AWS Simple Email Service (AWS SES)
Cloud.gov brokers AWS SES within AWS GovCloud (US), allowing platform users to send email securely via SMTP or the SES HTTP API.
Usage and service plans
AWS SES currently offers one plan, domain. The domain plan supports sending
email from a verified domain. You can provide a domain like agency.gov or
allow Cloud.gov to generate a temporary domain for you.
If you provide a domain, you must create DNS records in your agency DNS system to send mail. Once the service instance is created, bind an application to it or create a service key. The binding or service key will include instructions for creating the required DNS records.
If you do not provide a domain, Cloud.gov will generate one. When generating a domain, Cloud.gov manages all DNS records, making this feature useful for testing and debugging.
For instructions on creating and binding to AWS SES service instances, examples, and the full plan and parameter reference, see Cloud.gov Services Reference: AWS Simple Email Service.
Reputation protection
Cloud.gov monitors sender reputation on brokered SES identities. If bounce or complaint rates exceed a threshold, the identity's ability to send email will be disabled.
You must provide an administrative email via the admin_email parameter when
creating an AWS SES instance. Cloud.gov will send warning notifications to this
address if your identity is approaching the bounce or complaint threshold, and
critical alarms if the identity has reached the threshold.
The thresholds are:
| Metric | Warning | Critical |
|---|---|---|
| Bounce rate | 2 % | 4 % |
| Complaint rate | 0.04 % | 0.08 % |
These thresholds are based on AWS SES's reputation monitoring policies. For more information about monitoring sender reputation, see the AWS Developer Guide.
To be notified of complaints, bounces, or successful delivery of emails sent
from your identity, set "enable_feedback_notifications": "true" when creating
your SES service instance and provide a webhook when binding. See
Cloud.gov Services Reference: AWS Simple Email Service
for full details.
If sending is disabled on your domain, contact support@cloud.gov for help.
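The following is an added example, not Cloud.gov or broker code: it tallies feedback notifications received by a webhook and grades the resulting bounce and complaint rates against the thresholds in the table above. It assumes each webhook body has already been unwrapped to a standard SES notification object with a `notificationType` field, and that a locally counted window approximates the rates SES itself measures; the function names and sample events are constructed for illustration.

```python
import json
from collections import Counter
from fractions import Fraction

# Thresholds from the table above, in percent: (warning, critical).
THRESHOLDS = {"bounce": (Fraction(2), Fraction(4)),
              "complaint": (Fraction("0.04"), Fraction("0.08"))}


def tally(raw_events):
    """Count feedback notifications by kind from raw JSON strings."""
    counts = Counter()
    for raw in raw_events:
        try:
            event = json.loads(raw)
            kind = event["notificationType"]
        except (ValueError, KeyError, TypeError):
            counts["malformed"] += 1
            continue
        if kind == "Bounce":
            # SES counts only hard (Permanent) bounces toward the bounce rate.
            hard = (event.get("bounce") or {}).get("bounceType") == "Permanent"
            counts["hard_bounce" if hard else "soft_bounce"] += 1
        elif kind in ("Complaint", "Delivery"):
            counts[kind.lower()] += 1
        else:
            counts["unknown"] += 1
    return counts


def classify(counts):
    """Return the alert level per metric for one tallied window."""
    # Each sent message ends as a delivery or a bounce; complaints follow delivery.
    sent = counts["delivery"] + counts["hard_bounce"] + counts["soft_bounce"]
    observed = {"bounce": counts["hard_bounce"], "complaint": counts["complaint"]}
    levels = {}
    for metric, (warning, critical) in THRESHOLDS.items():
        rate = Fraction(observed[metric] * 100, sent) if sent else Fraction(0)
        levels[metric] = ("critical" if rate >= critical
                          else "warning" if rate >= warning else "ok")
    return levels


# Constructed sample window, not real traffic.
SAMPLE = (['{"notificationType": "Delivery"}'] * 970
          + ['{"notificationType": "Bounce", "bounce": {"bounceType": "Permanent"}}'] * 25
          + ['{"notificationType": "Bounce", "bounce": {"bounceType": "Transient"}}'] * 5
          + ['{"notificationType": "Complaint"}', "not json"])
print(classify(tally(SAMPLE)))
```

Exact fractions are used so that a rate sitting exactly on a threshold, such as 4 complaints in 5,000 sends, is graded the same way every time.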
Credential rotation
Each service binding or service key creates a new IAM user scoped to your SES identity.
To rotate credentials:
- Unbind and rebind your application, or
- Delete and recreate the corresponding service key.
This ensures new credentials are generated and old ones revoked.
The broker in GitHub
AWS SES is provisioned through the Cloud Service Broker (CSB). Cloud.gov’s SES brokerpak and CSB configuration source code are published at: github.com/cloud-gov/csb.