Question

Is it possible to use IAM credentials to allow sending mails from a specific sender?

I mean, for example, I have two different domains and senders configured in SES: info@example1.com and info@example2.com. Is there any way to limit an IAM user and its credentials to just send mails from info@example1.com?

I tried to specify a condition in an IAM policy defined in the user's permissions. However, I could not find a condition that can solve my problem.

I also tried to solve the issue using SMTP credentials, but I have the same problem. Any ideas?

Solution 2

Is it possible to use IAM credentials to allow sending mails from a specific sender?

NO

See: http://docs.aws.amazon.com/ses/latest/DeveloperGuide/control-user-access.html

You can't specify a particular Amazon SES resource in an IAM policy. You only control access to Amazon SES actions. Therefore, Amazon SES does not use Amazon Resource Names (ARNs), which identify resources in a policy. When you write a policy to control access to Amazon SES actions, you use * as the resource.

(emphasis mine)

You can control what API calls IAM accounts can make (like ses:SendEmail), but you cannot restrict what parameters they can use with those API calls (like the source email address).

OTHER TIPS

This may have changed since the original answer. You can now do something like:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ses:SendEmail"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ses:FromAddress": "here@somewhere.com"
                }
            }
        }
    ]
}

The AWS docs now reflect this: http://docs.aws.amazon.com/ses/latest/DeveloperGuide/control-user-access.html
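
A local check of the policy shown above, as an added example that is not part of the original answers: it builds the policy for one sender and evaluates constructed requests against a simplified model of IAM's StringEquals matching. The function names, the request list and the evaluator are assumptions for illustration; the evaluator is not AWS's policy engine.

```python
import json

def sender_policy(from_address, actions=("ses:SendEmail",)):
    """Build the per-sender IAM policy (same shape as the policy above)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(actions),
            "Resource": "*",
            "Condition": {"StringEquals": {"ses:FromAddress": from_address}},
        }],
    }

def is_allowed(policy, action, context):
    """Simplified local model (assumption): only Allow statements with
    StringEquals conditions are understood. StringEquals is an exact,
    case-sensitive match; anything not explicitly allowed is denied."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        # A condition key missing from the request context does not match.
        if all(context.get(key) == value for key, value in conds.items()):
            return True
    return False

# Constructed sample requests: (action, From address of the message).
REQUESTS = [
    ("ses:SendEmail", "info@example1.com"),     # the permitted sender
    ("ses:SendEmail", "info@example2.com"),     # other verified sender
    ("ses:SendRawEmail", "info@example1.com"),  # action used by SMTP credentials
    ("ses:SendEmail", "Info@example1.com"),     # differs only in case
]

def evaluate(policy):
    """Return the allow/deny decision for each constructed request."""
    return [is_allowed(policy, action, {"ses:FromAddress": sender})
            for action, sender in REQUESTS]

if __name__ == "__main__":
    policy = sender_policy("info@example1.com")
    print(json.dumps(policy, indent=4))
    for (action, sender), ok in zip(REQUESTS, evaluate(policy)):
        print(f"{action:18} {sender:20} {'ALLOW' if ok else 'DENY'}")
```

With only `ses:SendEmail` listed, the SMTP path (`ses:SendRawEmail`) stays denied; pass both actions to `sender_policy` if the same user must also send through SMTP credentials.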

Licensed under: CC-BY-SA with attribution