How do I verify that SNS messages sent to HTTP and HTTPS endpoints are authentic?

2 minute read

I use Amazon Simple Notification Service (Amazon SNS) to send notifications to an HTTPS or HTTP endpoint. I want to verify that the Amazon SNS messages sent to the endpoints are authentic to prevent spoofing attacks.

Resolution

It's a best practice to use certificate-based signature validation when you verify the authenticity of an Amazon SNS notification. For more information, see Verifying the signatures of Amazon SNS messages.

To help prevent spoofing attacks when you verify Amazon SNS message signatures, complete the following actions:

Always use HTTPS to get the certificate from Amazon SNS.
Validate the authenticity of the certificate.
Verify that Amazon SNS sent the certificate.
Use one of the supported AWS SDKs for Amazon SNS to validate and verify messages when possible.

Example message body

The following is an example message payload string sent from Amazon SNS:

{"Type" : "Notification",
"MessageId" : "e1f2a232-e8ce-5f0a-b5d3-fbebXXXXXXXX",
"TopicArn" : "arn:aws:sns:us-east-1:XXXXXXXX:SNSHTTPSTEST",
"Subject" : "Test",
"Message" : "TestHTTPS",
"Timestamp" : "2021-10-07T18:55:19.793Z",
"SignatureVersion" : "1",
"Signature" : "VetoDxbYMh0Ii/87swLEGZt6FB0ZzGRjlW5BiVmKK1OLiV8B8NaVlADa6ThbWd1s89A4WX1WQwJMayucR8oYzEcWEH6//VxXCMQxWD80rG/NrxLeoyas4IHXhneiqBglLXh/R9nDZcMAmjPETOW61N8AnLh7nQ27O8Z+HCwY1wjxiShwElH5/+2cZvwCoD+oka3Gweu2tQyZAA9ergdJmXA9ukVnfieEEinhb8wuaemihvKLwGOTVoW/9IRMnixrDsOYOzFt+PXYuKQ6KGXpzV8U/fuJDsWiFa/lPHWw9pqfeA8lqUJwrgdbBS9vjOJIL+u2c49kzlei8zCelK3n7w==",
"SigningCertURL" : "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-7ff5318490ec183fbaddaa2aXXXXXXXX.pem",
"UnsubscribeURL" : "https://sns.us-east-1.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-east-1:XXXXXXXX:SNSHTTPSTEST:b5ab2db8-7775-4852-bd1a-2520XXXXXXXX",
"MessageAttributes" : {
"surname" : {"Type":"String","Value":"SNSHTTPSTest"}
}
}

For more information, see Parsing Amazon SNS message formats.

Related information

Fanout Amazon SNS notifications to HTTPS endpoints

What's the Amazon SNS IP address range?

Topics: Application Integration
Tags: Amazon Simple Notification Service (SNS)
Language: English

AWS OFFICIALUpdated 3 months ago

No comments

Relevant content

Can SMS message be sent via SNS using a REST API endpoint (HTTP)?
AWS-User-8706605
asked 3 years ago
Best Practices for Securing SNS Endpoint
snail
asked a year ago
How to verify if we migrated correctly on FCM Http V1 api
mayuroza
asked 2 years ago
Integrating DLT Registered Sender ID and Template with SNS and Cognito for OTP SMS in India
jona
asked a year ago
AWS SNS SES notifications to basic-auth HTTPS endpoint always sent twice
Markus
asked 3 years ago
What's the Amazon SNS IP address range?
AWS OFFICIALUpdated 2 years ago
How do I troubleshoot issues when I subscribe an HTTP(S) endpoint to my Amazon SNS topic?
AWS OFFICIALUpdated 2 years ago
How do I troubleshoot IO exception for HTTP or HTTPS endpoint?
AWS OFFICIALUpdated 3 years ago
What are the best practices for sending SMS messages?
AWS OFFICIALUpdated 3 years ago
Simple Notification Service (SNS) - Incident Detection and Response Alarming Best Practices
EXPERT
AWS - Ben Harding
published a year ago