Integrating AWS SES
Capabilities
DataGrail's AWS SES Integration provides the following capabilities:
| Product | Capability | ||
|---|---|---|---|
| Request Manager |
|
Before You Start
To successfully configure this integration, please ensure you have sufficient privileges:
- DataGrail User Role: Super Admin, Connections Manager
- AWS SES User Role: Admin
Create a Sender Identity
To utilize SES as your transactional mailer, you must have a verified Sender Identity in the us-east-1 or us-west-2 regions.
- Confirm with your privacy team the domain and email address that will be used to send privacy communications to Consumers/Data Subjects.
- Navigate to Amazon Simple Email Service.
- Select Identities from the Configuration section in the left-hand menu.
- Select Create Identity.
- Based on your preference, select either Domain or Email under Identity type.
- Following AWS' instructions, verify the newly created identity: Creating and verifying identities in Amazon SES.
The sender identity associated with the transactional mailer email address must show a verified status before proceeding with the remaining DataGrail setup. As the delegate sender, we do not control the DKIM keys. We recommend identity owners configure these using AWS Easy DKIM.
Create an Identity Policy
- Select the Sender Identity you created in Create a Sender Identity.
- Select the Authorization Menu and Use Policy Generator.
- Enter the Principal that should be issued the permissions:
- For AssumeRole Connections, add the ARN of the IAM Role.
- For Access Key Connections, add the
338780525468(DataGrail Account ID).
- Under Actions, select
ses:SendEmailandses:SendRawEmail. - (Optional) Expand the Specify conditions menu and create the following rule:
Restrict SES 'From' Address
- Operator:
StringEquals - Key:
ses:FromAddress - Value: The email address you wish to use with your transactional mailer.
- Select Next and create the Policy.
Connect to DataGrail
DataGrail provides two methods for securely connecting AWS SES:
One of the main security benefits of using AssumeRole is the lack of key rotation requirements. Read more about IAM Users and Roles here.
Connect With AssumeRole (Recommended)
Create The IAM Role
- Navigate to IAM within AWS and select Roles from the left menu.
- Select Create Role.
- Choose Custom trust policy.
- Enter the Recommended JSON Policy, ensuring you create and substitute an External ID.
Recommended JSON Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::338780525468:user/dg_app"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "SUBSTITUTEME"
}
}
}
]
}
Ensure you create and substitute an External ID for SUBSTITUTEME.
The External ID is, in effect, a password. Keep it secure. We recommend using a secure password generator with a long length (32+ alphanumeric characters, no symbols). Save the External ID for later; it will be used to set up the DataGrail connection to this role.
- Ensure the IAM Role ARN is populated in the Identity Policy you created in Create an Identity Policy.
- Please send the ARN of the newly created role to support@datagrail.io. Our support team will work with you to assume the necessary permissions on this role.
Connect to DataGrail
- Navigate back to DataGrail.
- Under Sender Email, enter the email address you wish to use with your mailer.
- Under AWS Region, enter the name of the AWS region used with the newly created Sender Identity.
- Select AWS Assume Role under Authentication Type.
- Under Identity ARN, enter the ARN of the Sender Identity.
- Under AssumeRole ARN, enter the name of the IAM Role you just created.
- Under AssumeRole External ID, enter the External ID of the IAM Role you just created.
- Select Configure Integration.
Connect With an Access Key
- Navigate back to DataGrail.
- Under Sender Email, enter the email address you wish to use with your mailer.
- Under AWS Region, enter the name of the AWS region used with the newly created Sender Identity.
- Select AWS Access Key under Authentication Type.
- Under Identity ARN, enter the ARN of the Sender Identity.
- Select Configure Integration.
Next Steps
Now that you've successfully connected the integration, check out the following resources:
Troubleshooting
If you are unable to successfully connect the integration, review these common troubleshooting steps:
Ensure your SES account is not in sandbox mode.
The DataGrail SES Integration requires a production AWS SES account. By default, AWS places all new accounts in sandbox mode.
Ensure you have sent the IAM Role ARN to DataGrail Support.
For AssumeRole connections, the DataGrail Support Team needs the ARN of the IAM role you created to assume the necessary permissions.
Please send the ARN of the newly created role to support@datagrail.io.
Ensure all placeholder values in JSON policies are populated.
All JSON policies in this documentation contain multiple placeholders for credentials you have created during the setup process. Please review the JSON policies for the IAM Users, Roles, or Resources.
Ensure a configuration set is not applied to the identity.
Configuration sets may interfere with DataGrail's ability to send mail through your Verified Identity. Ensure no configuration sets are applied to the Sender Identity associated with DataGrail.
Ensure Required Permissions Are Granted on API Keys/Resources
DataGrail checks required permissions and scopes on API keys/resources used by each integration. If all necessary permissions are not granted, new connections will fail.
Review Required Account Types and User Roles
If users do not have the necessary permissions or the minimum required user role in the connecting system, the connection to DataGrail will fail. Additionally, connections will fail if your account type does not match the one required by the integration.
See Before You Start to review these requirements.
Disclaimer: The information contained in this message does not constitute as legal advice. We would advise seeking professional counsel before acting on or interpreting any material.