Submitted URL: https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#ensure-topics-not-publicly-accessible
Effective URL: https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html
Submission: On June 17 via api from US — Scanned from DE



Amazon SNS security best practices - Amazon Simple Notification Service
AMAZON SNS SECURITY BEST PRACTICES


AWS provides many security features for Amazon SNS. Review these security
features in the context of your own security policy.

Note

The guidance for these security features applies to common use cases and
implementations. We recommend that you review these best practices in the
context of your specific use case, architecture, and threat model.


PREVENTATIVE BEST PRACTICES

The following are preventative security best practices for Amazon SNS.

Topics

 * Ensure topics aren't publicly accessible
 * Implement least-privilege access
 * Use IAM roles for applications and AWS services which require Amazon SNS
   access
 * Implement server-side encryption
 * Enforce encryption of data in transit
 * Consider using VPC endpoints to access Amazon SNS
 * Ensure subscriptions are not configured to deliver to raw http endpoints


ENSURE TOPICS AREN'T PUBLICLY ACCESSIBLE

Unless you explicitly require anyone on the internet to be able to read or write
to your Amazon SNS topic, you should ensure that your topic isn't publicly
accessible (accessible by everyone in the world or by any authenticated AWS
user).

 * Avoid creating policies with Principal set to "".

 * Avoid using a wildcard (*). Instead, name a specific user or users.
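The two bullets above describe the policy shapes to avoid. The following checker, added here as an example and not AWS's own code, reads a topic policy (as a dict or as the JSON string that the Policy attribute of GetTopicAttributes carries) and reports the statements that grant public access: an Allow whose Principal is "*" or {"AWS": "*"} with no Condition. Treating any Condition (for example aws:SourceAccount, or the aws:SourceVpce key used with VPC endpoints later on this page) as narrowing the wildcard is this example's simplification, and the sample policies and ARNs are constructed.

```python
"""Flag Amazon SNS topic policy statements that leave a topic publicly accessible.

Added example, not AWS's own code. An Allow statement is treated as public when
its Principal is the wildcard ("*" or {"AWS": "*"}) and it carries no Condition.
Treating any Condition as a narrowing scope is this example's simplification; a
full auditor would evaluate what each condition admits. Samples are constructed.
"""
import json


def _as_list(value):
    """Policy grammar allows a scalar or a list in most places; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (the AWS value may itself be a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_statements(policy):
    """Return the Sid (or positional label) of every statement granting public access.

    policy: the topic policy as a dict, or as the JSON string that the "Policy"
    attribute of GetTopicAttributes carries.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    flagged = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny with Principal "*" restricts access, it never widens it
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue  # a named account, role or user
        if stmt.get("Condition"):
            continue  # wildcard scoped by a condition, e.g. aws:SourceVpce
        flagged.append(stmt.get("Sid", f"statement[{index}]"))
    return flagged


TOPIC_ARN = "arn:aws:sns:us-east-1:111111111111:example-topic"  # constructed

# Constructed: anyone may publish -> public
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OpenPublish",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "SNS:Publish",
        "Resource": TOPIC_ARN,
    }],
}

# Constructed: wildcard principal limited to one VPC endpoint -> not public
VPCE_SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublishFromVpceOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "SNS:Publish",
        "Resource": TOPIC_ARN,
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
}

# Constructed: a named role may publish; "*" appears only in a Deny -> not public
NAMED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublisherRoleOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:role/order-publisher"},
            "Action": "SNS:Publish",
            "Resource": TOPIC_ARN,
        },
        {
            "Sid": "DenyPlainHttp",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "SNS:Publish",
            "Resource": TOPIC_ARN,
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}

if __name__ == "__main__":
    for name, policy in [("open", OPEN_POLICY), ("vpce", VPCE_SCOPED_POLICY), ("named", NAMED_POLICY)]:
        print(f"{name}: {public_statements(policy) or 'not public'}")
```

Run it against the Policy attribute of each topic in an account; any non-empty result is a topic that everyone, or every authenticated AWS user, can reach.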


IMPLEMENT LEAST-PRIVILEGE ACCESS

When you grant permissions, you decide who receives them, which topics the
permissions are for, and specific API actions that you want to allow for these
topics. Implementing the principle of least privilege is important to reducing
security risks. It also helps to reduce the negative effect of errors or
malicious intent.

Follow the standard security advice of granting least privilege. That is, grant
only the permissions required to perform a specific task. You can implement
least privilege by using a combination of security policies pertaining to user
access.

Amazon SNS uses the publisher-subscriber model, requiring three types of user
account access:

 * Administrators – Access to creating, modifying, and deleting topics.
   Administrators also control topic policies.

 * Publishers – Access to sending messages to topics.

 * Subscribers – Access to subscribing to topics.

For more information, see the following sections:

 * Identity and access management in Amazon SNS

 * Amazon SNS API permissions: Actions and resources reference
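The three access types above map naturally onto three narrowly scoped identity policies. The code below, added here as an example and not AWS's own code, builds one policy per role for a single topic and audits an existing policy for Allow grants that exceed the role (wildcard actions, wildcard resources, or actions outside the role's set). Which API actions belong to each role is this example's assumption, and the topic ARN is constructed.

```python
"""Role-scoped identity policies for the three Amazon SNS access types the guide lists.

Added example, not AWS's own code. role_policy() builds an administrator,
publisher or subscriber policy for one topic; excess_grants() checks an existing
policy for Allow grants that go beyond that role. The action grouping per role is
this example's assumption, and the topic ARN is constructed.
"""
import json

ROLE_ACTIONS = {
    "administrator": {
        "sns:CreateTopic", "sns:DeleteTopic", "sns:SetTopicAttributes",
        "sns:GetTopicAttributes", "sns:AddPermission", "sns:RemovePermission",
    },
    "publisher": {"sns:Publish"},
    "subscriber": {"sns:Subscribe", "sns:Unsubscribe", "sns:GetTopicAttributes"},
}


def _as_list(value):
    """Policy grammar allows a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def role_policy(role, topic_arn):
    """Identity-based policy that grants only the role's actions, only on topic_arn."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": f"Sns{role.capitalize()}",
            "Effect": "Allow",
            "Action": sorted(ROLE_ACTIONS[role]),
            "Resource": topic_arn,
        }],
    }


def excess_grants(policy, role, topic_arn):
    """Return (action, resource) pairs an Allow statement grants beyond the role.

    IAM matches action names case-insensitively ("SNS:Publish" == "sns:Publish"),
    so names are lowercased before comparison. Wildcards such as "sns:*" or a
    Resource of "*" are reported as written, since they exceed any fixed set.
    """
    allowed = {a.lower() for a in ROLE_ACTIONS[role]}
    excess = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            for resource in _as_list(stmt.get("Resource")):
                if action.lower() not in allowed or resource != topic_arn:
                    excess.append((action, resource))
    return excess


TOPIC_ARN = "arn:aws:sns:us-east-1:111111111111:orders"  # constructed

# Constructed over-broad policy of the kind least privilege is meant to replace
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sns:*", "Resource": "*"}],
}

if __name__ == "__main__":
    for role in ROLE_ACTIONS:
        print(json.dumps(role_policy(role, TOPIC_ARN), indent=2))
    print("excess for a publisher:", excess_grants(BROAD_POLICY, "publisher", TOPIC_ARN))
```

A publisher policy produced this way allows exactly sns:Publish on one topic ARN; the audit reports the "sns:*" on "*" grant of the broad policy, which is what a compromised publisher credential would otherwise inherit.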


USE IAM ROLES FOR APPLICATIONS AND AWS SERVICES WHICH REQUIRE AMAZON SNS ACCESS

For applications or AWS services, such as Amazon EC2, to access Amazon SNS
topics, they must use valid AWS credentials in their AWS API requests. Because
these credentials aren't rotated automatically, you shouldn't store AWS
credentials directly in the application or EC2 instance.

You should use an IAM role to manage temporary credentials for applications or
services that need to access Amazon SNS. When you use a role, you don't need to
distribute long-term credentials (such as a user name, password, and access
keys) to an EC2 instance or AWS service, such as AWS Lambda. Instead, the role
supplies temporary permissions that applications can use when they make calls to
other AWS resources.

For more information, see IAM Roles and Common Scenarios for Roles: Users,
Applications, and Services in the IAM User Guide.
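The practical check that follows from this section is whether long-term keys have ended up inside application code or configuration at all. The scanner below is added here as an example and is not AWS's own code; it looks for the long-term access key ID format (20 characters starting with "AKIA") and for assignments of a 40-character secret access key. Temporary credentials obtained through a role start with "ASIA" and are left alone. Every sample string is constructed and contains no real key.

```python
"""Find long-term AWS credentials hardcoded in application source or config.

Added example, not AWS's own code. It flags the long-term access key ID format
(20 characters starting with "AKIA") and assignments of a 40-character secret
access key. Temporary credentials from a role start with "ASIA" and are not
flagged. Every sample string below is constructed and contains no real key.
"""
import re

ACCESS_KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?[A-Za-z0-9/+=]{40}")


def find_embedded_credentials(text):
    """Return (line_number, kind) for every hardcoded credential found in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ACCESS_KEY_ID_RE.search(line):
            hits.append((lineno, "access_key_id"))
        if SECRET_KEY_RE.search(line):
            hits.append((lineno, "secret_access_key"))
    return hits


# Constructed: a credentials file baked into an application image (the anti-pattern)
BAKED_IN_CONFIG = """\
# constructed sample, not real credentials
[default]
aws_access_key_id = AKIAEXAMPLEEXAMPLE01
aws_secret_access_key = EXAMPLEsecretEXAMPLEsecretEXAMPLEsecre01
region = us-east-1
"""

# Constructed: application code that lets the attached role supply credentials
ROLE_BASED_CODE = """\
import boto3
# No keys in code: the SDK picks up temporary credentials from the instance
# or function role automatically.
sns = boto3.client("sns", region_name="us-east-1")
"""

if __name__ == "__main__":
    print("baked-in config:", find_embedded_credentials(BAKED_IN_CONFIG))
    print("role-based code:", find_embedded_credentials(ROLE_BASED_CODE))
```

A hit in a build artifact or container layer is the signal to move that workload onto an instance profile or execution role; the role-based snippet passes because nothing in it is a credential.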


IMPLEMENT SERVER-SIDE ENCRYPTION

To mitigate data leakage issues, use encryption at rest to encrypt your messages
using a key stored in a different location from the location that stores your
messages. Server-side encryption (SSE) provides data encryption at rest. Amazon
SNS encrypts your data at the message level when it stores it, and decrypts the
messages for you when you access them. SSE uses keys managed in AWS Key
Management Service. When you authenticate your request and have access
permissions, there is no difference between accessing encrypted and unencrypted
topics.

For more information, see Encryption at rest and Key management.


ENFORCE ENCRYPTION OF DATA IN TRANSIT

It's possible, but not recommended, to publish messages that are not encrypted
during transit by using HTTP. You can't, however, use HTTP when publishing to an
encrypted SNS topic.

AWS recommends that you use HTTPS instead of HTTP. When you use HTTPS, messages
are automatically encrypted during transit, even if the SNS topic itself isn't
encrypted. Without HTTPS, a network-based attacker can eavesdrop on network
traffic or manipulate it using an attack such as man-in-the-middle.

To enforce only encrypted connections over HTTPS, add the aws:SecureTransport
condition in the IAM policy that's attached to unencrypted SNS topics. This
forces message publishers to use HTTPS instead of HTTP. You can use the
following example policy as a guide:

{
  "Id": "ExamplePolicy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPublishThroughSSLOnly",
      "Action": "SNS:Publish",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:sns:us-east-1:1234567890:test-topic"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      },
      "Principal": "*"
    }
  ]
}
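To check both of the previous sections at once, the auditor below, added here as an example and not AWS's own code, takes the attribute map that GetTopicAttributes returns (the "KmsMasterKeyId" key is present when SSE is enabled; "Policy" carries the topic policy as a JSON string) and reports whether the topic is encrypted at rest and whether its policy contains a Deny on sns:Publish conditioned on aws:SecureTransport being false, the pattern in the policy above. Following the text, the transport check is only raised for unencrypted topics, since HTTP publishing is already refused for encrypted ones. The attribute maps are constructed.

```python
"""Audit an Amazon SNS topic for encryption at rest and enforced HTTPS publishing.

Added example, not AWS's own code. Input is the attribute map GetTopicAttributes
returns: "KmsMasterKeyId" is present when SSE is enabled and "Policy" carries the
topic policy as a JSON string. The attribute maps below are constructed.
"""
import json


def _as_list(value):
    """Policy grammar allows a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def sse_enabled(attributes):
    """SSE is on when the topic names a KMS key."""
    return bool(attributes.get("KmsMasterKeyId"))


def enforces_https(policy):
    """True if some Deny statement rejects sns:Publish over a non-TLS connection."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sns:publish", "sns:*", "*"}:
            continue
        # The condition value may be written as the string "false" or as JSON false.
        value = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if value is not None and str(value).lower() == "false":
            return True
    return False


def audit_topic(attributes):
    """Return a list of findings; an empty list means the topic passed both checks."""
    findings = []
    if not sse_enabled(attributes):
        findings.append("server-side encryption (SSE) is not enabled")
        # The guide states HTTP publishing is refused for encrypted topics, so the
        # transport check is what protects an unencrypted one.
        if not enforces_https(attributes.get("Policy", "{}")):
            findings.append("policy does not deny sns:Publish over plain HTTP")
    return findings


TOPIC_ARN = "arn:aws:sns:us-east-1:111111111111:example-topic"  # constructed

# Same shape as the page's example policy, with a constructed ARN
HTTPS_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowPublishThroughSSLOnly",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "SNS:Publish",
        "Resource": TOPIC_ARN,
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

# Constructed attribute maps in the shape GetTopicAttributes returns
UNENCRYPTED_TOPIC = {"TopicArn": TOPIC_ARN, "Policy": "{}"}
HTTPS_ONLY_TOPIC = {"TopicArn": TOPIC_ARN, "Policy": HTTPS_ONLY_POLICY}
ENCRYPTED_TOPIC = {"TopicArn": TOPIC_ARN, "KmsMasterKeyId": "alias/aws/sns", "Policy": "{}"}

if __name__ == "__main__":
    for name, attrs in [("unencrypted", UNENCRYPTED_TOPIC),
                        ("https-only", HTTPS_ONLY_TOPIC),
                        ("encrypted", ENCRYPTED_TOPIC)]:
        print(f"{name}: {audit_topic(attrs) or 'ok'}")
```

Note that an Allow statement carrying the same aws:SecureTransport condition does not enforce anything; only a Deny blocks the plaintext path, which is why enforces_https() ignores Allow statements.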


CONSIDER USING VPC ENDPOINTS TO ACCESS AMAZON SNS

If you have topics that you must be able to interact with, but these topics must
absolutely not be exposed to the internet, use VPC endpoints to limit topic
access to only the hosts within a particular VPC. You can use topic policies to
control access to topics from specific Amazon VPC endpoints or from specific
VPCs.

Amazon SNS VPC endpoints provide two ways to control access to your messages:

 * You can control the requests, users, or groups that are allowed through a
   specific VPC endpoint.

 * You can control which VPCs or VPC endpoints have access to your topic using a
   topic policy.

For more information, see Creating the endpoint and Creating an Amazon VPC
endpoint policy for Amazon SNS.


ENSURE SUBSCRIPTIONS ARE NOT CONFIGURED TO DELIVER TO RAW HTTP ENDPOINTS

Avoid configuring subscriptions to deliver to raw HTTP endpoints. Always have
subscriptions deliver to an endpoint domain name. For example, a subscription
configured to deliver to the endpoint http://1.2.3.4/my-path should be changed
to http://my.domain.name/my-path.
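The check for this section is a scan of existing subscriptions. The code below, added here as an example and not AWS's own code, takes subscription records shaped like the entries ListSubscriptionsByTopic returns ("SubscriptionArn", "Protocol", "Endpoint") and reports the http and https ones whose endpoint host is an IPv4 or IPv6 literal, handling ports and bracketed IPv6 hosts. The subscription list and ARNs are constructed.

```python
"""Find HTTP/S subscriptions that deliver to a raw IP address rather than a domain name.

Added example, not AWS's own code. Subscription records are in the shape of the
entries ListSubscriptionsByTopic returns; the list and ARNs are constructed.
"""
import ipaddress
from urllib.parse import urlsplit


def endpoint_host_is_ip(endpoint):
    """True when the URL's host parses as an IPv4 or IPv6 address literal."""
    host = urlsplit(endpoint).hostname  # drops the port and IPv6 brackets
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False  # a domain name, as the guide recommends
    return True


def raw_ip_subscriptions(subscriptions):
    """SubscriptionArns of http/https subscriptions that target an IP literal."""
    return [
        sub["SubscriptionArn"]
        for sub in subscriptions
        if sub.get("Protocol") in ("http", "https")
        and endpoint_host_is_ip(sub.get("Endpoint", ""))
    ]


TOPIC_ARN = "arn:aws:sns:us-east-1:111111111111:example-topic"  # constructed
SAMPLE_SUBSCRIPTIONS = [  # constructed records
    {"SubscriptionArn": f"{TOPIC_ARN}:sub-0001", "Protocol": "http",
     "Endpoint": "http://1.2.3.4/my-path"},
    {"SubscriptionArn": f"{TOPIC_ARN}:sub-0002", "Protocol": "https",
     "Endpoint": "https://my.domain.name/my-path"},
    {"SubscriptionArn": f"{TOPIC_ARN}:sub-0003", "Protocol": "https",
     "Endpoint": "https://[2001:db8::1]:8443/hook"},
    {"SubscriptionArn": f"{TOPIC_ARN}:sub-0004", "Protocol": "sqs",
     "Endpoint": "arn:aws:sqs:us-east-1:111111111111:example-queue"},
]

if __name__ == "__main__":
    for arn in raw_ip_subscriptions(SAMPLE_SUBSCRIPTIONS):
        print("raw IP endpoint:", arn)
```

Only the http/https protocols are inspected; SQS, Lambda, e-mail and SMS endpoints are not URLs and are skipped.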

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved.