twtech deep dive into Amazon Simple Email Service (Amazon SES).
Focus:
- DevSecOps-friendly approach.
Breakdown:
- Intro,
- Key features of Amazon SES,
- Core Concepts & Features,
- SES System Architecture,
- Identity Management (Domain & Email Verification),
- Amazon SES Sending Options,
- SES Deliverability Features,
- SES Configuration Sets & Event Destinations,
- SES Inbound Email Processing (Email Receiving),
- SES Security (DevSecOps Focus),
- SES Throughput & Quotas,
- SES Pricing,
- SES Architecture Diagrams,
- SES Best Practices,
- SES + Infrastructure as Code (IaC),
- twtech Insights,
- Amazon SES Interview Questions & Answers (Basic → Expert)
Intro:
- Amazon Simple Email Service (Amazon SES) is a cost-effective, flexible, and scalable cloud-based email service provided by Amazon Web Services (AWS) that enables developers to send mail from within any application.
- Amazon SES is designed to help businesses of all sizes send both marketing and transactional emails, as well as receive incoming email.
- Amazon SES is designed for transactional emails, marketing campaigns, and application-generated communications.
- Amazon SES integrates seamlessly with AWS services such as Lambda, SNS, S3, CloudWatch, EventBridge, and IAM.
Key features of Amazon SES:
High deliverability:
- Amazon SES employs features like authentication protocols (SPF, DKIM, DMARC), feedback loops (bounces, complaints), and a reputation dashboard to help ensure emails reach recipients' inboxes.
Scalability:
- The service can easily scale to handle large volumes of emails, from a few hundred per day to millions.
Cost-effectiveness:
- Users pay only for what they use, making it a budget-friendly option for various business needs.
Flexibility:
- It supports multiple sending interfaces, including an SMTP interface, the AWS SDKs, and the AWS SES API, allowing integration with different types of applications.
Email receiving:
- In addition to sending, SES can also be configured to receive incoming emails, providing options to route, store, or trigger actions based on the content of the emails.
- For more details on implementation and pricing, visit the official Amazon SES documentation: https://docs.aws.amazon.com/ses/latest/dg/Welcome.html
1. Core Concepts & Features
1.1 Types of Emails
| Type | Usage |
|---|---|
| Transactional Email | Password resets, OTPs, notifications |
| Marketing Email | Promotions, newsletters |
| Bulk Email | High-volume campaigns with list management |
2. SES System Architecture
SES has three major functional components:
1. Email Receiving (optional)
2. Email Sending
3. Deliverability & Feedback Management
How Sending Works:
- twtech app → Sends email via SMTP, SES API, or AWS SDK
- SES → Authenticates domain + verifies identity
- SES → Delivers via ISP with optimized routing
- SES → Generates delivery, complaint, bounce metrics via SNS / EventBridge
3. Identity Management (Domain & Email Verification)
NB:
SES requires every sending identity to be verified:
Identity Types
- Email Address
- Domain
- Dedicated IP / IP Pool
- Configuration Set Identity
DNS Records Required
| Record | Purpose |
|---|---|
| SPF (TXT) | Sender validation |
| DKIM (CNAME) | Message integrity & authentication |
| DMARC (TXT) | Spoofing/Phishing protection; policy enforcement |
| Mail FROM Domain (MX) | Custom envelope sender |
NB:
AWS supports Easy DKIM (auto DKIM creation).
4. Amazon SES Sending Options
SES supports 3 protocols:
4.1 SES API
Fastest, most secure (SigV4), used by apps/lambdas.
4.2 SMTP Interface
Used for legacy systems, MTA applications.
4.3 AWS SDK
e.g., Python boto3 → ses.send_email() or send_raw_email()
5. SES Deliverability Features
| Feature | Description |
|---|---|
| Bounce notifications | Temporary/permanent delivery failures |
| Complaint notifications | User reports spam |
| Delivery notifications | Success confirmations |
| Reputation dashboard | Sender score, bounce/complaint rates |
| Dedicated IP Pools | Isolation for critical workloads |
| Warm-up automation | Gradually increase sending rate |
| Suppression List | Global blocklist for invalid/complaint emails |
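An added example (not code from the original post) of consuming the bounce, complaint and delivery feedback listed above: it keeps a local suppression list, separates hard from soft bounces, and checks the bounce and complaint rates against the thresholds given in the Best Practices section. The events are constructed samples in the shapes SES publishes; SNS feedback notifications carry `notificationType` and configuration-set event publishing carries `eventType`, and both are handled.

```python
import json

# Thresholds from the Best Practices section: keep bounce rate < 5% and complaint rate < 0.1%.
BOUNCE_RATE_MAX = 0.05
COMPLAINT_RATE_MAX = 0.001


def _event(kind, **extra):
    """Build a constructed SES event JSON string (event-publishing shape, `eventType`)."""
    return json.dumps({"eventType": kind, "mail": {"messageId": f"msg-{kind}"}, **extra})


# Constructed sample stream: 40 sends, one delivery, one soft bounce, one hard bounce, one complaint.
SAMPLE_EVENTS = [_event("Send") for _ in range(40)] + [
    _event("Delivery", delivery={"recipients": ["ok@example.com"]}),
    _event("Bounce", bounce={"bounceType": "Transient", "bounceSubType": "MailboxFull",
                             "bouncedRecipients": [{"emailAddress": "full@example.com"}]}),
    _event("Bounce", bounce={"bounceType": "Permanent", "bounceSubType": "General",
                             "bouncedRecipients": [{"emailAddress": "dead@example.com"}]}),
    # Same payload shape as an SNS feedback notification, which uses `notificationType`.
    json.dumps({"notificationType": "Complaint",
                "complaint": {"complaintFeedbackType": "abuse",
                              "complainedRecipients": [{"emailAddress": "Angry@example.com"}]}}),
]


class FeedbackProcessor:
    """Consumes SES feedback and maintains a suppression list plus reputation rates."""

    def __init__(self):
        self.suppressed = {}  # lower-cased address -> reason
        self.counts = {"send": 0, "delivery": 0, "bounce": 0, "soft_bounce": 0, "complaint": 0}

    def handle(self, raw):
        evt = json.loads(raw)
        kind = (evt.get("eventType") or evt.get("notificationType") or "").lower()
        if kind in ("send", "delivery"):
            self.counts[kind] += 1
        elif kind == "bounce":
            bounce = evt["bounce"]
            if bounce.get("bounceType") == "Permanent":
                # Hard bounce: the address is invalid, stop sending to it immediately.
                self.counts["bounce"] += 1
                for rcpt in bounce.get("bouncedRecipients", []):
                    self.suppressed[rcpt["emailAddress"].lower()] = "hard-bounce"
            else:
                # Transient / Undetermined: temporary failure, a later retry is allowed.
                self.counts["soft_bounce"] += 1
        elif kind == "complaint":
            # A spam report: suppress the recipient even though the address is valid.
            self.counts["complaint"] += 1
            for rcpt in evt["complaint"].get("complainedRecipients", []):
                self.suppressed[rcpt["emailAddress"].lower()] = "complaint"
        return kind

    def may_send_to(self, address):
        return address.lower() not in self.suppressed

    def rates(self):
        """SES scores hard bounces and complaints against the number of sends."""
        sends = max(self.counts["send"], 1)
        return {"bounce_rate": self.counts["bounce"] / sends,
                "complaint_rate": self.counts["complaint"] / sends}

    def alerts(self):
        """Messages for any rate over its threshold (what a CloudWatch alarm would fire on)."""
        limits = {"bounce": BOUNCE_RATE_MAX, "complaint": COMPLAINT_RATE_MAX}
        return [f"{name} rate {rate:.2%} exceeds {limits[name]:.2%}"
                for name, rate in ((n, self.rates()[f"{n}_rate"]) for n in limits)
                if rate > limits[name]]


if __name__ == "__main__":
    proc = FeedbackProcessor()
    for event in SAMPLE_EVENTS:
        proc.handle(event)
    print(proc.counts, proc.rates(), proc.alerts(), sorted(proc.suppressed))
```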
6. SES Configuration Sets & Event Destinations
Configuration Sets let you apply advanced rules to outbound emails:
Options
- Open/Click tracking
- Deliverability tracking
- Event-level logging
- Auto tagging
Event Destinations
- Amazon SNS
- Amazon Kinesis Firehose
- Amazon CloudWatch
- Amazon EventBridge
- Amazon S3 (via Firehose)
Useful for:
- Analytics
- Forensics
- Compliance
- BI dashboards
7. SES Inbound Email Processing (Email Receiving)
SES can receive emails and route them to:
- S3 bucket
- Lambda functions
- SNS topics
Common use cases:
- Ticketing systems
- Auto-responders
- Support workflows
- Parsing inbound emails
Options:
- Lambda → parse attachments
- SNS → notify system
- S3 → store raw email (MIME format)
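As an added example (not code from the original post), the Lambda → parse attachments option applied to a raw MIME object as SES stores it in S3: it honours the X-SES-Spam-Verdict and X-SES-Virus-Verdict headers SES adds when ScanEnabled is on, extracts the text body, and sanitises sender-supplied attachment filenames before they reach a filesystem or ticketing system. The message below is a constructed sample.

```python
import email
import os
import re
from email import policy

# Constructed sample of a raw MIME object as SES stores it in S3 (not a real message).
# The X-SES-*-Verdict headers are the ones SES adds when the receipt rule has ScanEnabled.
RAW_MIME = b"""From: Customer <customer@example.org>
To: support@twtechapp.example
Subject: Ticket: login problem
Date: Mon, 01 Jan 2024 10:00:00 +0000
Message-ID: <abc123@example.org>
X-SES-Spam-Verdict: PASS
X-SES-Virus-Verdict: PASS
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hello, I cannot log in since yesterday.
--b1
Content-Type: application/octet-stream; name="logs/../app log.txt"
Content-Disposition: attachment; filename="logs/../app log.txt"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""


def safe_filename(name):
    """Reduce a sender-supplied filename to a basename with a conservative character set."""
    base = os.path.basename((name or "").replace("\\", "/"))
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", base).strip("._")
    return cleaned or "attachment.bin"


def process_inbound(raw):
    """Parse one inbound message; refuse it unless both SES scan verdicts are PASS."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = {h: (msg.get(h) or "MISSING").upper()
                for h in ("X-SES-Spam-Verdict", "X-SES-Virus-Verdict")}
    # Other SES verdict values are FAIL, GRAY, PROCESSING_FAILED and DISABLED; none is trusted here.
    if any(v != "PASS" for v in verdicts.values()):
        return {"accepted": False, "reason": f"SES verdicts {verdicts}"}
    body = msg.get_body(preferencelist=("plain",))
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):
            data = data.encode("utf-8")
        attachments.append({"filename": safe_filename(part.get_filename()),
                            "content_type": part.get_content_type(),
                            "size": len(data)})
    return {"accepted": True,
            "from": str(msg["From"]),
            "subject": str(msg["Subject"]),
            "text": body.get_content().strip() if body else "",
            "attachments": attachments}


if __name__ == "__main__":
    print(process_inbound(RAW_MIME))
```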
8. SES Security (DevSecOps Focus)
IAM Policies
Grant least privilege:
- ses:SendEmail
- ses:SendRawEmail
- ses:ListIdentities
Domain Authentication
- SPF
- DKIM (Easy DKIM recommended)
- DMARC with p=quarantine or p=reject
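The DNS records from section 3 and the enforcing DMARC posture above can be checked offline. This is an added example, not code from the original post or from AWS; the record values are constructed samples in the shapes SES documents (SPF with include:amazonses.com, three Easy DKIM CNAMEs pointing at dkim.amazonses.com, and the custom MAIL FROM MX at feedback-smtp.<region>.amazonses.com), standing in for real resolver answers.

```python
import re

# Constructed sample records for a hypothetical domain (not live DNS answers).
DOMAIN = "twtechapp.example"
SAMPLE_RECORDS = {
    "spf": "v=spf1 include:amazonses.com -all",
    # Easy DKIM publishes three CNAMEs: <token>._domainkey.<domain> -> <token>.dkim.amazonses.com
    "dkim": {
        f"abc123._domainkey.{DOMAIN}": "abc123.dkim.amazonses.com",
        f"def456._domainkey.{DOMAIN}": "def456.dkim.amazonses.com",
        f"ghi789._domainkey.{DOMAIN}": "ghi789.dkim.amazonses.com",
    },
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@twtechapp.example",
    # Custom MAIL FROM domain: MX 10 feedback-smtp.<region>.amazonses.com
    "mail_from_mx": "10 feedback-smtp.us-east-1.amazonses.com",
}


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; rua=...' into a dict keyed by lower-cased tag name."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_domain_auth(domain, records):
    """Return findings; an empty list means SPF, Easy DKIM, enforcing DMARC and the MAIL FROM MX all look right."""
    findings = []

    spf = records.get("spf", "").strip()
    if not spf.startswith("v=spf1"):
        findings.append("SPF: missing or malformed TXT record")
    elif "include:amazonses.com" not in spf:
        findings.append("SPF: amazonses.com is not listed as an authorised sender")
    elif not re.search(r"\s[-~]all$", spf):
        findings.append("SPF: record should end with -all or ~all so unauthorised senders fail")

    cname_re = re.compile(rf"^([a-z0-9]+)\._domainkey\.{re.escape(domain)}$")
    good = 0
    for name, target in records.get("dkim", {}).items():
        m = cname_re.match(name)
        if m and target == f"{m.group(1)}.dkim.amazonses.com":
            good += 1
        else:
            findings.append(f"DKIM: unexpected CNAME {name} -> {target}")
    if good < 3:
        findings.append(f"DKIM: only {good}/3 Easy DKIM CNAMEs present")

    tags = parse_dmarc(records.get("dmarc", ""))
    if tags.get("v") != "DMARC1":
        findings.append("DMARC: missing or malformed TXT record")
    else:
        if tags.get("p") not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={tags.get('p', 'none')} does not enforce; use quarantine or reject")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so aggregate reports are lost")

    mx = records.get("mail_from_mx", "").strip()
    if not re.fullmatch(r"10 feedback-smtp\.[a-z0-9-]+\.amazonses\.com", mx):
        findings.append("MAIL FROM: MX should be '10 feedback-smtp.<region>.amazonses.com'")
    return findings


if __name__ == "__main__":
    for finding in check_domain_auth(DOMAIN, SAMPLE_RECORDS):
        print("FINDING:", finding)
```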
Email Encryption
- TLS during transport
- S3 bucket encryption (SSE-S3 or SSE-KMS)
- KMS encryption for message bodies (if using raw email)
Monitoring
- CloudWatch metrics:
- Bounce Rate
- Complaint Rate
- Delivery attempts
- EventBridge alerts
- SNS notifications
9. SES Throughput & Quotas
Two Sending Modes
| Mode | Description |
|---|---|
| Sandbox | Restrictive. Verification required. |
| Production | Unlimited sending (within quotas). |
Daily Sending Limits
- Can be increased via Support ticket
- Factors:
- Bounce rate
- Complaint rate
- Reputation
10. SES Pricing
Pay-as-you-go (extremely cheap).
Outbound Email
- $0.10 per 1,000 emails
- Attachments cost extra (data transfer)
Inbound Email
- $0.10 per 1,000 inbound emails
- $0.12 per GB stored
Dedicated IP
- $24.95 per IP/month
11. SES Architecture Diagrams
12. SES Best Practices
Deliverability Best Practices
- Keep bounce rate < 5%
- Keep complaint rate < 0.1%
- Use double opt-in
- Clean recipient lists regularly
- Warm-up dedicated IPs before high-volume sending
Security Best Practices
- Enforce TLS 1.2+
- Use IAM roles for apps (no static SMTP creds)
- Enforce DMARC p=reject
- Enable reputation dashboard alerts
13. SES + Infrastructure as Code (IaC)
CloudFormation supports:
- Identities (domains)
- Configuration sets
- Event Destinations
- Receipt rules
- Templates & IAM roles
I can generate:
- Full CloudFormation template for SES architecture
- Terraform modules
- CDK (Python/TS)
13. twtech Insights:
A production-ready CloudFormation (YAML) template that provisions a complete Amazon SES setup:
- Domain EmailIdentity (creates DKIM token outputs for twtech to add to DNS when using Easy DKIM)
- A ConfigurationSet + ConfigurationSetEventDestination publishing events to SNS, EventBridge, and CloudWatch
- SNS Topics for bounces/complaints/deliveries
- An S3 bucket for inbound email storage + IAM role allowing SES to write to the bucket
- A basic ReceiptRuleSet + ReceiptRule that saves inbound email to S3 and optionally invokes a Lambda (twtech can provide an existing Lambda ARN)
- Helpful Outputs for DKIM tokens & ARNs
NB:
- CloudFormation can create SES domain identities (AWS::SES::EmailIdentity) and returns the DKIM DNS tokens for Easy DKIM.
- twtech must add those CNAME records to its DNS provider and wait for verification.
- Activating a Receipt Rule Set (making it “active”) cannot be performed by CloudFormation directly in all regions/accounts without a custom resource.
- twtech can run the CLI command aws ses set-active-receipt-rule-set --rule-set-name twtecchses --region us-east-2.
- After stack creation, twtech adds a custom resource / Lambda to call SetActiveReceiptRuleSet.
# SES YAML template for the CloudFormation console, or it can be deployed with the CLI.
# SES.yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Full Amazon SES setup:
  - Domain Email Identity (Easy DKIM tokens output)
  - ConfigurationSet + Event Destinations (SNS, EventBridge, CloudWatch)
  - SNS Topics for bounces/complaints/deliveries
  - S3 bucket for inbound mail + IAM role for SES to write to S3
  - ReceiptRuleSet + ReceiptRule to store inbound mail to S3 and optionally invoke a Lambda

Parameters:
  DomainName:
    Type: String
    Description: "The domain to verify with SES (twtechapp.com)"
  MailFromSubdomain:
    Type: String
    Default: "bounce"
    Description: "Optional Mail-From subdomain (e.g. 'bounce' to use bounce.twtechapp.com). Leave blank to skip MailFrom configuration."
  InboundLambdaArn:
    Type: String
    Default: ""
    Description: "Optional: ARN of an existing Lambda to invoke on inbound email. Leave empty to skip Lambda action."
  EnableReputationMetrics:
    Type: String
    AllowedValues: ["true", "false"]
    Default: "true"
    Description: "Whether to enable reputation metrics via configuration set (CloudWatch dimensions)."

# Conditions are a top-level section; Fn::Equals and Fn::Not are only valid here.
Conditions:
  HasMailFrom: !Not [ !Equals [ !Ref MailFromSubdomain, "" ] ]
  HasInboundLambda: !Not [ !Equals [ !Ref InboundLambdaArn, "" ] ]
  ReputationMetricsOn: !Equals [ !Ref EnableReputationMetrics, "true" ]

Resources:
  # ----------------------------
  # SNS Topics for notifications
  # ----------------------------
  # Fn::Sub has no "${DomainName//./-}" style string replacement, so resource
  # names are built from the stack name (letters, digits and hyphens only).
  SesBounceTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: !Sub "${AWS::StackName}-ses-bounces"
      DisplayName: !Sub "SES Bounces for ${DomainName}"
  SesComplaintTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: !Sub "${AWS::StackName}-ses-complaints"
      DisplayName: !Sub "SES Complaints for ${DomainName}"
  SesDeliveryTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: !Sub "${AWS::StackName}-ses-deliveries"
      DisplayName: !Sub "SES Deliveries for ${DomainName}"
  # SES can only publish to the topic if the topic policy allows it; scoped to this account.
  SesBounceTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - !Ref SesBounceTopic
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowSESPublish
            Effect: Allow
            Principal:
              Service: ses.amazonaws.com
            Action: sns:Publish
            Resource: !Ref SesBounceTopic
            Condition:
              StringEquals:
                AWS:SourceAccount: !Ref AWS::AccountId

  # ----------------------------
  # S3 bucket for inbound emails
  # ----------------------------
  SesInboundBucket:
    Type: AWS::S3::Bucket
    Properties:
      # BucketName is left out so CloudFormation generates a unique lowercase name
      # (stack names may contain uppercase letters, which S3 bucket names reject).
      VersioningConfiguration:
        Status: Enabled
      BucketEncryption:  # SSE-S3 at rest, per the Security section
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      LifecycleConfiguration:
        Rules:
          - Id: expire-raw-emails-90d
            Status: Enabled
            ExpirationInDays: 90
  SesInboundBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref SesInboundBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowSESPutObject
            Effect: Allow
            Principal:
              Service: ses.amazonaws.com
            Action: s3:PutObject
            Resource: !Sub "${SesInboundBucket.Arn}/*"
            Condition:
              StringEquals:
                # Confused-deputy guard: only SES acting for this account may write here.
                AWS:SourceAccount: !Ref AWS::AccountId
  # IAM role that SES will assume to put objects into S3 (and use KMS if the bucket key is a CMK)
  SesReceiptS3Role:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "ses-receive-s3-role-${AWS::StackName}"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ses.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
      Policies:
        - PolicyName: AllowS3PutObject
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - s3:PutObject
                  - s3:PutObjectAcl
                Resource: !Sub "${SesInboundBucket.Arn}/*"
              - Effect: Allow
                Action:
                  - kms:GenerateDataKey
                  - kms:Encrypt
                Resource: "*"  # tighten to the CMK ARN if using a specific CMK

  # ----------------------------
  # SES Configuration Set + Event Destinations
  # ----------------------------
  SesConfigurationSet:
    Type: AWS::SES::ConfigurationSet
    Properties:
      Name: !Sub "${AWS::StackName}-configset"
      DeliveryOptions:
        # SendingPoolName may reference a dedicated IP pool created separately;
        # an empty string is not accepted, so it is omitted here.
        TlsPolicy: REQUIRE  # deliver only over TLS (Security best practice above)
      ReputationOptions:
        ReputationMetricsEnabled: !If [ ReputationMetricsOn, true, false ]
      SuppressionOptions:
        SuppressedReasons:
          - BOUNCE
          - COMPLAINT
  # Each event destination carries exactly one destination type, so SNS, EventBridge
  # and CloudWatch are three separate resources on the same configuration set.
  SesEventDestinationSns:
    Type: AWS::SES::ConfigurationSetEventDestination
    DependsOn: SesBounceTopicPolicy
    Properties:
      ConfigurationSetName: !Ref SesConfigurationSet
      EventDestination:
        Name: !Sub "${AWS::StackName}-events-sns"
        Enabled: true
        MatchingEventTypes: [send, delivery, bounce, complaint, reject, open, click]
        SnsDestination:
          TopicARN: !Ref SesBounceTopic  # example: twtech can choose different topics per event type
  SesEventDestinationEventBridge:
    Type: AWS::SES::ConfigurationSetEventDestination
    Properties:
      ConfigurationSetName: !Ref SesConfigurationSet
      EventDestination:
        Name: !Sub "${AWS::StackName}-events-eventbridge"
        Enabled: true
        MatchingEventTypes: [send, delivery, bounce, complaint, reject, open, click]
        EventBridgeDestination:
          # SES publishes only to the account's default event bus; attach EventBridge
          # rules to that bus to fan out to other buses or targets.
          EventBusArn: !Sub "arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:event-bus/default"
  SesEventDestinationCloudWatch:
    Type: AWS::SES::ConfigurationSetEventDestination
    Properties:
      ConfigurationSetName: !Ref SesConfigurationSet
      EventDestination:
        Name: !Sub "${AWS::StackName}-events-cloudwatch"
        Enabled: true
        MatchingEventTypes: [send, delivery, bounce, complaint, reject, open, click]
        CloudWatchDestination:
          DimensionConfigurations:
            - DimensionName: "SESDomain"
              DimensionValueSource: "emailHeader"
              # Default values may only contain letters, digits, '_' and '-',
              # so a dotted domain name is not allowed here.
              DefaultDimensionValue: "unknown"

  # ----------------------------
  # SES Email Identity (Domain)
  # ----------------------------
  SesEmailIdentity:
    Type: AWS::SES::EmailIdentity
    Properties:
      EmailIdentity: !Ref DomainName
      MailFromAttributes: !If
        - HasMailFrom
        - MailFromDomain: !Sub "${MailFromSubdomain}.${DomainName}"
          BehaviorOnMxFailure: USE_DEFAULT_VALUE
        - !Ref "AWS::NoValue"
      DkimSigningAttributes:
        # Easy DKIM key length (RSA_1024_BIT or RSA_2048_BIT); remove to accept the default
        NextSigningKeyLength: RSA_2048_BIT
      FeedbackAttributes:
        EmailForwardingEnabled: true
      ConfigurationSetAttributes:
        ConfigurationSetName: !Ref SesConfigurationSet
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W76
            reason: "SES Email Identity requires domain string; No secrets here."

  # ----------------------------
  # SES Receipt Rule Set & Rule (Inbound email)
  # ----------------------------
  SesReceiptRuleSet:
    Type: AWS::SES::ReceiptRuleSet
    Properties:
      RuleSetName: !Sub "${AWS::StackName}-receipt-rules"
  SesReceiptRuleSaveToS3:
    Type: AWS::SES::ReceiptRule
    # SES checks that it can write to the bucket when the rule is created,
    # so the bucket policy must exist first.
    DependsOn:
      - SesReceiptRuleSet
      - SesInboundBucketPolicy
    Properties:
      RuleSetName: !Ref SesReceiptRuleSet
      Rule:
        Name: !Sub "save-to-s3-${AWS::StackName}"
        Enabled: true
        Recipients:
          - !Ref DomainName
        ScanEnabled: true
        Actions:
          - S3Action:
              BucketName: !Ref SesInboundBucket
              ObjectKeyPrefix: !Sub "inbound/${DomainName}/"
              IamRoleArn: !GetAtt SesReceiptS3Role.Arn
          # Optionally invoke Lambda if provided (its resource policy must allow ses.amazonaws.com to invoke it)
          - !If
            - HasInboundLambda
            - LambdaAction:
                FunctionArn: !Ref InboundLambdaArn
                InvocationType: Event
            - !Ref "AWS::NoValue"

  # ----------------------------
  # (Optional) Template Example
  # ----------------------------
  SesTemplateWelcome:
    Type: AWS::SES::Template
    Properties:
      Template:
        TemplateName: !Sub "welcome-${AWS::StackName}"
        SubjectPart: "Welcome to our twtech service"
        HtmlPart: "<html><body><h1>Welcome</h1><p>Hello {{name}}</p></body></html>"
        TextPart: "Welcome to twtech SES Team, {{name}}"

Outputs:
  EmailIdentityRef:
    Description: "The SES Email Identity (domain) that was created"
    Value: !Ref SesEmailIdentity
  DkimTokenName1:
    Description: "Easy DKIM DNS token 1 - add as CNAME to your domain"
    Value: !GetAtt SesEmailIdentity.DkimDNSTokenName1
  DkimTokenValue1:
    Description: "Easy DKIM DNS token 1 value - add as CNAME to your domain"
    Value: !GetAtt SesEmailIdentity.DkimDNSTokenValue1
  DkimTokenName2:
    Description: "Easy DKIM DNS token 2 - add as CNAME to your domain"
    Value: !GetAtt SesEmailIdentity.DkimDNSTokenName2
  DkimTokenValue2:
    Description: "Easy DKIM DNS token 2 value - add as CNAME to your domain"
    Value: !GetAtt SesEmailIdentity.DkimDNSTokenValue2
  DkimTokenName3:
    Description: "Easy DKIM DNS token 3 - add as CNAME to your domain"
    Value: !GetAtt SesEmailIdentity.DkimDNSTokenName3
  DkimTokenValue3:
    Description: "Easy DKIM DNS token 3 value - add as CNAME to your domain"
    Value: !GetAtt SesEmailIdentity.DkimDNSTokenValue3
  ConfigurationSetName:
    Description: "Configuration Set name"
    Value: !Ref SesConfigurationSet
  BounceSNSTopicArn:
    Description: "SNS Topic ARN for bounces"
    Value: !Ref SesBounceTopic
  ComplaintSNSTopicArn:
    Description: "SNS Topic ARN for complaints"
    Value: !Ref SesComplaintTopic
  DeliverySNSTopicArn:
    Description: "SNS Topic ARN for deliveries"
    Value: !Ref SesDeliveryTopic
  InboundBucketName:
    Description: "S3 bucket that will hold inbound emails"
    Value: !Ref SesInboundBucket
  ReceiptRuleSetName:
    Description: "ReceiptRuleSet created (note: you may need to call SetActiveReceiptRuleSet to make it active)"
    Value: !Ref SesReceiptRuleSet
  ActivationNote:
    Description: "How to activate ReceiptRuleSet"
    Value: !Sub >-
      CloudFormation cannot always make a SES receipt rule set active automatically.
      After stack creation run: aws ses set-active-receipt-rule-set --rule-set-name ${SesReceiptRuleSet} --region ${AWS::Region}
      OR add a small Custom Resource that calls the SetActiveReceiptRuleSet API.
# End of template
14. Amazon SES Interview Questions & Answers (Basic → Expert)
BASIC LEVEL (Fundamentals)
1. What is Amazon SES?
Answer:
Amazon Simple Email Service (SES) is a scalable cloud email service used for sending transactional emails, marketing messages, notifications, and receiving emails. It supports SMTP, API, and AWS SDK.
2. What are the types of emails supported by SES?
Answer:
- Transactional (password reset, OTP)
- Marketing (newsletters)
- Bulk (large-scale campaigns)
- Inbound emails (receive, process, store emails)
3. What are SES sending identities?
Answer:
Identities validated by SES for sending emails:
- Email address
- Domain
- Configuration set identity
- Dedicated IP pool identity
4. What is the SES Sandbox?
Answer:
A restrictive environment where you must verify all sender & receiver emails. twtech must request a production access upgrade to send to unverified emails.
5. How can you send email using SES?
Answer:
- SES API
- AWS SDK (Boto3, JS, Java, etc.)
- SMTP interface
- SES Console (manual test only)
6. What DNS records are required for SES?
Answer:
- SPF (TXT)
- DKIM (CNAME)
- DMARC (TXT)
- MX (for inbound mail or Mail-From)
7. What is DKIM?
Answer:
DKIM (DomainKeys Identified Mail) ensures the authenticity & integrity of outgoing emails by digitally signing them.
8. What is SPF?
Answer:
SPF (Sender Policy Framework) validates that the sending IP is authorized to send emails for the domain.
9. What is DMARC?
Answer:
A policy layer that defines how receivers handle spoofed or unauthenticated emails using SPF/DKIM results.
10. What is the SES global suppression list?
Answer:
A list of emails that previously generated bounces or complaints. SES will automatically block those recipients.
INTERMEDIATE LEVEL (Architecture & Operations)
11. What is a Configuration Set in SES?
Answer:
A configuration set allows you to apply rules to outbound emails, including:
- Open/click tracking
- Dedicated IP pools
- Event publishing
- Tagging
12. What are SES Event Destinations?
Answer:
Where SES sends event data:
- SNS
- CloudWatch
- EventBridge
- Kinesis Firehose
- Pinpoint analytics
13. What events can SES track?
Answer:
- Sends
- Deliveries
- Bounces
- Complaints
- Rejects
- Opens
- Clicks
14. How does SES handle bounce notifications?
Answer:
SES can send bounce notifications to:
- SNS topics
- EventBridge
- CloudWatch metrics
Applications use these to react (ex: remove invalid emails).
15. What is a Dedicated IP (DIP) in SES?
Answer:
An IP address reserved exclusively for your SES account to isolate reputation from other users.
16. What is IP warm-up?
Answer:
Gradually increasing email volume to establish a good sender reputation for new IP addresses.
17. How do you receive emails with SES?
Answer:
With Receipt Rules and Rule Sets, email can be routed to:
- S3
- Lambda
- SNS
- WorkMail
- Step Functions
18. What is a Receipt Rule Set?
Answer:
A set of rules that define how inbound email is processed.
19. How do you store inbound emails?
Answer:
Using an S3 action in a Receipt Rule. SES will store the raw MIME email in S3.
20. What protocol does SES SMTP use?
Answer:
SMTP over TLS — typically:
- TLS (port 587)
- STARTTLS (port 25 / 587)
- SSL (port 465, varies)
ADVANCED LEVEL (DevOps, Deliverability, Security)
21. How do you improve email deliverability in SES?
Answer:
- Enable DKIM
- Set up SPF & DMARC
- Maintain low bounce/complaint rates
- Warm up IPs
- Use Configuration Sets
- Clean recipient lists
- Avoid spammy content
- Maintain SMTP reputation
22. What is a Feedback Loop (FBL)?
Answer:
A mechanism where ISPs send complaint/bounce data back to SES, which forwards it to SNS/EventBridge.
23. How do you secure an SES sending application?
Answer:
- Use IAM Roles instead of SMTP credentials
- Enforce TLS 1.2+
- Restrict sending permissions
- Encrypt emails using KMS (via RawEmail)
- Avoid storing SMTP passwords in code
24. How do you track email opens/clicks?
Answer:
Enable open & click tracking in:
- Configuration Sets
- Or explicitly through tags
SES inserts:
- A 1×1 tracking pixel
- Link rewriting for click tracking
25. How do you integrate SES with CloudWatch?
Answer:
Use a CloudWatch Destination inside a Configuration Set to generate:
- Metrics (bounce rate, complaint rate)
- Alarms
- Dashboards
26. How do you prevent spam using SES?
Answer:
- Enable DMARC with p=reject
- Enable DKIM
- Remove unengaged users
- Monitor reputation
- Use verified domains
- Throttle suspicious senders
27. How does SES handle high-volume sending?
Answer:
SES auto-scales but applies:
- Send limits (per-second & per-day)
- Reputation-based throttling
- Rate limits based on bounce/complaint rate
28. When would you use SendRawEmail?
Answer:
When you need:
- Attachments
- Custom headers
- Multi-part MIME
- DKIM-signing manually
- Complex HTML templates
29. What causes SES to block your account?
Answer:
- Complaint rate > 0.1%
- Bounce rate > 5%
- Spam or phishing reports
- Blacklisted IPs
- Violating anti-abuse policies
30. How do you migrate from SMTP servers to SES?
Answer:
- Replace MTA with SES SMTP endpoint
- Add SPF, DKIM, DMARC
- Import lists after hygiene cleaning
- Use configuration sets
- Enable metrics + event destinations
- Gradually warm up new domains/IPs
EXPERT LEVEL (Architecture, Compliance, Scaling, Strategy)
31. Explain the full SES outbound architecture.
Answer:
1. App sends email → SES API/SMTP
2. SES authenticates identity
3. DKIM/SPF evaluation
4. SES routes email internally
5. MTA dispatches to ISP
6. Receives response (success, bounce, complaint)
7. Event → SNS/EventBridge/CloudWatch
8. Suppression list updated
9. Metrics → Monitoring dashboards
32. How does SES differ from WorkMail, SNS, and Pinpoint?
Answer:
| Service | Purpose |
|---|---|
| SES | Email sending/receiving infrastructure |
| WorkMail | Managed corporate email service |
| SNS | Alerts, push notifications, pub/sub |
| Pinpoint | Multi-channel marketing automation & analytics |
33. How do you build a fully serverless inbound email processing pipeline?
Answer:
- SES → Receipt Rule
- S3 stores email
- S3 Event → Lambda
- Parse MIME
- Route to DynamoDB / SQS / Step Functions
- Apply spam filtering via Lambda
- Archive to Glacier
34. Explain domain reputation vs. IP reputation.
Answer:
- Domain reputation: Based on sending behavior of domain; portable across IPs.
- IP reputation: Based on sending history of IP; depends on warm-up and ISPs.
SES manages shared IP reputation unless using Dedicated IPs.
35. How do you implement DMARC at scale in multi-domain systems?
Answer:
- Create organization-level policy (_dmarc.company.com)
- Subdomain inheritance
- Use rua/ruf reporting to central logs
- Automate DNS creation via IaC
- Deploy dashboards for alignment monitoring
36. How do you set up SES across multiple AWS regions?
Answer:
- Verify domain per region
- Configure DNS for each region
- Independent sending quotas
- Sync templates, config sets
- Use Route 53 health checks for regional failover
37. How do you integrate SES with third-party BI/Analytics systems?
Answer:
- Use Kinesis Firehose → S3
- Use Glue catalog
- Query with Athena
- Connect BI tools (Tableau/QuickSight/PowerBI)
38. Explain soft vs hard bounce handling.
Answer:
Soft bounce: Temporary failure (mailbox full, rate-limited). Retry allowed.
Hard bounce: Permanent failure (invalid address). Remove address immediately.
39. How do you design a multi-tenant SES architecture?
Answer:
- Use configuration sets per tenant
- Tags for cost allocation
- S3 prefix-by-tenant
- EventBridge rules per tenant
- Dedicated IPs for premium tenants
- Throttling via API gateways or queues
40. How do you implement end-to-end encryption with SES?
Answer:
- Use AWS KMS to encrypt the email body
- Use SendRawEmail with encrypted MIME parts
- Use TLS for SMTP transport
- Decrypt via Lambda on recipient side
- Ensure S3 inbound storage uses SSE-KMS
BONUS: Hands-On Architecture Questions
41. Draw the SES inbound pipeline.
Expect answers including:
- MX record → SES
- Receipt Rule Set
- Actions → S3 / Lambda / SNS
- IAM Role
- S3 lifecycle management
- Event-driven consumers
42. Draw the full SES outbound delivery workflow.
Expect:
- App → SES API
- DKIM signing
- Reputation system
- Feedback loop
- Event destinations
- Suppression list
- ISP routing
43. What happens internally when SES throttles a sender?
Answer:
- Exceeds sending rate
- SES queues the messages
- Drops if queueing too large
- Increases delay based on reputation
- May send temporarily-failed notifications
44. Explain SES multi-account architecture for enterprises.
Answer:
- Central SES sending account
- Sub-accounts assume roles for sending
- EventBridge routing for centralized logs
- SCP enforcement for least privilege
- Shared dedicated IP pool
45. How do you design SES for strict compliance requirements (HIPAA, PCI, FedRAMP)?
Answer:
- Use SSE-KMS and customer-managed CMKs
- Enforce TLS-only sending
- Disable SMTP passwords
- Log all events through EventBridge
- Encrypt S3 inbound mail
- Use private subdomains for Mail-From
- Apply least-privilege IAM
- Restrict cross-account sending