Home - mmattioli/aws-email-forwarding GitHub Wiki
The motivation behind this is to have a simple, straightforward, and cost-effective email forwarding service for use with one or multiple domains and email addresses.
Set up a domain with SES.
- Verify the domain.
- Create the necessary DNS records (e.g. DKIM, DMARC, SPF).
- Make sure your account is moved out of the sandbox.
Create and/or configure an S3 bucket.
- Allow `s3:PutObject` from `ses.amazonaws.com`.
Create and/or configure an IAM role and/or policy for the Lambda function.
- Log to CloudWatch (at least `logs:CreateLogStream` and `logs:PutLogEvents`).
- Send emails using SES (`ses:SendRawEmail`).
- Get objects from the S3 bucket (`s3:GetObject`).
These sample policies should give you a clear understanding of what access is required.
Sample S3 bucket policy
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ses.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::<bucketName>/*",
      "Condition": {
        "StringEquals": {
          "aws:Referer": "<awsAccountId>"
        }
      }
    }
  ]
}
```
Sample IAM policy for Lambda function
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:CreateLogGroup",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<bucketName>/*"
    },
    {
      "Effect": "Allow",
      "Action": "ses:SendRawEmail",
      "Resource": "arn:aws:ses:<region>:<awsAccountId>:identity/*"
    }
  ]
}
```
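The following Python check is an added example, not code from this wiki or the aws-email-forwarding project. It audits both policy documents against the access listed above: it flags unneeded actions and unscoped resources in the Lambda role policy, and SES write statements that carry no account-scoping condition. The bucket name, region and account ID are constructed values, and accepting `aws:SourceAccount` or `aws:SourceArn` as alternatives to the sample's `aws:Referer` condition is an assumption of the example.

```python
LOG_ACTIONS = ["logs:CreateLogStream", "logs:CreateLogGroup", "logs:PutLogEvents"]
EXPECTED = set(LOG_ACTIONS) | {"s3:GetObject", "ses:SendRawEmail"}
OPTIONAL = {"logs:CreateLogGroup"}  # in the sample policy, not in the page's step list
# Condition keys (lowercased) that pin a service principal to one account or resource.
SCOPING_KEYS = {"aws:referer", "aws:sourceaccount", "aws:sourcearn"}

def _list(value):
    return value if isinstance(value, list) else [value]

def _allows(policy):
    return [s for s in _list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]

def audit_role_policy(policy):
    """Findings for the Lambda role's identity policy."""
    findings, granted = [], set()
    for stmt in _allows(policy):
        actions = set(_list(stmt.get("Action", [])))
        granted |= actions
        for action in sorted(actions - EXPECTED):
            kind = "wildcard action" if "*" in action else "action not needed for forwarding"
            findings.append(f"{kind}: {action}")
        if "*" in _list(stmt.get("Resource", [])):
            findings.append("unscoped resource for: " + ", ".join(sorted(actions)))
    findings += [f"missing required action: {a}" for a in sorted(EXPECTED - OPTIONAL - granted)]
    return findings

def audit_bucket_policy(policy):
    """Findings for Allow statements granted to a service principal such as SES."""
    findings = []
    for stmt in _allows(policy):
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict) and "Service" in principal:
            keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
            if not keys & SCOPING_KEYS:
                findings.append(f"{principal['Service']} is not restricted to one account")
    return findings

# Constructed inputs: the page's samples with made-up bucket, region and account values.
ACCOUNT, BUCKET = "111122223333", "arn:aws:s3:::example-mail-bucket/*"
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": LOG_ACTIONS, "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET},
    {"Effect": "Allow", "Action": "ses:SendRawEmail",
     "Resource": f"arn:aws:ses:us-east-1:{ACCOUNT}:identity/*"}]}
SES_WRITE = {"Effect": "Allow", "Principal": {"Service": "ses.amazonaws.com"},
             "Action": "s3:PutObject", "Resource": BUCKET}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    dict(SES_WRITE, Condition={"StringEquals": {"aws:Referer": ACCOUNT}})]}
UNSCOPED_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [SES_WRITE]}
```

Run against the samples, the only finding is the log statement's `"Resource": "*"`; the bucket policy passes because of its `aws:Referer` condition, and the same statement without that condition is flagged.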