I subscribed to a SNS topic with an endpoint of an email address.
I have received notice of unsubscribing from the topic lastnight, I asked all who had access to the inbox, nobody clicked the unsubscribe link.
I recreated the subscription and this morning it unsub itself again.
How could that be? And how can I prevent this from happening again? I looked up in CloudTrail but unsubscribe action is not logged unless they are made with in the console or via the API.
Any indicator would be helpful , thanks.
Subscription will be in 'Deleted state' as the subscriber unsubscribe the email subscription likely due to clicking the Unsubscribe URL from within the email notification.
It is recommended that we subscribe the email endpoint, manually copy the subscription URL and paste it in the SNS console. That way the subscription can only be deleted/removed by the SNS topic owner and not by clicking the unsubscribe url from email.
once we manually copy the link to the SNS console and confirm the subscription, we will have control over that subscription and a trace will be generated for audit purposes in CloudTrail.
It might indeed be the gmail automatic spam filter, but since there are no logs available this is hard to verify.
From the AWS Documentation I see that you can enable authentication for deletion. This should prevent it being deleted by gmail.
Deletes a subscription. If the subscription requires authentication for deletion, only the owner of the subscription or the topic's owner can unsubscribe, and an AWS signature is required. If the Unsubscribe call does not require authentication and the requester is not the subscription owner, a final cancellation message is delivered to the endpoint, so that the endpoint owner can easily resubscribe to the topic if the Unsubscribe request was unintended.
To change this permission, Go to your SNS topic overview and select the topic you want. Click on Edit topic policy. If you click on Advanced view, make sure something like this is added:
"Action": [
"SNS:Unsubscribe"
],
"Resource": "arn:aws:sns:<AWS_REGION>:<AWS_ACCOUNT_ID>:<SNS_TOPIC>",
"Condition": {
"StringEquals": {
"AWS:SourceOwner": "<AWS_ACCOUNT_ID>"
}
}
That will make sure only the account owner will be able to unsbuscrive, and not everyone. Change the vars between <> to your needs.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With