Mailing list recipients can unsubscribe everyone on the list from my Amazon SNS topic emails. How do I prevent that?

Last updated: 2019-04-17

I subscribed the email address of a mailing list to my Amazon Simple Notification Service (Amazon SNS) topic. A member of the list chose the unsubscribe link in a message, which unsubscribed the email address of the mailing list, along with everyone on the list. How do I prevent that from happening?

Short Description

When you publish messages to an Amazon SNS topic with email subscribers, the email message that those subscribers receive has a link to unsubscribe from the topic. (That is, "If you wish to stop receiving notifications from this topic, please click or visit the link below to unsubscribe.")

When someone is subscribed to a topic with their own email address, and then they choose the unsubscribe link, their own email address is unsubscribed. But when a member of a mailing list—or their email spam filter—chooses the unsubscribe link, the email address of the mailing list is unsubscribed. Then, everyone on the mailing list gets an "Unsubscribe Confirmation" message, which can be unexpected and confusing.

To prevent that unsubscribe action, create a subscription that requires authentication to unsubscribe, so that only the topic owner and subscription owner can unsubscribe. Then, anyone who chooses the link receives the following error:

"Subscription not removed
Your subscription could not be removed because of an error. If you wish to unsubscribe but do not have AWS credentials, or have any other questions about Amazon SNS, please contact Amazon at sns-question@amazon.com."

Resolution

To replace an existing subscription with one that requires authentication to unsubscribe, delete the existing subscription first. Then, use either of the following methods to set up the new subscription.

Important: You need access to the subscription confirmation email message to confirm a new subscription and complete the setup. If you're subscribing a mailing list to your topic, add your own email address to the mailing list first so that you can confirm the subscription.

Set up an email subscription that requires authentication to unsubscribe (Amazon SNS console)

1.    Open the Amazon SNS console and subscribe your email address to your topic.

2.    In your email, find the subscription confirmation message from AWS Notifications. The sender ID is usually "no-reply@sns.amazonaws.com".
Important: Don't confirm the subscription using the link in the subscription confirmation email.

3.    Copy the URL from the Confirm subscription link to your clipboard.

4.    In the Amazon SNS console, in the left navigation menu, choose Subscriptions.

5.    On the Subscriptions page, select the subscription that's "Pending confirmation," and then choose Confirm subscription.

6.    In the Confirm subscription dialog, paste the subscription confirmation URL that you copied.

7.    Choose Confirm subscription.

Set up an email subscription that requires authentication to unsubscribe (AWS CLI)

1.    In the AWS Command Line Interface (AWS CLI), run this command:

aws sns list-topics --region us-east-1

Note: In this command, replace the value of region with the AWS Region for your topic.

2.    In the output, find the topic you want to subscribe to, and then copy its TopicArn value to your clipboard. The topic ARN looks like this: arn:aws:sns:us-east-1:0123456789012:my-topic

3.    Run this command:

aws sns subscribe --topic-arn arn:aws:sns:us-east-1:0123456789012:my-topic --protocol email --notification-endpoint test@amazon.com --region us-east-1

Note: In this command, replace the values of topic-arn with the topic ARN that you copied, notification-endpoint with the email address that you want to subscribe to your topic, and region with your topic's AWS Region.

4.    In your email, find the subscription confirmation message from AWS Notifications. The sender ID is usually "no-reply@sns.amazonaws.com".
Important: Don't confirm the subscription using the link in the subscription confirmation email.

5.    Copy the URL from the Confirm subscription link to your clipboard, paste the URL into a text editor, and then copy the token. The token is a long series of numbers and letters in the middle of the URL after "Token=" and before "&Endpoint=". For example:

https://sns.us-east-1.amazonaws.com/confirmation.html?TopicArn=arn:aws:sns:us-east-1:123456789012:my-topic&Token=2336412f37fb687f5d51e6e241da92fcfd03593fd8dfa4bd75978a2ad7255afb88e71028f6a034d06f469f6c7ef2
0a609348542a0c68a9561c03a39d59beb02e2b7112c45f7ae26c344819b39cf07f15bef6c6c09766f9caa1fa55c236e7
7c33a50870bc027c74640ff64a7e99a67117
&Endpoint=test@amazon.com

6.    Run this command using the token you copied and the same topic ARN from step 2:

aws sns confirm-subscription --token 2336412f37fb687f5d51e6e241da92fcfd03593fd8dfa4bd75978a2ad7255afb88e71028f6a034d06f469f6c7ef2
0a609348542a0c68a9561c03a39d59beb02e2b7112c45f7ae26c344819b39cf07f15bef6c6c09766f9caa1fa55c236e7
7c33a50870bc027c74640ff64a7e99a67117 --topic-arn arn:aws:sns:us-east-1:0123456789012:my-topic --authenticate-on-unsubscribe true --region us-east-1

Note: In this command, replace the values of token with the token that you copied, topic-arn with the same topic ARN from step 2, and region with your topic's AWS Region.


Getting Started with Amazon SNS

subscribe (AWS CLI Command Reference)

confirm-subscription (AWS CLI Command Reference)

Did this article help you?

Anything we could improve?


Need more help?