Mailing list recipients can unsubscribe everyone on the list from my Amazon SNS topic emails. How do I prevent that?

Last updated: 2021-01-15

When you publish messages to an Amazon SNS topic with email subscribers, the email message that those subscribers receive has a link to unsubscribe. Above the link, it says, "If you wish to stop receiving notifications from this topic, please click or visit the link below to unsubscribe."

When someone is subscribed to an Amazon SNS topic with their own email address, and they choose the unsubscribe link, only their email is unsubscribed.

When a member of an Amazon SNS topic mailing list chooses the unsubscribe link, the email address of the mailing list is unsubscribed. Then, everyone on the mailing list gets an "Unsubscribe Confirmation" message.

Note: Email spam filters can also unsubscribe the email address of the mailing list.

To prevent that unsubscribe action, create a subscription that requires authentication to unsubscribe, so that only the topic owner and subscription owner can unsubscribe. Then, anyone who chooses the link receives the following error:

"Subscription not removed
Your subscription could not be removed because of an error. If you wish to unsubscribe but do not have AWS credentials, or have any other questions about Amazon SNS, please contact Amazon at sns-question@amazon.com."

To replace an existing subscription with one that requires authentication to unsubscribe, delete the existing subscription first. Then, use either of the following methods to set up the new subscription.

Important: You need access to the subscription confirmation email message to confirm a new subscription and complete the setup. If you're subscribing a mailing list to your topic, add your own email address to the mailing list first so that you can confirm the subscription.

1.    Open the Amazon SNS console and subscribe your email address to your topic.

2.    In your email, find the subscription confirmation message from AWS Notifications. The sender is usually "no-reply@sns.amazonaws.com".

Important: Don't confirm the subscription using the link in the subscription confirmation email.

3.    Copy the URL from the Confirm subscription link to your clipboard.

4.    In the Amazon SNS console, in the left navigation menu, choose Subscriptions.

5.    On the Subscriptions page, select the subscription that's "Pending confirmation," and then choose Confirm subscription.

6.    In the Confirm subscription dialog, paste the subscription confirmation URL that you copied.

7.    Choose Confirm subscription.

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

1.    In the AWS CLI, run this command:

aws sns list-topics --region us-east-1

Important: Make sure that you replace region us-east-1 with the correct AWS Region for your topic, if the topic is in another Region.

2.    In the output, find the topic you want to subscribe to, and then copy its TopicArn value to your clipboard. The topic ARN looks like this: arn:aws:sns:us-east-1:0123456789012:my-topic

3.    Run the following command:

aws sns subscribe --topic-arn arn:aws:sns:us-east-1:0123456789012:my-topic --protocol email --notification-endpoint test@amazon.com --region us-east-1

Important: Make sure that you replace the value of topic-arn with the topic ARN that you copied. Also, replace the value of notification-endpoint with the email address that you want to subscribe to your topic, and the region with your topic's AWS Region.

4.    In your email, find the subscription confirmation message from AWS Notifications. The sender is usually "no-reply@sns.amazonaws.com".

Important: Don't confirm the subscription using the link in the subscription confirmation email.

5.    Copy the URL from the Confirm subscription link to your clipboard, paste the URL into a text editor, and then copy the token. The token is a long series of numbers and letters in the middle of the URL after "Token=" and before "&Endpoint=". For example:

https://sns.us-east-1.amazonaws.com/confirmation.html?TopicArn=arn:aws:sns:us-east-1:123456789012:my-topic&Token=2336412f37fb687f5d51e6e241da92fcfd03593fd8dfa4bd75978a2ad7255afb88e71028f6a034d06f469f6c7ef2
0a609348542a0c68a9561c03a39d59beb02e2b7112c45f7ae26c344819b39cf07f15bef6c6c09766f9caa1fa55c236e7
7c33a50870bc027c74640ff64a7e99a67117&Endpoint=test@amazon.com

6.    Run the following command using the token you copied and the same topic ARN from step 2:

aws sns confirm-subscription --token 2336412f37fb687f5d51e6e241da92fcfd03593fd8dfa4bd75978a2ad7255afb88e71028f6a034d06f469f6c7ef20a609348542a0c68a9561c03a39d59beb02e2b7112c45f7ae26c344819b39cf07f15bef6c6c09766f9caa1fa55c236e77c33a50870bc027c74640ff64a7e99a67117 --topic-arn arn:aws:sns:us-east-1:0123456789012:my-topic --authenticate-on-unsubscribe true --region us-east-1

Important: Make sure that you replace the values of token with the token that you copied. Also, replace the value of topic-arn with the same topic ARN from step 2, and region with your topic's AWS Region.