Amazon Simple Notification Service (SNS) | Security Flashcards
How would a user subscribe for notifications to be delivered over SMS?
Security
Amazon Simple Notification Service (SNS) | Application Integration
Please refer to the ‘SMS Related Question’ section below.
How can users secure the messages sent to my topics?
All API calls made to Amazon SNS are validated for the user’s AWS Id and the signature. In addition, we recommend that users secure their data over the wire by connecting to our secure SSL end-points.
Who can create a topic?
Topics can only be created by users with valid AWS IDs who have signed up for Amazon SNS. The easiest way to create a topic is to use the AWS Management Console. It can also be created through the CreateTopic API. The AWS Management Console is available at: http://aws.amazon.com/console
Can multiple users publish to a single topic?
A topic owner can set explicit permissions to allow more than one user (with a valid AWS ID) to publish to a topic. By default, only topic owners have permissions to publish to a topic.
How can the owner grant/revoke publish or subscribe permissions on a topic?
The AddPermission and RemovePermission APIs provide a simple interface for developers to add and remove permissions for a topic. However, for conditional access and more advanced use cases, users should use access control policies to manage permissions. The easiest way to manage permissions is to use the AWS Management Console. The AWS Management Console is available at: http://aws.amazon.com/console
How does a topic owner give access to subscribers? Do subscribers have to have valid AWS IDs?
Amazon SNS makes it easy for users with and without AWS IDs to receive notifications. The owner of the topic can grant/restrict access to subscribers by setting appropriate permissions for the topic using Access Control policies. Users can receive notifications from Amazon SNS in two ways:
Users with AWS IDs: Subscribers with valid AWS IDs can subscribe to any topic directly, as long as the topic owner has granted them permission to do so. The AWS IDs are validated as part of the subscription registration.
Other users: Topic owners can subscribe and register end-points on behalf of users without AWS IDs.
In both cases, the owner of the subscription endpoint needs to explicitly opt in and confirm the subscription by replying to the confirmation message sent by Amazon SNS.
How will Amazon SNS authenticate API calls?
All API calls made to Amazon SNS will validate authenticity by requiring that requests be signed with the secret key of the AWS ID account and verifying the signature included in the requests.
How does Amazon SNS validate a subscription request to ensure that notifications will not be sent to users as spam?
As part of the subscription registration, Amazon SNS will ensure that notifications are only sent to valid, registered subscribers/end-points. To prevent spam and ensure that a subscriber end-point is really interested in receiving notifications from a particular topic, Amazon SNS requires an explicit opt-in from subscribers using a 2-part handshake:
i. When a user first calls the Subscribe API and subscribes an end-point, Amazon SNS will send a confirmation message to the specified end-point.
ii. On receiving the confirmation message at the end-point, the subscriber should confirm the subscription request by sending a valid response. Only then will Amazon SNS consider the subscription request to be valid. If there is no response to the challenge, Amazon SNS will not send any notifications to that end-point. The exact mechanism of confirming the subscription varies by the transport protocol selected:
For HTTP/HTTPS notifications, Amazon SNS will first POST the confirmation message (containing a token) to the specified URL. The application monitoring the URL will have to call the ConfirmSubscription API with the included token.
For Email and Email-JSON notifications, Amazon SNS will send an email to the specified address containing an embedded link. The user will need to click on the embedded link to confirm the subscription request.
For SQS notifications, Amazon SNS will enqueue a challenge message containing a token to the specified queue. The application monitoring the queue will have to call the ConfirmSubscription API with the token.
Note: The explicit “opt-in” steps described above are not required for the specific case where you subscribe your Amazon SQS queue to your Amazon SNS topic – and both are “owned” by the same AWS account.
How long will subscription requests remain pending, while waiting to be confirmed?
Tokens included in the confirmation message sent to end-points on a subscription request are valid for 3 days.
Who can change permissions on a topic?
Only the owner of the topic can change permissions for that topic.
How can users verify that notification messages are sent from Amazon SNS?
To ensure the authenticity of the notifications, Amazon SNS will sign all notification deliveries using a cryptographically secure, asymmetric mechanism (private-public key pair based on certificates). Amazon SNS will publish its certificate to a well-known location (e.g. http://sns.us-east-1.amazonaws.com/SimpleNotificationService.pem for the US East region) and sign messages with the private key of that certificate. Developers/applications can obtain the certificate and validate the signature in the notifications with the certificate’s public key, to ensure that the notification was indeed sent out by Amazon SNS. For further details on certificate locations, please refer to the Amazon SNS details page.
Do publishers have to sign messages as well?
Amazon SNS requires publishers with AWS IDs to validate their messages by signing messages with their secret AWS key; the signature is then validated by Amazon SNS.
Can a publisher/subscriber use SSL to secure messages?
Yes, both publishers and subscribers can use SSL to help secure the channel used to send and receive messages. Publishers can connect to Amazon SNS over HTTPS and publish messages over the SSL channel. Subscribers should register an SSL-enabled end-point as part of the subscription registration, and notifications will be delivered over an SSL channel to that end-point.
What permissions does a subscriber need to allow Amazon SNS to send notifications to a registered endpoint?
The owner of the end-point receiving the notifications has to grant permissions for Amazon SNS to send messages to that end-point.