Verifying the Signatures of Amazon SNS Messages
You should verify the authenticity of a notification, subscription confirmation, or unsubscribe confirmation message sent by Amazon SNS. Using information contained in the Amazon SNS message, your endpoint can recreate the string to sign and the signature so that you can verify the contents of the message by matching the signature you recreated from the message contents with the signature that Amazon SNS sent with the message.
To help prevent spoofing attacks, you should do the following when verifying messages sent by Amazon SNS:
Always use HTTPS when getting the certificate from Amazon SNS.
Validate the authenticity of the certificate.
Verify the certificate was received from Amazon SNS.
When possible, use one of the supported AWS SDKs for Amazon SNS to validate and verify messages. For example, with the AWS SDK for PHP you would use the isValid method from the
For example code for a Java servlet that handles Amazon SNS messages, see Example Code for an Amazon SNS Endpoint Java Servlet.
To verify the signature of an Amazon SNS message when using HTTP query-based requests
Extract the name/value pairs from the JSON document in the body of the HTTP POST request that Amazon SNS sent to your endpoint. You'll be using the values of some of the name/value pairs to create the string to sign. When you are verifying the signature of an Amazon SNS message, it is critical that you convert the escaped control characters to their original character representations in the Subject values. These values must be in their original forms when you use them as part of the string to sign. For information about how to parse the JSON document, see Step 1: Make sure your endpoint is ready to process Amazon SNS messages.
SignatureVersion tells you the signature version. From the signature version, you can determine the requirements for how to generate the signature. For Amazon SNS notifications, Amazon SNS currently supports signature version 1. This section provides the steps for creating a signature using signature version 1.
Get the X509 certificate that Amazon SNS used to sign the message. The SigningCertURL value points to the location of the X509 certificate used to create the digital signature for the message. Retrieve the certificate from this location.
Extract the public key from the certificate. The public key from the certificate specified by SigningCertURL is used to verify the authenticity and integrity of the message.
Determine the message type. The format of the string to sign depends on the message type, which is specified by the
Create the string to sign. The string to sign is a newline character–delimited list of specific name/value pairs from the message. Each name/value pair is represented with the name first followed by a newline character, followed by the value, and ending with a newline character. The name/value pairs must be listed in byte-sort order.
Depending on the message type, the string to sign must have the following name/value pairs.
Notification messages must contain the following name/value pairs:
  Message
  MessageId
  Subject (if included in the message)
  Timestamp
  TopicArn
  Type
The following example is a string to sign for a
  Message
  My Test Message
  MessageId
  4d4dc071-ddbf-465d-bba8-08f81c89da64
  Subject
  My subject
  Timestamp
  2012-06-05T04:37:04.321Z
  TopicArn
  arn:aws:sns:us-east-1:123456789012:s4-MySNSTopic-1G1WEFCOXTC0P
  Type
  Notification
SubscriptionConfirmation and UnsubscribeConfirmation messages must contain the following name/value pairs:
  Message
  MessageId
  SubscribeURL
  Timestamp
  Token
  TopicArn
  Type
The following example is a string to sign for a
  Message
  My Test Message
  MessageId
  3d891288-136d-417f-bc05-901c108273ee
  SubscribeURL
  https://sns.us-west-2.amazonaws.com/?Action=ConfirmSubscription&TopicArn=arn:aws:sns:us-west-2:123456789012:s4-MySNSTopic-1G1WEFCOXTC0P&Token=2336412f37fb687f5d51e6e241d09c8058323f60b964268bfe08ce35640228c208a66d3621bd9f7b012918cfdcfe65e153df551f76df58ed147f1245e330ce77ceff06dedab9f051f7028657e6c42750bf64bc9ef711d494e9f7637b86e690779eb5568f72466806b246bd244fa9392b1bc01eeb1c5e420847a745b7aa4b0085
  Timestamp
  2012-06-03T19:25:13.719Z
  Token
  2336412f37fb687f5d51e6e241d09c8058323f60b964268bfe08ce35640228c208a66d3621bd9f7b012918cfdcfe65e153df551f76df58ed147f1245e330ce77ceff06dedab9f051f7028657e6c42750bf64bc9ef711d494e9f7637b86e690779eb5568f72466806b246bd244fa9392b1bc01eeb1c5e420847a745b7aa4b0085
  TopicArn
  arn:aws:sns:us-west-2:123456789012:s4-MySNSTopic-1G1WEFCOXTC0P
  Type
  SubscriptionConfirmation
Signature value from Base64 format. The message delivers the signature in the Signature value, which is encoded as Base64. Before you compare the signature value with the signature you have calculated, make sure that you decode the Signature value from Base64 so that you compare the values using the same format.
Generate the derived hash value of the Amazon SNS message. Submit the Amazon SNS message, in canonical format, to the same hash function used to generate the signature.
Generate the asserted hash value of the Amazon SNS message. The asserted hash value is the result of using the public key value (from step 3) to decrypt the signature delivered with the Amazon SNS message.
Verify the authenticity and integrity of the Amazon SNS message. Compare the derived hash value (from step 7) to the asserted hash value (from step 8). If the values are identical, then the receiver is assured that the message has not been modified while in transit and the message must have originated from Amazon SNS. If the values are not identical, the message should not be trusted by the receiver.
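The procedure above carried out end to end in Go, as an added example that is not AWS's own code: StringToSign builds the byte-sorted name/value list for each message type (Subject optional for notifications), and Verify Base64-decodes the Signature and checks it against the SHA-1 digest of that string with the RSA public key. It assumes the certificate named by SigningCertURL has already been fetched over HTTPS, its origin checked, and its public key parsed into an *rsa.PublicKey; SignWithTestKey is a constructed stand-in for Amazon SNS's signing step so the verifier can be exercised offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"strings"
)

// Fields in the string to sign per message type; each list is already in byte-sort order.
var confirmFields = []string{"Message", "MessageId", "SubscribeURL", "Timestamp", "Token", "TopicArn", "Type"}
var signedFields = map[string][]string{
	"Notification":             {"Message", "MessageId", "Subject", "Timestamp", "TopicArn", "Type"},
	"SubscriptionConfirmation": confirmFields, "UnsubscribeConfirmation": confirmFields,
}
// StringToSign emits "name\nvalue\n" for each required field; Subject is optional for
// notifications. ok is false for an unknown Type or a missing required field.
func StringToSign(msg map[string]string) (sts string, ok bool) {
	fields, known := signedFields[msg["Type"]]
	for _, name := range fields {
		if v, present := msg[name]; present {
			sts += name + "\n" + v + "\n"
		} else if name != "Subject" {
			return "", false
		}
	}
	return sts, known
}

// Verify recomputes the SHA-1 digest of the string to sign and checks the Base64-decoded
// Signature with the certificate's RSA key (version 1 is SHA1withRSA, PKCS#1 v1.5).
func Verify(msg map[string]string, pub *rsa.PublicKey) bool {
	sts, ok := StringToSign(msg)
	// SigningCertURL must be HTTPS; confirming the host is Amazon SNS is the fetcher's job.
	if !ok || msg["SignatureVersion"] != "1" || !strings.HasPrefix(msg["SigningCertURL"], "https://") { return false }
	sig, err := base64.StdEncoding.DecodeString(msg["Signature"])
	if err != nil { return false }
	digest := sha1.Sum([]byte(sts))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], sig) == nil
}
// SignWithTestKey is a constructed stand-in for Amazon SNS: it signs msg with a throwaway
// RSA key, stores the Base64 Signature in msg, and returns the matching public key.
func SignWithTestKey(msg map[string]string) *rsa.PublicKey {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	sts, _ := StringToSign(msg)
	digest := sha1.Sum([]byte(sts))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA1, digest[:])
	msg["Signature"] = base64.StdEncoding.EncodeToString(sig)
	return &key.PublicKey
}
```

A changed signed field, an absent required field, a plain-HTTP certificate URL or an unknown Type all make Verify return false.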