AWS SNS subscription keeps deleting the subscription itself

12
votes

I subscribed to a SNS topic with an endpoint of an email address.

I have received notice of unsubscribing from the topic lastnight, I asked all who had access to the inbox, nobody clicked the unsubscribe link.

I recreated the subscription and this morning it unsub itself again.

How could that be? And how can I prevent this from happening again? I looked up in CloudTrail but unsubscribe action is not logged unless they are made with in the console or via the API.

Any indicator would be helpful , thanks.

2
amazon-web-servicesamazon-sns
Well I do not think it is possible that it is deleting itself. What I do think is likely is that someone is actually unsubscribing and probably don't want to own up to it.user9244629
no that is not the case. it happened twice already and there are only 2 people with access to the mailbox to begin with. I suspect this is GMail automatic spam filter.Gapton

2 Answers

1
votes

It might indeed be the gmail automatic spam filter, but since there are no logs available this is hard to verify.

From the AWS Documentation I see that you can enable authentication for deletion. This should prevent it being deleted by gmail.

Deletes a subscription. If the subscription requires authentication for deletion, only the owner of the subscription or the topic's owner can unsubscribe, and an AWS signature is required. If the Unsubscribe call does not require authentication and the requester is not the subscription owner, a final cancellation message is delivered to the endpoint, so that the endpoint owner can easily resubscribe to the topic if the Unsubscribe request was unintended.

To change this permission, Go to your SNS topic overview and select the topic you want. Click on Edit topic policy. If you click on Advanced view, make sure something like this is added:

  "Action": [
    "SNS:Unsubscribe"
  ],
  "Resource": "arn:aws:sns:<AWS_REGION>:<AWS_ACCOUNT_ID>:<SNS_TOPIC>",
  "Condition": {
    "StringEquals": {
      "AWS:SourceOwner": "<AWS_ACCOUNT_ID>"
    }
  }

That will make sure only the account owner will be able to unsbuscrive, and not everyone. Change the vars between <> to your needs.

1
votes

Subscription will be in 'Deleted state' as the subscriber unsubscribe the email subscription likely due to clicking the Unsubscribe URL from within the email notification.

It is recommended that we subscribe the email endpoint, manually copy the subscription URL and paste it in the SNS console. That way the subscription can only be deleted/removed by the SNS topic owner and not by clicking the unsubscribe url from email.

once we manually copy the link to the SNS console and confirm the subscription, we will have control over that subscription and a trace will be generated for audit purposes in CloudTrail.