feat(client-ses): Enable email receiving customers to provide SES with access to their S3 buckets via an IAM role for "Deliver to S3 Action"

awstools · awstools · commit aafc6ebdecf9 · 2024-08-21T18:23:46.000Z
diff --git a/clients/client-ses/src/commands/CreateReceiptRuleCommand.ts b/clients/client-ses/src/commands/CreateReceiptRuleCommand.ts
@@ -55,6 +55,7 @@ export interface CreateReceiptRuleCommandOutput extends CreateReceiptRuleRespons
  *           BucketName: "STRING_VALUE", // required
  *           ObjectKeyPrefix: "STRING_VALUE",
  *           KmsKeyArn: "STRING_VALUE",
+ *           IamRoleArn: "STRING_VALUE",
  *         },
  *         BounceAction: { // BounceAction
  *           TopicArn: "STRING_VALUE",
diff --git a/clients/client-ses/src/commands/DescribeActiveReceiptRuleSetCommand.ts b/clients/client-ses/src/commands/DescribeActiveReceiptRuleSetCommand.ts
@@ -63,6 +63,7 @@ export interface DescribeActiveReceiptRuleSetCommandOutput
  * //             BucketName: "STRING_VALUE", // required
  * //             ObjectKeyPrefix: "STRING_VALUE",
  * //             KmsKeyArn: "STRING_VALUE",
+ * //             IamRoleArn: "STRING_VALUE",
  * //           },
  * //           BounceAction: { // BounceAction
  * //             TopicArn: "STRING_VALUE",
diff --git a/clients/client-ses/src/commands/DescribeReceiptRuleCommand.ts b/clients/client-ses/src/commands/DescribeReceiptRuleCommand.ts
@@ -59,6 +59,7 @@ export interface DescribeReceiptRuleCommandOutput extends DescribeReceiptRuleRes
  * //           BucketName: "STRING_VALUE", // required
  * //           ObjectKeyPrefix: "STRING_VALUE",
  * //           KmsKeyArn: "STRING_VALUE",
+ * //           IamRoleArn: "STRING_VALUE",
  * //         },
  * //         BounceAction: { // BounceAction
  * //           TopicArn: "STRING_VALUE",
diff --git a/clients/client-ses/src/commands/DescribeReceiptRuleSetCommand.ts b/clients/client-ses/src/commands/DescribeReceiptRuleSetCommand.ts
@@ -63,6 +63,7 @@ export interface DescribeReceiptRuleSetCommandOutput extends DescribeReceiptRule
  * //             BucketName: "STRING_VALUE", // required
  * //             ObjectKeyPrefix: "STRING_VALUE",
  * //             KmsKeyArn: "STRING_VALUE",
+ * //             IamRoleArn: "STRING_VALUE",
  * //           },
  * //           BounceAction: { // BounceAction
  * //             TopicArn: "STRING_VALUE",
diff --git a/clients/client-ses/src/commands/SendBulkTemplatedEmailCommand.ts b/clients/client-ses/src/commands/SendBulkTemplatedEmailCommand.ts
@@ -94,7 +94,7 @@ export interface SendBulkTemplatedEmailCommandOutput extends SendBulkTemplatedEm
  *   ],
  *   Template: "STRING_VALUE", // required
  *   TemplateArn: "STRING_VALUE",
- *   DefaultTemplateData: "STRING_VALUE",
+ *   DefaultTemplateData: "STRING_VALUE", // required
  *   Destinations: [ // BulkEmailDestinationList // required
  *     { // BulkEmailDestination
  *       Destination: { // Destination
diff --git a/clients/client-ses/src/commands/UpdateReceiptRuleCommand.ts b/clients/client-ses/src/commands/UpdateReceiptRuleCommand.ts
@@ -54,6 +54,7 @@ export interface UpdateReceiptRuleCommandOutput extends UpdateReceiptRuleRespons
  *           BucketName: "STRING_VALUE", // required
  *           ObjectKeyPrefix: "STRING_VALUE",
  *           KmsKeyArn: "STRING_VALUE",
+ *           IamRoleArn: "STRING_VALUE",
  *         },
  *         BounceAction: { // BounceAction
  *           TopicArn: "STRING_VALUE",
diff --git a/clients/client-ses/src/models/models_0.ts b/clients/client-ses/src/models/models_0.ts
@@ -1721,29 +1721,29 @@ export interface S3Action {
   ObjectKeyPrefix?: string;
 
   /**
-   * <p>The customer master key that Amazon SES should use to encrypt your emails before saving
-   *             them to the Amazon S3 bucket. You can use the default master key or a custom master key that
+   * <p>The customer managed key that Amazon SES should use to encrypt your emails before saving
+   *             them to the Amazon S3 bucket. You can use the default managed key or a custom managed key that
    *             you created in Amazon Web Services KMS as follows:</p>
    *          <ul>
    *             <li>
-   *                <p>To use the default master key, provide an ARN in the form of
+   *                <p>To use the default managed key, provide an ARN in the form of
    *                         <code>arn:aws:kms:REGION:ACCOUNT-ID-WITHOUT-HYPHENS:alias/aws/ses</code>.
