Restrict access for some users to operate only on Amazon SES and not other services

Question

How do I restrict access for some users to operate only on SES and not other services on my AWS account?

Exemple:

{
    "Version": "2021-12-16",
    "Statement": [
        {
            "Sid": "AllowsSES",
            "Effect": "Allow",
            "Action": "ses:*",
            "Resource": "*"
        },
        {
            "Sid": "DenyAllOthers", 
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

Answer 1

IAM Users in AWS have no access by default. They only have access when permission is specifically granted to the via Allow policies.

This can happen via IAM policies, but some services can also grant permission directly, such as Amazon S3 bucket policies and Amazon SQS access policies.

In general, it is best to avoid using Deny policies, since they override Allow policies. It is better to simply limit what is granted via Allow policies. Sometimes, however, a Deny is required. For example, an Administrator might be granted permission over all S3 buckets, but specifically Denied access to a bucket that contains sensitive data.

For your situation, it should be sufficient simply to use your first (Allow) policy to grant them access to Amazon SES. By default, they will not have access to any other service.

Answer 2

For your case the below policy is all you need

{
"Version": "2021-12-16",
"Statement": [
    {
        "Sid": "AllowsSES",
        "Effect": "Allow",
        "Action": "ses:*",
        "Resource": "arn:aws:ses:(regiondetail):(AWSAccountNumber):identity/(AWSIAMName)"
    }
]
}

The reason is you are potentially creating a policy that is a bit contradicting. You are providing access and denying the access to everyone. So the policy when being applied in real time might not work as you expect to still give access to you.

Also use Deny policy when absolutely necessary and use it for denying access to specific users or resources as appropriate. Also when you give specific access like above, it will give access to ONLY those users.

Including Deny, you can use the below:-

{
"Version": "2021-12-16",
"Statement": [
    {
        "Sid": "AllowsSES",
        "Effect": "Allow",
        "Action": "ses:*",
        "Resource": "*"
    },
    {
        "Sid": "DenySelected", 
        "Effect": "Deny",
        "Action": "*",
        "Resource": "arn:aws:ses:(regiondetail):(AWSAccountNumber):identity/(AWSIAMName)"
    }
]
}