Part 4: Create AWS Identity and Access Management Policies and Roles - connect-group/terraform-aws-ses-dashboard GitHub Wiki
To ensure the security of your AWS account, you must create an AWS Identity and Access Management (IAM) policy and role. The policy grants only the SES, S3, SQS and CloudWatch Logs actions the solution's Lambda function needs, and the role is the execution role that the function assumes in order to use those permissions. This procedure describes how to configure the policy and the role.
To create a new IAM policy and role
- Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
- In the column on the left side of the screen, choose Policies.
- Choose Create policy.
- On the Create Policy window, next to Create Your Own Policy, choose Select.
- On the Review Policy window, complete the following sections:
- For Policy Name, type a name for the policy.
- For Description, type a brief description of the policy.
- For Policy Document, paste the following code:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSendEmail",
      "Effect": "Allow",
      "Action": [
        "ses:SendEmail"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "s3allow",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::BUCKET_NAME/*"
      ]
    },
    {
      "Sid": "AllowQueuePermissions",
      "Effect": "Allow",
      "Action": [
        "sqs:ChangeMessageVisibility",
        "sqs:ChangeMessageVisibilityBatch",
        "sqs:DeleteMessage",
        "sqs:DeleteMessageBatch",
        "sqs:GetQueueAttributes",
        "sqs:GetQueueUrl",
        "sqs:ReceiveMessage"
      ],
      "Resource": [
        "SQS_QUEUE_ARN"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams"
      ],
      "Resource": [
        "arn:aws:logs:*:*:*"
      ]
    }
  ]
}
```
In the pasted code, change the following attributes:
- Replace BUCKET_NAME with the name of the Amazon S3 bucket you created in Part 3: Create an Amazon Simple Storage Service Bucket. Keep the trailing /* : s3:PutObject and s3:PutObjectAcl are object-level actions, so the resource must be the object ARN pattern, not the bucket ARN.
- Replace SQS_QUEUE_ARN with the ARN of the Amazon SQS queue you created in Part 2: Create a Queue in Amazon Simple Queue Service. Paste the ARN, not the queue URL (https://sqs.REGION.amazonaws.com/ACCOUNT_ID/QUEUE_NAME); a URL is not a valid Resource value and the policy will fail validation.
The AllowSendEmail statement uses "*" as its resource. If you want to tighten it, ses:SendEmail accepts the ARN of a verified identity (arn:aws:ses:REGION:ACCOUNT_ID:identity/DOMAIN_OR_ADDRESS) as the resource, so you can limit the role to sending from the identity the dashboard uses.
NOTE You can quickly obtain the ARN of the Amazon SQS queue by doing the following:
- In the Amazon SQS console, choose the queue you created in Part 2: Create a Queue in Amazon Simple Queue Service.
- In the Details section, copy the value shown next to ARN. The format of the ARN should resemble the following example:
arn:aws:sqs:us-east-1:999623213###:sample-queue-name
- Choose Create Policy.
- In the column on the left side of the screen, choose Roles.
- Choose Create role.
- Under Select type of trusted entity, choose Lambda, and then choose Next: Permissions.
- On the Attach permissions policies screen, check the box next to the name of the policy you created earlier in this part (Part 4: Create AWS Identity and Access Management Policies and Roles), and then choose Next: Review.
- On the Review screen, for Role name, type a name for the role, and then choose Create role.
- Proceed to Part 5: Configure Bounce and Complaint Notifications in Amazon SES.
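The console steps above hide two things a practitioner usually wants to see: the exact policy document after the placeholders are filled in, and the trust policy that the console writes for you when you choose Lambda as the trusted entity. The following script is an added example, not code from the wiki or from the terraform-aws-ses-dashboard project. It uses only the Python standard library, so it runs offline: it validates the bucket name and queue ARN (rejecting the common mistake of pasting the queue URL), builds the permissions policy from this page, emits the Lambda trust policy, lists which statements still use a bare "*" resource, and returns the AWS CLI commands equivalent to the console steps. The sample bucket name, queue ARN, policy name and role name are constructed values, and the AllowLogging Sid on the logs statement is an addition for readability.

```python
"""Build the IAM documents for the SES dashboard Lambda role (added example)."""
import json
import re

# Constructed sample values for the demo; replace with your own resources.
SAMPLE_BUCKET = "ses-dashboard-example-bucket"
SAMPLE_QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:sample-queue-name"

# arn:aws:sqs:<region>:<12-digit account>:<queue name>[.fifo]  (simplified region pattern)
SQS_ARN_RE = re.compile(
    r"^arn:aws:sqs:[a-z]{2}(-gov)?-[a-z]+-\d:\d{12}:[A-Za-z0-9_-]{1,80}(\.fifo)?$"
)
# Bucket names: 3-63 chars of lowercase letters, digits, dots and hyphens.
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def validate_inputs(bucket_name, queue_arn):
    """Fail early on malformed values instead of producing a policy IAM rejects."""
    if not BUCKET_RE.match(bucket_name):
        raise ValueError(f"not a valid S3 bucket name: {bucket_name!r}")
    if not SQS_ARN_RE.match(queue_arn):
        # The usual slip is copying the queue URL from the console instead of the ARN.
        raise ValueError(f"not an SQS queue ARN (did you paste the queue URL?): {queue_arn!r}")


def permissions_policy(bucket_name, queue_arn, ses_identity_arn="*"):
    """The policy from this page with BUCKET_NAME and SQS_QUEUE_ARN filled in.

    ses_identity_arn defaults to "*" as on the page; pass the ARN of the
    verified SES identity the dashboard sends from to scope the statement down.
    """
    validate_inputs(bucket_name, queue_arn)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowSendEmail", "Effect": "Allow",
             "Action": ["ses:SendEmail"], "Resource": [ses_identity_arn]},
            {"Sid": "s3allow", "Effect": "Allow",
             "Action": ["s3:PutObject", "s3:PutObjectAcl"],
             "Resource": [f"arn:aws:s3:::{bucket_name}/*"]},  # object-level, hence /*
            {"Sid": "AllowQueuePermissions", "Effect": "Allow",
             "Action": ["sqs:ChangeMessageVisibility", "sqs:ChangeMessageVisibilityBatch",
                        "sqs:DeleteMessage", "sqs:DeleteMessageBatch",
                        "sqs:GetQueueAttributes", "sqs:GetQueueUrl", "sqs:ReceiveMessage"],
             "Resource": [queue_arn]},
            {"Sid": "AllowLogging", "Effect": "Allow",
             "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                        "logs:PutLogEvents", "logs:DescribeLogStreams"],
             "Resource": ["arn:aws:logs:*:*:*"]},
        ],
    }


def lambda_trust_policy():
    """What the console attaches when you pick Lambda as the trusted entity:
    only the Lambda service principal may assume (sts:AssumeRole) this role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": "lambda.amazonaws.com"},
                       "Action": "sts:AssumeRole"}],
    }


def wildcard_resources(policy):
    """Sids whose Resource list contains a bare "*": candidates for tightening."""
    return [s["Sid"] for s in policy["Statement"] if "*" in s["Resource"]]


def cli_commands(policy_name, role_name, queue_arn):
    """AWS CLI equivalents of the console steps (returned as strings, not executed).

    The account ID for the policy ARN is read from the queue ARN, which is in
    the same account; policy.json and trust.json are the two documents above.
    """
    account_id = queue_arn.split(":")[4]
    return [
        f"aws iam create-policy --policy-name {policy_name} --policy-document file://policy.json",
        f"aws iam create-role --role-name {role_name} --assume-role-policy-document file://trust.json",
        f"aws iam attach-role-policy --role-name {role_name} "
        f"--policy-arn arn:aws:iam::{account_id}:policy/{policy_name}",
    ]


if __name__ == "__main__":
    policy = permissions_policy(SAMPLE_BUCKET, SAMPLE_QUEUE_ARN)
    print(json.dumps(policy, indent=2))
    print(json.dumps(lambda_trust_policy(), indent=2))
    print("statements with a bare '*' resource:", wildcard_resources(policy))
    print("\n".join(cli_commands("SesDashboardPolicy", "SesDashboardRole", SAMPLE_QUEUE_ARN)))
```

Write the two JSON documents to policy.json and trust.json and run the three printed commands with credentials that are allowed to create IAM resources; the result is the same policy and role the console steps produce. The `wildcard_resources` check is the quick least-privilege review: with the page's defaults it reports only AllowSendEmail, and passing an SES identity ARN empties it.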