    *                     For example, if your Amazon Web Services account ID is 123456789012 and you want to use the
-   *                     default master key in the US West (Oregon) Region, the ARN of the default master
+   *                     default managed key in the US West (Oregon) Region, the ARN of the default master
    *                     key would be <code>arn:aws:kms:us-west-2:123456789012:alias/aws/ses</code>. If
-   *                     you use the default master key, you don't need to perform any extra steps to
+   *                     you use the default managed key, you don't need to perform any extra steps to
    *                     give Amazon SES permission to use the key.</p>
    *             </li>
    *             <li>
-   *                <p>To use a custom master key that you created in Amazon Web Services KMS, provide the ARN of
-   *                     the master key and ensure that you add a statement to your key's policy to give
+   *                <p>To use a custom managed key that you created in Amazon Web Services KMS, provide the ARN of
+   *                     the managed key and ensure that you add a statement to your key's policy to give
    *                     Amazon SES permission to use it. For more information about giving permissions, see
    *                     the <a href="https://docs.aws.amazon.com/ses/latest/dg/receiving-email-permissions.html">Amazon SES Developer
    *                         Guide</a>.</p>
    *             </li>
    *          </ul>
    *          <p>For more information about key policies, see the <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html">Amazon Web Services KMS Developer Guide</a>. If
-   *             you do not specify a master key, Amazon SES does not encrypt your emails.</p>
+   *             you do not specify a managed key, Amazon SES does not encrypt your emails.</p>
    *          <important>
    *             <p>Your mail is encrypted by Amazon SES using the Amazon S3 encryption client before the mail
    *                 is submitted to Amazon S3 for storage. It is not encrypted using Amazon S3 server-side
@@ -1752,12 +1752,43 @@ export interface S3Action {
    *                 Amazon Web Services KMS keys for decryption. This encryption client is currently available with
    *                 the <a href="http://aws.amazon.com/sdk-for-java/">Amazon Web Services SDK for Java</a> and
    *                     <a href="http://aws.amazon.com/sdk-for-ruby/">Amazon Web Services SDK for Ruby</a> only. For
-   *                 more information about client-side encryption using Amazon Web Services KMS master keys, see the
+   *                 more information about client-side encryption using Amazon Web Services KMS managed keys, see the
    *                     <a href="https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html">Amazon S3 Developer Guide</a>.</p>
    *          </important>
    * @public
    */
   KmsKeyArn?: string;
+
+  /**
+   * <p> The ARN of the IAM role to be used by Amazon Simple Email Service while writing to the Amazon S3 bucket,
+   *             optionally encrypting your mail via the provided customer managed key, and publishing to
+   *             the Amazon SNS topic.
+   *             This role should have access to the following APIs:
+   *         </p>
+   *          <ul>
+   *             <li>
+   *                <p>
+   *                   <code>s3:PutObject</code>, <code>kms:Encrypt</code> and
+   *                     <code>kms:GenerateDataKey</code> for the given Amazon S3 bucket.</p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <code>kms:GenerateDataKey</code> for the given Amazon Web Services KMS customer managed key.
+   *                 </p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <code>sns:Publish</code> for the given Amazon SNS topic.</p>
+   *             </li>
+   *          </ul>
+   *          <note>
+   *             <p>If an IAM role ARN is provided, the role (and only the role) is used to access all
+   *                 the given resources (Amazon S3 bucket, Amazon Web Services KMS customer managed key and Amazon SNS topic).
