AWS CloudFormation Script Fails - Cognito is not allowed to use your email identity


I am trying to build a CloudFormation script that sets up a Cognito User Pool and configures it to use a custom email for sending users their validation code in the signup process (i.e. FROM: [email protected]).

I am getting this error when executing my AWS CloudFormation script:

"ResourceStatusReason": "Cognito is not allowed to use your email identity (Service: AWSCognitoIdentityProvider; Status Code: 400; Error Code: InvalidEmailRoleAccessPolicyException; 

I have attached a Policy for Cognito to use my SES email identity e.g. [email protected]. I have manually set up and validated this email identity in SES prior to running the CloudFormation script.

Here is my CloudFormation configuration for the policy to allow Cognito to send emails on my behalf e.g. From [email protected]:

  CognitoSESPolicy:
    Type: AWS::IAM::ManagedPolicy
    Description: "Allow Cognito to send email on behalf of email identity (e.g. [email protected])"
    Properties:
      PolicyDocument:
        Version: 2012-10-17
        Statement:
        - Sid: "ucstmnt0001"
          Effect: "Allow"
          Action:
          - "ses:SendEmail"
          - "ses:SendRawEmail"
          Resource: !FindInMap [ environment, !Ref "Environment", emailARN ]

  SESRole:
    Type: AWS::IAM::Role
    Description: "An IAM Role to allow Cognito to send email on behalf of email identity"
    Properties:
      RoleName: uc-cognito-ses-role
      ManagedPolicyArns:
        - Ref: CognitoSESPolicy
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action:
            - sts:AssumeRole
            Principal:
              Service:
              - cognito-idp.amazonaws.com
    DependsOn: CognitoSESPolicy

I am not sure what I am doing wrong here...

Best answer:

Answering my own question for others' benefit. AWS SES has its own managed identity for emails, requiring a user to verify ownership of the email before it can be used by other AWS services. My solution was to manually set up the SES email account using the AWS portal, verify the email account, then reference the ARN for the identity created in SES for email in my CloudFormation script. Maybe AWS will have a way in the future to create an SES identity via CloudFormation scripts, but at this time it seems that a manual process is required for initial setup.

Second answer:

Recently ran into this issue and could not find a way to add it via CloudFormation still. Was able to use aws ses put-identity-policy instead.

# email_arn: ARN of the SES identity that was verified beforehand (arn:aws:ses:REGION:ACCOUNT:identity/...)
# policy_name: any name for the identity policy; both variables must be set before this runs
ses_policy=$(cat << EOM
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "cognito-idp.amazonaws.com"
            },
            "Action": [
                "ses:SendEmail",
                "ses:SendRawEmail"
            ],
            "Resource": "${email_arn}"
        }
    ]
}
EOM
)
# Attach the policy to the identity itself; this is what the IAM role in the question does not do
aws ses put-identity-policy \
  --identity "${email_arn}" \
  --policy-name "${policy_name}" \
  --policy "${ses_policy}"

Instead of cat you can use read, but my script was already using set -o errexit and it was not worth changing to be a purist for no particular reason.
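As an added example (not code from either answer), the following Python helper builds the same SES identity policy the second answer applies and checks an existing identity-policy document for the least-privilege shape both answers rely on: the only principal is cognito-idp.amazonaws.com, the actions are limited to ses:SendEmail and ses:SendRawEmail, and the resource is exactly the verified identity ARN. The ARN in the test is a constructed placeholder; the output of build_cognito_ses_policy is what you would pass to aws ses put-identity-policy --policy.

```python
import json

COGNITO_SERVICE = "cognito-idp.amazonaws.com"
ALLOWED_ACTIONS = {"ses:SendEmail", "ses:SendRawEmail"}


def build_cognito_ses_policy(email_arn: str) -> str:
    """Return the SES identity policy JSON that lets Cognito send from this identity only."""
    doc = {
        "Version": "2008-10-17",  # SES identity policies use this policy-language version
        "Statement": [{
            "Sid": "AllowCognitoToSendFromIdentity",
            "Effect": "Allow",
            "Principal": {"Service": COGNITO_SERVICE},
            "Action": sorted(ALLOWED_ACTIONS),
            "Resource": email_arn,
        }],
    }
    return json.dumps(doc)


def check_cognito_ses_policy(policy_json: str, email_arn: str) -> list:
    """Return findings for every Allow statement that is broader than needed (empty list = OK)."""
    findings = []
    doc = json.loads(policy_json)
    for i, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # Principal may be "*", {"Service": "..."}, {"Service": [...]} or {"AWS": ...}
        if isinstance(principal, dict):
            services = principal.get("Service", [])
            services = [services] if isinstance(services, str) else list(services)
            if set(principal) - {"Service"}:
                findings.append(f"statement {i}: non-service principal {sorted(principal)}")
        else:
            services = [principal]
        if "*" in services:
            findings.append(f"statement {i}: wildcard principal")
        elif any(s != COGNITO_SERVICE for s in services):
            findings.append(f"statement {i}: unexpected principal {services}")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        extra = [a for a in actions if a not in ALLOWED_ACTIONS]
        if extra:
            findings.append(f"statement {i}: actions beyond send: {extra}")
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else list(resources)
        if any(r != email_arn for r in resources):
            findings.append(f"statement {i}: resource not limited to {email_arn}")
    return findings
```

Running the check against the policy returned by aws ses get-identity-policies is a quick way to confirm nothing wider than Cognito's send permission was attached to the identity.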