{
"Version": "2012-10-17",
"Statement": [
/* ---------- SES (classic) – receipt rule sets & quotas ---------- */
/* This listing is annotated with comments. IAM policy documents are strict
   JSON, so strip every comment before attaching the policy. */
/* Grants read access to the send quota plus create/update/reorder/delete on
   receipt rules and the ability to switch the active receipt rule set.
   With "Resource": "*" this covers every rule set in the account/region, not
   only the ones this tool creates: the principal can change where all inbound
   mail for the account is routed.
   NOTE(review): the classic receipt-rule actions appear not to support
   resource-level scoping, so "*" may be unavoidable here; confirm against the
   SES service authorization reference. Compensate by attaching this policy to
   a dedicated principal and alerting on these API calls in CloudTrail. */
{
"Sid": "SESClassicRulesAndQuota",
"Effect": "Allow",
"Action": [
"ses:GetSendQuota",
"ses:DescribeActiveReceiptRuleSet",
"ses:ListReceiptRuleSets",
"ses:CreateReceiptRuleSet",
"ses:SetActiveReceiptRuleSet",
"ses:DescribeReceiptRuleSet",
"ses:CreateReceiptRule",
"ses:UpdateReceiptRule",
"ses:SetReceiptRulePosition",
"ses:DeleteReceiptRule"
],
"Resource": "*"
},
/* ---------- SESv2 – identities & sending ---------- */
/* Allows sending mail and creating, reading, deleting and reconfiguring email
   identities. "Resource": "*" applies this to every identity in the account:
   the principal can send as any verified domain/address and can delete
   identities it did not create.
   NOTE(review): these actions accept identity ARNs, so the statement can
   likely be narrowed to the identities this tool manages, e.g.
   "arn:aws:ses:<REGION>:<ACCOUNT_ID>:identity/<YOUR_DOMAIN>" (placeholder
   values), and ses:SendEmail can additionally be constrained with the
   ses:FromAddress condition key. Confirm which identities and configuration
   sets the tool actually needs before tightening. */
{
"Sid": "SESv2IdentitiesAndSend",
"Effect": "Allow",
"Action": [
"ses:SendEmail", // SESv2 send
"ses:CreateEmailIdentity",
"ses:GetEmailIdentity",
"ses:DeleteEmailIdentity",
"ses:PutEmailIdentityMailFromAttributes"
],
"Resource": "*"
},
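/* ---------- S3 – create bucket, lock it down, configure notifications ---------- */
/* Bucket management for the inbound-mail bucket, limited to bucket names
   matching kurrier-*-ses-inbound.
   IAM action names are not always the S3 API operation names. An action name
   IAM does not recognise grants nothing, so the "lock it down" and
   notification steps would be denied:
     - PutPublicAccessBlock (API)              -> s3:PutBucketPublicAccessBlock
     - PutBucketNotificationConfiguration (API) -> s3:PutBucketNotification
     - HeadBucket (API)                         -> authorised by s3:ListBucket
   Run the policy through IAM Access Analyzer policy validation after any edit
   to catch unrecognised actions. */
{
"Sid": "S3BucketMgmtForInbound",
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:PutBucketPolicy",
"s3:PutBucketPublicAccessBlock", // bucket-level Block Public Access settings
"s3:PutBucketNotification", // bucket event notification configuration
"s3:ListBucket", // also covers the HeadBucket existence check
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::kurrier-*-ses-inbound",
// Object ARN kept from the original; every action above is bucket-level, so
// this entry currently grants nothing extra.
"arn:aws:s3:::kurrier-*-ses-inbound/*"
]
},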
/* ---------- SNS – create topic, set policy, subscribe Kurrier webhook ---------- */
/* Allows creating topics, reading and changing topic attributes (which
   include the topic's access policy), listing subscriptions and subscribing
   endpoints. "Resource": "*" extends this to every SNS topic in the account:
   the principal can rewrite the access policy of, or attach a subscription
   to, topics that have nothing to do with inbound mail.
   NOTE(review): unlike the S3 statement, this one is not limited to a name
   pattern. If the tool creates topics with a predictable name, scope it the
   same way, e.g. "arn:aws:sns:*:<ACCOUNT_ID>:<TOPIC_NAME_PREFIX>*"
   (placeholder values; the topic naming is not shown here), and consider
   restricting sns:Subscribe with the sns:Protocol / sns:Endpoint condition
   keys so only the expected HTTPS webhook can be subscribed. */
{
"Sid": "SNSMgmtForInbound",
"Effect": "Allow",
"Action": [
"sns:CreateTopic",
"sns:GetTopicAttributes",
"sns:SetTopicAttributes",
"sns:ListSubscriptionsByTopic",
"sns:Subscribe"
],
"Resource": "*"
},
/* ---------- STS – used to build bucket/topic policies with your account id ---------- */
/* Returns the account id, ARN and user id of the calling principal.
   sts:GetCallerIdentity needs no IAM permission (it succeeds even under an
   explicit deny), so this statement documents the dependency rather than
   granting anything. "Resource": "*" is the only valid value for it. */
{
"Sid": "STSCallerIdentity",
"Effect": "Allow",
"Action": ["sts:GetCallerIdentity"],
"Resource": "*"
}
]
}