Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

AWS SNS subscription keeps deleting the subscription itself

Tags:

amazon-web-services

amazon-sns

I subscribed to a SNS topic with an endpoint of an email address.

I have received notice of unsubscribing from the topic lastnight, I asked all who had access to the inbox, nobody clicked the unsubscribe link.

I recreated the subscription and this morning it unsub itself again.

How could that be? And how can I prevent this from happening again? I looked up in CloudTrail but unsubscribe action is not logged unless they are made with in the console or via the API.

Any indicator would be helpful , thanks.

like image 381
Gapton Avatar asked Apr 20 '18 04:04

Gapton

2 Answers

Subscription will be in 'Deleted state' as the subscriber unsubscribe the email subscription likely due to clicking the Unsubscribe URL from within the email notification.

It is recommended that we subscribe the email endpoint, manually copy the subscription URL and paste it in the SNS console. That way the subscription can only be deleted/removed by the SNS topic owner and not by clicking the unsubscribe url from email.

once we manually copy the link to the SNS console and confirm the subscription, we will have control over that subscription and a trace will be generated for audit purposes in CloudTrail.

like image 187
james Avatar answered Sep 20 '22 16:09

james

It might indeed be the gmail automatic spam filter, but since there are no logs available this is hard to verify.

From the AWS Documentation I see that you can enable authentication for deletion. This should prevent it being deleted by gmail.

Deletes a subscription. If the subscription requires authentication for deletion, only the owner of the subscription or the topic's owner can unsubscribe, and an AWS signature is required. If the Unsubscribe call does not require authentication and the requester is not the subscription owner, a final cancellation message is delivered to the endpoint, so that the endpoint owner can easily resubscribe to the topic if the Unsubscribe request was unintended.

To change this permission, Go to your SNS topic overview and select the topic you want. Click on Edit topic policy. If you click on Advanced view, make sure something like this is added:

  "Action": [
    "SNS:Unsubscribe"
  ],
  "Resource": "arn:aws:sns:<AWS_REGION>:<AWS_ACCOUNT_ID>:<SNS_TOPIC>",
  "Condition": {
    "StringEquals": {
      "AWS:SourceOwner": "<AWS_ACCOUNT_ID>"
    }
  }

That will make sure only the account owner will be able to unsbuscrive, and not everyone. Change the vars between <> to your needs.

like image 23
ThomasVdBerge Avatar answered Sep 21 '22 16:09

ThomasVdBerge
Sign in to Comment

Related questions

Cloud-front backed with Nginx (which proxies to S3) randomly missing already cached items?
How do I upgrade my Amazon Elastic Beanstalk MySQL RDS instance to 5.6?
How do I delete from DynamoDB List of Maps, by Map attribute value in said List?
What is the difference between volume and blockdevicemapping tags in EC2 CloudFormation
Copy S3 Bucket including versions
How does multi-line logging work in Lambda -> CloudWatch
aws fargate docker container instances not able to get local hostname
using AWS Glue with Apache Avro on schema changes
Aws load balancer for Server Sent Events or Websockets
Ansible deployment to windows host behind bastion
Heroku multi region support
Deploy to elasticbeanstalk via CLI deploy command with Dockerrun.aws.json
Python: AWS Lambda "errorMessage": "Unable to import module '<module_name>'"
IAM Role limit sts:AssumeRole to one AWS Lambda function
AWS Elasticsearch & VPC - configuring network access from my fixed IP
Cloudformation KeyValuePair List as a parameter
API Gateway custom domain certificate error

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!