Extract separate SESSuppressionListPolicy

Commit 989e0d7 didn't work, because SESSendEmailPolicy is limited to specific resources, and the suppression list permissions must apply to 'Resource: "*"': User: arn:aws:sts::...:assumed-role/.../elistman-dev-Function-... is not authorized to perform: ses:GetSuppressedDestination on resource: * because no identity-based policy allows the ses:GetSuppressedDestination action I should've noticed that previously.
mbland · May 18, 2023 · c1845d9 · c1845d9
1 parent 4d2a498
commit c1845d9
Showing 1 changed file with 8 additions and 3 deletions.
diff --git a/template.yml b/template.yml
@@ -69,12 +69,17 @@ Resources:
             Action:
               - "ses:SendRawEmail"
               - "ses:SendBounce"
-              - "ses:GetSuppressedDestination"
-              - "ses:PutSuppressedDestination"
-              - "ses:DeleteSuppressedDestination"
             Resource:
               - !Sub "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${EmailDomainName}"
               - !Sub "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:configuration-set/${AWS::StackName}"
+        - Statement:
+            Sid: SESSuppressionListPolicy
+            Effect: Allow
+            Action:
+              - "ses:GetSuppressedDestination"
+              - "ses:PutSuppressedDestination"
+              - "ses:DeleteSuppressedDestination"
+            Resource: "*"
 
       Tracing: Active
       Environment: