Simple Notification Service
- A web service that coordinates and manages the delivery or sending of messages to subscribing endpoints or clients.
- You (as the owner) create a topic and control access to it by defining policies.
- In Amazon SNS, there are two types of clients—publishers and subscribers—also referred to as producers and consumers.
- Publishers communicate asynchronously with subscribers by producing and sending a message to a topic, which is a logical access point and communication channel.
- Subscribers (i.e., web servers, email addresses, Amazon SQS queues, AWS Lambda functions) consume or receive the message or notification over one of the supported protocols (i.e., Amazon SQS, HTTP/S, email, SMS, Lambda) when they are subscribed to the topic.
- A publisher sends messages to topics that they have created or to topics they have permission to publish to.
- Subscribers receive all messages published to the topics to which they subscribe, and all subscribers to a topic receive the same messages.
○A permission is the concept of allowing or disallowing some kind of access to a particular resource.
○A statement is the formal description of a single permission, written in the access policy language.
○A policy is a document (written in the access policy language) that acts as a container for one or more statements.
○The issuer is the person who writes a policy to grant permissions for a resource.
○The principal is the person or persons who receive the permission in the policy.
○The action is the activity the principal has permission to perform.
○The resource is the object the principal is requesting access to.
- Conditions and Keys
○The conditions are any restrictions or details about the permission.
○A key is the specific characteristic that is the basis for access restriction.
○The requester is the person who sends a request to an AWS service and asks for access to a particular resource.
○Evaluation is the process the AWS service uses to determine if an incoming request should be denied or allowed based on the applicable policies.
○The effect is the result that you want a policy statement to return at evaluation time.
- Default Deny
○A default deny is the default result from a policy in the absence of an allow or explicit deny.
○An allow results from a statement that has effect=allow, assuming any stated conditions are met.
- Explicit Deny
○An explicit deny results from a statement that has effect=deny, assuming any stated conditions are met.
- The following figure shows the main components that interact to provide access control for your resources.
|1||You, the resource owner.|
|4||Requesters and their incoming requests to the AWS service.|
|5||The access policy language evaluation code.|
Using the Access Policy Language
- The following figure shows the general process of how access control works with the access policy language..
|1||You write a policy for your resource.|
|2||You upload your policy to AWS.|
|3||Someone sends a request to use your resource.|
|4||The AWS service determines which policies are applicable to the request.|
|5||The AWS service evaluates the policies.|
- The evaluation logic follows several basic rules:
○By default, all requests to use your resource coming from anyone but you are denied
○An allow overrides any default denies
○An explicit deny overrides any allows
○The order in which the policies are evaluated is not important.
Amazon SNS Mobile Push
- You send push notification messages to both mobile devices and desktops.
- The following figure shows an overview of how Amazon SNS is used to send a direct push notification message to a mobile endpoint.
Amazon SNS Mobile Push
- The following figure shows a mobile endpoint as a subscriber to an Amazon SNS topic.
- The mobile endpoint communicates using push notification services where the other endpoints do not.
- Amazon SNS Mobile Push High‐Level Steps
○Step 1: Request Credentials from Mobile Platforms
○Step 2: Request Token from Mobile Platforms
○Step 3: Create Platform Application Object
○Step 4: Create Platform Endpoint Object
○Step 5: Publish Message to Mobile Endpoint
Sending Amazon SNS Messages to Amazon SQS Queues
- Amazon SNS works closely with Amazon Simple Queue Service.
- Amazon SNS allows applications to send time-critical messages to multiple subscribers through a “push” mechanism, eliminating the need to periodically check or “poll” for updates.
- Amazon SQS is a message queue service used by distributed applications to exchange messages through a polling model, and can be used to decouple sending and receiving components—without requiring each component to be concurrently available.
Sending SMS Messages with Amazon SNS
- You can use Amazon SNS to send text messages, or SMS messages, to SMS-enabled devices.
