Question #607
A company has migrated their on-premises infrastructure to AWS using a replatforming strategy. A legacy application relies on an SMTP service that operates without encryption and uses TCP port 25. The application cannot be modified to use anything other than SMTP. The company has decided to use Amazon SES, validated their domain, and adjusted SES limits. What should the company do to enable the application to send emails through Amazon SES?
A. Configure the application to connect to Amazon SES using TLS encryption. Create an IAM role with ses:SendEmail and ses:SendRawEmail permissions and attach it to an Amazon EC2 instance.
B. Configure the application to connect to Amazon SES using STARTTLS. Generate Amazon SES SMTP credentials and use them to authenticate with Amazon SES.
C. Modify the application to use the SES API. Create an IAM role with ses:SendEmail and ses:SendRawEmail permissions and assign it as a service role for Amazon SES.
D. Update the application to use AWS SDKs. Create an IAM user for Amazon SES, generate API access keys, and use the keys for authentication.
Explanation
Answer B is correct because:
1. The legacy application cannot be modified to use APIs/SDKs (eliminating C and D).
2. Amazon SES requires SMTP connections to use STARTTLS encryption, which upgrades the existing unencrypted connection to TLS on the same port (port 25), so the port does not change.
3. SES SMTP authentication uses IAM-generated SMTP credentials (username/password), not IAM roles/API keys (eliminating A).
Key Points:
- SES SMTP requires STARTTLS encryption.
- SMTP credentials (generated via IAM) are used for authentication.
- Legacy apps using SMTP can only be configured via server settings, not code changes.
Answer
The correct answer is: B
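
The flow behind answer B, as an added example that is not part of the original question: an SMTP client upgrades the port 25 session with STARTTLS and only then authenticates with the SES SMTP credentials. The region in the endpoint name, the addresses, and the environment variable names are assumptions.

```python
import os
import smtplib
import ssl
from email.message import EmailMessage

# Assumed values: the region, addresses and env var names are placeholders.
SES_HOST = "email-smtp.us-east-1.amazonaws.com"
SES_PORT = 25  # the legacy application's port; STARTTLS upgrades it in place


def build_message(sender, recipient, subject, body):
    """Build a plain-text message; the sender must be on the validated domain."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def submit(smtp, user, password, msg, context=None):
    """Upgrade to TLS first, then authenticate and send."""
    smtp.ehlo()
    if not smtp.has_extn("starttls"):
        # smtplib.login() does not check for TLS, so guard it explicitly:
        # without the upgrade the credentials would cross the wire in cleartext.
        raise RuntimeError("server did not advertise STARTTLS; refusing to AUTH")
    smtp.starttls(context=context or ssl.create_default_context())
    smtp.ehlo()  # re-read capabilities over the encrypted channel
    smtp.login(user, password)  # SES SMTP credentials (username/password)
    return smtp.send_message(msg)  # dict of refused recipients, empty on success


def main():
    msg = build_message("app@example.com", "ops@example.com",
                        "SES relay test", "Sent over STARTTLS on port 25.")
    with smtplib.SMTP(SES_HOST, SES_PORT, timeout=15) as smtp:
        refused = submit(smtp, os.environ["SES_SMTP_USER"],
                         os.environ["SES_SMTP_PASS"], msg)
    print("refused recipients:", refused)


if __name__ == "__main__":
    main()
```
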