+   *                 Therefore, setting up individual resource access permissions is not required.</p>
+   *          </note>
+   * @public
+   */
+  IamRoleArn?: string;
 }
 
 /**
@@ -4237,7 +4268,7 @@ export interface SendBulkTemplatedEmailRequest {
    *             the keys correspond to replacement tags in the email template.</p>
    * @public
    */
-  DefaultTemplateData?: string;
+  DefaultTemplateData: string | undefined;
 
   /**
    * <p>One or more <code>Destination</code> objects. All of the recipients in a
diff --git a/clients/client-ses/src/protocols/Aws_query.ts b/clients/client-ses/src/protocols/Aws_query.ts
@@ -5164,6 +5164,9 @@ const se_S3Action = (input: S3Action, context: __SerdeContext): any => {
   if (input[_KKA] != null) {
     entries[_KKA] = input[_KKA];
   }
+  if (input[_IRA] != null) {
+    entries[_IRA] = input[_IRA];
+  }
   return entries;
 };
 
@@ -7490,6 +7493,9 @@ const de_S3Action = (output: any, context: __SerdeContext): S3Action => {
   if (output[_KKA] != null) {
     contents[_KKA] = __expectString(output[_KKA]);
   }
+  if (output[_IRA] != null) {
+    contents[_IRA] = __expectString(output[_IRA]);
+  }
   return contents;
 };
 
@@ -8085,6 +8091,7 @@ const _HV = "HeaderValue";
 const _I = "Identity";
 const _IAMRARN = "IAMRoleARN";
 const _IF = "IpFilter";
+const _IRA = "IamRoleArn";
 const _IT = "InvocationType";
 const _ITd = "IdentityType";
 const _Id = "Identities";
diff --git a/codegen/sdk-codegen/aws-models/ses.json b/codegen/sdk-codegen/aws-models/ses.json
@@ -3150,6 +3150,16 @@
     "com.amazonaws.ses#HtmlPart": {
       "type": "string"
     },
+    "com.amazonaws.ses#IAMRoleARN": {
+      "type": "string",
+      "traits": {
+        "smithy.api#length": {
+          "min": 20,
+          "max": 2048
+        },
+        "smithy.api#pattern": "^arn:[\\w-]+:iam::[0-9]+:role/[\\w-]+$"
+      }
+    },
     "com.amazonaws.ses#Identity": {
       "type": "string"
     },
@@ -4986,7 +4996,13 @@
         "KmsKeyArn": {
           "target": "com.amazonaws.ses#AmazonResourceName",
           "traits": {
-            "smithy.api#documentation": "<p>The customer master key that Amazon SES should use to encrypt your emails before saving\n            them to the Amazon S3 bucket. You can use the default master key or a custom master key that\n            you created in Amazon Web Services KMS as follows:</p>\n         <ul>\n            <li>\n               <p>To use the default master key, provide an ARN in the form of\n                        <code>arn:aws:kms:REGION:ACCOUNT-ID-WITHOUT-HYPHENS:alias/aws/ses</code>.\n                    For example, if your Amazon Web Services account ID is 123456789012 and you want to use the\n                    default master key in the US West (Oregon) Region, the ARN of the default master\n                    key would be <code>arn:aws:kms:us-west-2:123456789012:alias/aws/ses</code>. If\n                    you use the default master key, you don't need to perform any extra steps to\n                    give Amazon SES permission to use the key.</p>\n            </li>\n            <li>\n               <p>To use a custom master key that you created in Amazon Web Services KMS, provide the ARN of\n                    the master key and ensure that you add a statement to your key's policy to give\n                    Amazon SES permission to use it. For more information about giving permissions, see\n                    the <a href=\"https://docs.aws.amazon.com/ses/latest/dg/receiving-email-permissions.html\">Amazon SES Developer\n                        Guide</a>.</p>\n            </li>\n         </ul>\n         <p>For more information about key policies, see the <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html\">Amazon Web Services KMS Developer Guide</a>. If\n            you do not specify a master key, Amazon SES does not encrypt your emails.</p>\n         <important>\n            <p>Your mail is encrypted by Amazon SES using the Amazon S3 encryption client before the mail\n                is submitted to Amazon S3 for storage. It is not encrypted using Amazon S3 server-side\n                encryption. This means that you must use the Amazon S3 encryption client to decrypt the\n                email after retrieving it from Amazon S3, as the service has no access to use your\n                Amazon Web Services KMS keys for decryption. This encryption client is currently available with\n                the <a href=\"http://aws.amazon.com/sdk-for-java/\">Amazon Web Services SDK for Java</a> and\n                    <a href=\"http://aws.amazon.com/sdk-for-ruby/\">Amazon Web Services SDK for Ruby</a> only. For\n                more information about client-side encryption using Amazon Web Services KMS master keys, see the\n                    <a href=\"https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html\">Amazon S3 Developer Guide</a>.</p>\n         </important>"
