因此,我的项目在ec2实例上的服务器上运行,并使用SES发送电子邮件。当SES可以被公众访问时,我能够发送电子邮件,但是当我尝试实施安全性时,它开始给出问题。我已将以下身份策略附加到SES电子邮件地址,其中一个公开阻止访问,另一个允许ec2访问SES电子邮件地址。但是,我总是被阻塞,出现错误:允许AWS EC2访问AWS SES(简单电子邮件服务)并拒绝公众访问的身份策略
The email was not sent.Error message: User `arn_of_ec2_role' is not authorized to perform
`ses:SendEmail' on resource `arn_of_email_address' (Service: AmazonSimpleEmailService;
Status Code: 403; Error Code: AccessDenied;
Request ID: b92h2a02-4502-32g8-8334-9504941fdefd4e35)
我的策略是:
允许EC2:
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "stmt8473824324",
"Effect": "Allow",
"Principal": {
"AWS": "arn_of_role_used_by_ec2"
},
"Action": [
"ses:SendEmail",
"ses:SendRawEmail"
],
"Resource": "arn_of_email"
}
]
}
要拒绝公开:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": [
"ses:SendEmail",
"ses:SendRawEmail"
],
"Resource": "arn_of_email"
}
]
}
编辑1 : 原来,我只需将封装{}添加到“AWS”:“arn_of_role_used_by_ec2”。但即使如此,我没有获得许可。我仍然遇到同样的错误。为了验证,我甚至使用了用户策略并尝试使用该用户访问它,但即使如此,我也遇到了同样的错误,只是现在不同的arn被拒绝了。我的政策如下:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"NotPrincipal": {
"AWS": "arn_of_role_used_by_ec2"
},
"Action": [
"ses:SendEmail",
"ses:SendRawEmail"
],
"Resource": "arn_of_email"
}
]
}
EDIT2:
很抱歉这么晚才回复,以下是我做的,以按您的更新:
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "stmt1476011587135",
"Effect": "Allow",
"Principal": "*",
"Action": [
"ses:SendEmail",
"ses:SendRawEmail"
],
"Resource": "arn_of_email",
"Condition": {
"StringEquals": {
"aws:SourceArn": "arn_of_ecs_instance"
}
}
}
]
}
和
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "stmt1476011639899",
"Effect": "Deny",
"Principal": "*",
"Action": [
"ses:SendEmail",
"ses:SendRawEmail"
],
"Resource": "arn_of_email",
"Condition": {
"StringNotEquals": {
"aws:SourceArn": "arn_of_ecs_instance"
}
}
}
]
}
使用arn_of_ecs_instance,因为我只是用IAM用户进行验证,并且只需要访问ec2实例。但我仍然可以通过Java API发送电子邮件地址,同时使用My IAM用户凭证发送邮件。
尝试将所有策略中的资源分配给'*'。 –
@MattHouser我试过了,但出现错误 **应用策略时出错:无效ARN:ARN必须以'arn:'开头:*(请求ID:4b922926-83e8-11e6-8845-5946c19d3615)** since我将该政策附加到特定的电子邮件地址。我甚至尝试**“资源”:“arn:aws:ses:us-east-1:453679034254:identity/*”**我应用策略时出现错误**错误:预期资源为'arn_of_email',但是'arn:aws:ses:us-east-1:453679034254:identity /*'.** – Mirhawk