AWS Simple Email Service (AWS SES)
AWS Simple Email Service (AWS SES) is a new Cloud.gov service currently offered as an invite-only beta.
To request access or share feedback, email support@cloud.gov.
Cloud.gov brokers AWS SES within AWS GovCloud (US), allowing platform users to send email securely via SMTP or the SES HTTP API.
Usage and service plans
AWS SES currently offers one plan, domain. The domain plan supports sending email from a verified domain. You can provide a domain like agency.gov or allow Cloud.gov to generate a temporary domain for you.
If you provide a domain, you must create DNS records in your agency DNS system to send mail. Once the service instance is created, bind an application to it or create a service key. The binding or service key will include instructions for creating the required DNS records.
If you do not provide a domain, Cloud.gov will generate one. When generating a domain, Cloud.gov manages all DNS records, making this feature useful for testing and debugging.
For instructions on creating and binding to AWS SES service instances, examples, and the full plan and parameter reference, see Cloud.gov Services Reference: AWS Simple Email Service.
Reputation protection
Cloud.gov monitors sender reputation on brokered SES identities. If bounce or complaint rates exceed a threshold, the identity's ability to send email will be disabled.
You must provide an administrative email via the admin_email parameter when creating an AWS SES instance. Cloud.gov will send warning notifications to this address if your identity is approaching the bounce or complaint threshold, and critical alarms if the identity has reached the threshold.
The thresholds are:
| Metric | Warning | Critical |
|---|---|---|
| Bounce rate | 2 % | 4 % |
| Complaint rate | 0.04 % | 0.08 % |
These thresholds are based on AWS SES's reputation monitoring policies. For more information about monitoring sender reputation, see the AWS Developer Guide.
To be notified of complaints, bounces, or successful delivery of emails sent from your identity, set "enable_feedback_notifications": "true" when creating your SES service instance and provide a webhook when binding. See Cloud.gov Services Reference: AWS Simple Email Service for full details.
If sending is disabled on your domain, contact support@cloud.gov for help.
Credential Rotation
Each service binding or service key creates a new IAM user scoped to your SES identity.
To rotate credentials:
- Unbind and rebind your application, or
- Delete and recreate the corresponding service key.
This ensures new credentials are generated and old ones revoked.
Feedback
AWS SES remains in limited beta.
Email support@cloud.gov for access, bug reports, or feature requests.
The broker in GitHub
AWS SES is provisioned through the Cloud Service Broker (CSB).
Cloud.gov’s SES brokerpak and CSB configuration source code are published at:
github.com/cloud-gov/csb.