---
title: SES policy with allowed IAM actions
---

# SES policy with allowed IAM actions

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `ansible-aws-ses-policy-with-allowed-iam-actions`

**Provider:** AWS

**Platform:** Ansible

**Severity:** Medium

**Category:** Access Control

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/community/aws/ses_identity_policy_module.html#parameter-policy)

### Description{% #description %}

SES identity policies (sending authorization policies) must not grant `Allow` for all actions to all principals. A wildcard `Action` (`"*"`) combined with a wildcard `Principal` (`"*"`) lets any AWS principal, in any account, perform every SES operation the identity policy can authorize, including sending mail as your verified domain or address. That enables spoofing and unauthorized sending under your sender reputation, and any resulting bounces or complaints count against your account.

This rule checks Ansible tasks that use the modules `community.aws.ses_identity_policy` and `aws.aws_ses_identity_policy`. The `policy` document must not contain a statement with `"Effect": "Allow"` where `Action` is `"*"` (or is a list containing `"*"`) and `Principal` is a wildcard (`"*"` or `{"AWS": "*"}`). Tasks containing such a statement are flagged. Both conditions must hold in the same statement: a wildcard `Action` granted to an explicit principal is not flagged (see the compliant example below), nor is a wildcard principal limited to explicit actions.
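To make the statement test concrete, the following Python is an added example (not Datadog's scanner and not part of the Ansible collection) that applies the check above to the parsed form of an Ansible task. It mirrors the rule text literally: `Action` must be exactly `"*"` (or a list containing it), and `Principal` must be `"*"` or an `AWS` principal that is `"*"`. The sample tasks are constructed to match the compliant and non-compliant playbooks on this page; the helper and function names are this example's own.

```python
import json
from typing import Any

# Ansible module names the rule covers, as listed in the rule description.
CHECKED_MODULES = ("community.aws.ses_identity_policy", "aws.aws_ses_identity_policy")


def _as_list(value: Any) -> list:
    """IAM lets many fields be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_is_wildcard(action: Any) -> bool:
    """True when Action is "*" or a list containing "*" (the rule's literal test;
    a service-scoped wildcard such as "ses:*" is not what the rule describes)."""
    return "*" in _as_list(action)


def principal_is_wildcard(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"}, including {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_violations(policy: Any) -> list[str]:
    """Return an identifier (Sid, or the statement index) for every Allow
    statement that pairs a wildcard Action with a wildcard Principal.
    `policy` may be a JSON string, as the Ansible `policy` parameter is
    written, or an already-parsed dict. Conditions are not considered,
    matching the rule description."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    hits = []
    # "Statement" may be a single object or a list in an IAM policy document.
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if action_is_wildcard(stmt.get("Action")) and principal_is_wildcard(stmt.get("Principal")):
            hits.append(stmt.get("Sid") or f"Statement[{idx}]")
    return hits


def check_task(task: dict) -> list[str]:
    """Apply the rule to one parsed Ansible task (a dict keyed by module name).
    Tasks that use other modules, or that omit `policy`, produce no findings."""
    for module in CHECKED_MODULES:
        if module in task and task[module].get("policy") is not None:
            return find_violations(task[module]["policy"])
    return []


def _task(principal: Any) -> dict:
    # Constructed sample task in parsed-playbook form (no YAML library needed).
    return {
        "name": "add sending authorization policy to email identity",
        "community.aws.ses_identity_policy": {
            "identity": "example@example.com",
            "policy_name": "ExamplePolicy",
            "policy": json.dumps({
                "Version": "2012-10-17",
                "Statement": [{"Action": "*", "Principal": {"AWS": principal},
                               "Effect": "Allow", "Resource": "*", "Sid": ""}],
            }),
            "state": "present",
        },
    }


NON_COMPLIANT_TASK = _task("*")                                   # flagged
COMPLIANT_TASK = _task("arn:aws:iam::987654321145:root")           # explicit principal

if __name__ == "__main__":
    for task in (NON_COMPLIANT_TASK, COMPLIANT_TASK):
        print(task["name"], "->", check_task(task) or "compliant")
```

Running the module prints `['Statement[0]']` for the non-compliant task and `compliant` for the other. The `_as_list` normalisation matters in practice: IAM accepts `"Statement"`, `"Action"` and `"Principal": {"AWS": ...}` as either a scalar or a list, so a checker that only handles one shape misses half of the real-world documents.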

Specify explicit principals (AWS account ARNs or service principals) and restrict `Action` to the minimum required SES API operations. Secure example showing a restricted policy:

```yaml
- name: Attach SES identity policy
  community.aws.ses_identity_policy:
    identity: "example.com"
    policy_name: RestrictedSendPolicy   # required by the module
    # Explicit principal, minimal actions, and the identity's own ARN as Resource
    policy: |
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
            "Action": [ "ses:SendEmail", "ses:SendRawEmail" ],
            "Resource": "arn:aws:ses:us-east-1:123456789012:identity/example.com"
          }
        ]
      }
    state: present
```

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: add sending authorization policy to email identity
  community.aws.ses_identity_policy:
    identity: example@example.com
    policy_name: ExamplePolicy
    # Not flagged: Action is "*" but the Principal names a specific account,
    # so the wildcard-action/wildcard-principal pair this rule looks for is absent
    policy: >
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": "*",
            "Principal": {
              "AWS": "arn:aws:iam::987654321145:root"
            },
            "Effect": "Allow",
            "Resource": "*",
            "Sid": ""
          }
        ]
      }
    state: present
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
- name: add sending authorization policy to email identity
  community.aws.ses_identity_policy:
    identity: example@example.com
    policy_name: ExamplePolicy
    # Flagged: "Effect": "Allow" with Action "*" and Principal {"AWS": "*"}
    # lets any AWS principal perform any authorized SES action on this identity
    policy: >
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": "*",
            "Principal": {
              "AWS": "*"
            },
            "Effect": "Allow",
            "Resource": "*",
            "Sid": ""
          }
        ]
      }
    state: present
```
