Using AWS CLI and SES (simple email service) to send emails for alerts
Introduction
Domain validation and AWS SES configuration
Creating a user and assigning policies in the AWS console
Creating an access key and using the AWS CLI to send an email
Introduction
Let’s say we are running a bash script and we would like to be notified of success or failure after it is executed.
We could send an email out via Amazon SES (simple email service), by using the AWS CLI binaries.
We would also need an AWS service account that has permissions to send emails.
The emails will be sent from an email address in domain that we own (alerts@georgetech.co.uk).
The alerts will be sent to a GMail email address, for example, as we do not have an email server of our own.
Domain validation and AWS SES configuration
Let’s first configure AWS SES.
Click Amazon SES > Configuration> Identities > Create identity > Identity type = domain.
In the Domain text field we will enter our domain georgetech.co.uk.
We will check the option Use a custom MAIL FROM domain, and enter alerts.georgetech.co.uk. If you don’t, then the Mail From domain will be amazonses.com.
Click on Create identity and proceed to the domain validation.
In the Configuration > Identitties section, you will have to validate your @gmail.com email address by clicking on a validation email from Amazon.
For the domain validation, you will have to add a few DNS records of the type CNAME, TXT, MX for DKIM, DMARC.
Remember to delete the domain part ._domainkey.georgetech.co.uk when adding the records via your domain registrar web console.
To check, use a tool such as dig in linux or nslookup in Windows:
$ dig @1.1.1.1 txt 6iw7i6o7cod7gqhagl4y7se23etxyqbk._domainkey.georgetech.co.uk +short
6iw7i6o7cod7gqhagl4y7se23etxyqbk.dkim.amazonses.com.
It can take a few minutes for Amazon to validate your domain.
In the Domain > Identities page, both your domain and the @gmail.com address should be validated/verified.
You can use Configuration: Identities > Your domain > Send test email to test sending an email, from alerts@georgetech.co.uk to some-email@gmail.com.
Creating a user and assigning policies in the AWS console
Let’s proceed to create the user account and policy assignment.
To create a user, go to IAM > Users > Create User.
Name your user, george-aws2-sa for example.
Choose Attach policies directly.
Select Create policy.
You can paste the below, to allow sending emails:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ses:SendEmail",
"Resource": "*"
}
]
}
Name the policy ses-send-emails for example.
Click Create policy.
Go back to the account creation tab.
Click the Refresh policies button located before the Create policy button.
Select/tick the ses-send-emails policy.
Click Next. Click Create user.
On the same window, click Create access key in the Summary tab.
Choose Command line interface, tick I understand at the bottom and click Next.
You can assign an optional tag to it.
Creating an access key and using the AWS CLI to send an email
Click Create access key.
In the next window, you have the data for the Access key and Secret access key, copy and paste the values in the file ~/.aws/credentials, into a new profile called aws2-sa.
Your file should look like this:
[aws2-sa]
aws_access_key_id = xx
aws_secret_access_key = xxx
To test via the command line, with the newly created profile:
$ aws --profile aws2-sa ses send-email --from alerts@georgetech.co.uk --to test@gmail.com --subject "Test Alert Email" --text "This is a test alert from GeorgeTech." --region eu-west-2
{
"MessageId": "010b01961185b0c6-3b300ebe-b1cc-4eb7-8246-2ecab357f532-000000"
}
We can take a look at the raw email in Gmail, to confirm proper reception:
Message ID <010b01961185b0c6-3b300ebe-b1cc-4eb7-8246-2ecab357f532-000000@eu-west-2.amazonses.com>
Created on: 7 April 2025 at 19:31 (Delivered after 0 seconds)
From: alerts@georgetech.co.uk
To: test@gmail.com
Subject: Test Alert Email
SPF: PASS with IP xx.249.yy.9
DKIM: 'PASS' with domain georgetech.co.uk
DMARC: 'PASS'