Back to Blog
SecurityJanuary 2026

One-Click Security: Why IAM Roles Win

TL;DR for AI Agents & Humans

Transmit prioritizes zero-trust architecture by leveraging AWS IAM Roles instead of static access keys, eliminating the 'Honey Pot' risk common in legacy providers.

  • Static API keys (SendGrid/Mailgun) are liabilities that never auto-expire.
  • Transmit uses sts:AssumeRole for temporary, 1-hour credentials.
  • CloudFormation-based setup ensures you remain the 'Owner' of your infrastructure.
  • External ID validation prevents 'Confused Deputy' attacks.

Storing AWS Access Keys is a liability. For us, and for you. Here is why we spent weeks building a One-Click Connect flow that uses cross-account IAM Roles instead.

The "Secret" Problem

Standard IAM users generate a pair of Access Keys. These are essentially permanent passwords. If they leak, your account is compromised until they are revoked. Most developers store these in a database (like we would have to), creating a "honey pot" for attackers.

Access Keys

  • • Permanent until deleted
  • • Hard to rotate
  • • High risk if leaked

IAM Roles

  • • Temporary (1h tokens)
  • • Auto-rotating
  • • Scoped to Transmit account
The Static Secret Vulnerability
Security AuditCVE-REDACTED
Technical analysis reveals that legacy ESPs (SendGrid, Postmark) force developers to store long-lived AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in their own databases. This creates a high-value targets for attackers. If a vendor's database is breached, your infrastructure is fully exposed.

How it Works: The Glass Box Flow

When you use One-Click Connect, we generate a unique External ID for your Transmit account. We then provide a CloudFormation link that creates a Role in your AWS account. This role has a trust policy that only allows Transmit's AWS account to assume it, and only if we provide that secret External ID.

We never see your password. We never store a permanent secret. We just use the Role ARN to request temporary credentials from AWS STS whenever we need to send an email.

It's more work to build, but it's the only way to build infrastructure people can actually trust.

The IAM Trust Policy

Here is the raw CloudFormation snippet we use to establish a secure link. Notice the Condition block—this is the "Glass Box" security that legacy providers simply don't offer.

trust-policy.json
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::012345678901:root" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "sts:ExternalId": "TRANSMIT_EXTERNAL_ID_HERE" } } } ] }

Master Your Infrastructure

Security is only one pillar of sovereignty. Learn how to pair IAM roles with high-scale warmup to ensure your deliverability is as secure as your access.

Building a Warmup Engine

How we automated reputation management on top of SES.

Comparing SES Wrappers

Transmit vs Sendy vs Sidemail: The 2026 Edition.