Amazon Web Services (AWS)

Our default region is us-east-1 (N. Virginia). For large data transfer operations (like backups), use the closest region: for example, eu-west-2 (London) for Linode servers in the London datacenter.

Simple Email Service (SES)

Reference: Setting up Amazon Simple Email Service

Note

Dedicated IP addresses for Amazon SES are available. However, a dedicated IP address would take a long time to cultivate a sending reputation with our low volume. The shared IP addresses have good reputation. As described below, SPF, DKIM and Return-Path are configured to improve deliverability.

Verify a domain

  1. Go to SES’ Verified identities:

    1. Click Create identity

    2. Check Domain

    3. Enter the domain in Domain

    4. Expand Advanced DKIM settings

    5. Check Easy DKIM

    6. Check RSA_2048_BIT

    7. Click Create identity

  2. Go to GoDaddy’s DNS Management:

    1. Add the three CNAME records. Add the MX record if none exists.

      Note

      Omit .open-contracting.org from hostnames. GoDaddy appends it automatically.

    2. Add or update the SPF record

  3. Wait for the domain’s Identity status to become “Verified” on SES’ Verified identities

    Note

    AWS will notify you by email. Last time, it took a few minutes.

Reference: Creating (and verifying) a domain identity
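The DNS records added above are easy to get subtly wrong (a second SPF record, a mistyped DKIM target, a "+all" suffix), and SES will simply never report the identity as verified. The following Python check is an added example, not from the original page or from AWS: it inspects a domain's SPF record and its three Easy DKIM CNAMEs against the shape SES requires. The domain names, tokens and record values are constructed; a real run would fetch them with a DNS resolver instead of the inline dictionaries.

```python
import re

# Constructed sample DNS answers for illustration only (not real records).
# SES Easy DKIM publishes three CNAMEs of the form
# <token>._domainkey.<domain> -> <token>.dkim.amazonses.com, and the SPF
# record must include amazonses.com; the domains and tokens here are made up.
SAMPLE_TXT = {
    "good.example.org": ["v=spf1 include:amazonses.com include:_spf.google.com -all"],
    "duplicate.example.org": [
        "v=spf1 include:amazonses.com ~all",
        "v=spf1 include:_spf.google.com ~all",
    ],
    "permissive.example.org": ["v=spf1 include:amazonses.com +all"],
    "missing.example.org": ["google-site-verification=abc123"],
}
SAMPLE_CNAME = {
    "tok1._domainkey.good.example.org": "tok1.dkim.amazonses.com",
    "tok2._domainkey.good.example.org": "tok2.dkim.amazonses.com",
    "tok3._domainkey.good.example.org": "tok3.dkim.amazonses.com",
    # Mistyped target (GoDaddy appended the zone): this CNAME never verifies.
    "tok1._domainkey.bad.example.org": "tok1.dkim.amazonses.com",
    "tok2._domainkey.bad.example.org": "tok2.dkim.amazonses.com.bad.example.org",
}

# Mechanisms and modifiers that cost a DNS lookup (RFC 7208 section 4.6.4, limit 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _term_name(term):
    """'include:amazonses.com' -> 'include', '-all' -> 'all', 'redirect=x' -> 'redirect'."""
    return re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def check_spf(domain, txt=SAMPLE_TXT):
    """Return a list of problems with the domain's SPF record (empty list = OK)."""
    problems = []
    records = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not records:
        return ["no SPF record"]
    if len(records) > 1:
        problems.append("multiple SPF records; RFC 7208 requires exactly one")
    terms = records[0].split()[1:]
    if "include:amazonses.com" not in terms:
        problems.append("missing include:amazonses.com")
    lookups = sum(1 for t in terms if _term_name(t) in LOOKUP_TERMS)
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    if not terms or terms[-1] not in ("-all", "~all"):
        problems.append("record should end with -all or ~all")
    return problems


def check_easy_dkim(domain, cname=SAMPLE_CNAME):
    """Return problems with the three Easy DKIM CNAMEs for the domain (empty = OK)."""
    problems = []
    suffix = f"._domainkey.{domain}"
    names = [n for n in cname if n.endswith(suffix)]
    if len(names) != 3:
        problems.append(f"expected 3 DKIM CNAMEs, found {len(names)}")
    for name in names:
        token = name[: -len(suffix)]
        expected = f"{token}.dkim.amazonses.com"
        if cname[name] != expected:
            problems.append(f"{name} points to {cname[name]}, not {expected}")
    return problems


if __name__ == "__main__":
    for d in SAMPLE_TXT:
        print(d, "SPF:", check_spf(d) or "OK")
    for d in ("good.example.org", "bad.example.org"):
        print(d, "DKIM:", check_easy_dkim(d) or "OK")
```

The duplicate-record case matters most in practice: a second "v=spf1" TXT record makes receivers return permerror, which DMARC treats as an SPF failure, so "add or update the SPF record" above means editing the existing record rather than adding another.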

Verify an email address

  1. Go to SES’ Verified identities:

    1. Click Create identity

    2. Check Email address

    3. Enter the email address in Email address

    4. Click Create identity

  2. If the domain’s MX record points to AWS, go to SES’ Email receiving:

    1. Click Create rule set

    2. Enter a name in Rule set name (email-address-verification, for example)

    3. Click Create rule set

    4. Click the rule set’s name

    5. Click Create rule

    6. Enter a rule name in Rule name (deliver-to-s3-bucket, for example)

    7. Click Next

    8. Click Next

    9. Select “Deliver to S3 bucket” from the Add new action dropdown

    10. Click Create S3 bucket

    11. Enter a bucket name in Bucket name (ocp-aws-verification, for example)

    12. Click Create bucket

    13. Click Next

    14. Click Create rule

    15. Click Set as active

  3. If the domain’s MX record points to AWS, go to S3 (otherwise, check your email):

    1. Click the bucket name

    2. Click the long alphanumeric string (if there is none, double-check the earlier steps)

    3. Click Download

    4. Copy the URL in the downloaded file

    5. Open the URL in a web browser

  4. Check that the email address’ Identity status is “Verified” on SES’ Verified identities

  5. If the domain’s MX record points to AWS, cleanup:

    1. Set the rule set as inactive

Reference: Creating (and verifying) an email address identity

Use a MAIL FROM domain

Note

This optional step improves email deliverability. The MAIL FROM domain is also known as the Return-Path address.

  1. Refer to Using a custom MAIL FROM domain

  2. Check that the verified identity’s MAIL FROM configuration is “Successful”

Create SMTP credentials

Note

You only need to do this once per AWS region.

  1. Go to SES’ SMTP Settings:

    1. Click Create SMTP credentials

    2. Enter a user name in IAM User Name

    3. Click Create

    4. Click Download Credentials

    5. Click Close

Reference: Obtaining Amazon SES SMTP credentials

Set up basic notifications

  1. Go to SNS’ Topics:

    1. Click Create topic

    2. Set Type to Standard

    3. Enter a hyphenated address in Name (data-open-contracting-org, for example)

    4. Click Create topic

  2. Click Create subscription:

    1. Select “Email” from the Protocol dropdown

    2. Enter an email address in Endpoint

    3. Click Create subscription

  3. Click the email address on SES’ Verified identities:

    1. Click the Notifications tab

    2. Click Edit in the Feedback notifications section

    3. Select the created topic from the Bounce feedback dropdown

    4. Check the Include original email headers box

    5. Select the created topic from the Complaint feedback dropdown

    6. Check the Include original email headers box

    7. Click Save changes

Reference: Configuring Amazon SNS notifications for Amazon SES

Set up advanced notifications

  1. Go to SES’ Configuration sets:

    1. Click Create set

    2. Enter a name in Configuration set name (credere, for example)

    3. Click Create set

  2. Click the configuration set’s name

  3. Click the Event destinations tab

  4. Click Add destination:

    1. Check:

      • Rendering failures, if using email templates

      • Rejects

      • Delivery delays

      Do not check, to avoid unnecessary notifications:

      • Sends

      • Deliveries (same as Delivery feedback above)

      • Hard bounces (same as Bounce feedback above)

      • Complaints (same as Complaint feedback above)

      • Subscriptions

    2. Click Next

    3. Check Amazon SES

    4. Enter a name in Name (credere-noreply-open-contracting-org, for example)

    5. Select the SNS topic for basic notifications from the SNS topic dropdown

    6. Click Next

    7. Click Add destination

  5. Go to SNS’ Subscriptions:

    1. Click Create subscription

    2. Select the SNS topic from the Topic ARN dropdown

    3. Select “Email” from the Protocol dropdown

    4. Enter the subscriber’s email address in Endpoint

    5. Click Create subscription

  6. Wait for the email to confirm the subscription

Check DMARC compliance

Check DMARC compliance by sending an email through SES.

Note

SES adds an extra DKIM signature (“The extra DKIM signature, which contains d=amazonses.com, is automatically added by Amazon SES. You can ignore it”). It is not aligned, but according to RFC 7489, “a single email can contain multiple DKIM signatures, and it is considered to be a DMARC ‘pass’ if any DKIM signature is aligned and verifies.”
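To see why the extra amazonses.com signature can be ignored, the following Python example (added here; not from the original page or from AWS) evaluates DMARC identifier alignment the way RFC 7489 describes it: a message passes if any verified DKIM signature is aligned with the From domain, or if SPF passes for an aligned domain. The example.org domain, the d= values and the SPF verdicts are constructed, and the organizational-domain helper is simplified to the last two labels instead of consulting the Public Suffix List.

```python
# Constructed sample: a message sent through SES from example.org (assumed
# domain) with a custom MAIL FROM subdomain. The d= values and SPF results
# are what a receiver's Authentication-Results header would report.
SAMPLE_FROM = "example.org"
SAMPLE_DKIM = [("example.org", True), ("amazonses.com", True)]  # second one is SES's own
SAMPLE_SPF = ("bounce.example.org", "pass")  # custom MAIL FROM (Return-Path) domain


def organizational_domain(fqdn):
    """Approximate the organizational domain as the last two labels.

    Simplification (assumption): real DMARC evaluation uses the Public Suffix
    List, so a domain like example.co.uk would need three labels.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(domain, from_domain, mode):
    """DMARC identifier alignment: 's' = strict (exact match), 'r' = relaxed."""
    if mode == "s":
        return domain.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return organizational_domain(domain) == organizational_domain(from_domain)


def evaluate_dmarc(from_domain, dkim_results, spf_result, adkim="r", aspf="r"):
    """Return (verdict, reasons) for one message.

    dkim_results: list of (d= domain, signature verified?) tuples, one per signature.
    spf_result:   (domain SPF was checked against, "pass"/"fail"/...).
    adkim/aspf:   alignment modes from the DMARC record ("r" relaxed, "s" strict).
    """
    reasons = []
    dkim_pass = False
    for d, verified in dkim_results:
        if not verified:
            reasons.append(f"DKIM d={d}: signature did not verify")
        elif not aligned(d, from_domain, adkim):
            reasons.append(f"DKIM d={d}: verifies but is not aligned, ignored")
        else:
            reasons.append(f"DKIM d={d}: verified and aligned")
            dkim_pass = True
    spf_domain, spf_verdict = spf_result
    spf_aligned = aligned(spf_domain, from_domain, aspf)
    spf_pass = spf_verdict == "pass" and spf_aligned
    reasons.append(f"SPF {spf_domain}: {spf_verdict}, aligned={spf_aligned}")
    return ("pass" if dkim_pass or spf_pass else "fail"), reasons


if __name__ == "__main__":
    verdict, why = evaluate_dmarc(SAMPLE_FROM, SAMPLE_DKIM, SAMPLE_SPF)
    print(verdict)
    for line in why:
        print(" ", line)
    # Without a verified domain identity and custom MAIL FROM, only SES's own
    # identifiers remain and nothing aligns with the From domain.
    print(evaluate_dmarc(SAMPLE_FROM, [("amazonses.com", True)], ("amazonses.com", "pass"))[0])
```

The second call in the usage block is the case the MAIL FROM step above prevents: with the default Return-Path at amazonses.com and no domain DKIM, both identifiers belong to Amazon rather than to the sending domain, so DMARC fails even though SPF and DKIM individually pass.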

Debug delivery issues

Bounces and complaints are sent to the subscribed address. The relevant properties of the notification message are:
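The subscribed address receives each bounce or complaint as a JSON document (the SNS message body). As an added example, not from the original page or from AWS, the Python below parses that document into the fields needed to act on it: who bounced, whether the bounce is permanent, the original subject (available only because "Include original email headers" was checked above), and whether the recipient should be removed from future sends. The two sample notifications are constructed in the field layout documented in the SES developer guide; the addresses, ids and timestamps are made up.

```python
import json

# Constructed samples in the Amazon SES notification layout; all values are made up.
SAMPLE_BOUNCE = json.dumps({
    "notificationType": "Bounce",
    "bounce": {
        "bounceType": "Permanent",
        "bounceSubType": "General",
        "bouncedRecipients": [
            {"emailAddress": "nobody@example.net", "status": "5.1.1",
             "diagnosticCode": "smtp; 550 5.1.1 user unknown"}
        ],
        "timestamp": "2024-01-01T00:00:00.000Z",
        "feedbackId": "constructed-feedback-id",
    },
    "mail": {
        "messageId": "constructed-message-id",
        "source": "noreply@example.org",
        "destination": ["nobody@example.net"],
        "headers": [{"name": "Subject", "value": "Your report"}],
    },
})
SAMPLE_COMPLAINT = json.dumps({
    "notificationType": "Complaint",
    "complaint": {
        "complainedRecipients": [{"emailAddress": "someone@example.net"}],
        "complaintFeedbackType": "abuse",
        "timestamp": "2024-01-01T00:00:00.000Z",
        "feedbackId": "constructed-feedback-id",
    },
    "mail": {
        "messageId": "constructed-message-id",
        "source": "noreply@example.org",
        "destination": ["someone@example.net"],
    },
})


def summarize_notification(raw):
    """Reduce an SES notification to the properties needed to debug delivery."""
    n = json.loads(raw)
    kind = n["notificationType"]
    mail = n.get("mail", {})
    subject = next((h["value"] for h in mail.get("headers", [])
                    if h["name"].lower() == "subject"), None)
    summary = {
        "kind": kind,
        "source": mail.get("source"),
        "message_id": mail.get("messageId"),
        "subject": subject,
        "recipients": [],
        "reason": "",
        "suppress": False,  # stop sending to these recipients?
    }
    if kind == "Bounce":
        b = n["bounce"]
        recipients = b["bouncedRecipients"]
        summary["recipients"] = [r["emailAddress"] for r in recipients]
        summary["reason"] = f"{b['bounceType']}/{b['bounceSubType']}: " + "; ".join(
            r.get("diagnosticCode", "no diagnostic code") for r in recipients)
        # Transient bounces (mailbox full, greylisting) may succeed on retry;
        # permanent ones will not, and repeating them harms sender reputation.
        summary["suppress"] = b["bounceType"] == "Permanent"
    elif kind == "Complaint":
        c = n["complaint"]
        summary["recipients"] = [r["emailAddress"] for r in c["complainedRecipients"]]
        summary["reason"] = "complaint: " + c.get("complaintFeedbackType", "unspecified")
        summary["suppress"] = True  # the recipient marked the mail as spam
    elif kind == "Delivery":
        summary["recipients"] = n["delivery"]["recipients"]
    return summary


if __name__ == "__main__":
    for raw in (SAMPLE_BOUNCE, SAMPLE_COMPLAINT):
        print(json.dumps(summarize_notification(raw), indent=2))
```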

Disable account-level suppression list

Note

This optional step can negatively affect sender reputation.

Reference: Disabling the account-level suppression list

Move out of sandbox

Note

You only need to do this once per AWS account.

Reference: Moving out of the Amazon SES sandbox

Relational Database Service (RDS)

Note

This configuration is for data analysis, where it is acceptable for the data to be lost.

  1. Go to RDS’ Databases

  2. Click Create database

    1. Set Engine type to “PostgreSQL”

    2. Set Version to the latest version

    3. Set Templates to “Free tier”

    4. Check Auto generate a password

    5. Set DB instance class to “db.t3.micro”

    6. Uncheck Enable storage autoscaling

    7. Set Public access to “Yes”

    8. Add “postgresql-anywhere” to Existing VPC security groups

    9. Remove “default” from Existing VPC security groups

    10. Expand Additional configuration

    11. Uncheck Enable automated backups

    12. Uncheck Enable encryption

    13. Uncheck Turn on Performance Insights

    14. Click Create database

  3. Wait for the database to be created

  4. Click View connection details

Amazon S3

Create bucket

  1. Go to Amazon S3 Buckets

  2. Click Create bucket

    1. Enter a Bucket name (ocp-redmine-backup, for example)

    2. Set AWS Region to the nearest region to the server

    3. Click Create bucket

  3. Click the created bucket

If the bucket is for server backups:

  1. Click Management

  2. Click Create lifecycle rule

    1. Lifecycle rule name: delete-after-30-days

    2. Choose a rule scope: Apply to all objects in the bucket

    3. Check I acknowledge that this rule will apply to all objects in the bucket.

    4. Check Expire current versions of objects

    5. Check Delete expired object delete markers or incomplete multipart uploads

    6. Days after object creation: 30

    7. Check Delete incomplete multipart uploads

    8. Number of days: 7

  3. Click Create rule

Identity and Access Management (IAM)

Create a backup policy

  1. Go to IAM Policies

  2. Click Create policy

    1. Click the JSON tab and paste the content below, replacing BUCKET_NAME:

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "s3:ListBucket"
                  ],
                  "Resource": [
                      "arn:aws:s3:::BUCKET_NAME"
                  ]
              },
              {
                  "Effect": "Allow",
                  "Action": [
                      "s3:PutObject",
                      "s3:GetObject",
                      "s3:DeleteObject"
                  ],
                  "Resource": [
                      "arn:aws:s3:::BUCKET_NAME/*"
                  ]
              }
          ]
      }
      
    2. Click Next: Tags

    3. Click Next: Review

    4. Enter a Name (redmine-backup, for example)

    5. Click Create policy
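The policy above is deliberately narrow: one bucket, four actions, with the bucket-level action on the bucket ARN and the object-level actions on the bucket's objects. The Python below is an added example, not from the original page or from AWS, that checks a policy document against exactly that shape before it is attached, catching the usual drift (a wildcard action, a resource in another bucket, the BUCKET_NAME placeholder left in place, or ListBucket put on the wrong ARN). The policy template is the one on the page; the bucket name and the over-broad variant are constructed.

```python
import json

# Actions the backup user needs, split by which ARN they must be granted on.
BUCKET_ACTIONS = {"s3:ListBucket"}                                      # on arn:aws:s3:::bucket
OBJECT_ACTIONS = {"s3:PutObject", "s3:GetObject", "s3:DeleteObject"}    # on arn:aws:s3:::bucket/*

# The page's policy, with the placeholder still present; render() fills it in.
POLICY_TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::BUCKET_NAME"]},
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
         "Resource": ["arn:aws:s3:::BUCKET_NAME/*"]},
    ],
}
# Constructed over-broad variant of the kind that creeps in when "it didn't work".
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::*"}],
})


def render(bucket):
    return json.dumps(POLICY_TEMPLATE).replace("BUCKET_NAME", bucket)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_backup_policy(policy_json, bucket):
    """Return a list of problems; an empty list means the policy matches the expected shape."""
    policy = json.loads(policy_json)
    bucket_arn = f"arn:aws:s3:::{bucket}"
    problems, granted = [], set()
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access and are not checked here
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        for a in actions:
            if "*" in a:
                problems.append(f"statement {i}: wildcard action {a}")
            elif a not in BUCKET_ACTIONS | OBJECT_ACTIONS:
                problems.append(f"statement {i}: unexpected action {a}")
            granted.add(a)
        for r in resources:
            if "BUCKET_NAME" in r:
                problems.append(f"statement {i}: placeholder BUCKET_NAME not replaced")
            elif r not in (bucket_arn, bucket_arn + "/*"):
                problems.append(f"statement {i}: resource {r} is outside bucket {bucket}")
        # s3:ListBucket only works on the bucket ARN; object actions only on ARN/*.
        if set(actions) & OBJECT_ACTIONS and bucket_arn + "/*" not in resources:
            problems.append(f"statement {i}: object actions need {bucket_arn}/*")
        if set(actions) & BUCKET_ACTIONS and bucket_arn not in resources:
            problems.append(f"statement {i}: s3:ListBucket needs {bucket_arn}")
    missing = (BUCKET_ACTIONS | OBJECT_ACTIONS) - granted
    if missing:
        problems.append("missing actions: " + ", ".join(sorted(missing)))
    return problems


if __name__ == "__main__":
    print(check_backup_policy(render("ocp-redmine-backup"), "ocp-redmine-backup") or "OK")
    print(check_backup_policy(BROAD_POLICY, "ocp-redmine-backup"))
    print(check_backup_policy(json.dumps(POLICY_TEMPLATE), "ocp-redmine-backup"))
```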

Create a backup user

  1. Go to IAM Users

  2. Click Add Users

    1. Enter a User name (redmine-backup, for example)

    2. Check Access key - Programmatic access

    3. Click Next: Permissions

    4. Click Attach existing policies directly

      Note

      Alternatively, create a group, attach the policy to the group, and add the user to the group.

    5. Search for and check the policy above

    6. Click Next: Tags

    7. Click Next: Review

    8. Click Create user

    9. Add the Access key ID and Secret access key to the service’s Pillar file