On-campus developers are used to having applications send email via appsmtp.mail.cornell.edu. Currently, there is no similar Cornell service in AWS for developers to use. This page shows how to set up the AWS Simple Email Service (SES) to send email from applications.


Step 1. Validate Your Sender Address with SES

This solution uses SES in limited or sandbox mode, where you validate sender (i.e., "from") email addresses one at a time. This convinces SES that you are the owner of the email address so it will send email from the address on your behalf. For this example, we assume that you own or control the myapp-support@cornell.edu email address.

Verify the myapp-support@cornell.edu email address following instructions in AWS documentation: http://docs.aws.amazon.com/ses/latest/DeveloperGuide/verify-email-addresses.html.

Step 2. Create IAM Resources for Using SES

In this step, you use a CloudFormation template to create an IAM role, group, and user for sending email through Simple Email Service.

  1. If you are unfamiliar with using CloudFormation, take a look at AWS documentation to orient yourself: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/GettingStarted.Walkthrough.html
  2. Use the provided CloudFormation template to create the CloudFormation stack that creates the required AWS resources: iam-ses.yaml
    1. Recommended name for your stack: "myapp-iam-ses-stack"
    2. You can override the default names for each of the resources created when providing parameter values for the template to CloudFormation.
  3. The stack outputs include the credentials (access key and secret access key), and they are shown in the CloudFormation Console UI, where anyone who can view the stack can read them. While this isn't ideal, those credentials allow only the newly created IAM user to send email using SES.

Step 3. Configure SMTP Parameters in your Application

  • From Address: In sandbox or limited mode, all of the emails sent via SES must use one of the sender (i.e., "from") addresses previously validated with SES (in step 1).
  • To Address: any desired
  • Host: email-smtp.us-east-1.amazonaws.com (i.e., email-smtp.<AWS_REGION>.amazonaws.com)
  • Port: 587
  • Use TLS?: yes
  • User name: This is the access key produced by the iam-ses.yaml CloudFormation template. It will look something like "AKIAI42SV3U3D465DCGA"
  • Password: This is the secret access key produced by the iam-ses.yaml CloudFormation template.
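
The SMTP parameters above, wired into a small Python sender. This is an added example, not code from the original page or from the iam-ses.yaml template. The environment variable names SES_SMTP_USER and SES_SMTP_PASSWORD, the recipient address, and the VERIFIED_SENDERS allow-list are assumptions made for the example.

```python
import os
import smtplib
import ssl
from email.message import EmailMessage

# Assumptions for this example: the region and the locally kept allow-list.
AWS_REGION = "us-east-1"
VERIFIED_SENDERS = {"myapp-support@cornell.edu"}  # addresses validated in step 1


def ses_smtp_host(region):
    """Build the regional SES SMTP endpoint name."""
    return f"email-smtp.{region}.amazonaws.com"


def build_message(sender, recipient, subject, body):
    """Create the message, refusing a From address that was not verified."""
    if sender.lower() not in VERIFIED_SENDERS:
        raise ValueError(f"{sender} is not a verified SES sender")
    # Reject CR/LF so user-supplied values cannot inject extra headers.
    for value in (sender, recipient, subject):
        if "\r" in value or "\n" in value:
            raise ValueError("header value contains a line break")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send(msg, region=AWS_REGION):
    """Send over port 587, upgrading to TLS before authenticating."""
    # Credentials come from the environment, never from source control.
    user = os.environ["SES_SMTP_USER"]          # hypothetical variable name
    password = os.environ["SES_SMTP_PASSWORD"]  # hypothetical variable name
    context = ssl.create_default_context()      # verifies the server certificate
    with smtplib.SMTP(ses_smtp_host(region), 587, timeout=30) as smtp:
        smtp.starttls(context=context)  # raises if STARTTLS is not offered
        smtp.login(user, password)
        smtp.send_message(msg)


if __name__ == "__main__":
    send(build_message("myapp-support@cornell.edu", "someone@example.com",
                       "Test from SES", "Sent through SES over STARTTLS."))
```

Because `starttls()` is called before `login()` and raises when the server does not offer STARTTLS, the credentials are never sent over an unencrypted connection.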

Step 4. Sending Email from Additional Applications

We recommend creating an IAM user for each application (or project) that needs to send email via SES. The second and further IAM users can use the same IAM role and group created by the CloudFormation template we use here. It may be easiest to manually create these additional users:

  • Create a new IAM user
  • Add the user to the group created by the CloudFormation template above. E.g., ses-email-senders. 
  • Don't configure a password for this IAM user.
  • Do create access key credentials for the user.

Step 5. Rotate Access Keys 

Ideally, you want to rotate the access keys for all your IAM users periodically. This includes the keys used by these IAM users created for SES access. Here's some AWS documentation on how to do that: https://aws.amazon.com/blogs/security/how-to-rotate-access-keys-for-iam-users/