+            "smithy.api#documentation": "<p>The customer managed key that Amazon SES should use to encrypt your emails before saving\n            them to the Amazon S3 bucket. You can use the default managed key or a custom managed key that\n            you created in Amazon Web Services KMS as follows:</p>\n         <ul>\n            <li>\n               <p>To use the default managed key, provide an ARN in the form of\n                        <code>arn:aws:kms:REGION:ACCOUNT-ID-WITHOUT-HYPHENS:alias/aws/ses</code>.\n                    For example, if your Amazon Web Services account ID is 123456789012 and you want to use the\n                    default managed key in the US West (Oregon) Region, the ARN of the default master\n                    key would be <code>arn:aws:kms:us-west-2:123456789012:alias/aws/ses</code>. If\n                    you use the default managed key, you don't need to perform any extra steps to\n                    give Amazon SES permission to use the key.</p>\n            </li>\n            <li>\n               <p>To use a custom managed key that you created in Amazon Web Services KMS, provide the ARN of\n                    the managed key and ensure that you add a statement to your key's policy to give\n                    Amazon SES permission to use it. For more information about giving permissions, see\n                    the <a href=\"https://docs.aws.amazon.com/ses/latest/dg/receiving-email-permissions.html\">Amazon SES Developer\n                        Guide</a>.</p>\n            </li>\n         </ul>\n         <p>For more information about key policies, see the <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html\">Amazon Web Services KMS Developer Guide</a>. If\n            you do not specify a managed key, Amazon SES does not encrypt your emails.</p>\n         <important>\n            <p>Your mail is encrypted by Amazon SES using the Amazon S3 encryption client before the mail\n                is submitted to Amazon S3 for storage. It is not encrypted using Amazon S3 server-side\n                encryption. This means that you must use the Amazon S3 encryption client to decrypt the\n                email after retrieving it from Amazon S3, as the service has no access to use your\n                Amazon Web Services KMS keys for decryption. This encryption client is currently available with\n                the <a href=\"http://aws.amazon.com/sdk-for-java/\">Amazon Web Services SDK for Java</a> and\n                    <a href=\"http://aws.amazon.com/sdk-for-ruby/\">Amazon Web Services SDK for Ruby</a> only. For\n                more information about client-side encryption using Amazon Web Services KMS managed keys, see the\n                    <a href=\"https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html\">Amazon S3 Developer Guide</a>.</p>\n         </important>"
+          }
+        },
+        "IamRoleArn": {
+          "target": "com.amazonaws.ses#IAMRoleARN",
+          "traits": {
+            "smithy.api#documentation": "<p> The ARN of the IAM role to be used by Amazon Simple Email Service while writing to the Amazon S3 bucket,\n            optionally encrypting your mail via the provided customer managed key, and publishing to\n            the Amazon SNS topic.\n            This role should have access to the following APIs:\n        </p>\n         <ul>\n            <li>\n               <p>\n                  <code>s3:PutObject</code>, <code>kms:Encrypt</code> and\n                    <code>kms:GenerateDataKey</code> for the given Amazon S3 bucket.</p>\n            </li>\n            <li>\n               <p>\n                  <code>kms:GenerateDataKey</code> for the given Amazon Web Services KMS customer managed key.\n                </p>\n            </li>\n            <li>\n               <p>\n                  <code>sns:Publish</code> for the given Amazon SNS topic.</p>\n            </li>\n         </ul>\n         <note>\n            <p>If an IAM role ARN is provided, the role (and only the role) is used to access all\n                the given resources (Amazon S3 bucket, Amazon Web Services KMS customer managed key and Amazon SNS topic).\n                Therefore, setting up individual resource access permissions is not required.</p>\n         </note>"
           }
         }
       },
@@ -5227,7 +5243,8 @@
         "DefaultTemplateData": {
           "target": "com.amazonaws.ses#TemplateData",
           "traits": {
-            "smithy.api#documentation": "<p>A list of replacement values to apply to the template when replacement data is not\n            specified in a Destination object. These values act as a default or fallback option when\n            no other data is available.</p>\n         <p>The template data is a JSON object, typically consisting of key-value pairs in which\n            the keys correspond to replacement tags in the email template.</p>"
+            "smithy.api#documentation": "<p>A list of replacement values to apply to the template when replacement data is not\n            specified in a Destination object. These values act as a default or fallback option when\n            no other data is available.</p>\n         <p>The template data is a JSON object, typically consisting of key-value pairs in which\n            the keys correspond to replacement tags in the email template.</p>",
+            "smithy.api#required": {}
           }
         },
         "Destinations": {
