AWS Messaging Blog

Enhance email security using VPC endpoints with Amazon SES Manager

Organizations managing on-premises email infrastructure face a critical challenge: how to modernize email systems while maintaining strict security and compliance standards. For healthcare providers, financial institutions, and government agencies, email messages often contain sensitive data that must remain on private networks throughout processing.

The virtual private cloud (VPC) endpoint feature of Amazon Simple Email Service (Amazon SES) Mail Manager addresses this challenge by enabling SMTP messages to remain on your private network throughout processing, routing, and compliance logging before final delivery. This post walks you through implementing this solution to securely modernize your email infrastructure.

Consider this scenario: You’re responsible for a healthcare organization’s email infrastructure that processes thousands of patient communications daily. Your on-premises Exchange servers are aging, maintenance costs are climbing, and your organization is moving workloads to AWS. Your security team requires that email processing for sensitive patient communications—including workflow processing, temporary storage, rule-based routing, and compliance logging—remain within private, controlled networks until ready for final delivery. The Amazon SES Mail Manager VPC endpoint feature addresses this requirement by maintaining network-level isolation for email operations from generation through processing, minimizing data exposure, meeting compliance requirements, and providing defense-in-depth security before final message delivery.

This post demonstrates how to implement VPC endpoints with Amazon SES Mail Manager using exercises from the Amazon SES Mail Manager workshop. We show how to configure VPC endpoints, security groups, and ingress endpoints to maintain private network connectivity for your email processing workflows.

Solution overview

Our approach combines AWS services to create a secure, private email infrastructure:

This solution requires your applications to run within a VPC or have established connectivity between your on-premises network and Amazon VPC through AWS Direct Connect or VPN. For guidance on connecting on-premises networks to AWS, refer to Hybrid network connections.

The following diagram illustrates the solution architecture.

The workflow consists of the following steps:

  1. Amazon Elastic Compute Cloud (Amazon EC2) instances running the sender email application on subnet 10.0.0.0/18 connect to the Amazon SES Mail Manager ingress endpoint through a VPC endpoint.
  2. Sender credentials are retrieved securely from Secrets Manager.
  3. AWS KMS decrypts credentials using your managed encryption keys.
  4. Authenticated email traffic flows securely to Amazon SES Mail Manager.

Prerequisites

Before beginning your migration, ensure you have the following:

  • AWS account – Use an AWS account with appropriate permissions for creating and managing a VPC, Secrets Manager, AWS KMS, and Amazon SES. Make sure AWS Identity and Access Management (IAM) policies follow least privilege principles.
  • Existing VPC infrastructure – Use a VPC that hosts your applications in the same AWS account and AWS Region as Amazon SES. For more information, see Plan your VPC.
  • Amazon SES configured – Configure Amazon SES in the same Region and AWS account.
  • Network connectivity – Deploy application servers either on premises with network connectivity to your VPC using Direct Connect or VPN, or already running within the VPC.

For this example, we use Linux SMTP commands from an EC2 instance in the VPC to connect to the Amazon SES Mail Manager ingress endpoint through a VPC endpoint on port 587.

Create traffic policy

Create an Amazon SES Mail Manager traffic policy to filter incoming messages by a combination of recipient address, sender IP address range, and TLS protocol version (1.2 or 1.3). For more details about Amazon SES Mail Manager traffic policies, refer to Traffic policies and policy statements. In this example, we use a traffic policy with a minimum TLS version of 1.2.

Complete the following steps:

  1. Open the Amazon SES console in the target Region.
  2. In the navigation pane, under SES Mail Manager, choose Traffic policies.
  3. Choose Create traffic policy.
  4. For Policy name, enter a descriptive name, such as first-traffic-policy.
  5. For Default action, choose Deny.
  6. Choose Add new policy statement.
  7. For Allow or deny properties, choose Allow.
  8. For Properties, choose TLS protocol version.
  9. For Operator, choose Minimum version.
  10. For Value, choose TLS 1.2.
  11. Choose Create traffic policy.

Create rule set

Rule sets are containers for an ordered set of rules that determine how the messages are processed. For more information, see Rule sets and rules. In this example, we use the archive rule to archive all emails processed by Amazon SES Mail Manager.

Complete the following steps:

  1. On the Amazon SES console, under Amazon SES Mail Manager in the navigation pane, choose Rule sets.
  2. Choose Create rule set.
  3. Name the rule (for example, first-rule-set) and choose Create rule set.
  4. Choose Create new rule, then choose Create new rule again.
  5. Under Rule settings, name the rule (for example, archive_all).
  6. Under Actions, choose Add new action.
  7. Choose Archive.
  8. Choose Create archive.
  9. Give the archive a name, such as archive_all.
  10. Set a retention period (3 months for testing).
  11. Choose Create archive.
  12. For Archive resource name, choose archive_all.
  13. Choose Save rule set.

Create security group

Complete the following steps to create a security group:

  1. On the Amazon VPC console, under Security in the navigation pane, choose Security groups.
  2. Choose Create security group.
  3. For Security group name, provide a name that uniquely identifies the security group. For this example, we name the security group my-sg-mail-manager.
  4. For Description, describe the purpose of this security group.
  5. For VPC, choose the VPC that hosts your applications.
  6. For Inbound rules, choose Add rule.
  7. For Type, choose SMTP.
  8. For Source, enter the IP range of your private subnet.
  9. Choose Add rule again.
  10. For Port range, enter 587 and the IP range of your private subnet.
  11. Choose Create security group.

Create VPC endpoint

VPC endpoints make it possible to keep your email traffic within your private AWS network. Complete the following steps to create a VPC endpoint:

  1. Open the Amazon VPC console in the target Region.
  2. Under PrivateLink and Lattice in the navigation pane, choose Endpoints.
  3. Choose Create endpoint.
  4. For Name tag, enter an optional tag, such as mm-vpce-auth-ingress-endpoint.
  5. Select AWS services.
  6. For Services, enter mail-manager to search for Amazon SES Mail Manager VPC endpoints.
  7. Select com.amazonaws.us-east-1.mail-manager-smtp.auth.fips.
  8. For VPC, choose the VPC that hosts your applications.
  9. For DNS name, select Enable DNS name.
  10. For DNS record IP type, select IPv4.
  11. Under Subnets, select all Availability Zones and choose the subnet ID for each subnet.
  12. For IP type, select IPv4.
  13. For Security groups, select the group my-sg-mail-manager.
  14. Choose Create endpoint.

Create ingress endpoint

Complete the following steps to create an authenticated ingress endpoint using Secrets Manager and AWS KMS:

  1. On the Amazon SES console, under Amazon SES Mail Manager in the navigation pane, choose Ingress endpoints.
  2. Choose Create ingress endpoint.
  3. For Ingress endpoint name, enter a unique name for the ingress endpoint. For this example, we use my-authenticated-ingress-endpoint.
  4. For Type, choose Authenticated.
  5. For Authentication type, choose Secret.
  6. Choose Create new, which will open a new tab.
  7. For Secret type, choose Other type of secret.
  8. Under Key/value pairs, enter password as the key (anything else will cause authentication to fail), then enter a password as the value.
  9. For Encryption Key, choose Add new key, which will open a new tab.
  10. Choose Create key.
  11. Keep the default values for Key type and Key usage and choose Next.
  12. For Alias, enter a unique name for your custom managed key. For this example, we use my-mail-manager-key.
  13. For Description, describe the purpose of the key.
  14. Choose Next.
  15. For Key administrators, choose any users (other than yourself) or roles you want to permit to administer the key, then choose Next.
  16. For Key users, choose any users (other than yourself) or roles you want to permit to use the key, then choose Next.
  17. For Key policy, choose Edit, then add the following statement to the key policy JSON in the editor as an additional entry in the "Statement" array, separated from the existing statements by a comma. Replace the Region and account number with your own.
{
    "Effect": "Allow",
    "Principal": {
        "Service": "ses.amazonaws.com"
    },
    "Action": "kms:Decrypt",
    "Resource": "*",
    "Condition": {
        "StringEquals": {
           "kms:ViaService": "secretsmanager.us-east-1.amazonaws.com",
            "aws:SourceAccount": "000000000000"
        },
        "ArnLike": {
            "aws:SourceArn": "arn:aws:ses:us-east-1:000000000000:mailmanager-ingress-point/*"
        }
    }
}
  18. Choose Next.
  19. Review and choose Finish.
  20. Switch to the Secrets Manager tab and choose the refresh icon.
  21. Choose the KMS key you just created, then choose Next.
  22. For Secret name, provide a unique name for the secret. For this example, we use my-mail-manager-secret.
  23. For Description, describe the purpose for the secret.
  24. For Resource permissions, replace the example JSON code in the editor with the following policy. Replace the Region and the account number with your own.
{
    "Version": "2012-10-17",
    "Id": "Id",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ses.amazonaws.com"
            },
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "000000000000"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:ses:us-east-1:000000000000:mailmanager-ingress-point/*"
                }
            }
        }
    ]
}
  25. Choose Save, then choose Next.
  26. Configuring automatic rotation is optional. We skip this step and choose Next.
  27. Review and choose Store.
  28. Switch back to the Amazon SES console tab to finish creating the ingress endpoint.
  29. For Secret ARN, choose Refresh list, then choose the secret you just created.
  30. For Rule set, choose first-rule-set.
  31. For Traffic policy, choose first-traffic-policy.
  32. For Network type, select Private.
  33. For VPC endpoint ID, choose mm-vpce-auth-ingress-endpoint.
  34. Choose Create ingress endpoint.
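Both policies above grant the SES service principal on Resource "*", so their safety rests entirely on the Condition block. The following Python check is an added example (not part of the post and not an AWS tool) that reads such a policy and confirms each grant to ses.amazonaws.com is pinned by aws:SourceAccount and aws:SourceArn, and, for the KMS key, by kms:ViaService; the copy of the secret policy embedded below is taken from the steps above.

```python
import json

def ses_grant_findings(stmt, require_via_service=False):
    """Findings for one statement that lets ses.amazonaws.com act on the resource.
    aws:SourceAccount pins the grant to your account, aws:SourceArn to your Mail Manager
    ingress endpoints, and (KMS key only) kms:ViaService to calls made via Secrets Manager."""
    principal = stmt.get("Principal") if isinstance(stmt.get("Principal"), dict) else {}
    if stmt.get("Effect") != "Allow" or principal.get("Service") != "ses.amazonaws.com":
        return []  # not an Allow for the SES service principal; nothing to check
    cond = stmt.get("Condition", {})
    eq, arnlike = cond.get("StringEquals", {}), cond.get("ArnLike", {})
    findings = []
    account = eq.get("aws:SourceAccount", "")
    if not (isinstance(account, str) and account.isdigit() and len(account) == 12):
        findings.append("missing or malformed aws:SourceAccount")
    arn = str(arnlike.get("aws:SourceArn", ""))
    if not (arn.startswith("arn:aws:ses:") and ":mailmanager-ingress-point/" in arn):
        findings.append("aws:SourceArn not scoped to Mail Manager ingress endpoints")
    elif account and f":{account}:" not in arn:
        findings.append("aws:SourceArn account differs from aws:SourceAccount")
    if require_via_service and not str(eq.get("kms:ViaService", "")).startswith("secretsmanager."):
        findings.append("kms:ViaService does not limit the key to Secrets Manager calls")
    return findings

def check_policy(policy, require_via_service=False):
    """Check a full policy document or a single statement (JSON text or parsed dict).
    Returns {statement_index: [findings]}; an empty dict means every SES grant is pinned."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    stmts = doc["Statement"] if isinstance(doc.get("Statement"), list) else [doc]
    findings = {}
    for i, stmt in enumerate(stmts):
        found = ses_grant_findings(stmt, require_via_service)
        if found:
            findings[i] = found
    return findings

# The secret's resource policy exactly as given in the steps above (placeholder account).
SECRET_POLICY = """{
  "Version": "2012-10-17", "Id": "Id",
  "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "ses.amazonaws.com"},
    "Action": "secretsmanager:GetSecretValue", "Resource": "*",
    "Condition": {
      "StringEquals": {"aws:SourceAccount": "000000000000"},
      "ArnLike": {"aws:SourceArn": "arn:aws:ses:us-east-1:000000000000:mailmanager-ingress-point/*"}
    }
  }]
}"""
```

Run check_policy(SECRET_POLICY) on the secret policy, and check_policy(kms_statement, require_via_service=True) on the single KMS statement, before pasting either into the console; any finding means the grant is broader than the post intends.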

Test configuration

Complete the following steps to test your configuration:

  1. Open the Amazon VPC console in the target Region.
  2. Under PrivateLink and Lattice in the navigation pane, choose Endpoints.
  3. Choose the VPC endpoint ID of mm-vpce-auth-ingress-endpoint to open the details page.
  4. Find the DNS names for the VPC endpoint. The first DNS name in the list is the Regional DNS name of the VPC endpoint; copy it and save it for later use.
  5. Open the Amazon SES console in the target Region.
  6. Under Amazon SES Mail Manager in the navigation pane, choose Ingress endpoints.
  7. Choose my-authenticated-ingress-endpoint.
  8. In the Authentication section, locate the SMTP user name (typically starts with inp-).
  9. Connect to your EC2 instance using SSH.
  10. Use the command line to send an email using the Amazon SES SMTP interface to test the connectivity. Replace the endpoint with the DNS name of the VPC endpoint you copied earlier.

The message 250 OK esllb73q6bd94cnq004ujd544f169sog39bc9ug1 indicates the message was successfully accepted by Amazon SES Mail Manager.
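The post does not reproduce the SMTP command, so here is an added Python test client (not from the post or from AWS) that performs the same check from the EC2 instance: STARTTLS on port 587 with a TLS 1.2 floor matching the traffic policy, AUTH with the inp- user and the secret's password, and parsing of the 250 OK reply. The endpoint DNS name, user name, password and addresses are placeholders you replace with the values collected above.

```python
import smtplib
import ssl
from email.message import EmailMessage

# Placeholders the deployer replaces with values from the console steps above.
VPC_ENDPOINT_DNS = "REGIONAL_DNS_NAME_OF_VPC_ENDPOINT"   # first DNS name on the endpoint details page
SMTP_USER = "inp-EXAMPLE"                               # SMTP user name shown on the ingress endpoint
SMTP_PASSWORD = "VALUE_OF_password_KEY_IN_SECRET"       # the "password" key from my-mail-manager-secret

def make_tls_context():
    """TLS settings matching the traffic policy above: TLS 1.2 minimum, certificate and host name verified."""
    ctx = ssl.create_default_context()            # verifies the server certificate chain by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse anything older on the client side as well
    ctx.check_hostname = True                      # keep this on; a mismatch is something to investigate
    return ctx

def parse_data_reply(reply):
    """Turn the (code, text) reply to DATA into (accepted, message_id), e.g. 250 "OK <id>"."""
    code, text = reply
    parts = (text.decode() if isinstance(text, bytes) else text).split()
    if code != 250 or not parts or parts[0].upper() != "OK":
        return False, None
    return True, (parts[1] if len(parts) > 1 else None)

def send_test_message(host, port, user, password, sender, recipient):
    """Submit one message over STARTTLS on port 587 and return (accepted, detail)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, "Mail Manager VPC endpoint test"
    msg.set_content("Test message submitted through the private VPC endpoint.")
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        smtp.starttls(context=make_tls_context())  # upgrade before any credentials leave the client
        smtp.ehlo()
        smtp.login(user, password)                  # raises SMTPAuthenticationError on a bad secret
        code, text = smtp.mail(sender)
        if code != 250:
            return False, f"MAIL FROM refused: {code} {text!r}"
        code, text = smtp.rcpt(recipient)
        if code not in (250, 251):
            return False, f"RCPT TO refused: {code} {text!r}"
        return parse_data_reply(smtp.data(msg.as_bytes()))

if __name__ == "__main__":
    print(send_test_message(VPC_ENDPOINT_DNS, 587, SMTP_USER, SMTP_PASSWORD,
                            "sender@example.com", "recipient@example.com"))
```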

Clean up

When you’re done with this solution, clean up the resources you created, including Mail Manager configurations, security groups, VPC endpoints, KMS keys, and Secrets Manager secrets, to avoid additional charges.

Conclusion

In this post, we showed how to enhance email security by implementing Amazon SES Mail Manager with VPC endpoints. This solution can help you modernize your email infrastructure while maintaining network-level isolation and meeting enterprise compliance requirements.

To learn more about Amazon SES, see the Amazon SES Developer Guide. For additional security best practices, refer to AWS Best Practices for Security, Identity, & Compliance. To get started using Amazon SES Mail Manager, participate in an Amazon SES Mail Manager workshop event, explore the advanced workflow features of Amazon SES Mail Manager, and consider integrating with your existing monitoring and alerting systems.


About the authors

Gabrielle Zhou

Gabrielle is a Technical Account Manager at Amazon Web Services, where she specializes in Amazon Simple Email Service (SES). She works closely with organizations to support their strategic cloud goals, guiding them in creating secure, scalable, and cost-optimized solutions. Outside of work, Gabrielle enjoys music, drawing and photography.

Zip Zieper

Zip is a Senior Solutions Architect Specialist for Amazon Simple Email Service and AWS End User Messaging. Outside of work he enjoys family, mtn. biking, fitness, cooking and plogging.