up email-receiving capabilities across AWS accounts, a process which is commonly known as “Cross Account Email Receiving”. This enables organizations to centralize their email handling while maintaining security and compliance.

Need

The need for cross-account email receiving arises in scenarios where multiple AWS accounts are involved in a business process, but there is a desire to centralize email communication. This could be for reasons like:

  1. Security and Compliance: By consolidating email receiving into a single account, one can implement stricter security controls and compliance policies.
  2. Simplification of Management: Managing email services across multiple AWS accounts can be complex. Centralizing this process simplifies administration and reduces potential points of failure.
  3. Cost Optimization: By consolidating email handling, you can potentially reduce costs associated with email services and infrastructure.

Prerequisites:

  1. Access to multiple AWS Accounts (at least 2).
  2. A registered Domain.
  3. IAM Permissions to create resources in AWS Account.

Architecture

The architecture for AWS Cross Account Email Receiving involves the following components:

  1. AWS Account A: The account where emails are received from outside email clients.
  2. SES (Simple Email Service): A scalable and cost-effective email sending and receiving service provided by AWS.
  3. S3 Bucket in various AWS Accounts: An object storage service used for storing email contents.

Steps

Step 1: Configure AWS SES in AWS Account A

  1. Set up AWS SES Domain or Email Address:
  • In AWS Account A, access the AWS SES console.
  • Configure and verify the email-sending domain or email address that you want to receive emails for.
Verified Identities in SES
Creating & Verifying Identities in SES

Step 2: Configure AWS SES Receipt Rule in AWS Account A.

Create a Rule Set: In the AWS SES console within AWS Account A, create a Rule Set. Rule sets are containers for your receipt rules. Only one rule set can be active at a given time.

2. Create a Receipt Rule: This gives you fine-grained control over your email receiving by utilizing recipient-based control to specify a set of actions to take based on the recipient.

Receipt Rules

Specify the conditions that will trigger the receipt rule. Typically, you would want to apply this rule to all incoming emails.

In this example, I have created a receipt rule that would deliver the incoming mail to a cross-account S3 bucket.

Add S3 Action:

Configure an action to store the received email in an S3 bucket (get-emails-from-account-a) placed in a cross-account.

Configure Cross-Account Permissions on S3 Bucket in Account B:

Set permissions on the S3 bucket to allow cross-account access. Create a bucket policy that grants access to the IAM role in AWS Account B(..C, D,..Z), etc.

Bucket Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSESPuts",
            "Effect": "Allow",
            "Principal": {
                "Service": "ses.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::<BUCKET-NAME>/*",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceArn": "arn:aws:ses:us-east-1:<ACCOUNT-ID>:receipt-rule-set/<RULE-SET-NAME>:receipt-rule/RULE-NAME",
                    "AWS:SourceAccount": "<ACCOUNT-ID>"
                }
            }
        }
    ]
}
//NOTE: //Line 11: Replace Resource ARN with respective S3 bucket ARN in AWS account B. 
//NOTE: //Line 14: Replace Receipt Rule ARN in AWS Account A.
//NOTE: //Line 15: Replace Account ID with AWS Account A.

Limitations:

Amazon SES supports email receiving for the following AWS Regions:

Regions and Amazon SES

Conclusion

Cross-account email receiving using AWS SES offers the ability to segregate email processing from your application, thereby enhancing security and control.

This guide provided a detailed step-by-step process to set up cross-account email receiving with AWS SES, including configuring AWS SES in AWS Account A and creating a Receipt Rule to deliver emails to an S3 bucket in AWS Account B.

The AWS ecosystem is dynamic, and best practices can evolve. If any reader identifies corrections, updates, or improvements that could enhance the accuracy and efficacy of the methods discussed, I welcome your feedback.

Together, we can refine and optimize our approaches to cross-account email receiving, fostering a more secure and efficient cloud environment.

Must Read

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top