The aws:ses/configurationSet:ConfigurationSet resource, part of the Pulumi AWS provider, defines an SES configuration set that groups email sending settings and enables event tracking. This guide focuses on three capabilities: creating named configuration sets, enforcing TLS transport security, and customizing click tracking domains.
Configuration sets are referenced by SES sending operations and may require DNS records for custom tracking domains. The examples are intentionally small. Combine them with your own event destinations and sending infrastructure.
Create a configuration set with a name
SES configuration sets group email sending settings and enable event tracking for analytics and compliance.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const test = new aws.ses.ConfigurationSet("test", {name: "some-configuration-set-test"});
import pulumi
import pulumi_aws as aws
test = aws.ses.ConfigurationSet("test", name="some-configuration-set-test")
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/ses"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := ses.NewConfigurationSet(ctx, "test", &ses.ConfigurationSetArgs{
Name: pulumi.String("some-configuration-set-test"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var test = new Aws.Ses.ConfigurationSet("test", new()
{
Name = "some-configuration-set-test",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.ses.ConfigurationSet;
import com.pulumi.aws.ses.ConfigurationSetArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var test = new ConfigurationSet("test", ConfigurationSetArgs.builder()
.name("some-configuration-set-test")
.build());
}
}
resources:
test:
type: aws:ses:ConfigurationSet
properties:
name: some-configuration-set-test
The name property establishes a unique identifier that sending operations reference. Without additional configuration, the set uses SES defaults: optional TLS, no custom tracking domain, and sending enabled.
Enforce TLS for all outbound email
Organizations with security requirements often mandate encrypted transport to prevent email interception.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const test = new aws.ses.ConfigurationSet("test", {
name: "some-configuration-set-test",
deliveryOptions: {
tlsPolicy: "Require",
},
});
import pulumi
import pulumi_aws as aws
test = aws.ses.ConfigurationSet("test",
name="some-configuration-set-test",
delivery_options={
"tls_policy": "Require",
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/ses"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := ses.NewConfigurationSet(ctx, "test", &ses.ConfigurationSetArgs{
Name: pulumi.String("some-configuration-set-test"),
DeliveryOptions: &ses.ConfigurationSetDeliveryOptionsArgs{
TlsPolicy: pulumi.String("Require"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var test = new Aws.Ses.ConfigurationSet("test", new()
{
Name = "some-configuration-set-test",
DeliveryOptions = new Aws.Ses.Inputs.ConfigurationSetDeliveryOptionsArgs
{
TlsPolicy = "Require",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.ses.ConfigurationSet;
import com.pulumi.aws.ses.ConfigurationSetArgs;
import com.pulumi.aws.ses.inputs.ConfigurationSetDeliveryOptionsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var test = new ConfigurationSet("test", ConfigurationSetArgs.builder()
.name("some-configuration-set-test")
.deliveryOptions(ConfigurationSetDeliveryOptionsArgs.builder()
.tlsPolicy("Require")
.build())
.build());
}
}
resources:
test:
type: aws:ses:ConfigurationSet
properties:
name: some-configuration-set-test
deliveryOptions:
tlsPolicy: Require
The deliveryOptions block controls transport security. Setting tlsPolicy to “Require” forces SES to reject delivery attempts to mail servers that don’t support TLS, ensuring all messages travel over encrypted connections.
Redirect link tracking to a custom domain
Email campaigns track link clicks by rewriting URLs. By default, SES uses Amazon-operated domains for redirects, but you can customize the domain to match your brand.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const test = new aws.ses.ConfigurationSet("test", {
name: "some-configuration-set-test",
trackingOptions: {
customRedirectDomain: "sub.example.com",
},
});
import pulumi
import pulumi_aws as aws
test = aws.ses.ConfigurationSet("test",
name="some-configuration-set-test",
tracking_options={
"custom_redirect_domain": "sub.example.com",
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/ses"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := ses.NewConfigurationSet(ctx, "test", &ses.ConfigurationSetArgs{
Name: pulumi.String("some-configuration-set-test"),
TrackingOptions: &ses.ConfigurationSetTrackingOptionsArgs{
CustomRedirectDomain: pulumi.String("sub.example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var test = new Aws.Ses.ConfigurationSet("test", new()
{
Name = "some-configuration-set-test",
TrackingOptions = new Aws.Ses.Inputs.ConfigurationSetTrackingOptionsArgs
{
CustomRedirectDomain = "sub.example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.ses.ConfigurationSet;
import com.pulumi.aws.ses.ConfigurationSetArgs;
import com.pulumi.aws.ses.inputs.ConfigurationSetTrackingOptionsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var test = new ConfigurationSet("test", ConfigurationSetArgs.builder()
.name("some-configuration-set-test")
.trackingOptions(ConfigurationSetTrackingOptionsArgs.builder()
.customRedirectDomain("sub.example.com")
.build())
.build());
}
}
resources:
test:
type: aws:ses:ConfigurationSet
properties:
name: some-configuration-set-test
trackingOptions:
customRedirectDomain: sub.example.com
The trackingOptions block specifies a custom redirect domain for click tracking. When recipients click links in your emails, they’re redirected through your subdomain before reaching the destination. You must configure DNS records for the custom domain before SES can use it.
Beyond these examples
These snippets focus on specific configuration set features: configuration set naming, TLS enforcement, and custom click tracking domains. They’re intentionally minimal rather than full email sending systems.
The examples may reference pre-existing infrastructure such as DNS records for custom redirect domains. They focus on configuring the set rather than provisioning event destinations or sending infrastructure.
To keep things focused, common configuration set patterns are omitted, including:
- Reputation metrics publishing (reputationMetricsEnabled)
- Sending enable/disable controls (sendingEnabled)
- Event destinations (CloudWatch, Kinesis Firehose, SNS)
- IP pool assignment
These omissions are intentional: the goal is to illustrate how each configuration set feature is wired, not provide drop-in email modules. See the SES ConfigurationSet resource reference for all available configuration options.
Let's create AWS SES Configuration Sets
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Configuration & Lifecycle
name property is immutable. Changing it requires replacing the entire resource.sendingEnabled is true (email sending is active) and reputationMetricsEnabled is false (CloudWatch metrics are disabled).Email Delivery & Security
deliveryOptions with tlsPolicy set to "Require" to enforce TLS connections.sendingEnabled to false to disable email sending while keeping the configuration set active.Monitoring & Tracking
trackingOptions is not guaranteed to work reliably in all scenarios.reputationMetricsEnabled to true to publish bounce and complaint rates to Amazon CloudWatch.Using a different cloud?
Explore integration guides for other cloud providers: