Web Programming, Linux System Administration, and Entrepreneurship in Athens Georgia

Minimal AWS Permissions needed by the FluentSMTP WordPress Plugin

FluentSMTP is a WordPress plugin that allows sending email via many different email providers. Amazon Simple Email Service (SES) is one of many that it supports.

The instructions for setting up an IAM user grant access to everything in SES and SNS by attaching the predefined AmazonSESFullAccess policy and, for some reason, the AmazonSNSFullAccess policy. I’m not sure why they ask for SNS permissions at all!

I’m a proponent of the principle of least privilege, so after some trial and error I found that this policy grants access only to what is needed:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ses:SendEmail",
                "ses:SendRawEmail"
            ],
            "Resource": [
                "arn:aws:ses:us-east-1:127069677361:configuration-set/enter-your-configuration-set-name-here",
                "arn:aws:ses:us-east-1:127069677361:identity/enter-your-domain-name-here"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "ses:ListIdentities",
            "Resource": "*"
        }
    ]
}

Make sure to replace the placeholders enter-your-configuration-set-name-here and enter-your-domain-name-here with your actual values. You can apparently remove the separate ses:ListIdentities statement once the Email Provider has been saved; the plugin only uses that permission to validate that the IAM credentials work.
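As an added example (not code from this post or from the FluentSMTP project), the Python helper below assembles the policy above from your own region, account id, configuration set and domain, optionally adds the aws:SourceIp condition suggested in the comments, and audits the result for the mistakes discussed here: placeholders left in place, send actions allowed on Resource: *, and non-SES actions such as SNS. The function names, Sids and sample values are my own assumptions.

```python
import ipaddress

SEND_ACTIONS = ["ses:SendEmail", "ses:SendRawEmail"]


def build_policy(region, account_id, config_set, domain,
                 source_cidr=None, keep_list_identities=True):
    """Assemble the least-privilege policy (assumed helper, not FluentSMTP code).
    source_cidr adds the aws:SourceIp condition; keep_list_identities=False drops
    the ses:ListIdentities statement only needed while saving the Email Provider."""
    send_stmt = {
        "Sid": "SendOnly",
        "Effect": "Allow",
        "Action": list(SEND_ACTIONS),
        "Resource": [
            f"arn:aws:ses:{region}:{account_id}:configuration-set/{config_set}",
            f"arn:aws:ses:{region}:{account_id}:identity/{domain}",
        ],
    }
    if source_cidr:
        # Reject malformed or host-bit-set CIDRs so a typo cannot widen the range.
        ipaddress.ip_network(source_cidr, strict=True)
        send_stmt["Condition"] = {"IpAddress": {"aws:SourceIp": source_cidr}}
    statements = [send_stmt]
    if keep_list_identities:
        statements.append({"Sid": "ValidateCredentials", "Effect": "Allow",
                           "Action": "ses:ListIdentities", "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def audit_policy(policy):
    """Return findings: non-SES or wildcard actions, send actions on any
    resource, and placeholders left in ARNs. An empty list means clean."""
    findings = []
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "?")
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for action in actions:
            if not action.startswith("ses:") or action.endswith("*"):
                findings.append(f"{sid}: overly broad or non-SES action {action}")
            if action in SEND_ACTIONS and "*" in resources:
                findings.append(f"{sid}: {action} allowed on any resource")
        for res in resources:
            if "enter-your-" in res:
                findings.append(f"{sid}: placeholder left in {res}")
    return findings
```

Run audit_policy on the JSON you are about to attach; anything it reports is a spot where the policy is broader than the plugin needs.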

I’m sure they are trying to keep the configuration steps to a minimum, and creating a separate policy would make a not-exactly-simple setup process even more complicated. But I wish they would at least add these minimal permissions to their instructions as an option, and remove the mention of AmazonSNSFullAccess, because it is not needed at all.

2 Comments

  1. NetVicious

    Thanks for the info. I was struggling to secure the ListIdentities and I see it needs Resource: *

    You can remove the action “ses:SendEmail”.

    If you want to set up more security you can add security by IP address, copying this and adding it inside the first statement just after the Resource.

    "Condition": {
        "IpAddress": {
            "aws:SourceIp": "1.2.3.4/32"
        }
    }

  2. Brandon

    That’s a good point about limiting access to only the specified IP address, NetVicious.

© 2025 Brandon Checketts