fix(ses-actions): condition should use SourceAccount (#34081)

Lilja · web-flow · commit f68b9479e6fd · 2025-05-21T18:13:18.000Z
### Issue #29811 ### Reason for this change Restricts the SES to come through the SourceAccount in question. This will change does not affect bucket policy and ses rule action race condition, reported in #30143 and introduced in #29833 and reverted in #30375. That PR introduced the rule set name into the bucket policy, which added a dependency to the policy to the rule set(while the rule set requires that the policy is created first). Doing this change made a circular dependency between the two resources. ### Description of changes Simply use SourceAccount instead of Referer. ### Describe any new or updated permissions being added n/a ### Description of how you validated changes n/a ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ses-actions/test/integ.actions.js.snapshot/aws-cdk-ses-receipt.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ses-actions/test/integ.actions.js.snapshot/aws-cdk-ses-receipt.template.json
@@ -86,7 +86,7 @@
        "Action": "s3:PutObject",
        "Condition": {
         "StringEquals": {
-         "aws:Referer": {
+         "aws:SourceAccount": {
           "Ref": "AWS::AccountId"
          }
         }
diff --git a/packages/aws-cdk-lib/aws-ses-actions/lib/s3.ts b/packages/aws-cdk-lib/aws-ses-actions/lib/s3.ts
@@ -55,7 +55,7 @@ export class S3 implements ses.IReceiptRuleAction {
       resources: [this.props.bucket.arnForObjects(`${keyPattern}*`)],
       conditions: {
         StringEquals: {
-          'aws:Referer': cdk.Aws.ACCOUNT_ID,
+          'aws:SourceAccount': cdk.Aws.ACCOUNT_ID,
         },
       },
     });
diff --git a/packages/aws-cdk-lib/aws-ses-actions/test/actions.test.ts b/packages/aws-cdk-lib/aws-ses-actions/test/actions.test.ts
@@ -190,7 +190,7 @@ test('add s3 action', () => {
           Action: 's3:PutObject',
           Condition: {
             StringEquals: {
-              'aws:Referer': {
+              'aws:SourceAccount': {
                 Ref: 'AWS::AccountId',
               },
             },
diff --git a/packages/aws-cdk-lib/aws-ses/README.md b/packages/aws-cdk-lib/aws-ses/README.md
@@ -103,6 +103,12 @@ new ses.AllowListReceiptFilter(this, 'AllowList', {
 
 This will first create a block all filter and then create allow filters for the listed ip addresses.
 
+### AWS Service Principal permissions
+
+When adding an s3 action to a receipt rule, the CDK will automatically create a policy statement that allows the ses service principal to get write access to the bucket. This is done with the `SourceAccount` condition key, which is automatically added to the policy statement.
+Previously, the policy used the `Referer` condition key, which caused confused deputy problems when the bucket policy allowed access to the bucket for all principals.
+See more information in [this github issue](https://github.com/aws/aws-cdk/issues/29811)
+
 ## Email sending
 
 ### Dedicated IP pools

Original file line number	Diff line number	Diff line change
`@@ -86,7 +86,7 @@`
`86`	`86`	`"Action": "s3:PutObject",`
`87`	`87`	`"Condition": {`
`88`	`88`	`"StringEquals": {`
`89`		`- "aws:Referer": {`
	`89`	`+ "aws:SourceAccount": {`
`90`	`90`	`"Ref": "AWS::AccountId"`
`91`	`91`	`}`
`92`	`92`	`}`