Can I authorise a customer account to send email using my SES account?

If the emails your customers will be sending are to you (that is, to your verified/verifiable identities in SES), the message volumes are low, and associated costs would be correspondingly modest and perhaps not notable enough to allocate to your customers, would it be a an option for the customer accounts simply to remain in sandbox mode? That would still allow them to send 200 emails per day to verified identities.

Alternatively, would it be possible to allow them to assume a role or roles in your production account, if they're using the REST API to send the mails, or the static username/password derived from the access keys of an IAM user in your account, if they need to use SMTP? You could use the ses:FromAddress and/or ses:Recipients request context condition keys (https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonses.html) to limit the permissions of the role/user to sending emails just to you, despite your production account otherwise having broader sending privileges.

Some really interesting ideas there, thanks!

I remembered another use case I need to cater for - each of their users need to be able to request their lambda to email them any data it's collected (saved in dynamoDB). So I guess I could have all of their email addresses verified, then they could stay in the sandbox and make do with 200 requests per day.

I suspect the simplest solution is for their lambda to collect all the data into a raw email then assume a role in my production account that allows it to use SES to send that to the requestor. I'll have to work out some way to do the reporting/accounting, maybe out of the cloudwatch logs or something.

Thanks!

David