AWS email requirements
Portal can send some automatic emails using Amazon Web Services (AWS). To send automatic Portal emails using AWS, you must set up the following:
After these requirements are set up in AWS, you can enter required information in the Portal UI. See Enter email settings.
Note: We do not recommend using AWS to send Portal emails in most cases. Specialized knowledge is required for setting up email systems in AWS and an SMTP server is still required, since Portal reports and some automatic emails cannot be sent using AWS.
An Identity and Access Management (IAM) user
An IAM user with the following permissions is required for sending Portal emails using AWS:
- Send Message
- Receive Message
- Delete Message
- List Queues
The IAM user's permissions should be limited to the actions and resources required for a functional email system.
The user can have API access only (i.e., with no console access). An AWS API access key must be generated for the user.
Required IAM user permissions
{
    "Action": [
        "sqs:DeleteMessage",
        "sqs:ListQueues",
        "sqs:ReceiveMessage",
        "sqs:SendMessage"
    ],
    "Resource": "arn:aws:sqs:{region}:{accountNumber}:environmentName",
    "Effect": "Allow"
}
Simple Email Service
The Simple Email Service (SES) sends emails and collects email bounces and complaints and routes them to a Simple Notification Service (SNS) topic.
New SES accounts are placed in an Amazon SES sandbox where sending limits and restrictions apply. Before granting full access to Amazon SES, Amazon requires customers to prove that they can handle email bounces and complaints. Once your email system is completely configured, you must submit a request to move your SES account out of the sandbox.
For the purpose of setting up email notifications:
- An email address must be verified in SES. You can verify one email address, or verify an entire domain so you have many email addresses to use. If you have more than one verified identity, make note of the one used to track bounces and complaints.
- A verified email address must be configured to receive feedback notifications for bounces and complaints, pointing to the topics configured in Simple Notification Service (SNS). Use this email address as the "From Email Address" for Amazon email settings in Portal. See Enter email settings.
- Email feedback forwarding must be disabled in Amazon SES.
You can also set up a configuration ruleset in SES to track events like failures and rejects, and route them to another SNS topic (i.e., not the bounce and complaint SNS topics). For example, you could route errors to an S3 bucket that collects all tracked events for troubleshooting.
Simple Queue Service
The Simple Queue Service (SQS) handles cases where emails should no longer be sent to email addresses because:
- Email sending fails and the recipient server sends back a bounce response.
- A recipient flags an email as spam and the email service provider of the recipient responds with a complaint.
An SQS queue must be created for bounced emails (e.g., email-bounce-queue) and complaint emails (e.g., email-complaint-queue).
Simple Notification Service
The Simple Notification Service (SNS) is required to receive bounces and complaint messages from SES and route them to an SQS queue. SNS must have a topic with a subscription to the relevant SQS queue (e.g., email-bounce-topic with a subscription to email-bounce-queue).
No permissions are required for this service.
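The SES to SNS to SQS path described above delivers each bounce or complaint as an SNS envelope whose Message field holds the SES notification as a JSON string. The following is an added example, not Portal's own code, of how a queue consumer can extract the affected addresses while ignoring messages that did not arrive through the expected topics. It assumes raw message delivery is off on the subscription; the account number, region, addresses and function names are constructed placeholders.

```python
import json

# Constructed placeholders (account, region); topic names follow the page's examples.
EXPECTED_TOPICS = {
    "arn:aws:sns:us-east-1:111122223333:email-bounce-topic",
    "arn:aws:sns:us-east-1:111122223333:email-complaint-topic",
}

def addresses_to_suppress(sqs_body, expected_topics=EXPECTED_TOPICS):
    """Return [(kind, address, detail)] for one SQS message body.

    Raises ValueError if the body is not an SNS envelope from an expected
    topic or does not carry a well-formed SES notification.
    """
    try:
        envelope = json.loads(sqs_body)
        topic = envelope["TopicArn"]
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError("not an SNS envelope") from exc
    # Sanity check only: the ARN is a field in the body, not a verified signature.
    if not isinstance(topic, str) or topic not in expected_topics:
        raise ValueError(f"unexpected TopicArn: {topic!r}")
    try:
        ses = json.loads(envelope["Message"])  # SES JSON travels as a string
        kind = ses["notificationType"]
        if kind == "Bounce":
            detail = ses["bounce"]["bounceType"]  # Permanent / Transient / Undetermined
            recipients = ses["bounce"]["bouncedRecipients"]
        elif kind == "Complaint":
            detail = ses["complaint"].get("complaintFeedbackType", "")
            recipients = ses["complaint"]["complainedRecipients"]
        else:  # e.g. Delivery notifications carry nothing to suppress
            return []
        return [(kind.lower(), r["emailAddress"], detail) for r in recipients]
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        raise ValueError(f"malformed SES notification: {exc!r}") from exc

def sample_body(topic, ses_notification):
    """Build a constructed SQS body: SNS envelope wrapping an SES notification."""
    return json.dumps({"Type": "Notification", "TopicArn": topic,
                       "Message": json.dumps(ses_notification)})

BOUNCE = sample_body("arn:aws:sns:us-east-1:111122223333:email-bounce-topic", {
    "notificationType": "Bounce",
    "bounce": {"bounceType": "Permanent",
               "bouncedRecipients": [{"emailAddress": "gone@example.com"}]}})

if __name__ == "__main__":
    print(addresses_to_suppress(BOUNCE))
```

Because the IAM policy above grants sqs:SendMessage on the queue, anything holding that access key can enqueue a body of its own; the TopicArn comparison filters obvious strays but does not authenticate the sender.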
(Optional) Simple Storage Service
An S3 bucket is useful if you want to set up an email rule that routes bounced emails to the S3 bucket. This can be useful when troubleshooting service errors.