Question

I have configured AWS SNS notification to call my HTTP endpoint. I need to open my firewall to allow AWS SNS to call it.

However, I cannot find any information about the source IPs of SNS HTTP(S) notification calls. I have caught a few IPs (54.240.194.1, 54.240.194.65, 54.240.194.129) from its calls. But I'm not sure what the full list of SNS HTTP notification source IPs is.

I can open my firewall for 54.240.194.0/24. But there is no official information that this is correct.

Thanks.


Solution

The list of IP addresses from which Amazon SNS notifications are sourced is provided in the Amazon SNS forums. We update this post as the IP information changes.

Please note that while notifications will usually be sourced from an IP in the same region where your topic was created, this is not guaranteed e.g., a notification sent from a topic created in US-EAST-1 may be sourced from either US-WEST-1 or EU-WEST-1. In other words, you should add all addresses on this list to your ingress rules, even if you only plan to use a single region.

OTHER TIPS

In this situation SQS is probably more appropriate because you will be initiating the connection to Amazon instead of asking AWS to reach out to you. This means no changes to your firewall are required and you are not poking holes in your security...

If you need SNS notifications for other endpoints, you can pump SNS to SQS for this specific endpoint:

http://docs.aws.amazon.com/sns/latest/dg/SendMessageToSQS.html

Pretty sure you can't count on any particular IP address or range.

If you want to secure your endpoint, or at least ensure that any messages sent to it actually originate from AWS, this document may help:

...you can verify the authenticity of a notification, subscription confirmation, or unsubscribe confirmation message sent by Amazon SNS. Using information contained in the Amazon SNS message, your endpoint can recreate the string to sign and the signature so that you can verify the contents of the message by matching the signature you recreated from the message contents with the signature that Amazon SNS sent with the message.

http://docs.aws.amazon.com/sns/latest/dg/SendMessageToHttp.verify.signature.html
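As an added example (not code from the answer above or AWS's own reference implementation), the verification the linked document describes in Python: rebuild the string to sign from the message fields, refuse to fetch a signing certificate from anywhere other than an SNS HTTPS host, then check the RSA signature. The SigningCertURL host pattern and the use of the third-party `cryptography` package are assumptions.

```python
import base64
import re
from urllib.parse import urlparse

# Fields covered by the SNS signature, in the order the string to sign lists them
# (SignatureVersion 1 and 2 sign the same string; Subject is included only when present).
_SIGNED_FIELDS = {
    "Notification": ("Message", "MessageId", "Subject", "Timestamp", "TopicArn", "Type"),
    "SubscriptionConfirmation": ("Message", "MessageId", "SubscribeURL", "Timestamp",
                                 "Token", "TopicArn", "Type"),
    "UnsubscribeConfirmation": ("Message", "MessageId", "SubscribeURL", "Timestamp",
                                "Token", "TopicArn", "Type"),
}

# Assumed host pattern for SigningCertURL: an SNS host under amazonaws.com (or
# amazonaws.com.cn), over HTTPS only, and only a .pem path. A message that points the
# receiver at an attacker-controlled certificate would otherwise "verify" fine.
_CERT_HOST = re.compile(r"^sns\.[a-z0-9-]+\.amazonaws\.com(\.cn)?$")


def string_to_sign(msg: dict) -> str:
    """Rebuild the canonical 'key\\nvalue\\n' string that SNS signed for this message."""
    fields = _SIGNED_FIELDS.get(msg.get("Type"))
    if fields is None:
        raise ValueError(f"unsupported SNS message type: {msg.get('Type')!r}")
    return "".join(f"{k}\n{msg[k]}\n" for k in fields if k in msg)


def signing_cert_url_is_trusted(url: str) -> bool:
    """Decide whether SigningCertURL may be fetched at all (checked before any download)."""
    u = urlparse(url)
    return (u.scheme == "https" and u.hostname is not None
            and _CERT_HOST.match(u.hostname) is not None and u.path.endswith(".pem"))


def verify_signature(msg: dict, cert_pem: bytes) -> bool:
    """RSA PKCS#1 v1.5 check of msg['Signature'] against the certificate's public key.
    SignatureVersion '1' is SHA1withRSA, '2' is SHA256withRSA.
    Needs the third-party 'cryptography' package, imported lazily here."""
    from cryptography import x509
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import padding

    digest = hashes.SHA1() if msg.get("SignatureVersion") == "1" else hashes.SHA256()
    public_key = x509.load_pem_x509_certificate(cert_pem).public_key()
    try:
        public_key.verify(base64.b64decode(msg["Signature"]),
                          string_to_sign(msg).encode("utf-8"), padding.PKCS1v15(), digest)
        return True
    except InvalidSignature:
        return False
```

Only after both the URL check and `verify_signature` pass should the endpoint act on the message; the firewall allowlist is then a second layer rather than the only one.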

The accepted answer above is out of date/expired in the Amazon forum.

This link may be more help and, hopefully, permanent, but is for ALL IP ranges, evidently.

From https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html:

AWS IP address ranges

Here's the tool to use to filter/search that massive file https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html#filter-json-file

Licensed under: CC-BY-SA with attribution