- You can send a message directly to a phone number, or you can send a message to multiple phone numbers at once by subscribing those phone numbers to a topic and sending your message to the topic.
- You can set SMS preferences for your AWS account to tailor your SMS deliveries for your use cases and budget.
- Monitoring SMS Activity
○By monitoring your SMS activity, you can keep track of destination phone numbers, successful or failed deliveries, reasons for failure, costs, and other information.
- Managing Phone Numbers and SMS Subscriptions
○Amazon SNS provides several options for managing who receives SMS messages from your account.
○With a limited frequency, you can opt in phone numbers that have opted out of receiving SMS messages from your account.
- Reserving a Dedicated Short Code for SMS Messaging
○To send SMS messages using a persistent short code, you can reserve a dedicated short code that is assigned to your account and available exclusively to you.
○A short code is a 5 or 6 digit number that you can use to send SMS messages to certain destinations.
○Short codes are often used for application-to-person (A2P) messaging, two-factor authentication (2FA), and marketing.
Sending Amazon SNS Messages to HTTP/HTTPS Endpoints
- You can use Amazon SNS to send notification messages to one or more HTTP or HTTPS endpoints.
- If you use HTTPS, then you can take advantage of the support in Amazon SNS for Server Name Indication (SNI) and Basic and Digest Access Authentication.
- Setting Amazon SNS Delivery Retry Policies for HTTP/HTTPS Endpoints
○A successful Amazon SNS delivery to an HTTP/HTTPS endpoint sometimes requires more than one attempt.
○If an initial delivery attempt doesn’t result in a successful response from the subscriber, Amazon SNS attempts to deliver the message again.
○You can use delivery policies to control not only the total number of retries, but also the time delay between each retry.
○The maximum lifetime of a message in the system is one hour.
○This one hour limit cannot be extended by a delivery policy.
- Immediate Retry Phase
- Pre-Backoff Phase
- Backoff Phase
- Post-Backoff Phase
Applying Delivery Policies to Topics and Subscriptions
The following diagram illustrates a topic with a delivery policy that applies to all three subscriptions associated with that topic
- In the following diagram, one subscription has a subscription-level delivery policy whereas the two other subscriptions do not.
- The following diagram shows a topic-level delivery policy that applies to all subscriptions, even the subscription that has its own subscription delivery policy because subscription-level policies have been specifically ignored.
Invoking Lambda functions
- Amazon SNS and AWS Lambda are integrated so you can invoke Lambda functions with Amazon SNS notifications.
- When a message is published to an SNS topic that has a Lambda function subscribed to it, the Lambda function is invoked with the payload of the published message.
Using Amazon SNS Message Attributes
- Amazon SNS provides support for delivery of message attributes to Amazon SQS endpoints.
- Message attributes allow you to provide structured metadata items about the message.
- You can also use message attributes to help structure the push notification message for mobile endpoints.
- Each message attribute consists of name, type and value.
Monitoring Amazon SNS with CloudWatch
- Amazon SNS and CloudWatch are integrated so you can collect, view, and analyze metrics for every active Amazon SNS notifications.
- Once you have configured CloudWatch for Amazon SNS, you can gain better insight into the performance of your Amazon SNS topics, push notifications, and SMS deliveries.
Logging Amazon Simple Notification Service API Calls By Using AWS CloudTrail
- Amazon SNS is integrated with CloudTrail, a service that captures API calls made by or on behalf of Amazon SNS in your AWS account and delivers the log files to an Amazon S3 bucket that you specify.
- Using the information collected by CloudTrail, you can determine what request was made to Amazon SNS, the source IP address from which the request was made, who made the request, when it was made, and so on.
- When CloudTrail logging is enabled in your AWS account, API calls made to Amazon SNS actions are tracked in log files.
- Amazon SNS records are written together with other AWS service records in a log file.
- CloudTrail determines when to create and write to a new file based on a time period and file size.