AWS SES Permissions Policy Generator

Easily generate custom AWS SES email policies with IP and email/domain conditions.

Policy Configuration

Comma-separated or line-separated list of IP addresses or CIDR ranges allowed to send emails. IPv4 addresses are normalised to /32.
Select at least one action. Default is SendEmail + SendRawEmail. See notes on v1 vs v2 and action support.
Choose * for all SES identities, or provide explicit identity ARNs.
Comma-separated or line-separated list. Domains are expanded to *@domain.com only. Subdomain wildcards (*@*.domain.com) are not allowed.
Entering a domain name like example.com will automatically be converted to *@example.com in the policy.
Documentation

Policy Guidance

Review the core IAM policy concepts this generator applies so the resulting SES policy matches your intended scope and API usage.

The inclusion of IP addresses in your policy conditions enables you to restrict or allow actions based on the source IP.

This is particularly useful for limiting access to your AWS resources from specific network locations. For instance, you might only allow certain actions from your corporate network, enhancing the overall security of your AWS environment.

IPv4 addresses entered without a CIDR are normalised to /32.

Specifying email addresses in your policy can be instrumental in controlling who can send emails from your AWS SES.

  • StringLike: Used for including or allowing specific addresses or patterns.

By using this condition with the ses:FromAddress key, you can control specific email addresses or entire domains. This tool focuses on allowlists and does not generate blacklist rules.

Subdomain Support: To match both a domain and its subdomains, this tool automatically generates two entries: *@domain.com and *@*.domain.com.

The Resource field can target specific SES identities such as verified domains or email addresses.

Use explicit identity ARNs for tight scoping, or use * to apply to all SES identities in the account.

This policy generator supports SES v1 and v2 actions (labels indicate API version):

  • ses:SendEmail (v1 + v2): Send formatted emails.
  • ses:SendRawEmail (v1): Send raw MIME emails (common for applications and attachments).
  • ses:SendTemplatedEmail (v1): Send a single templated email.
  • ses:SendBulkTemplatedEmail (v1): Send multiple templated emails in one request.
  • ses:SendBulkEmail (v2): Send bulk email using SES v2.
  • Use v2 actions when your app uses the SES v2 API; use v1 actions for the classic SES API.
  • Some actions do not support the same resource or condition keys, so test policies against the exact API you use.
  • Inputs are not de-duplicated. If you enter duplicates, they will appear in the output.

Disclaimer

  • This tool is provided as-is without any warranty.
  • Usage is entirely at your own risk.
  • We are not liable for any policy errors or omissions.
  • We accept no responsibility for any consequences arising from policy use.
  • Ensure compliance with AWS guidelines and your organisational policies.