I'm sending notifications to an HTTPS—or HTTP—endpoint using Amazon Simple Notification Service (Amazon SNS). I want to prevent spoofing attacks, so how do I verify the authenticity of the Amazon SNS messages that my endpoint receives?
Resolution
It's a best practice to use certificate-based signature validation when verifying the authenticity of an Amazon SNS notification. Every message that Amazon SNS delivers to an HTTP/S endpoint carries a Signature, a SignatureVersion and a SigningCertURL. You rebuild the string to sign from the message fields, download the certificate from SigningCertURL, and verify the signature with the certificate's public key. For instructions, see Verifying the signatures of Amazon SNS messages in the Amazon SNS Developer Guide.
To help prevent spoofing attacks, make sure that you do the following when verifying Amazon SNS message signatures:
- Always use HTTPS to get the certificate from Amazon SNS. Check that the SigningCertURL in the message starts with https:// before you fetch it, and never fall back to plain HTTP.
- Validate the authenticity of the certificate. Fetch it with a client that verifies the TLS certificate chain, and confirm that the downloaded file parses as an X.509 certificate before you use its public key.
- Verify that the certificate was sent from Amazon SNS. Confirm that the host in SigningCertURL is an Amazon SNS endpoint (sns.<region>.amazonaws.com) before you fetch it. If your code downloads whatever URL the message contains, an attacker can point SigningCertURL at a certificate that they control and sign a forged message with the matching private key.
- (When possible) Use one of the supported AWS SDKs for Amazon SNS to validate and verify messages instead of writing your own verifier.
Receiving a message over HTTPS does not by itself prove that it came from Amazon SNS. TLS on your endpoint authenticates your server to the caller, not the caller to you; only the message signature does that.
Example message body
The following is an example message payload string sent from Amazon SNS:
{
  "Type" : "Notification",
  "MessageId" : "e1f2a232-e8ce-5f0a-b5d3-fbebXXXXXXXX",
  "TopicArn" : "arn:aws:sns:us-east-1:XXXXXXXX:SNSHTTPSTEST",
  "Subject" : "Test",
  "Message" : "TestHTTPS",
  "Timestamp" : "2021-10-07T18:55:19.793Z",
  "SignatureVersion" : "1",
  "Signature" : "VetoDxbYMh0Ii/87swLEGZt6FB0ZzGRjlW5BiVmKK1OLiV8B8NaVlADa6ThbWd1s89A4WX1WQwJMayucR8oYzEcWEH6//VxXCMQxWD80rG/NrxLeoyas4IHXhneiqBglLXh/R9nDZcMAmjPETOW61N8AnLh7nQ27O8Z+HCwY1wjxiShwElH5/+2cZvwCoD+oka3Gweu2tQyZAA9ergdJmXA9ukVnfieEEinhb8wuaemihvKLwGOTVoW/9IRMnixrDsOYOzFt+PXYuKQ6KGXpzV8U/fuJDsWiFa/lPHWw9pqfeA8lqUJwrgdbBS9vjOJIL+u2c49kzlei8zCelK3n7w==",
  "SigningCertURL" : "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-7ff5318490ec183fbaddaa2aXXXXXXXX.pem",
  "UnsubscribeURL" : "https://sns.us-east-1.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-east-1:XXXXXXXX:SNSHTTPSTEST:b5ab2db8-7775-4852-bd1a-2520XXXXXXXX",
  "MessageAttributes" : {
    "surname" : {"Type":"String","Value":"SNSHTTPSTest"}
  }
}
For more information on message formats that Amazon SNS uses, refer to Parsing message formats.
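The following is an added example, written for this article and not code from AWS or from one of the AWS SDK validators, that applies the checks listed under Resolution to the example payload above. It validates SigningCertURL before anything is fetched, rebuilds the string to sign field by field, optionally rejects stale messages, and verifies the RSA signature. The host pattern for certificate URLs, the five-minute freshness window, and the fetch_pem callback are assumptions made for this example; the signature step requires the third-party cryptography package and is the only part that is not standard library. The page's Signature value cannot verify here because AWS redacted the identifiers and certificate.

```python
"""Checks for an Amazon SNS HTTP/S message: SigningCertURL validation,
string-to-sign reconstruction, timestamp freshness and signature verification."""
import base64
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Fields SNS signs for each message type, concatenated in this (alphabetical)
# order as "Name\nValue\n". Subject is only part of the string when present.
SIGNED_FIELDS = {
    "Notification": ("Message", "MessageId", "Subject", "Timestamp", "TopicArn", "Type"),
    "SubscriptionConfirmation": ("Message", "MessageId", "SubscribeURL", "Timestamp",
                                 "Token", "TopicArn", "Type"),
    "UnsubscribeConfirmation": ("Message", "MessageId", "SubscribeURL", "Timestamp",
                                "Token", "TopicArn", "Type"),
}

# Host pattern assumed here for SNS certificate URLs: sns.<region>.amazonaws.com
# (or .amazonaws.com.cn). Tighten it to the single region you subscribe in if you can.
_SNS_CERT_HOST = re.compile(r"^sns\.[a-z0-9-]+\.amazonaws\.com(\.cn)?$")

# The example payload from this page (identifiers redacted by AWS), reused as input.
SAMPLE_MESSAGE = {
    "Type": "Notification",
    "MessageId": "e1f2a232-e8ce-5f0a-b5d3-fbebXXXXXXXX",
    "TopicArn": "arn:aws:sns:us-east-1:XXXXXXXX:SNSHTTPSTEST",
    "Subject": "Test",
    "Message": "TestHTTPS",
    "Timestamp": "2021-10-07T18:55:19.793Z",
    "SignatureVersion": "1",
    "Signature": "VetoDxbYMh0Ii/87swLEGZt6FB0ZzGRjlW5BiVmKK1OLiV8B8NaVlADa6ThbWd1s89A4WX1WQwJMayucR8oYzEcWEH6//VxXCMQxWD80rG/NrxLeoyas4IHXhneiqBglLXh/R9nDZcMAmjPETOW61N8AnLh7nQ27O8Z+HCwY1wjxiShwElH5/+2cZvwCoD+oka3Gweu2tQyZAA9ergdJmXA9ukVnfieEEinhb8wuaemihvKLwGOTVoW/9IRMnixrDsOYOzFt+PXYuKQ6KGXpzV8U/fuJDsWiFa/lPHWw9pqfeA8lqUJwrgdbBS9vjOJIL+u2c49kzlei8zCelK3n7w==",
    "SigningCertURL": "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-7ff5318490ec183fbaddaa2aXXXXXXXX.pem",
}


def is_valid_signing_cert_url(url):
    """Only fetch the certificate from an HTTPS URL on an SNS host that points at a .pem."""
    p = urlparse(url)
    return (p.scheme == "https"
            and p.hostname is not None
            and _SNS_CERT_HOST.match(p.hostname) is not None
            and p.path.endswith(".pem"))


def string_to_sign(msg):
    """Rebuild the exact bytes SNS signed for this message type."""
    fields = SIGNED_FIELDS.get(msg.get("Type"))
    if fields is None:
        raise ValueError("unknown message Type: %r" % (msg.get("Type"),))
    parts = []
    for name in fields:
        if name == "Subject" and name not in msg:
            continue  # optional field, omitted from the signed string when absent
        if name not in msg:
            raise ValueError("message is missing signed field %r" % name)
        parts.append("%s\n%s\n" % (name, msg[name]))
    return "".join(parts).encode("utf-8")


def is_fresh(timestamp, now=None, max_age=timedelta(minutes=5)):
    """Replay hardening added in this example (SNS does not require it): reject a
    message whose signed Timestamp is more than max_age away from the current time."""
    try:
        ts = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return False
    now = now or datetime.now(timezone.utc)
    return abs(now - ts) <= max_age


def verify_signature(msg, cert_pem):
    """Verify msg["Signature"] with the public key of the X.509 certificate cert_pem
    (PEM bytes). Needs the 'cryptography' package. SignatureVersion 1 is
    SHA1withRSA and 2 is SHA256withRSA, both PKCS#1 v1.5."""
    from cryptography import x509
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import padding

    digest = {"1": hashes.SHA1(), "2": hashes.SHA256()}.get(msg.get("SignatureVersion"))
    if digest is None:
        raise ValueError("unsupported SignatureVersion %r" % (msg.get("SignatureVersion"),))
    cert = x509.load_pem_x509_certificate(cert_pem)
    try:
        cert.public_key().verify(base64.b64decode(msg["Signature"]), string_to_sign(msg),
                                 padding.PKCS1v15(), digest)
    except (InvalidSignature, ValueError):
        return False
    return True


def verify_message(msg, fetch_pem, now=None):
    """Full check, in the order that matters against a spoofer: refuse to fetch from
    an untrusted URL, drop stale messages, then verify the signature. fetch_pem(url)
    is a caller-supplied HTTPS GET (for example urllib.request with default CA
    verification) returning the PEM bytes; it is only called after URL validation."""
    url = msg.get("SigningCertURL", "")
    if not is_valid_signing_cert_url(url):
        return False
    if not is_fresh(msg.get("Timestamp"), now):
        return False
    return verify_signature(msg, fetch_pem(url))


if __name__ == "__main__":
    print(string_to_sign(SAMPLE_MESSAGE).decode())
    print("cert URL ok:", is_valid_signing_cert_url(SAMPLE_MESSAGE["SigningCertURL"]))
```

The order in verify_message is deliberate: the URL check runs before any network request, so a message that points SigningCertURL at an attacker's server never causes your endpoint to download from it, and the freshness check runs before the comparatively expensive RSA operation. If you drop the freshness check, keep the rest; it is the URL and signature checks that stop spoofing.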
Related information
Fanout to HTTP/S endpoints
Using AWS Lambda with Amazon SNS
What's the Amazon SNS IP address range?