diff --git a/docker-compose/email/local.env.dist b/docker-compose/email/local.env.dist
index eb1fbbb8..ad868833 100644
--- a/docker-compose/email/local.env.dist
+++ b/docker-compose/email/local.env.dist
@@ -1,3 +1,5 @@
+AWS_ACCESS_KEY_ID=
+AWS_SECRET_ACCESS_KEY=
 MAILER_USEFILES=
 MAILER_HOST=
 MAILER_USERNAME=
diff --git a/terraform/031-email-service/README.md b/terraform/031-email-service/README.md
index 43ca1950..c84c2f6f 100644
--- a/terraform/031-email-service/README.md
+++ b/terraform/031-email-service/README.md
@@ -6,6 +6,7 @@ This module is used to create an ECS service running email-service.
 - Create task definition and ECS service for email-service API
 - Create task definition and ECS service for email-service cron
 - Create Cloudflare DNS record
+ - Create ECS task role to send email via SES
 ## Required Inputs
@@ -23,9 +24,6 @@ This module is used to create an ECS service running email-service.
 - `idp_name` - Short name of IdP for use in logs and email alerts
 - `internal_alb_dns_name` - DNS name for the IdP-in-a-Box's internal Application Load Balancer
 - `internal_alb_listener_arn` - ARN for the IdP-in-a-Box's internal ALB's listener
- - `mailer_host` - SMTP hostname
- - `mailer_password` - SMTP password
- - `mailer_username` - SMTP username
 - `mysql_host` - Address for RDS instance
 - `mysql_pass` - MySQL password for email-service
 - `mysql_user` - MySQL username for email-service
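Review bot: The two new keys in local.env.dist carry no comment saying what they are for, and a reader of this diff cannot tell whether they must also be populated in ECS, where the new `aws_iam_role.ses` task role is what supplies SES credentials. Static keys set in a deployed container's environment would generally take precedence over the task role in the SDK credential chain, so it is worth stating that they are for local development only. Suggested comment above the two lines, assuming the env file format accepts `#` comments: `# AWS credentials for local SES testing only; leave empty in ECS so the task role is used`.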
@@ -44,6 +42,9 @@ This module is used to create an ECS service running email-service.
 - `email_queue_batch_size` - How many queued emails to process per run
 - `enable_cron` - Set to false to disable the cron instance
 - `from_name` - Name to use when sending emails
+ - `mailer_host` - SMTP hostname
+ - `mailer_password` - SMTP password
+ - `mailer_username` - SMTP username
 - `mailer_usefiles` - Whether or not YiiMailer should write to files instead of sending emails
 - `memory_api` - Memory (RAM) resources to allot to each API instance
 - `memory_cron` - Memory (RAM) resources to allot to the cron instance
diff --git a/terraform/031-email-service/main.tf b/terraform/031-email-service/main.tf
index f3204753..c73f97f1 100644
--- a/terraform/031-email-service/main.tf
+++ b/terraform/031-email-service/main.tf
@@ -50,6 +50,52 @@ resource "random_id" "access_token_idsync" {
 byte_length = 16
 }
+/*
+ * Create role for access to SES
+ */
+resource "aws_iam_role" "ses" {
+ name = "ses-${var.idp_name}-${var.app_name}-${var.app_env}-${var.aws_region}"
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Sid = "ECSAssumeRoleSES"
+ Effect = "Allow"
+ Principal = {
+ Service = [
+ "ses.amazonaws.com",
+ "ecs-tasks.amazonaws.com",
+ ]
+ }
+ Action = "sts:AssumeRole"
+ }
+ ]
+ })
+}
+resource "aws_iam_role_policy" "ses" {
+ name = "ses"
+ role = aws_iam_role.ses.id
+ policy = jsonencode(
+ {
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Sid = "SendEmail"
+ Effect = "Allow"
+ Action = "ses:SendEmail"
+ Resource = "*"
+ Condition = {
+ StringEquals = {
+ "ses:FromAddress" = var.from_email
+ }
+ }
+ }
+ ]
+ })
+}
 /*
 * Create ECS services
 */
@@ -92,6 +138,7 @@ module "ecsservice_api" {
 container_def_json = local.task_def_api
 desired_count = var.desired_count_api
 tg_arn = aws_alb_target_group.email.arn
+ task_role_arn = aws_iam_role.ses.arn
 lb_container_name = "api"
 lb_container_port = "80"
 }
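Review bot: The trust policy on `aws_iam_role.ses` also names `ses.amazonaws.com` as a principal, but only the two ECS tasks assume this role (via the `task_role_arn` lines in the following hunks); nothing in the change has SES itself assume it, so that entry only widens who may assume the role and should be dropped, leaving `Service = "ecs-tasks.amazonaws.com"`. The `Sid` "ECSAssumeRoleSES" already describes that single intended principal, and an `aws:SourceAccount` condition on the ecs-tasks trust is the usual extra guard if one is wanted. The permission policy's `Resource = "*"` is reasonably bounded by the `ses:FromAddress` condition, though it could be tightened further to the verified identity's ARN. Whether `ses:SendEmail` alone suffices depends on how email-service talks to SES — transports that build the MIME message themselves call `ses:SendRawEmail` instead — and that code is not part of this diff.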
@@ -130,6 +177,7 @@ module "ecsservice_cron" {
 service_name = "${var.idp_name}-${var.app_name}-cron"
 service_env = var.app_env
 container_def_json = local.task_def_cron
+ task_role_arn = aws_iam_role.ses.arn
 desired_count = var.enable_cron ? 1 : 0
 }
diff --git a/terraform/031-email-service/vars.tf b/terraform/031-email-service/vars.tf
index fa0d4d00..5e6555d0 100644
--- a/terraform/031-email-service/vars.tf
+++ b/terraform/031-email-service/vars.tf
@@ -91,20 +91,27 @@ variable "internal_alb_listener_arn" {
 }
 variable "mailer_host" {
- type = string
+ description = "SMTP hostname - if omitted, SES will be used"
+ type = string
+ default = ""
 }
 variable "mailer_password" {
- type = string
+ description = "password, used with mailer_username for authentication to SMTP server"
+ type = string
+ default = ""
 }
 variable "mailer_usefiles" {
- type = string
- default = "false"
+ description = "Controls whether YiiMailer should write to files instead of sending emails"
+ type = string
+ default = "false"
 }
 variable "mailer_username" {
- type = string
+ description = "username, used with mailer_password for authentication to SMTP server"
+ type = string
+ default = ""
 }
 variable "memory_api" {
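Review bot: `variable "mailer_password"` gains a description and an empty default but is still not marked sensitive, so its value can continue to appear in plain text in plan and apply output; if the pinned Terraform version is 0.14 or later, `sensitive = true` on that variable is the one-line fix. The `mailer_host` description, "SMTP hostname - if omitted, SES will be used", names a fallback that presumably happens inside email-service rather than in this module, so saying which side makes that choice would help the next reader, e.g. `description = "SMTP hostname; when empty, email-service is expected to fall back to SES using the task role"`. The same empty-default change applies to `mailer_username`, which needs no further note.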