Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 78 discussion

B is correct. https://docs.aws.amazon.com/ses/latest/dg/smtp-connect.html STARTTLS supports ports 25, 587, and 2587 TLSWRAPPER supports ports 465 and 2465

In this scenario, you should use Amazon SES SMTP interface to send emails because the application can use SMTP only. https://docs.aws.amazon.com/ses/latest/dg/send-email-smtp.html https://docs.aws.amazon.com/ses/latest/dg/smtp-credentials.html https://docs.aws.amazon.com/ses/latest/dg/smtp-connect.html

B. Configure the application to connect to Amazon SES by using STARTTLS. Obtain Amazon SES SMTP credentials. Use the credentials to authenticate with Amazon SES.

Here's why option B is the correct choice: STARTTLS Support: Amazon SES supports STARTTLS, a protocol command used to upgrade an existing insecure connection to a secure connection using TLS (Transport Layer Security). This is crucial since the legacy SMTP server does not support TLS, and STARTTLS can be used to initiate a secure connection. SMTP Credentials: Amazon SES requires authentication to send emails through its SMTP interface. This is achieved by using SMTP credentials, which are different from AWS access keys. SMTP credentials can be obtained from the Amazon SES console and are used to authenticate with the Amazon SES SMTP endpoint. Operational Simplicity: This approach allows the application to continue using SMTP for sending emails, which aligns with the application's existing capabilities. By using STARTTLS, the application can upgrade its connection to Amazon SES to a secure one, ensuring compliance with security best practices without significant changes to the application's email sending functionality.

Terrible Q. All answers are wrong. A is wrong because you cannot send emails through SES SMTP using SMTP credentials derived from temporary STS tokens (ie IAM roles). Must use an IAM user access keys to derive creds. B is wrong because the question imposes a constraint that prevents us from selecting an answer that requires upgrading or modifying the application itself. Could you just offload SMTP STARTTLS/AUTH to the local sendmail/postfix daemon? Maybe, if it were Linux, but what if it's Windows? Cygwin? WSL? C & D - wrong, for a similar rationale as B. But the question designer OBVIOUSLY doesn't know that IAM roles can't be used for SES SMTP auth, because these questions are written by inexperienced, unqualified people who are not themselves architects or engineers.

A = this sends email via SES API while application can use SMTP only B = correct C = this sends email via SES API while application can use SMTP only D = this sends email via SES SDK (API) while application can use SMTP only

The correct answer is B. A: We are unable to obtain authentication information. C,D: Does not meet SMTP requirements. B: This is the correct procedure. https://repost.aws/knowledge-center/ses-set-up-connect-smtp https://docs.aws.amazon.com/ses/latest/dg/security-protocols.html

Here's why option B is the correct choice: SMTP Protocol: The legacy SMTP server uses the SMTP protocol, and Amazon SES provides an SMTP interface for sending email, which is suitable for your application. STARTTLS: Using STARTTLS ensures that your communication with Amazon SES is encrypted, which is a best practice for secure email transmission. SMTP Credentials: Amazon SES SMTP credentials are required to authenticate your application with Amazon SES when sending emails. These credentials include an SMTP username and password.

I selecte A

It's B - to preserve SMTP protocol

B because is "legacy" app then use properties to set SMTP keyword === Obtain Amazon SES SMTP credentials

https://aws.amazon.com/blogs/big-data/query-and-visualize-aws-cost-and-usage-data-using-amazon-athena-and-amazon-quicksight/

Option A states that the company would require to do more changes in the application than a replatform migration strategy where we are supposed to migrate the application with minimal changes. In Option A using the TLS wrapper would require an additional layer of software (stunnel) to be installed and configured on the EC2 instance, which may introduce additional complexity and management overhead. In option B, we need to configure the application to connect to SES using STARTLS using SMTP credentials, since the legacy SMTP server does not support TLS encryption. This would require minimal change to the application.

To set up a STARTTLS connection, the SMTP client connects to the Amazon SES SMTP endpoint on port 25, 587, or 2587, issues an EHLO command, and waits for the server to announce that it supports the STARTTLS SMTP extension. The client then issues the STARTTLS command, initiating TLS negotiation. When negotiation is complete, the client issues an EHLO command over the new encrypted connection, and the SMTP session proceeds normally To set up a TLS Wrapper connection, the SMTP client connects to the Amazon SES SMTP endpoint on port 465 or 2465. The server presents its certificate, the client issues an EHLO command, and the SMTP session proceeds normally.

B. Configure the application to connect to Amazon SES by using STARTTLS.

B , https://docs.aws.amazon.com/ses/latest/dg/smtp-connect.html

B is wrong because STARTTLS uses port 25 and EC2 instances can’t send outbound traffic through port 25 (you must ask AWS to allow port 25)