0
votes

I'm attempting to subscribe an SNS topic to an HTTPS endpoint I own. I'm reading the docs on how to process incoming messages from SNS and how the subscription confirmation needs to be done. I see two methods of confirmation:

I'm trying to understand what the difference between the two methods is. The most obvious one to me was this: the choice of using the API will require AWS credentials, since the request needs to be signed. But it seems like the same call will succeed with just the HTTP GET request?

What's the best practice out there (if any) and/or which method is the one being followed by other folks using AWS/SNS?

2 Answers

0
votes

Before SNS will talk to an endpoint, you need to prove that you control that endpoint. So your options are to write some code that can do it automatically (most of the SDKs support this) or to capture the token, and by returning it via the API call prove that you control it.

This is a one-time procedure, so you do not need to deploy any AWS credentials to your API endpoint - you can do it from a different system.

We generally build the confirmation handler into the application.

0
votes

There isn't a difference -- these two alternatives are in fact the same thing.

The SubscribeURL attribute is a pre-constructed (by the service) link to the ConfirmSubscription action on the SNS API endpoint.

The API accepts GET or POST. No signature is required in this case.

This call requires an AWS signature only when the AuthenticateOnUnsubscribe flag is set to "true".

https://docs.aws.amazon.com/sns/latest/api/API_ConfirmSubscription.html
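Because the SubscribeURL is fetched with an unsigned GET, a confirmation handler built into the endpoint should decide whether the link is one it expects before requesting it. The following is an added example, not code from either answer or from AWS; the topic allowlist, the sample message and the `sns.<region>.amazonaws.com` host pattern are assumptions.

```python
import json
import urllib.request
from urllib.parse import urlsplit, parse_qs

# Assumption: topics this endpoint expects to be subscribed to (constructed ARN).
ALLOWED_TOPICS = {"arn:aws:sns:us-east-1:123456789012:example-topic"}

# Constructed sample of the JSON body SNS POSTs to the endpoint (other fields omitted).
SAMPLE = json.dumps({
    "Type": "SubscriptionConfirmation",
    "TopicArn": "arn:aws:sns:us-east-1:123456789012:example-topic",
    "Token": "constructed-token",
    "SubscribeURL": "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription"
                    "&TopicArn=arn:aws:sns:us-east-1:123456789012:example-topic"
                    "&Token=constructed-token",
})


def confirmation_url(raw_body):
    """Return the SubscribeURL that is safe to GET, or None to ignore the message."""
    try:
        msg = json.loads(raw_body)
    except ValueError:
        return None
    if not isinstance(msg, dict) or msg.get("Type") != "SubscriptionConfirmation":
        return None
    topic, url = msg.get("TopicArn"), msg.get("SubscribeURL")
    if not isinstance(topic, str) or not isinstance(url, str) or topic not in ALLOWED_TOPICS:
        return None
    # Assumption: commercial-partition endpoint naming, sns.<region>.amazonaws.com.
    expected_host = "sns.%s.amazonaws.com" % topic.split(":")[3]
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    # Comparing netloc (not hostname) also rejects userinfo and explicit ports.
    if parts.scheme != "https" or parts.netloc != expected_host:
        return None
    query = parse_qs(parts.query)
    if query.get("Action") != ["ConfirmSubscription"] or query.get("TopicArn") != [topic]:
        return None
    return url


def confirm(url):
    """Plain unsigned GET of the validated SubscribeURL; no AWS credentials involved."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.status == 200
```

Verifying the message's `Signature` field is a separate check and is not shown here.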