diff --git a/pages/deploy/deploy_aws.md b/pages/deploy/deploy_aws.md
index 051929bba..1904dd871 100644
--- a/pages/deploy/deploy_aws.md
+++ b/pages/deploy/deploy_aws.md
@@ -171,38 +171,38 @@ have listed and defined all the parameters of the cdk.json file. If you still ha
and find 2 examples of cdk.json files.
-| **General Parameters** | **Optional/Required** | **Definition** |
-|-----------------------------------------------|-----------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| tooling_vpc_id | Optional | The VPC ID for the tooling account. If not provided, **a new VPC** will be created. |
-| tooling_region | Optional | The AWS region for the tooling account where the AWS CodePipeline pipeline will be created. (default: eu-west-1) |
-| tooling_vpc_restricted_nacl | Optional | If set to **true**, VPC NACLs added to restrict network traffic on the subnets of the data.all provisioned tooling VPC (default: false) |
-| git_branch | Optional | The git branch name can be leveraged to deploy multiple AWS CodePipeline pipelines to the same tooling account. (default: main) |
-| git_release | Optional | If set to **true**, CI/CD pipeline RELEASE stage is enabled. This stage releases a version out of the current branch. (default: false) |
-| quality_gate | Optional | If set to **true**, CI/CD pipeline quality gate stage is enabled. (default: true) |
-| resource_prefix | Optional | The prefix used for AWS created resources. It must be in lower case without any special character. (default: dataall) |
-| **Deployment environments Parameters** | **Optional/Required** | **Definition** |
-| ---------------------------- | --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| envname | REQUIRED | The name of the deployment environment (e.g dev, qa, prod,...). It must be in lower case without any special character. |
-| account | REQUIRED | The AWS deployment account (deployment account N) |
-| region | REQUIRED | The AWS deployment region |
-| with_approval | Optional | If set to **true** an additional step on AWS CodePipeline to require user approval before proceeding with the deployment. (default: false) |
-| vpc_id | Optional | The VPC ID for the deployment account. If not provided, **a new VPC** will be created. |
-| vpc_endpoints_sg | Optional | The VPC endpoints security groups to be use by AWS services to connect to VPC endpoints. If not assigned, NAT outbound rule is used. |
-| vpc_restricted_nacl | Optional | If set to **true**, VPC NACLs added to restrict network traffic on the subnets of the data.all provisioned deployment VPC (default: false) |
-| internet_facing | Optional | If set to **true** CloudFront is used for hosting data.all UI and Docs and APIs are public. If false, ECS is used to host static sites and APIs are private. (default: true) |
-| custom_domain | Optional* | Custom domain configuration: `hosted_zone_name`, `hosted_zone_id`, `certificate_arn`, and `email_notification_sender_email_id`. If internet_facing parameteris **false** or `share_notifications.email` is active in `config.json` then custom_domain is REQUIRED for ECS ALB integration with ACM and HTTPS. It is optional when internet_facing is true. |
-| ip_ranges | Optional | Used only when internet_facing parameter is **false** to allow API Gateway resource policy to allow these IP ranges in addition to the VPC's CIDR block. |
-| apig_vpce | Optional | Used only when internet_facing parameter is **false**. If provided, it will be used for API Gateway otherwise a new VPCE will be created. |
-| prod_sizing | Optional | If set to **true**, infrastructure sizing is adapted to prod environments. Check additional resources section for more details. (default: true) |
-| enable_cw_rum | Optional | If set to **true** CloudWatch RUM monitor is created to monitor the user interface (default: false) |
-| enable_cw_canaries | Optional | If set to **true**, CloudWatch Synthetics Canaries are created to monitor the GUI workflow of principle features (default: false) |
-| enable_quicksight_monitoring | Optional | If set to **true**, RDS security groups and VPC NACL rules are modified to allow connection of the RDS metadata database with Quicksight in the infrastructure account (default: false) |
-| shared_dashboard_sessions | Optional | Either 'anonymous' or 'reader'. It indicates the type of Quicksight session used for Shared Dashboards (default: 'anonymous') |
-| enable_pivot_role_auto_create | Optional | If set to **true**, data.all creates the pivot IAM role as part of the environment stack. If false, a CloudFormation template is provided in the UI and AWS account admins need to deploy this stack as pre-requisite to link a data.all environment (default: false) |
-| enable_update_dataall_stacks_in_cicd_pipeline | Optional | If set to **true**, CI/CD pipeline update stacks stage is enabled for the deployment environment. This stage triggers the update of all environment and dataset stacks (default: false) |
-| enable_opensearch_serverless | Optional | If set to **true** Amazon OpenSearch Serverless collection is created and used instead of Amazon OpenSearch Service domain (default: false) |
-| cognito_user_session_timeout_inmins | Optional | The number of minutes to set the refresh token validity time for user session's in Cognito before a user must re-login to the data.all UI (default: 43200 - i.e. 30 days) |
-| reauth_config | Optional | A dictionary containing a list of API operations that require a user to re-authenticate before proceedind (`reauth_apis`) and a time to live (`ttl`) for how long a user's re-auth session is valid to perform re-auth APIs before having to re-authenticate again |
+| **General Parameters** | **Optional/Required** | **Definition** |
+|-----------------------------------------------|-----------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| tooling_vpc_id | Optional | The VPC ID for the tooling account. If not provided, **a new VPC** will be created. |
+| tooling_region | Optional | The AWS region for the tooling account where the AWS CodePipeline pipeline will be created. (default: eu-west-1) |
+| tooling_vpc_restricted_nacl | Optional | If set to **true**, VPC NACLs added to restrict network traffic on the subnets of the data.all provisioned tooling VPC (default: false) |
+| git_branch | Optional | The git branch name can be leveraged to deploy multiple AWS CodePipeline pipelines to the same tooling account. (default: main) |
+| git_release | Optional | If set to **true**, CI/CD pipeline RELEASE stage is enabled. This stage releases a version out of the current branch. (default: false) |
+| quality_gate | Optional | If set to **true**, CI/CD pipeline quality gate stage is enabled. (default: true) |
+| resource_prefix | Optional | The prefix used for AWS created resources. It must be in lower case without any special character. (default: dataall) |
+| **Deployment environments Parameters** | **Optional/Required** | **Definition** |
+| ---------------------------- | --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| envname | REQUIRED | The name of the deployment environment (e.g dev, qa, prod,...). It must be in lower case without any special character. |
+| account | REQUIRED | The AWS deployment account (deployment account N) |
+| region | REQUIRED | The AWS deployment region |
+| with_approval | Optional | If set to **true** an additional step on AWS CodePipeline to require user approval before proceeding with the deployment. (default: false) |
+| vpc_id | Optional | The VPC ID for the deployment account. If not provided, **a new VPC** will be created. |
+| vpc_endpoints_sg | Optional | The VPC endpoints security groups to be use by AWS services to connect to VPC endpoints. If not assigned, NAT outbound rule is used. |
+| vpc_restricted_nacl | Optional | If set to **true**, VPC NACLs added to restrict network traffic on the subnets of the data.all provisioned deployment VPC (default: false) |
+| internet_facing | Optional | If set to **true** CloudFront is used for hosting data.all UI and Docs and APIs are public. If false, ECS is used to host static sites and APIs are private. (default: true) |
+| custom_domain | Optional* | Custom domain configuration: `hosted_zone_name`, `hosted_zone_id`, `certificate_arn`, and `email_notification_sender_email_id`. If internet_facing parameter is **false** or `share_notifications.email` is active in `config.json` then custom_domain is REQUIRED for ECS ALB integration with ACM and HTTPS. It is optional when internet_facing is true. |
+| ip_ranges | Optional | Used only when internet_facing parameter is **false** to allow API Gateway resource policy to allow these IP ranges in addition to the VPC's CIDR block. |
+| apig_vpce | Optional | Used only when internet_facing parameter is **false**. If provided, it will be used for API Gateway otherwise a new VPCE will be created. |
+| prod_sizing | Optional | If set to **true**, infrastructure sizing is adapted to prod environments. Check additional resources section for more details. (default: true) |
+| enable_cw_rum | Optional | If set to **true** CloudWatch RUM monitor is created to monitor the user interface (default: false) |
+| enable_cw_canaries | Optional | If set to **true**, CloudWatch Synthetics Canaries are created to monitor the GUI workflow of principle features (default: false) |
+| enable_quicksight_monitoring | Optional | If set to **true**, RDS security groups and VPC NACL rules are modified to allow connection of the RDS metadata database with Quicksight in the infrastructure account (default: false) |
+| shared_dashboard_sessions | Optional | Either 'anonymous' or 'reader'. It indicates the type of Quicksight session used for Shared Dashboards (default: 'anonymous') |
+| enable_pivot_role_auto_create | Optional | If set to **true**, data.all creates the pivot IAM role as part of the environment stack. If false, a CloudFormation template is provided in the UI and AWS account admins need to deploy this stack as pre-requisite to link a data.all environment (default: false) |
+| enable_update_dataall_stacks_in_cicd_pipeline | Optional | If set to **true**, CI/CD pipeline update stacks stage is enabled for the deployment environment. This stage triggers the update of all environment and dataset stacks (default: false) |
+| enable_opensearch_serverless | Optional | If set to **true** Amazon OpenSearch Serverless collection is created and used instead of Amazon OpenSearch Service domain (default: false) |
+| cognito_user_session_timeout_inmins | Optional | The number of minutes to set the refresh token validity time for user session's in Cognito before a user must re-login to the data.all UI (default: 43200 - i.e. 30 days) |
+| reauth_config | Optional | A dictionary containing a list of API operations that require a user to re-authenticate before proceedind (`reauth_apis`) and a time to live (`ttl`) for how long a user's re-auth session is valid to perform re-auth APIs before having to re-authenticate again |
**Example 1**: Basic deployment: this is an example of a minimum configured cdk.json file.
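Review bot: Several typos survive in the re-padded rows and should be fixed in this same pass, since every row of both tables is rewritten anyway: `proceedind` in the `reauth_config` row, `to be use by` in `vpc_endpoints_sg`, `principle features` in `enable_cw_canaries`, and `user session's` in `cognito_user_session_timeout_inmins`. The only visible wording change is `parameteris` to `parameter is` in the `custom_domain` row; the other rows change only in padding, which makes that one substantive edit hard to spot, so consider calling it out in the commit message. The `Optional*` marker on `custom_domain` has no footnote; either drop the asterisk, since the cell already explains when the parameter becomes REQUIRED, or add a footnote line under the table. The `reauth_config` row is also the only optional row touched here that gives no default or example value for `reauth_apis` and `ttl`, and a reader deciding which operations to gate behind re-authentication would benefit from one.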
@@ -518,6 +518,24 @@ diagram.
With this pipeline we can now deploy the infrastructure to the deployment account(s). Navigate to AWS CodePipeline
in the tooling account and check the status of your pipeline.
+## 12. Setting SES for Email Notifications
+
+Please follow instructions from below only if you have enabled email notifications on share workflow by switching the email.active config ( from `config.json` file ) to `true` in the `share_notifications` feature under `datasets` module.
+
+### Moving AWS SES out of Sandbox
+If you have specified `custom_domain`, after the deployment you should see a SES identity which is formed in your AWS Account.
+You can check it by going to the AWS Console -> AWS SES -> Identities. At this time you have successfully deployed infrastructure to
+send email notifications via SES, but your AWS account is in the Sandbox mode. When in Sandbox mode, you will have to verify each
+recipient email id manually. In order to get your SES account out of Sandbox, please follow the instructions in Moving out of Sandbox .
+Once your AWS SES account is out of sandbox you can send email to any recipient email id without any prior verification.
+
+### Monitoring for Email Bounces
+When SES Stack is deployed during the pipeline stage, it will setup a configuration set
+which will send any email bounces, delivery failures, rejects & complaints to an SNS topic. In this step, you can add subscriptions to this SNS topic to monitor email delivery problems
+In order to do that go to AWS Console -> SNS -> Select the SNS topic which would look like `{resource_prefix}-{envname}-SNS-Email-Bounce-Topic` ( where resource_prefix and envname are specified in the cdk.json ) -> Create Subscription. You can attach multiple subscriptions to
+this SNS topic and monitor and take actions in case of any delivery failure.
+
+
## Additional resources - FAQs
### How does the `prod_sizing` field in `cdk.json` affect the architecture ?
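Review bot: The opening of "Moving AWS SES out of Sandbox" says "If you have specified `custom_domain`", but the parameter table in this same file states that `custom_domain` is REQUIRED when `share_notifications.email` is active, which is the only case this section applies to; reword it as a prerequisite rather than a condition. The config key is written as plain "email.active config" in the section intro while the table uses `share_notifications.email`; put the key in backticks and use one spelling in both places. "please follow the instructions in Moving out of Sandbox ." carries no link target in the added line and has a stray space before the period, so check that it renders as a link to the AWS documentation. In "Monitoring for Email Bounces", "you can add subscriptions" reads as optional, yet an SNS topic with no subscription delivers to nobody, so bounces, rejects and complaints go unobserved until one is created; say so explicitly and recommend at least one subscription per environment. The sentence ending "monitor email delivery problems" is missing its period, and the hunk adds two consecutive blank lines before "## Additional resources - FAQs" where one is enough.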