How do I verify the authenticity of Amazon SNS messages that are sent to HTTP and HTTPS endpoints?


I'm sending notifications to an HTTPS—or HTTP—endpoint using Amazon Simple Notification Service (Amazon SNS). I want to prevent spoofing attacks, so how do I verify the authenticity of the Amazon SNS messages that my endpoint receives?

Resolution

It's a best practice to use certificate-based signature validation when verifying the authenticity of an Amazon SNS notification. For instructions, see Verifying the signatures of Amazon SNS messages in the Amazon SNS Developer Guide.

To help prevent spoofing attacks, make sure that you do the following when verifying Amazon SNS message signatures:

  • Always use HTTPS to get the certificate from Amazon SNS.
  • Validate the authenticity of the certificate.
  • Verify that the certificate was sent from Amazon SNS.
  • (When possible) Use one of the supported AWS SDKs for Amazon SNS to validate and verify messages.

Example message body

The following is an example message payload string sent from Amazon SNS:

{
  "Type" : "Notification",
  "MessageId" : "e1f2a232-e8ce-5f0a-b5d3-fbebXXXXXXXX",
  "TopicArn" : "arn:aws:sns:us-east-1:XXXXXXXX:SNSHTTPSTEST",
  "Subject" : "Test",
  "Message" : "TestHTTPS",
  "Timestamp" : "2021-10-07T18:55:19.793Z",
  "SignatureVersion" : "1",
  "Signature" : "VetoDxbYMh0Ii/87swLEGZt6FB0ZzGRjlW5BiVmKK1OLiV8B8NaVlADa6ThbWd1s89A4WX1WQwJMayucR8oYzEcWEH6//VxXCMQxWD80rG/NrxLeoyas4IHXhneiqBglLXh/R9nDZcMAmjPETOW61N8AnLh7nQ27O8Z+HCwY1wjxiShwElH5/+2cZvwCoD+oka3Gweu2tQyZAA9ergdJmXA9ukVnfieEEinhb8wuaemihvKLwGOTVoW/9IRMnixrDsOYOzFt+PXYuKQ6KGXpzV8U/fuJDsWiFa/lPHWw9pqfeA8lqUJwrgdbBS9vjOJIL+u2c49kzlei8zCelK3n7w==",
  "SigningCertURL" : "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-7ff5318490ec183fbaddaa2aXXXXXXXX.pem",
  "UnsubscribeURL" : "https://sns.us-east-1.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-east-1:XXXXXXXX:SNSHTTPSTEST:b5ab2db8-7775-4852-bd1a-2520XXXXXXXX",
  "MessageAttributes" : {
    "surname" : {"Type":"String","Value":"SNSHTTPSTest"}
  }
}

For more information on message formats that Amazon SNS uses, refer to Parsing message formats.
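The following is an added example (not AWS code) that applies the checklist above to a message like the payload shown: it rejects any SigningCertURL that is not an HTTPS URL on an SNS amazonaws.com host, rebuilds the exact "Key\nValue\n" string that SNS signed, and then checks the RSA signature with the fetched certificate. It assumes the caller supplies a `fetch_pem(url)` function that downloads the certificate over a TLS-verifying HTTPS client, and that the `cryptography` package is installed for the RSA check.

```python
# Added example, not AWS's own code. Assumes fetch_pem(url) -> bytes is a
# TLS-verifying HTTPS download supplied by the caller, and that the
# `cryptography` package is available for the RSA signature check.
import base64
import re
from urllib.parse import urlparse

# Only https://sns.<region>.amazonaws.com[.cn]/<name>.pem is an acceptable
# source for the signing certificate; anything else is treated as spoofed.
_CERT_HOST = re.compile(r"^sns\.[a-z0-9\-]{3,}\.amazonaws\.com(\.cn)?$")

# Fields included in the string-to-sign, in the order SNS signs them.
_NOTIFICATION_KEYS = ("Message", "MessageId", "Subject", "Timestamp", "TopicArn", "Type")
_CONFIRMATION_KEYS = ("Message", "MessageId", "SubscribeURL", "Timestamp",
                      "Token", "TopicArn", "Type")
# SignatureVersion "1" is SHA1withRSA, "2" is SHA256withRSA.
_HASH_FOR_VERSION = {"1": "SHA1", "2": "SHA256"}


def is_valid_cert_url(url: str) -> bool:
    """True only for an HTTPS URL on a genuine SNS host that points at a .pem file."""
    p = urlparse(url)
    return (p.scheme == "https" and p.hostname is not None
            and bool(_CERT_HOST.match(p.hostname)) and p.path.endswith(".pem"))


def build_string_to_sign(msg: dict) -> str:
    """Rebuild the canonical text SNS signed: 'Key\\nValue\\n' per field, sorted order."""
    keys = _NOTIFICATION_KEYS if msg.get("Type") == "Notification" else _CONFIRMATION_KEYS
    # Subject is optional on notifications; the other keys must be present.
    return "".join(f"{k}\n{msg[k]}\n" for k in keys if k in msg)


def verify_sns_message(msg: dict, fetch_pem) -> bool:
    """Validate the certificate URL, fetch the cert over HTTPS, verify the signature."""
    hash_name = _HASH_FOR_VERSION.get(msg.get("SignatureVersion", ""))
    if hash_name is None:
        raise ValueError("unsupported SignatureVersion")
    cert_url = msg.get("SigningCertURL", "")
    if not is_valid_cert_url(cert_url):  # never fetch from an attacker-chosen host
        raise ValueError(f"refusing to fetch certificate from {cert_url!r}")
    from cryptography import x509
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import padding
    cert = x509.load_pem_x509_certificate(fetch_pem(cert_url))
    try:
        cert.public_key().verify(base64.b64decode(msg["Signature"]),
                                 build_string_to_sign(msg).encode("utf-8"),
                                 padding.PKCS1v15(), getattr(hashes, hash_name)())
        return True
    except Exception:
        return False
```

The URL check runs before any network call, so a message carrying a look-alike SigningCertURL is dropped without ever contacting the host it names.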


Related information

Fanout to HTTP/S endpoints

Using AWS Lambda with Amazon SNS

What's the Amazon SNS IP address range?

AWS OFFICIAL
Updated a year ago