18

I subscribed to an SNS topic with an endpoint of an email address.

I received notice of unsubscribing from the topic last night. I asked all who had access to the inbox, and nobody clicked the unsubscribe link.

I recreated the subscription and this morning it unsubscribed itself again.

How could that be? And how can I prevent this from happening again? I looked in CloudTrail, but unsubscribe actions are not logged unless they are made within the console or via the API.

Any indicator would be helpful, thanks.

Gapton
  • 1
    Well, I do not think it is possible that it is deleting itself. What I do think is likely is that someone is actually unsubscribing and probably doesn't want to own up to it. –  Apr 21 '18 at 16:40
  • 1
    No, that is not the case. It happened twice already and there are only 2 people with access to the mailbox to begin with. I suspect this is the Gmail automatic spam filter. – Gapton Apr 22 '18 at 03:16
  • Hello @Gapton, how did you resolve the issue? I am facing the same problem: the SNS subscription deletes automatically. – Shashank Shah Nov 18 '22 at 09:05

3 Answers

3

The subscription will be in the 'Deleted' state as the subscriber unsubscribed the email subscription, likely due to clicking the Unsubscribe URL from within the email notification.

It is recommended that we subscribe the email endpoint, manually copy the subscription URL and paste it in the SNS console. That way the subscription can only be deleted/removed by the SNS topic owner and not by clicking the unsubscribe URL from the email.

Once we manually copy the link to the SNS console and confirm the subscription, we will have control over that subscription and a trace will be generated for audit purposes in CloudTrail.

james
  • Thanks, this worked for me. AWS support [article about it](https://aws.amazon.com/premiumsupport/knowledge-center/prevent-unsubscribe-all-sns-topic/). – Denis Isaev Aug 29 '21 at 10:55
1

There are different reasons why this could happen:

  • AWS has documented that if there are more than 10 emails per second then it will automatically unsubscribe the subscription to avoid spam (solution is to add filter options to your topic so that you are not spamming anyone)
  • Anyone receiving the email has unsubscribed (you have already ruled this one out)
  • What appears to be a bug with AWS SNS Email subscriptions (a simple workaround is to use Email-JSON instead of plain Email; a more complicated workaround is to use a Lambda function to send the emails. Note this might not be a bug at all, as maybe an automatic spam filter is doing this, which is why the Email-JSON option avoids that)
Yoseph
0

It might indeed be the Gmail automatic spam filter, but since there are no logs available this is hard to verify.

From the AWS Documentation I see that you can enable authentication for deletion. This should prevent it being deleted by Gmail.

> Deletes a subscription. If the subscription requires authentication for deletion, only the owner of the subscription or the topic's owner can unsubscribe, and an AWS signature is required. If the Unsubscribe call does not require authentication and the requester is not the subscription owner, a final cancellation message is delivered to the endpoint, so that the endpoint owner can easily resubscribe to the topic if the Unsubscribe request was unintended.

To change this permission, go to your SNS topic overview and select the topic you want. Click on Edit topic policy. If you click on Advanced view, make sure something like this is added:

  "Action": [
    "SNS:Unsubscribe"
  ],
  "Resource": "arn:aws:sns:<AWS_REGION>:<AWS_ACCOUNT_ID>:<SNS_TOPIC>",
  "Condition": {
    "StringEquals": {
      "AWS:SourceOwner": "<AWS_ACCOUNT_ID>"
    }
  }

That will make sure only the account owner will be able to unsubscribe, and not everyone. Change the vars between <> to your needs.

ThomasVdBerge
  • 1
    I would give this answer an upvote but it doesn't specify how to enable authentication for deletion, nor does the AWS documentation specify it. – VaTo Nov 27 '18 at 20:19
  • I have two questions here: this policy will apply to all the subscriptions in the topic, not just one specific one; and second, regarding the SNS_Topic, do you mean the Topic ARN or the Display name? – VaTo Nov 28 '18 at 18:32
  • 3
    Dismiss my previous command: I get this error: `Invalid parameter: Policy statement action out of service scope! (Service: AmazonSNS; Status Code: 400; Error Code: InvalidParameter; Request ID:xxxxxxxxx)` – VaTo Nov 28 '18 at 18:39
  • If I understand right, only the subscriber (not the topic owner) can add the authentication requirement, they can add it only WHEN they subscribe, and it must be done by CLI or SDK invocation. For example in CLI: https://docs.aws.amazon.com/cli/latest/reference/sns/confirm-subscription.html – hiljusti Apr 06 '19 at 02:36
  • 1
    @hiljusti you are right, but not only by CLI - it [can also be done](https://aws.amazon.com/premiumsupport/knowledge-center/prevent-unsubscribe-all-sns-topic/) in the AWS console. – Denis Isaev Aug 29 '21 at 10:47
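
james's answer and hiljusti's comment both come down to confirming the subscription through an authenticated call instead of the link in the e-mail. As an added example (not code from any answer on this page), this script pulls `TopicArn` and `Token` out of the confirmation link, builds the `aws sns confirm-subscription` call with `--authenticate-on-unsubscribe true`, and checks the result afterwards; the sample URL is constructed and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example. SAMPLE_URL is constructed data shaped like the "Confirm
# subscription" link in the SNS e-mail; function names are hypothetical.
SAMPLE_URL='https://sns.us-east-1.amazonaws.com/confirmation.html?TopicArn=arn:aws:sns:us-east-1:123456789012:alerts&Token=2336412f37fb687f5d51e6e241d09c805a5a57b30d712f794cc5f6a988666d92&Endpoint=ops@example.com'

# Print the value of query parameter $2 in URL $1 (nothing if absent).
# %3A is decoded in case the colons of the ARN arrive percent-encoded.
query_param() {
  printf '%s\n' "$1" |
    sed -n 's/^[^?]*?\(.*&\)\{0,1\}'"$2"'=\([^&]*\).*$/\2/p' |
    sed 's/%3[Aa]/:/g'
}

# Print the aws-cli call that confirms the subscription with
# AuthenticateOnUnsubscribe set, so an unsigned unsubscribe link can no
# longer remove it. The link is untrusted input: reject anything that is not
# a plain SNS ARN and an alphanumeric token before it reaches a command line.
confirm_cmd() {
  topic_arn=$(query_param "$1" TopicArn)
  token=$(query_param "$1" Token)
  case "$topic_arn" in
    arn:aws*:sns:*) ;;
    *) echo "no SNS TopicArn in link" >&2; return 1 ;;
  esac
  case "$topic_arn" in
    *[!A-Za-z0-9:._-]*) echo "bad TopicArn" >&2; return 1 ;;
  esac
  case "$token" in
    ''|*[!A-Za-z0-9]*) echo "bad or missing Token" >&2; return 1 ;;
  esac
  printf 'aws sns confirm-subscription --topic-arn %s --token %s --authenticate-on-unsubscribe true\n' \
    "$topic_arn" "$token"
}

# Afterwards: succeeds only if SNS recorded the confirmation as authenticated.
# $1 is the subscription ARN returned by confirm-subscription.
is_authenticated() {
  [ "$(aws sns get-subscription-attributes --subscription-arn "$1" \
        --query 'Attributes.ConfirmationWasAuthenticated' --output text)" = "true" ]
}

confirm_cmd "$SAMPLE_URL"   # review the printed command, then run it
```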