@@ -776,44 +776,49 @@ export class StacksCloud extends Stack {
776776 } ,
777777 } )
778778
779- const sesPolicy = new iam . PolicyStatement ( {
780- sid : `AllowSESPuts` ,
781- effect : iam . Effect . ALLOW ,
782- principals : [ sesPrincipal ] ,
783- actions : [ 's3:PutObject' ] ,
784- resources : [
785- `${ this . storage . emailBucket . bucketArn } ,
786- ] ,
787- conditions : {
788- StringEquals : {
789- 'aws:SourceAccount' : Stack . of ( this ) . account ,
790- } ,
791- ArnLike : {
792- 'aws:SourceArn' : `arn:aws:ses:${ this . region } ${ Stack . of ( this ) . account } ${ ruleSetName } ${ ruleName } ,
779+ this . storage . emailBucket . addToResourcePolicy (
780+ new iam . PolicyStatement ( {
781+ sid : `AllowSESToPutObject` ,
782+ effect : iam . Effect . ALLOW ,
783+ principals : [ sesPrincipal ] ,
784+ actions : [
785+ 's3:PutObject' ,
786+ 's3:PutObjectAcl' ,
787+ ] ,
788+ resources : [
789+ `${ this . storage . emailBucket . bucketArn } ,
790+ ] ,
791+ conditions : {
792+ StringEquals : {
793+ 'aws:SourceAccount' : Stack . of ( this ) . account ,
794+ } ,
795+ ArnLike : {
796+ 'aws:SourceArn' : `arn:aws:ses:${ this . region } ${ Stack . of ( this ) . account } ${ ruleSetName } ${ ruleName } ,
797+ } ,
793798 } ,
794- } ,
795- } )
796-
797- this . storage . emailBucket . addToResourcePolicy ( sesPolicy )
799+ } ) ,
800+ )
798801
799- this . storage . emailBucket . addToResourcePolicy ( new iam . PolicyStatement ( {
800- sid : `AllowSESToEncryptMessagesBelongingToThisAccount` ,
801- effect : iam . Effect . ALLOW ,
802- principals : [ sesPrincipal ] ,
803- actions : [
804- 'kms:Decrypt' ,
805- 'kms:GenerateDataKey' ,
806- ] ,
807- resources : [ this . storage . emailBucket . encryptionKey ?. keyArn || '*' ] ,
808- conditions : {
809- StringEquals : {
810- 'aws:SourceAccount' : Stack . of ( this ) . account ,
811- } ,
812- ArnLike : {
813- 'aws:SourceArn' : `arn:aws:ses:${ this . region } ${ Stack . of ( this ) . account } ${ ruleSetName } ${ ruleName } ,
814- } ,
815- } ,
816- } ) )
802+ // this.storage.emailBucket.addToResourcePolicy(
803+ // new iam.PolicyStatement({
804+ // sid: `AllowSESToEncryptMessagesBelongingToThisAccount`,
805+ // effect: iam.Effect.ALLOW,
806+ // principals: [sesPrincipal],
807+ // actions: [
808+ // 'kms:Decrypt',
809+ // 'kms:GenerateDataKey*',
810+ // ],
811+ // resources: ['*'],
812+ // conditions: {
813+ // StringEquals: {
814+ // 'aws:SourceAccount': Stack.of(this).account,
815+ // },
816+ // ArnLike: {
817+ // 'aws:SourceArn': `arn:aws:ses:${this.region}:${Stack.of(this).account}:receipt-rule-set/${ruleSetName}:receipt-rule/${ruleName}`,
818+ // },
819+ // },
820+ // }),
821+ // )
817822
818823 const iamGroup = new iam . Group ( this , 'IAMGroup' , {
819824 groupName : `${ this . appName } ${ appEnv } ,
@@ -1050,11 +1055,10 @@ export class StacksCloud extends Stack {
10501055 resources : [
10511056 `arn:aws:lambda:${ this . region } ${ Stack . of ( this ) . account } ${ lambdaEmailInbound . functionName } ,
10521057 `arn:aws:lambda:${ this . region } ${ Stack . of ( this ) . account } ${ lambdaEmailConverter . functionName } ,
1053- `arn:aws:lambda:${ this . region } ${ Stack . of ( this ) . account } ${ lambdaEmailOutbound . functionName } ,
10541058 ] ,
10551059 conditions : {
10561060 StringEquals : {
1057- 'aws:SourceAccount' : this . account ,
1061+ 'aws:SourceAccount' : Stack . of ( this ) . account ,
10581062 } ,
10591063 ArnLike : {
10601064 'aws:SourceArn' : `arn:aws:ses:${ this . region } ${ Stack . of ( this ) . account } ${ ruleSetName } ${ ruleName } ,
0 commit comments