Gapton

Reputation: 2134

AWS SNS subscription keeps deleting the subscription itself

I subscribed to an SNS topic with an endpoint of an email address.

I received notice of unsubscribing from the topic last night. I asked all who had access to the inbox; nobody clicked the unsubscribe link.

I recreated the subscription, and this morning it unsubscribed itself again.

How could that be? And how can I prevent this from happening again? I looked in CloudTrail, but unsubscribe actions are not logged unless they are made within the console or via the API.

Any indicator would be helpful, thanks.

Upvotes: 23

Views: 14774

Answers (4)

Tommy

Reputation: 11

I recommend changing your SNS format to email-json instead of email.

Upvotes: 0

Yoseph

Reputation: 885

There are different reasons why this could happen:

  • AWS has documented that if there are more than 10 emails per second, it will automatically unsubscribe the subscription to avoid spam (the solution is to add filter options to your topic so that you are not spamming anyone)
  • Anyone receiving the email has unsubscribed (you have already ruled this one out)
  • What appears to be a bug with AWS SNS Email subscriptions (a simple workaround is to use Email-JSON instead of plain Email; a more complicated workaround is to use a Lambda function to send the emails. Note that this might not be a bug at all, as maybe an automatic spam filter is doing this, which is why the Email-JSON option avoids that)

Upvotes: 3

james

Reputation: 152

The subscription will be in 'Deleted state' as the subscriber unsubscribed the email subscription, likely due to clicking the Unsubscribe URL from within the email notification.

It is recommended that we subscribe the email endpoint, manually copy the subscription URL and paste it in the SNS console. That way the subscription can only be deleted/removed by the SNS topic owner and not by clicking the unsubscribe URL from the email.

Once we manually copy the link to the SNS console and confirm the subscription, we will have control over that subscription and a trace will be generated for audit purposes in CloudTrail.

Upvotes: 3

ThomasVdBerge

Reputation: 8140

It might indeed be the Gmail automatic spam filter, but since there are no logs available this is hard to verify.

From the AWS documentation I see that you can enable authentication for deletion. This should prevent it being deleted by Gmail.

Deletes a subscription. If the subscription requires authentication for deletion, only the owner of the subscription or the topic's owner can unsubscribe, and an AWS signature is required. If the Unsubscribe call does not require authentication and the requester is not the subscription owner, a final cancellation message is delivered to the endpoint, so that the endpoint owner can easily resubscribe to the topic if the Unsubscribe request was unintended.

To change this permission, go to your SNS topic overview and select the topic you want. Click on Edit topic policy. If you click on Advanced view, make sure something like this is added:

  "Action": [
    "SNS:Unsubscribe"
  ],
  "Resource": "arn:aws:sns:<AWS_REGION>:<AWS_ACCOUNT_ID>:<SNS_TOPIC>",
  "Condition": {
    "StringEquals": {
      "AWS:SourceOwner": "<AWS_ACCOUNT_ID>"
    }
  }

That will make sure only the account owner will be able to unsubscribe, and not everyone. Change the vars between <> to your needs.

Upvotes: 0
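The "requires authentication for deletion" behaviour in the quoted documentation, and the owner-controlled confirmation james describes, can also be set through the API: ConfirmSubscription accepts an AuthenticateOnUnsubscribe parameter. The sketch below is an added example, not code from any of the answers; it validates the link from the confirmation email and confirms it with AWS credentials. The URL shape, the sample link and the function names are assumptions.

```python
# Added example: confirm an SNS email subscription via the API with
# AuthenticateOnUnsubscribe enabled, instead of clicking the emailed link.
import re
from urllib.parse import parse_qs, urlsplit

# Assumed link shape: an https URL on an sns.<region>.amazonaws.com host
# that carries TopicArn and Token as query parameters.
SNS_HOST = re.compile(r"^sns\.([a-z0-9-]+)\.amazonaws\.com$")
TOPIC_ARN = re.compile(r"^arn:aws[a-z-]*:sns:([a-z0-9-]+):\d{12}:[\w.-]+$")


def confirm_args(confirm_url):
    """Return (region, kwargs) for sns.confirm_subscription, or raise ValueError."""
    parts = urlsplit(confirm_url.strip())
    host = SNS_HOST.match(parts.hostname or "")
    if parts.scheme != "https" or not host:
        raise ValueError("not an SNS confirmation link")
    query = parse_qs(parts.query)
    arn = (query.get("TopicArn") or [""])[0]
    token = (query.get("Token") or [""])[0]
    arn_match = TOPIC_ARN.match(arn)
    if not arn_match or not token:
        raise ValueError("TopicArn or Token missing or malformed")
    if arn_match.group(1) != host.group(1):
        raise ValueError("topic region does not match the link's host")
    return host.group(1), {
        "TopicArn": arn,
        "Token": token,
        # "true" means a later Unsubscribe must be an AWS-signed request.
        "AuthenticateOnUnsubscribe": "true",
    }


def confirm(confirm_url):
    """Confirm with the caller's AWS credentials; returns the SubscriptionArn."""
    import boto3  # imported here so the parsing above runs without the SDK
    region, kwargs = confirm_args(confirm_url)
    sns = boto3.client("sns", region_name=region)
    return sns.confirm_subscription(**kwargs)["SubscriptionArn"]


# Constructed sample link (placeholder account id, topic name and token).
SAMPLE = ("https://sns.eu-west-1.amazonaws.com/confirmation.html"
          "?TopicArn=arn:aws:sns:eu-west-1:123456789012:alerts"
          "&Token=0123456789abcdef&Endpoint=ops%40example.com")

if __name__ == "__main__":
    print(confirm_args(SAMPLE))
```

Because the confirmation is a signed API call, it is recorded in CloudTrail, unlike a click on the emailed link.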
