AWS Messaging & Targeting Blog

Credentials and SES

Update (28 Jan 2019): We removed a reference to converting a set of existing credentials to SMTP credentials. We recommend that you use the procedures for obtaining SMTP credentials by using the Amazon SES console.


Hi SES senders,

In this blog post I’ll explain which security credentials you need to use depending on how you connect to SES. By “credentials,” I’m referring to identifiers (username/password, AWS access keys, etc.) that you use when you access SES in some way – through the API, SMTP interface, or AWS Management Console.

Credentials are important because they identify you to AWS, and (if uncompromised) protect your account from unauthorized use, but there are a couple of different types of credentials you might use depending on what you’re doing with SES. That is sometimes where people run into trouble. For example, we periodically hear from new customers who are unable to connect to SES’s SMTP interface, and often the reason is because they are using their AWS credentials instead of their SES SMTP credentials.

What do you want to do?

There are three ways you can interact with SES:

Below, we’ll look at which credentials you need to use to access SES in each of those ways.

Signing into the AWS Management Console

You can use the AWS Management Console to do things like check your sending statistics, view your sending limits, send a test email, configure your feedback settings, and so on. To sign into the console, you use one of these sets of credentials:

  • An Identity and Access Management (IAM) username and password (Recommended)
  • The email address and password associated with your root AWS account (NOT recommended, as explained shortly)

Here is a quick rundown on the difference between IAM credentials and root account credentials: When you signed up for AWS, you specified an email address and password. These root-level credentials (a.k.a. root account credentials) are associated with your AWS account, and you can use them to sign into the AWS Management Console, Support Center, etc. Your root-level credentials allow unrestricted access to your account, including your billing information and any AWS services you’re using. For security purposes, we strongly recommend that you store your root-level credentials in a safe place, and use them only when you need to access your account and billing information.

Instead of using your root-level credentials, you should create IAM users, which are identities that you give other people/processes so that they can access your resources. You can create an IAM user that is highly restricted or allowed to do most anything the root account can – it’s your choice. For example, you could create an IAM user that can sign into the console and make requests to SES, but not allow access to any other AWS service or billing information. The important thing is that you can control the IAM user’s permissions and delete the IAM user at any time. You give your IAM users a username and password, and they sign in to your AWS Management Console by going to a sign-in page specific to your account (you’d give them the URL). For a comprehensive discussion of IAM best practices, go here.

Accessing SES through the SES API (by HTTPS, AWS SDK, AWS CLI, or AWS Tools for Windows Powershell)

To call SES through its API, you need AWS access keys, which consist of an access key ID and secret access key. How you generate your AWS access keys depends on whether you want to create AWS access keys for an IAM user (highly recommended) or for your AWS root account (NOT recommended, as explained in the previous section). Here is where to go for both:

Accessing SES through the SMTP interface

You might choose to use SES’s SMTP interface because it’s one of the easiest ways to set up SES – for example, you can configure any number of SMTP-compatible programs or an email server you already use (like Sendmail/Postfix/PHPMailer) to send through SES, or you might call SES through the built-in SMTP functions of a programming language like Java.

To connect to the SES SMTP interface, you use your SES SMTP credentials. You can obtain your SES SMTP credentials by using the SES console. To obtain your SMTP credentials, click SMTP Settings in the navigation pane, and then click Create My SMTP Credentials.

Although your SES SMTP credentials look very much like AWS access keys – they are both alphanumeric strings – they aren’t the same! If you try to connect to the SES SMTP interface with your AWS credentials, the connection attempt will fail. SES SMTP and AWS credentials are related, though. SES SMTP credentials are in fact a type of IAM credentials, and if you want an existing IAM user to be able to access the SES SMTP interface, you can convert their AWS credentials to SES SMTP credentials. This requires programming, but we have an example here to get you started. Some people choose this method so that they can automate the SES SMTP credential creation process.

An IAM user can also create SMTP credentials by using the SES console, but that IAM user’s policy needs to give them permission to use IAM itself, because SES SMTP credentials are created through IAM. If the IAM user tries to create SES SMTP credentials using the console and they don’t have IAM permissions, they will get a pop-up error that says “… not authorized to perform iam:ListUsers…” In that case you would need to modify their policy so they have access to IAM.

Conclusion

Here is a summary of the credentials you use to access SES in various ways:

  • To sign into the console, you can use an IAM username and password (recommended) or root account email address and password (not recommended).
  • To use the API (HTTPS/SDK/CLI/AWS Tools for Powershell), you need an AWS access key ID and secret access key. We recommend that you create these credentials for an IAM user rather than the root account.
  • To use the SMTP interface, you need SES SMTP credentials.

For a table that lists the different types of credentials, see the Developer Guide.

Thanks for using SES!