How do I resolve a 554 "Access denied" error when I send an email from my IAM user in Amazon SES?

Last updated: 2022-10-07

When I send an email from my AWS Identity and Access Management (IAM) user in Amazon Simple Email Service (Amazon SES), I receive a 554 "Access denied" error.

Short description

You send an email from your IAM user in Amazon SES, and you receive the following error:

554 Access denied: User `arn:aws:iam::123456789012:user/iam-user-name' is not authorized to perform `ses:SendRawEmail' on resource `arn:aws:ses:eu-west-1:123456789012:identity/example.com'

To troubleshoot the 554 "Access denied" error from Amazon SES, check the following:

  • The user has the right policies and access to send emails.
  • A sending authorization policy isn't attached to the email address or domain.
  • The Resource element in the IAM policy is set to the email address identity's ARN.
  • AWS Organizations service control policies (SCPs) aren't attached to the user.

Resolution

1. Open the IAM console.

2. Under Policy summary, check the following:

The IAM user has the right permission to send emails. For example, to permit the user to perform email-sending APIs, you must include the related actions (ses:SendEmail, ses:SendRawEmail, ses:SendTemplatedEmail, ses:SendBulkTemplatedEmail).

The IAM user has the right access to send email from the identity. If you set the IAM user policy's Resource element to *, then the user can send email from all identities. If the Resource element is restricted, then check that the user has two policies, or two statements in one policy. The Action element of the first policy or statement must be set to one or more of the non-email-sending APIs, and its Resource element must be set to * (these APIs don't support resource-level permissions). The Action element of the second policy or statement must be set to one or more of the email-sending APIs, and its Resource element must be set to the identity's ARN.

The following is an example IAM policy with two statements. The policy permits the user to call the GetSendStatistics and GetSendQuota non-email-sending APIs on any resource, and restricts the SendEmail and SendRawEmail email-sending APIs so that the user can send only from the example.com domain identity.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ses:GetSendStatistics",
        "ses:GetSendQuota"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ses:SendEmail",
        "ses:SendRawEmail"
      ],
      "Resource": "arn:aws:ses:eu-west-1:123456789012:identity/example.com"
    }
  ]
}

3. Check if there's a sending authorization policy attached to the email address or domain that's preventing the user from sending emails.

4. If you verified the email address identity separately from the domain identity, then you must set the Resource element to the email address identity's ARN. For more information, see Creating and verifying identities in Amazon SES.

5. Check if there's an Organizations SCP that the user inherited. SCPs can prevent the user from sending emails. For example, the user inherited a Deny statement for Amazon SES actions, or the user has access to only certain AWS or Amazon SES Regions.
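The following is an added example, not AWS code and not a substitute for the IAM policy simulator. It evaluates the article's two-statement policy locally against the identity ARN that SES reports in the 554 error, and shows the two cases behind steps 4 and 5: an email address identity that was verified separately (constructed ARN sender@example.com) does not match the domain identity ARN, and an inherited Deny in an SCP (constructed) overrides the user's Allow.

```python
import fnmatch
def _as_list(value):
    """IAM allows a single string or a list in Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]

def _matches(pattern, value, case_sensitive):
    # IAM wildcards (* and ?) map onto fnmatch. Action names are matched
    # case-insensitively; resource ARNs are case-sensitive.
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)
def is_authorized(policies, action, resource_arn):
    """Evaluate Allow/Deny statements across one or more policy documents,
    e.g. the user's IAM policies plus an inherited SCP. An explicit Deny
    anywhere wins; with no matching Allow the result is an implicit deny.
    Simplification: NotAction, NotResource and Condition are not handled."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            action_hit = any(_matches(a, action, False)
                             for a in _as_list(stmt.get("Action", [])))
            resource_hit = any(_matches(r, resource_arn, True)
                               for r in _as_list(stmt.get("Resource", [])))
            if not (action_hit and resource_hit):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
# The two-statement policy from the article, embedded as input.
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ses:GetSendStatistics", "ses:GetSendQuota"]},
        {"Effect": "Allow",
         "Action": ["ses:SendEmail", "ses:SendRawEmail"],
         "Resource": "arn:aws:ses:eu-west-1:123456789012:identity/example.com"}]}
# Constructed: an SCP carrying an inherited Deny on all SES actions (step 5).
DENY_SES_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "ses:*", "Resource": "*"}]}
DOMAIN_ARN = "arn:aws:ses:eu-west-1:123456789012:identity/example.com"
# Constructed: the ARN of an email address identity verified separately (step 4).
EMAIL_ARN = "arn:aws:ses:eu-west-1:123456789012:identity/sender@example.com"
if __name__ == "__main__":
    for action, arn in [("ses:SendRawEmail", DOMAIN_ARN), ("ses:SendRawEmail", EMAIL_ARN),
                        ("ses:SendTemplatedEmail", DOMAIN_ARN), ("ses:GetSendQuota", "*")]:
        print(action, arn, "->", is_authorized([USER_POLICY], action, arn))
    print("with Deny SCP ->", is_authorized([USER_POLICY, DENY_SES_SCP], "ses:SendEmail", DOMAIN_ARN))
```

Compare the action and resource printed in your own 554 message against the policy this way before editing the policy in the console.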

Note: Amazon SES Simple Mail Transfer Protocol (SMTP) credentials are unique to each AWS account, and specific to one Region.
