I subscribed the email address of a mailing list to my Amazon Simple Notification Service (Amazon SNS) topic. A member of the list chose the unsubscribe link in a message, which unsubscribed the email address of the mailing list—as well as everyone on the list. How do I prevent that from happening?

When you publish messages to an Amazon SNS topic with email subscribers, the email message that those subscribers receive has a link to unsubscribe from the topic. (That is, "If you wish to stop receiving notifications from this topic, please click or visit the link below to unsubscribe".)

When someone is subscribed to a topic with their own email address, and then they choose the link, then their email address is unsubscribed. But when a member of a mailing list—or their email spam filter—chooses the link, that action unsubscribes the email address of the mailing list. Then, everyone on the mailing list gets an "Unsubscribe Confirmation" message, which can be unexpected and confusing.

To prevent that unsubscribe action, create a subscription that requires authentication, so that only the topic owner and subscription owner can unsubscribe. Then, anyone who chooses the link receives the following error:

"Subscription not removed

Your subscription could not be removed because of an error. If you wish to unsubscribe but do not have AWS credentials, or have any other questions about Amazon SNS, please contact Amazon at sns-question@amazon.com."

To replace an existing subscription with one that requires authentication to unsubscribe, delete the existing subscription first. Then, use one of the following methods to set up the new subscription.

Important: You need access to the subscription confirmation email message to confirm the subscription and complete the setup. If you're subscribing a mailing list to your topic, add your own email address to the mailing list first.

Use the Amazon SNS console to set up an email subscription that requires authentication to unsubscribe

1.    Open the Amazon SNS console and create an email subscription to your topic.

2.    Go to your email application, and then open the subscription confirmation message from AWS Notifications.
Important: Don't confirm the subscription using the link in the subscription confirmation email.

3.    Copy the URL from the Confirm subscription link to your clipboard.

4.    In the navigation pane of the console, choose Topics.

5.    Choose the ARN of the topic that you're subscribed to.

6.    Choose Confirm subscription.

7.    In the Subscription confirmation URL text box, paste the URL that you copied.

8.    Choose Confirm subscription.

Use the AWS CLI to set up an email subscription that requires authentication to unsubscribe

1.    In the AWS Command Line Interface (AWS CLI), run this command:

aws sns list-topics --region us-east-1

Note: In this command, replace the value of region with your topic's AWS Region.

2.    In the output, find the topic you want to subscribe to, and then copy its TopicArn value to your clipboard. The topic ARN looks like this:

arn:aws:sns:us-east-1:0123456789012:my-topic

3.    Run this command:

aws sns subscribe --topic-arn arn:aws:sns:us-east-1:0123456789012:my-topic --protocol email --notification-endpoint test@amazon.com --region us-east-1

Note: In this command, replace the values of topic-arn with the topic ARN that you copied, notification-endpoint with the email address that you want to subscribe to your topic, and region with your topic's AWS Region.

4.    Go to your email application, and then open the subscription confirmation message from AWS Notifications.
Important: Don't confirm the subscription using the link in the subscription confirmation email.

5.    Copy the URL from the Confirm subscription link to your clipboard, paste the URL into a text editor, and then copy the token. The token is a long series of numbers and letters in the middle of the URL after "Token=" and before "&Endpoint=". For example:

https://sns.us-east-1.amazonaws.com/confirmation.html?TopicArn=arn:aws:sns:us-east-1:123456789012:my-topic&Token=2336412f37fb687f5d51e6e241da92fcfd03593fd8dfa4bd75978a2ad7255afb88e71028f6a034d06f469f6c7ef2
0a609348542a0c68a9561c03a39d59beb02e2b7112c45f7ae26c344819b39cf07f15bef6c6c09766f9caa1fa55c236e7
7c33a50870bc027c74640ff64a7e99a67117
&Endpoint=test@amazon.com

6.    Run this command using the token you copied and the same topic ARN from step 2:

aws sns confirm-subscription --token 2336412f37fb687f5d51e6e241da92fcfd03593fd8dfa4bd75978a2ad7255afb88e71028f6a034d06f469f6c7ef2
0a609348542a0c68a9561c03a39d59beb02e2b7112c45f7ae26c344819b39cf07f15bef6c6c09766f9caa1fa55c236e7
7c33a50870bc027c74640ff64a7e99a67117 --topic-arn arn:aws:sns:us-east-1:0123456789012:my-topic --authenticate-on-unsubscribe true --region us-east-1

Note: In this command, replace the values of token with the token that you copied, topic-arn with the same topic ARN from step 2, and region with your topic's AWS Region.


Did this page help you? Yes | No

Back to the AWS Support Knowledge Center

Need help? Visit the AWS Support Center

Published: 2019-01-11