**Option 1: AwsCustomResource (recommended)**

Use:

```ts
import { AwsCustomResource, AwsCustomResourcePolicy, PhysicalResourceId } from "aws-cdk-lib/custom-resources";
import * as iam from "aws-cdk-lib/aws-iam";
import * as ses from "aws-cdk-lib/aws-ses";

// In the Email Account stack:
const dnsAccountRoleArn = "arn:aws:iam::DNS_ACCOUNT_ID:role/AllowRoute53CnameUpdates";

const sesIdentity = new ses.EmailIdentity(this, "Identity", {
  identity: ses.Identity.domain("example.com"),
});

// SES Easy DKIM generates 3 CNAME records. EmailIdentity exposes them as
// dkimRecords (the same values as dkimDnsTokenName1/dkimDnsTokenValue1 ... 3).
sesIdentity.dkimRecords.forEach((record, index) => {
  const i = index + 1;
  // One UPSERT per token, executed in the DNS account via the assumed role.
  const upsert = {
    service: "Route53",
    action: "changeResourceRecordSets",
    parameters: {
      HostedZoneId: "DNS_ACCOUNT_HOSTED_ZONE_ID",
      ChangeBatch: {
        Changes: [{
          Action: "UPSERT",
          ResourceRecordSet: {
            Name: record.name,
            Type: "CNAME",
            TTL: 300,
            ResourceRecords: [{ Value: record.value }],
          },
        }],
      },
    },
    physicalResourceId: PhysicalResourceId.of(`ses-dkim-${i}`),
    assumedRoleArn: dnsAccountRoleArn,
  };
  new AwsCustomResource(this, `DkimRecord${i}`, {
    onCreate: upsert,
    onUpdate: upsert, // re-run on stack updates so a changed token is applied
    // No onDelete: the CNAMEs stay in the zone when this stack is destroyed.
    // The custom resource's Lambda only needs to assume the DNS-account role;
    // that role's own policy scopes route53:ChangeResourceRecordSets to the zone.
    policy: AwsCustomResourcePolicy.fromStatements([
      new iam.PolicyStatement({ actions: ["sts:AssumeRole"], resources: [dnsAccountRoleArn] }),
    ]),
  });
});
```

**Option 2: Separate stack in the DNS account**

Deploy a small CDK stack in the DNS account that reads the DKIM tokens from SSM Parameter Store (written by the Email Account stack) and creates the Route53 records natively.

**IAM role in DNS account**

Whichever approach you use, create this role in the DNS account:

```ts
import * as iam from "aws-cdk-lib/aws-iam";

// In the DNS Account stack:
new iam.Role(this, "AllowRoute53CnameUpdates", {
  // Explicit name so the ARN the Email Account stack assumes is stable.
  roleName: "AllowRoute53CnameUpdates",
  // Trusts any principal in the Email Account; narrow to the custom
  // resource's Lambda role ARN once it is known if you want least privilege.
  assumedBy: new iam.AccountPrincipal("EMAIL_ACCOUNT_ID"),
  inlinePolicies: {
    route53: new iam.PolicyDocument({
      statements: [new iam.PolicyStatement({
        // Scoped to the one hosted zone; this still permits any record type
        // in that zone, so review changes from this role in CloudTrail.
        actions: ["route53:ChangeResourceRecordSets"],
        resources: ["arn:aws:route53:::hostedzone/HOSTED_ZONE_ID"],
      })],
    }),
  },
});
```

Reference: SES DKIM verification
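As an added example, not code from the reply above or from CDK itself: plain TypeScript helpers that build the Route 53 ChangeBatch for the three SES DKIM tokens in one call and check a zone's record sets against what SES expects. The record shapes assume Route 53's ChangeResourceRecordSets and ListResourceRecordSets API; the tokens and zone contents are constructed.

```typescript
// Added example (not from the discussion above): pure helpers for Option 1's cross-account DKIM records.
// Shapes follow Route 53's ChangeResourceRecordSets / ListResourceRecordSets API; sample data is constructed.
interface DkimRecord { name: string; value: string } // same shape as ses.EmailIdentity.dkimRecords
interface ResourceRecordSet { Name: string; Type: string; TTL?: number; ResourceRecords?: { Value: string }[] }

// DNS names compare case-insensitively and Route 53 returns them with a trailing dot.
function normalizeName(name: string): string {
  return name.toLowerCase().replace(/\.$/, "");
}

// Build one ChangeBatch that UPSERTs all three SES Easy DKIM CNAMEs (one API call instead of three).
function buildDkimChangeBatch(records: DkimRecord[], ttl = 300) {
  if (records.length !== 3) {
    throw new Error(`SES Easy DKIM issues exactly 3 CNAME tokens, got ${records.length}`);
  }
  return {
    Comment: "SES Easy DKIM CNAME records",
    Changes: records.map((r) => ({
      Action: "UPSERT",
      ResourceRecordSet: { Name: r.name, Type: "CNAME", TTL: ttl, ResourceRecords: [{ Value: r.value }] },
    })),
  };
}

// Post-deployment check: what SES expects versus what the DNS account's zone actually holds.
function checkDkimRecords(expected: DkimRecord[], zone: ResourceRecordSet[]): string[] {
  const byName = new Map(zone.map((rr): [string, ResourceRecordSet] => [normalizeName(rr.Name), rr]));
  const problems: string[] = [];
  for (const rec of expected) {
    const rr = byName.get(normalizeName(rec.name));
    if (!rr) { problems.push(`missing: ${rec.name}`); continue; }
    if (rr.Type !== "CNAME") { problems.push(`${rec.name}: type ${rr.Type}, expected CNAME`); continue; }
    const values = (rr.ResourceRecords ?? []).map((v) => normalizeName(v.Value));
    if (values.length !== 1 || values[0] !== normalizeName(rec.value)) {
      problems.push(`${rec.name}: value [${values.join(",")}], expected ${rec.value}`);
    }
  }
  return problems; // empty when every token is present and correct
}

// Constructed sample: tokens as SES would report them; the zone has one stale value and one missing record.
const SAMPLE_TOKENS: DkimRecord[] = [
  { name: "tok1._domainkey.example.com", value: "tok1.dkim.amazonses.com" },
  { name: "tok2._domainkey.example.com", value: "tok2.dkim.amazonses.com" },
  { name: "tok3._domainkey.example.com", value: "tok3.dkim.amazonses.com" },
];
const SAMPLE_ZONE: ResourceRecordSet[] = [
  { Name: "tok1._domainkey.example.com.", Type: "CNAME", TTL: 300, ResourceRecords: [{ Value: "tok1.dkim.amazonses.com" }] },
  { Name: "TOK2._domainkey.example.com.", Type: "CNAME", TTL: 300, ResourceRecords: [{ Value: "stale.dkim.amazonses.com" }] },
];
```

Feed `checkDkimRecords` the real values from `ses.EmailIdentity.dkimRecords` and a `ListResourceRecordSets` response to confirm the cross-account UPSERTs landed before waiting on SES verification.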
I have two AWS accounts:
To verify the SES email identity in the Email Account, I need to add DKIM CNAME records to the Route 53 hosted zone in the DNS Account.
Problem: CDK's CrossAccountZoneDelegationRecord only supports NS records for zone delegation, not CNAME records for SES verification.
How can I programmatically create SES verification CNAME records in the DNS Account's hosted zone from my Email Account's CDK stack?