Amazon Internal Setup

Setup guides for Amazonians using internal infrastructure (SuperNova domains, ADA credentials, internal Slack workspaces). For general setup, see Getting Started and Slack Bot Tutorial.

AWS Credentials (ADA)

For internal Amazon users, use the AWS Developer Account (ADA) CLI tool. ADA runs as a background daemon and keeps your credentials refreshed automatically — no hardcoded keys.

  1. Install the AWS CLI if you don't have it: brew install awscli
  2. Install ADA: follow the instructions at Configure AWS CLI Credentials on Mac using ADA.
  3. Add a profile:
    ada profile add --profile my_profile --provider conduit --account <your-account-id>
    
    Find your account ID on Conduit AWS Accounts.
  4. Set the profile:
    export AWS_PROFILE=my_profile
    
  5. Verify: aws sts get-caller-identity

Email Setup

This covers setting up inbound/outbound email using Amazon SES and S3 with a SuperNova domain. This is for personal/pre-prod use.

Throughout this guide, replace these placeholders with your values:

Placeholder   Example
DOMAIN        yourname.people.aws.dev
ACCOUNT_ID    123456789012
ZONE_ID       Z085235211UHTJ787HWN1
BUCKET        yourname-agent-email-inbox

1. Get a SuperNova Domain

SuperNova provides *.people.aws.dev domains for personal pre-prod use.

Create the Nova IAM Role

cat > /tmp/nova-policy.json << 'EOF'
{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "",
    "Effect": "Allow",
    "Principal": { "Service": "nova.aws.internal" },
    "Action": "sts:AssumeRole"
  }
}
EOF

aws iam create-role --role-name Nova-DO-NOT-DELETE \
  --assume-role-policy-document file:///tmp/nova-policy.json

aws iam attach-role-policy --role-name Nova-DO-NOT-DELETE \
  --policy-arn arn:aws:iam::aws:policy/AmazonRoute53FullAccess

aws iam attach-role-policy --role-name Nova-DO-NOT-DELETE \
  --policy-arn arn:aws:iam::aws:policy/SecurityAudit

Note the Role ARN from the output.

Request the domain

  1. Go to the SuperNova self-service UI
  2. Select people as your organization
  3. Request your domain (e.g., yourname.people.aws.dev)
  4. Provide your AWS account ID and the Nova-DO-NOT-DELETE role ARN

Verify delegation

Wait ~30-60 minutes for DNS propagation, then verify:

dig DOMAIN NS +short

You should see four ns-*.awsdns-* nameservers.

Find your hosted zone ID

aws route53 list-hosted-zones-by-name --dns-name DOMAIN \
  --query 'HostedZones[0].Id' --output text

The part after /hostedzone/ is your ZONE_ID.

2. Add DMARC Record

Required for all SuperNova domains. The p=reject policy tells receiving mail servers to reject messages that claim to come from DOMAIN but fail SPF/DKIM alignment, which prevents the domain from being spoofed.

aws route53 change-resource-record-sets \
  --hosted-zone-id ZONE_ID \
  --change-batch '{
    "Changes": [{
      "Action": "UPSERT",
      "ResourceRecordSet": {
        "Name": "_dmarc.DOMAIN",
        "Type": "TXT",
        "TTL": 300,
        "ResourceRecords": [{"Value": "\"v=DMARC1; p=reject\""}]
      }
    }]
  }'

3. Verify Domain in SES

aws ses verify-domain-dkim --domain DOMAIN --region us-east-1
aws ses verify-domain-identity --domain DOMAIN --region us-east-1

Add the DKIM CNAMEs and verification TXT record to Route 53 (replace tokens from the commands above):

aws route53 change-resource-record-sets \
  --hosted-zone-id ZONE_ID \
  --change-batch '{
    "Changes": [
      {
        "Action": "UPSERT",
        "ResourceRecordSet": {
          "Name": "TOKEN1._domainkey.DOMAIN",
          "Type": "CNAME",
          "TTL": 1800,
          "ResourceRecords": [{"Value": "TOKEN1.dkim.amazonses.com"}]
        }
      },
      {
        "Action": "UPSERT",
        "ResourceRecordSet": {
          "Name": "TOKEN2._domainkey.DOMAIN",
          "Type": "CNAME",
          "TTL": 1800,
          "ResourceRecords": [{"Value": "TOKEN2.dkim.amazonses.com"}]
        }
      },
      {
        "Action": "UPSERT",
        "ResourceRecordSet": {
          "Name": "TOKEN3._domainkey.DOMAIN",
          "Type": "CNAME",
          "TTL": 1800,
          "ResourceRecords": [{"Value": "TOKEN3.dkim.amazonses.com"}]
        }
      },
      {
        "Action": "UPSERT",
        "ResourceRecordSet": {
          "Name": "_amazonses.DOMAIN",
          "Type": "TXT",
          "TTL": 1800,
          "ResourceRecords": [{"Value": "\"VERIFICATION_TOKEN\""}]
        }
      }
    ]
  }'

Wait for verification (5-10 minutes):

aws ses get-identity-dkim-attributes --identities DOMAIN --region us-east-1
aws ses get-identity-verification-attributes --identities DOMAIN --region us-east-1

Both must show Success before proceeding.

SES sandbox: New SES accounts start in sandbox mode, which only allows sending to verified email addresses. For testing, this is fine — the assistant receives email regardless. To send to arbitrary addresses, request production access.

4. Set Up Inbound Email

Create an S3 bucket (must be in a region that supports SES receiving):

aws s3api create-bucket --bucket BUCKET --region us-east-1

Allow SES to write to it:

aws s3api put-bucket-policy --bucket BUCKET --policy '{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ses.amazonaws.com"},
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::BUCKET/*",
    "Condition": {"StringEquals": {"AWS:SourceAccount": "ACCOUNT_ID"}}
  }]
}'

Add MX record:

aws route53 change-resource-record-sets \
  --hosted-zone-id ZONE_ID \
  --change-batch '{
    "Changes": [{
      "Action": "UPSERT",
      "ResourceRecordSet": {
        "Name": "DOMAIN",
        "Type": "MX",
        "TTL": 300,
        "ResourceRecords": [{"Value": "10 inbound-smtp.us-east-1.amazonaws.com"}]
      }
    }]
  }'

Create SES receipt rule:

aws ses create-receipt-rule-set \
  --rule-set-name agent-email-rules --region us-east-1

aws ses create-receipt-rule --region us-east-1 \
  --rule-set-name agent-email-rules \
  --rule '{
    "Name": "agent-inbox",
    "Enabled": true,
    "Recipients": ["agent@DOMAIN"],
    "Actions": [{
      "S3Action": {
        "BucketName": "BUCKET",
        "ObjectKeyPrefix": "incoming/"
      }
    }]
  }'

aws ses set-active-receipt-rule-set \
  --rule-set-name agent-email-rules --region us-east-1

Verify DNS:

dig DOMAIN MX +short
dig _dmarc.DOMAIN TXT +short

5. Configure and Run

---
name: email-assistant
metadata:
  role: main
  paths: [./skills]
  model:
    id: us.anthropic.claude-sonnet-4-6
    region: us-east-1
    persistent: true
  email:
    region: us-east-1
    bucket: BUCKET
    prefix: incoming/
    from: agent@DOMAIN
    allowed-senders: []
    poll-interval: 30s
  trust:
    rules: "file-write code shell"
    store: file
  allowed-tools: "*"
---
You are an email assistant. Read incoming messages and respond helpfully.
agent-apps

Send an email to agent@DOMAIN to test.
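With trust rules that include shell and allowed-tools set to "*", the assistant should only act on mail that is both from an expected sender and authenticated. The following is an added example, not code from the page or the project: it parses a constructed raw message of the kind SES writes under incoming/ and gates it on an allow-list plus the Authentication-Results header that SES adds on receipt. The header text and addresses are constructed, and the fail-closed treatment of an empty allow-list is this example's choice, not the documented meaning of allowed-senders: [].

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample of a raw message as SES stores it in S3 under incoming/.
# The Authentication-Results header imitates the one SES adds on receipt.
RAW_MESSAGE = b"""\
Return-Path: <alice@example.com>
Authentication-Results: amazonses.com;
 spf=pass (spfCheck: domain of example.com designates 192.0.2.10 as permitted sender);
 dkim=pass header.i=@example.com;
 dmarc=pass header.from=example.com
From: Alice <alice@example.com>
To: agent@yourname.people.aws.dev
Subject: Please summarize the quarterly report
Content-Type: text/plain; charset=utf-8

Hi agent, could you summarize the attached numbers?
"""

# Same constructed message with a failing DMARC verdict, as a spoofed From would get.
SPOOFED_MESSAGE = RAW_MESSAGE.replace(b"dmarc=pass", b"dmarc=fail")

AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)


def ses_auth_results(msg):
    """Return {method: verdict} from the topmost Authentication-Results header
    stamped by amazonses.com. Receivers prepend their own header, so one further
    down may have arrived with the message and is deliberately ignored."""
    for value in msg.get_all("Authentication-Results", []):
        text = str(value)
        if text.strip().lower().startswith("amazonses.com"):
            return {m.lower(): v.lower() for m, v in AUTH_RESULT_RE.findall(text)}
    return {}


def should_process(raw, allowed_senders):
    """Decide whether the agent may act on a stored message.
    allowed_senders is a set of lower-case addresses; an empty set rejects
    everything (fail closed, this example's choice)."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender not in allowed_senders:
        return False, f"sender {sender or '<none>'} not allow-listed"
    verdicts = ses_auth_results(msg)
    if verdicts.get("dmarc") != "pass":
        return False, f"DMARC verdict {verdicts.get('dmarc', 'missing')} for {sender}"
    return True, f"accepted from {sender}"
```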

Cleanup

aws ses set-active-receipt-rule-set --region us-east-1
aws ses delete-receipt-rule \
  --rule-set-name agent-email-rules --rule-name agent-inbox --region us-east-1
aws ses delete-receipt-rule-set \
  --rule-set-name agent-email-rules --region us-east-1
aws ses delete-identity --identity DOMAIN --region us-east-1
aws s3 rb s3://BUCKET --force

To decommission the domain, use the SuperNova deletion guide; never delete the Route 53 hosted zone manually (domain sniping vulnerability, Sev-2).

To remove the Nova IAM role:

aws iam detach-role-policy --role-name Nova-DO-NOT-DELETE \
  --policy-arn arn:aws:iam::aws:policy/AmazonRoute53FullAccess
aws iam detach-role-policy --role-name Nova-DO-NOT-DELETE \
  --policy-arn arn:aws:iam::aws:policy/SecurityAudit
aws iam delete-role --role-name Nova-DO-NOT-DELETE

Slack Setup (Amazon Workspaces)

Follow the standard Slack Bot tutorial, with one additional step:

Before installing the app to your workspace, go to Settings → Collaborators and add opus-amazon-prod as a collaborator. This is required for Slack apps in Amazon workspaces.
