Question 38
Domain 2: Design for New Solutions
A company recently completed the migration from an on-premises data center to the AWS Cloud by using a replatforming strategy. One of the migrated servers is running a legacy Simple Mail Transfer Protocol (SMTP) service that a critical application relies upon. The application sends outbound email messages to the company’s customers. The legacy SMTP server does not support TLS encryption and uses TCP port 25. The application can use SMTP only. The company decides to use Amazon Simple Email Service (Amazon SES) and to decommission the legacy SMTP server. The company has created and validated the SES domain. The company has lifted the SES limits. What should the company do to modify the application to send email messages from Amazon SES?
Correct answer: B
Explanation
Amazon SES supports SMTP submission with authentication, so the application must use Amazon SES SMTP credentials to log in before sending mail. The legacy server does not support TLS encryption, but the SES SMTP endpoint requires an encrypted session; STARTTLS opens a plain SMTP connection and upgrades it to TLS, so the application keeps speaking SMTP only while the transport becomes encrypted.
Why each option is right or wrong
A. Configure the application to connect to Amazon SES by using TLS Wrapper. Create an IAM role that has ses:SendEmail and ses:SendRawEmail permissions. Attach the IAM role to an Amazon EC2 instance.
IAM roles are for AWS API authorization, not standard SMTP authentication to SES.
B. Configure the application to connect to Amazon SES by using STARTTLS. Obtain Amazon SES SMTP credentials. Use the credentials to authenticate with Amazon SES.
Amazon SES’s SMTP interface requires authenticated submission, and AWS provides dedicated SMTP credentials for that purpose rather than IAM user passwords; the app must use those credentials to authenticate to the SES endpoint. Because the legacy client can speak SMTP only and the server does not support TLS, the correct transport change is to use STARTTLS on the SMTP session, which upgrades the connection to TLS while still using SMTP over the standard submission path (SES SMTP endpoints support STARTTLS, typically on port 587 or 25).
C. Configure the application to use the SES API to send email messages. Create an IAM role that has ses:SendEmail and ses:SendRawEmail permissions. Use the IAM role as a service role for Amazon SES.
SES API use requires application changes beyond SMTP, which the scenario explicitly does not allow.
D. Configure the application to use AWS SDKs to send email messages. Create an IAM user for Amazon SES. Generate API access keys. Use the access keys to authenticate with Amazon SES.
AWS SDKs and API keys are for API-based sending, not an SMTP-only application path.
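How option B looks in application code, as an added example that is not part of the original question or of any AWS-provided sample: a Python client connects to the SES SMTP endpoint in plain SMTP, upgrades the session with STARTTLS, and only then authenticates with SES SMTP credentials. The endpoint host, credential values and addresses are placeholders, and the FakeSMTP class is an offline stand-in for smtplib.SMTP so the flow can be exercised without a network.

```python
import smtplib
import ssl
from email.message import EmailMessage

# Placeholders (constructed for this example): replace with the company's values.
SES_SMTP_HOST = "email-smtp.REGION.amazonaws.com"   # SES SMTP endpoint
SES_SMTP_PORT = 587                                 # STARTTLS submission port
SES_SMTP_USER = "SES-SMTP-USERNAME"                 # SES SMTP credential, not an IAM password
SES_SMTP_PASS = "SES-SMTP-PASSWORD"

def send_via_ses(msg, user, password, smtp_factory=smtplib.SMTP,
                 host=SES_SMTP_HOST, port=SES_SMTP_PORT):
    """Plain SMTP connect, STARTTLS upgrade, then AUTH with SES SMTP credentials.
    Credentials go out only on the encrypted session; no STARTTLS means no send.
    Returns the dict of refused recipients ({} when all were accepted)."""
    ctx = ssl.create_default_context()   # verifies the endpoint certificate
    with smtp_factory(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("STARTTLS not offered; refusing to send credentials in clear")
        smtp.starttls(context=ctx)
        smtp.ehlo()                      # capabilities must be re-read over TLS
        smtp.login(user, password)
        return smtp.send_message(msg)

class FakeSMTP:
    """Offline stand-in for smtplib.SMTP that records the call sequence."""
    offer_starttls, last = True, None
    def __init__(self, host, port, timeout=None):
        self.calls, self.tls, FakeSMTP.last = [], False, self
    def __enter__(self): return self
    def __exit__(self, *exc): return False
    def ehlo(self): self.calls.append("ehlo")
    def has_extn(self, name): return name.lower() == "starttls" and self.offer_starttls
    def starttls(self, context=None): self.tls = True; self.calls.append("starttls")
    def login(self, user, password):
        assert self.tls, "credentials must never cross an unencrypted session"
        self.calls.append(f"login:{user}")
    def send_message(self, msg): self.calls.append("send"); return {}

class FakeSMTPNoTLS(FakeSMTP):
    offer_starttls = False               # models a server that lacks STARTTLS

if __name__ == "__main__":               # drop smtp_factory= to send for real
    m = EmailMessage(); m["From"], m["To"] = "noreply@example.com", "customer@example.com"
    m["Subject"] = "Hello"; m.set_content("Sent through the SES SMTP endpoint")
    print(send_via_ses(m, SES_SMTP_USER, SES_SMTP_PASS, smtp_factory=FakeSMTP), FakeSMTP.last.calls)
```

Against a server that never advertises STARTTLS the function raises before any credential is transmitted, which is the behaviour to keep when the legacy port-25 server is replaced.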