I have the impression this should be simple: I want to create a Bucket that my SES rule will use to store emails. However, I need to apply a Bucket policy to allow SES to use it. If I create this bucket through the SES dashboard, it attached these policies:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSESPuts-1629654011154",
      "Effect": "Allow",
      "Principal": {
        "Service": "<http://ses.amazonaws.com|ses.amazonaws.com>"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::mailtosheet-emails/*",
      "Condition": {
        "StringEquals": {
          "aws:Referer": "326317869239"
        }
      }
    }
  ]
}

How could I do the same if I create the bucket using SST? I went as far as this:

this.mailBucket = new sst.Bucket(this, "mts-emails");

const SESPolicy = new iam.PolicyStatement({
      actions: ["s3:PutObject"],
      effect: iam.Effect.ALLOW,
      resources: [this.mailBucket.bucketArn],
      principals: [new iam.ServicePrincipal("<http://ses.amazonaws.com|ses.amazonaws.com>")],
      conditions: {
        StringEquals: {
          "aws:Referer": "326317869239",
        },
      },
});

But then, I got lost on how to apply this policy to the bucket… reading into

attachPermissions

did not make it very clear where to insert `SESPolicy`…. Anyone knows? 🙏

@Daniel da Rocha give this a try

this.mailBucket.addToResourcePolicy(SESPolicy)