Effective URL: https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html
Submission: On January 31 via api from US — Scanned from DE
AMAZON SNS SECURITY BEST PRACTICES

AWS provides many security features for Amazon SNS. Review these security features in the context of your own security policy.

NOTE
The guidance for these security features applies to common use cases and implementations. We recommend that you review these best practices in the context of your specific use case, architecture, and threat model.

PREVENTATIVE BEST PRACTICES

The following are preventative security best practices for Amazon SNS.
TOPICS
* Ensure topics aren't publicly accessible
* Implement least-privilege access
* Use IAM roles for applications and AWS services which require Amazon SNS access
* Implement server-side encryption
* Enforce encryption of data in transit
* Consider using VPC endpoints to access Amazon SNS
* Ensure subscriptions are not configured to deliver to raw HTTP endpoints

ENSURE TOPICS AREN'T PUBLICLY ACCESSIBLE

Unless you explicitly require anyone on the internet to be able to read or write to your Amazon SNS topic, you should ensure that your topic isn't publicly accessible, that is, accessible by everyone in the world (an anonymous caller) or by any authenticated AWS user (any AWS account).

* Avoid creating topic policies with an Allow statement whose Principal is "*" or {"AWS": "*"}. The first grants access to anyone, unauthenticated callers included; the second grants access to every AWS account.
* Avoid using a wildcard (*) as the principal. Instead, name a specific account, role, or user.

A wildcard principal is acceptable only when the same statement carries a condition that narrows it, for example the aws:SourceArn or aws:SourceAccount condition that an S3 event notification policy adds, or an aws:PrincipalOrgID condition that limits callers to your organization. To check a topic, retrieve its Policy attribute with aws sns get-topic-attributes --topic-arn <topic-arn> and review the principal and conditions of every Allow statement.

IMPLEMENT LEAST-PRIVILEGE ACCESS

When you grant permissions, you decide who receives them, which topics the permissions are for, and which API actions you want to allow on those topics. Implementing the principle of least privilege is important to reducing security risks. It also helps to reduce the negative effect of errors or malicious intent.

Follow the standard security advice of granting least privilege: grant only the permissions required to perform a specific task, and scope the Resource element to specific topic ARNs rather than "*". You can implement least privilege by combining identity-based policies (attached to the IAM roles and users that call Amazon SNS) with the topic's own resource-based policy. Amazon SNS uses the publisher-subscriber model, which calls for three kinds of access:

* Administrators – Access to creating, modifying, and deleting topics. Administrators also control topic policies (for example sns:SetTopicAttributes, sns:AddPermission, and sns:RemovePermission); nobody else should hold these actions.
* Publishers – Access to sending messages to topics (sns:Publish on the named topic ARNs).
* Subscribers – Access to subscribing to topics (sns:Subscribe, and sns:Unsubscribe for their own subscriptions).
For more information, see the following sections:
* Identity and access management in Amazon SNS
* Amazon SNS API permissions: Actions and resources reference

USE IAM ROLES FOR APPLICATIONS AND AWS SERVICES WHICH REQUIRE AMAZON SNS ACCESS

For applications or AWS services, such as Amazon EC2, to access Amazon SNS topics, they must use valid AWS credentials in their AWS API requests. Because long-term access keys aren't rotated automatically, you shouldn't store them in application code or on an EC2 instance.

Use an IAM role to supply temporary credentials to applications or services that need to access Amazon SNS. When you use a role, you don't need to distribute long-term credentials (such as a username, password, or access keys) to an EC2 instance or to an AWS service such as AWS Lambda. Instead, the role supplies temporary credentials that applications use when they call other AWS resources. Scope the role's policy to the specific topic ARNs and actions it needs, for example sns:Publish only, for a publisher. For more information, see IAM Roles and Common Scenarios for Roles: Users, Applications, and Services in the IAM User Guide.

IMPLEMENT SERVER-SIDE ENCRYPTION

To mitigate data leakage, use encryption at rest so that your messages are encrypted with a key stored separately from the messages themselves. Server-side encryption (SSE) provides data encryption at rest: Amazon SNS encrypts each message when it stores it and decrypts it when it is delivered to or read by an authorized caller. SSE uses keys managed in AWS Key Management Service (AWS KMS). Once your request is authenticated and authorized, there is no difference between accessing encrypted and unencrypted topics.

Two points matter in practice. A topic is encrypted only when its KmsMasterKeyId attribute is set, so that attribute is what to check. If you use a customer managed key, every publisher, including AWS services that publish to the topic on your behalf, needs kms:GenerateDataKey and kms:Decrypt on that key in the key policy; the key policy of the AWS managed key (alias/aws/sns) cannot be edited, so use a customer managed key when AWS services must publish to the topic. For more information, see Encryption at rest and Key management.

ENFORCE ENCRYPTION OF DATA IN TRANSIT

It's possible, but not recommended, to publish messages over plain HTTP, in which case they are not encrypted in transit. You can't, however, use HTTP when publishing to an encrypted SNS topic. AWS recommends that you use HTTPS instead of HTTP.
When you use HTTPS, messages are automatically encrypted in transit, even if the SNS topic itself isn't encrypted. Without HTTPS, a network-based attacker can eavesdrop on network traffic or manipulate it using an attack such as man-in-the-middle.

To enforce only encrypted connections over HTTPS, add the aws:SecureTransport condition to the topic policy attached to unencrypted SNS topics. This forces message publishers to use HTTPS instead of HTTP. The statement is an explicit Deny with a wildcard principal, so it applies to every caller, the topic owner included, and it overrides any Allow. It governs only the Publish API call; the transport used for deliveries to subscribers is set by each subscription's protocol (see the last section). You can use the following example policy as a guide:

{
  "Id": "ExamplePolicy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPublishThroughSSLOnly",
      "Action": "SNS:Publish",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:sns:us-east-1:123456789012:test-topic"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      },
      "Principal": "*"
    }
  ]
}

CONSIDER USING VPC ENDPOINTS TO ACCESS AMAZON SNS

If you have topics that you must be able to interact with, but these topics must not be exposed to the internet, use VPC endpoints to limit topic access to only the hosts within a particular VPC. You can use topic policies to control access to topics from specific Amazon VPC endpoints or from specific VPCs.

Amazon SNS VPC endpoints provide two ways to control access to your messages:
* You can control the requests, users, or groups that are allowed through a specific VPC endpoint (the endpoint policy).
* You can control which VPCs or VPC endpoints have access to your topic using a topic policy, with the aws:SourceVpc or aws:SourceVpce condition keys.

For more information, see Creating the endpoint and Creating an Amazon VPC endpoint policy for Amazon SNS.

ENSURE SUBSCRIPTIONS ARE NOT CONFIGURED TO DELIVER TO RAW HTTP ENDPOINTS

Avoid configuring subscriptions that deliver to an endpoint identified by a raw IP address. Always subscribe an endpoint by its domain name. For example, a subscription configured to deliver to http://1.2.3.4/my-path should be changed to http://my.domain.name/my-path. Prefer an https endpoint (https://my.domain.name/my-path) so that delivered messages are also encrypted in transit, and have the endpoint verify the signature that Amazon SNS attaches to every message before acting on it.
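The checks from the sections above can be run offline against a topic's Policy attribute and its subscription list. The script below is an added example written for this page, not code from the AWS documentation. It flags an Allow statement with a public principal and no narrowing condition, the absence of the HTTPS-only Deny, a wildcard sns:* grant, and http(s) subscriptions that use plain http or a raw IP address; the hardened sample policy also shows the publisher/subscriber split from the least-privilege section. The topic ARN, the role name order-publisher, the organization ID o-exampleorgid, and the endpoints are constructed for the example; the subscription dicts use the "Protocol" and "Endpoint" keys that ListSubscriptionsByTopic returns.

```python
"""Offline audit of an Amazon SNS topic policy and its subscriptions.

Added example for this page, not code from the AWS documentation. Checks a
topic policy document and a list of subscriptions (dicts with the "Protocol"
and "Endpoint" keys of ListSubscriptionsByTopic output) against the practices
above. Every ARN, role name, organization ID and endpoint is constructed.
"""
import ipaddress
import json
from urllib.parse import urlparse

# Condition keys that pin a wildcard principal to a known caller (its resource,
# account, organization, VPC or VPC endpoint). IAM compares key names
# case-insensitively, so they are matched lower-cased.
NARROWING_KEYS = {"aws:sourcearn", "aws:sourceaccount", "aws:principalaccount",
                  "aws:principalorgid", "aws:sourcevpc", "aws:sourcevpce"}


def _as_list(value):
    """Most IAM fields accept a string or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def is_public_principal(principal):
    """A bare "*" is anyone, unauthenticated included; {"AWS": "*"} is any AWS account."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def has_narrowing_condition(statement):
    return any(key.lower() in NARROWING_KEYS
               for key_values in statement.get("Condition", {}).values()
               for key in key_values)


def enforces_tls(statement):
    """True for a Deny on sns:Publish (or sns:*) guarded by aws:SecureTransport=false."""
    actions = {a.lower() for a in _as_list(statement.get("Action"))}
    if statement.get("Effect") != "Deny" or not actions & {"sns:publish", "sns:*"}:
        return False
    return any(key.lower() == "aws:securetransport" and str(value).lower() == "false"
               for operator, key_values in statement.get("Condition", {}).items()
               if operator.lower() == "bool"
               for key, value in key_values.items())


def audit_topic_policy(policy_text):
    """Return human-readable findings; an empty list means the policy passes."""
    findings, tls_enforced = [], False
    for statement in _as_list(json.loads(policy_text).get("Statement")):
        sid = statement.get("Sid", "<no Sid>")
        actions = {a.lower() for a in _as_list(statement.get("Action"))}
        if statement.get("Effect") == "Allow":
            if is_public_principal(statement.get("Principal")) and not has_narrowing_condition(statement):
                findings.append(f"{sid}: Allow with a public principal and no narrowing condition")
            if "sns:*" in actions:
                findings.append(f"{sid}: Allow grants every SNS action; name only the actions needed")
        tls_enforced = tls_enforced or enforces_tls(statement)
    if not tls_enforced:
        findings.append("no Deny on sns:Publish for aws:SecureTransport=false; plain HTTP publishing is allowed")
    return findings


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host or "")  # raises ValueError for a domain name or empty host
        return True
    except ValueError:
        return False


def audit_subscriptions(subscriptions):
    """Flag http(s) subscriptions that use plain http or a raw IP address as the host."""
    findings = []
    for sub in subscriptions:
        protocol, endpoint = sub.get("Protocol", "").lower(), sub.get("Endpoint", "")
        if protocol not in ("http", "https"):
            continue  # SQS, Lambda, email and other protocols are out of scope here
        if protocol == "http":
            findings.append(f"{endpoint}: delivery over plain http; use an https endpoint")
        if _is_ip_literal(urlparse(endpoint).hostname):
            findings.append(f"{endpoint}: delivery to a raw IP address; subscribe a domain name instead")
    return findings


TOPIC = "arn:aws:sns:us-east-1:123456789012:test-topic"  # constructed

# Constructed sample policies: an over-permissive topic, and one that names the
# publisher role, limits subscribing to the organization, and adds the HTTPS-only Deny.
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAnyonePublish", "Effect": "Allow", "Principal": "*",
     "Action": "SNS:Publish", "Resource": TOPIC}]})

HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublisherRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/order-publisher"},
     "Action": "SNS:Publish", "Resource": TOPIC},
    {"Sid": "SubscribeWithinOrg", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["SNS:Subscribe"], "Resource": TOPIC,
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
    {"Sid": "AllowPublishThroughSSLOnly", "Effect": "Deny", "Principal": "*",
     "Action": "SNS:Publish", "Resource": TOPIC,
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})

SAMPLE_SUBSCRIPTIONS = [  # constructed, shaped like ListSubscriptionsByTopic output
    {"Protocol": "http", "Endpoint": "http://1.2.3.4/my-path"},
    {"Protocol": "https", "Endpoint": "https://my.domain.name/my-path"},
    {"Protocol": "sqs", "Endpoint": "arn:aws:sqs:us-east-1:123456789012:orders"},
]
```

Running audit_topic_policy(PUBLIC_POLICY) reports the anonymous publish grant and the missing HTTPS-only Deny; audit_topic_policy(HARDENED_POLICY) returns no findings because the wildcard subscriber statement is narrowed by aws:PrincipalOrgID; audit_subscriptions(SAMPLE_SUBSCRIPTIONS) reports the http://1.2.3.4/my-path subscription twice (plain http, raw IP) and accepts the https domain-name endpoint. To use it on a real topic, feed it the Policy value from get-topic-attributes and the Subscriptions list from list-subscriptions-by-topic.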
© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.