Amazon Web Services (AWS)¶

Simple Email Service (SES)¶

Reference: Setting up Email with Amazon SES

Verify a domain¶

Go to SES’ Domains:
1. Click Verify a New Domain
2. Enter the domain in Domain:
3. Check the Generate DKIM Settings box
4. Click Verify This Domain
Go to GoDaddy’s DNS Management:
1. Add the TXT and CNAME records. Add the MX record if none exists.
  
  Note
  
  SES’ DKIM Record Set is a scrollable table with three records.
  
  Note
  
  Omit .open-contracting.org from hostnames. GoDaddy appends it automatically.
2. Add or update the SPF record
Wait for the domain’s verification status to become “verified” on SES’ Domains

Note

AWS will notify you by email. Last time, it took a few minutes.

Reference: Verifying a Domain

Verify an email address¶

Check that the domain’s verification status is “verified” on SES’ Domains
If an MX record didn’t exist, go to SES’ Rule Sets:
1. Click Create a New Rule Set
2. Click the rule set’s name
3. Click Create Rule
4. Click Next Step
5. Select “S3” from the Add action dropdown
6. Select “Create S3 bucket” from the S3 bucket dropdown
7. Enter a bucket name in Bucket Name
8. Click Create Bucket
9. Click Next Step
10. Enter a rule name in Rule Name
11. Click Next Step
12. Click Create Rule
13. Go to SES’ Rule Sets
14. Check the rule set’s box
15. Click Set as Active Rule Set
Go to SES’ Email Addresses:
1. Click Verify a New Email Address
2. Enter the email address in Email Address:
3. Click Verify This Email Address
If an MX record didn’t exist, go to S3 (otherwise, check your email):
1. Click the bucket name
2. Click the long alpha-numeric string (if there is none, double-check the earlier steps)
3. Click Download
4. Copy the URL in the downloaded file
5. Open the URL in a web browser
Check that the email address’s verification status is “verified” on SES’ Email Addresses
If an MX record didn’t exist, cleanup:
1. Delete the bucket
2. Disable and delete the rule set
3. Remove the MX record

Reference: Verifying an Email Address

Create SMTP credentials¶

Note

You only need to do this once per AWS region.

Go to SES’ SMTP Settings:
1. Click Create My SMTP Credentials
2. Enter a user name in IAM User Name:
3. Click Create
4. Click Download Credentials
5. Click Close

Reference: Getting Your SMTP Credentials

Move out of sandbox¶

Note

You only need to do this once per AWS account.

Reference: Moving Out of the Amazon SES Sandbox

Set up MAIL FROM domain¶

Note

This optional step improves email deliverability.

Reference: Setting up a custom MAIL FROM domain

Disable account-level suppression list¶

Note

This optional step can negatively affect sender reputation.

Reference: Disabling the account-level suppression list

Set up notifications¶

Go to SNS’ Topics:
1. Click Create topic
2. Set Type to Standard
3. Enter a hyphenated address in Name (data-open-contracting-org, for example)
4. Click Create topic
Click Create subscription:
1. Select “Email” from the Protocol dropdown
2. Enter an email address in Endpoint
3. Click Create subscription
Click the email address on SES’ Email Addresses:
1. Expand Notifications
2. Click Edit configuration
3. Select the created topic from the Bounces: dropdown
4. Check the Include original headers box
5. Select the created topic from the Complaints: dropdown
6. Check the Include original headers box
7. Click Save Config

Reference: Configuring Amazon SNS notifications for Amazon SES

Check DMARC compliance¶

Check DMARC compliance, sending the email using SES.

Note

SES adds two DKIM signatures (“The extra DKIM signature, which contains d=amazonses.com, is automatically added by Amazon SES. You can ignore it”). This signature’s domain is not aligned, but according to RFC 7489 <https://tools.ietf.org/html/rfc7489#page-10>, “a single email can contain multiple DKIM signatures, and it is considered to be a DMARC “pass” if any DKIM signature is aligned and verifies.”

Debug delivery issues¶

Bounces and complaints are sent to the subscribed address. The relevant properties of the notification message are:

Reference: DNS Blackhole List (DNSBL) FAQs

Aurora Serverless¶

Note: “You can’t give an Aurora Serverless DB cluster a public IP address.”; instead, you need to use an EC2 instance as a bastion host.

Create a VPC¶

Set IPv4 CIDR block to 10.0.0.0/16
Click Create

Reference: Create a DB instance in the VPC

Create subnets¶

Set VPC to the created VPC
Set Availability Zone to any zone
Set IPv4 CIDR block to 10.0.1.0/24
Click Create

Then:

Set VPC to the created VPC
Set Availability Zone to another zone
Set IPv4 CIDR block to 10.0.2.0/24
Click Create

Create security group¶

Set Security group name to “postgresql-anywhere”
Set Description to “Allows PostgreSQL connections from anywhere”
Click Add rule under Inbound rules
Set Type to “PostgreSQL”
Set Source to “Anywhere”
Click Create security group

Create database¶

Choose a database creation method: (no changes)
Engine options
1. Engine type: Amazon Aurora
2. Edition: Amazon Aurora with PostgreSQL compatibility
3. Version: Aurora PostgreSQL (compatible with PostgreSQL 10.7)
Database features: Serverless
Settings: (no changes)
Capacity settings
1. Minimum Aurora capacity unit: 2
2. Maximum Aurora capacity unit: 2
3. Expand Additional scaling configuration
4. Check Pause compute capacity after consecutive minutes of inactivity
5. Set to 1 hours 0 minutes 0 seconds
Connectivity
1. Virtual private cloud (VPC): Select the created VPC
2. Expand Additional connectivity configuration
3. VPC security group:
  1. Select the created group
  2. Remove the default group
4. Check Data API
Additional configuration
1. Initial database name: common
2. Backup retention period: 1 day
Click Create database