AWS SNS pubs from the browser - amazon-web-services

I have a lambda function i'd like to invoke from the client-side. I was going to use the API Gateway, but it occurred to me that the queuing SNS affords might be handy.
After researching, it appears the only way to publish to SNS thru the Javsacript SDK is auth thru google/facebook or AWS Cognito. I'd like users (more specifically, events) to be able to push w/o auth'ng, so that's not an option.
The last option is hard-coding an AWS key. This is pretty explicitly discouraged in the docs, but after looking into it, it looks like I can create security provisions for a specific key and limit it to publishing only to one topic.
In other words, it'd ostensibly mimic a REST API, wouldn't it?
The only drawback I can think of is malicious spamming of the SNS. I know AWS API allows for rate-throttling, but couldn't find something similar on SNS.
So, 2 related question:
Is there a way to prevent malicious spam to an SNS topic?
are there other drawbacks to using SNS instead of an AWS API for invoking lambdas?

What queueing are you wanting to get from an SNS topic? I think you may be confusing SNS with SQS.
I see no advantage to using SNS->Lambda in this instance versus API->Lambda. I do however see several drawbacks to using SNS in this instance as it adds an unnecessary complication, as well as opens up unnecessary security risks.
You literally get no advantage to using SNS here, while you get several advantages to using API Gateway such as rate limiting and API key support. Not to mention that API Gateway endpoints are much easier to access from the browser than SNS topics. This is API Gateway's intended use, why try to hack together some method using SNS and hard coded AWS keys?

Related

Is it possible for on-premise application to push(publish) messages directly to AWS Eventbridge /EventBus?

Say you have a bunch of on premise applications (that are your potential publishers).. can we have them (sitting in some private network), publish message on to an AWS eventBus/eventBridge, so that the target subscribers can take it forward from there... Does hybrid AWS help here?
If so, can you share some links on achieving the same
That should be very straight forward - you can use the put events endpoint of any AWS SDK for EventBridge.
You'll need an IAM user with which to call the API via access key/secret key.
From a networking perspective, you'll need to be able to hit the AWS API endpoints.
Here's the method to use in Python.
https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/events.html#EventBridge.Client.put_events

More interesting and useful API Gateway integration into AWS Services

There is instructions on how to integrate between API Gateway and SNS here but this is a bit of a toy example.
I want to know how I can subscribe to a topic via API Gateway -> SNS Integration.
And to this purpose what I'm looking is general documentation on doing this as I assume it is possible. If you can ListTopics (which the example indicates) surely you can do other things...
Edit: So I now know that when I do an integration into SNS it sends the following to SNS: https://sns.eu-west-1.amazonaws.com/?Action=CreateTopic
So that's a good start as that is how to call SNS to create a topic.
So now the question is how to I parameterise this?
I have also figured out that I can do from post to the SNS endpoint and thus include my parameters. However, the I get a signature not present error...

Subscribe AWS SNS to HTTP endpoint without confirmation?

I need to subscribe an AWS SNS topic to a HTTP endpoint that I do not control, but I am blocked by the anti-abuse measure in SNS that requires the subscribed endpoint to confirm the subscription. This would require modifying the web service.
Given that I don't have the ability to modify the web service, that is probably the end of this discussion. I will need to find another solution. But, I would like to explain my scenario in case there is a workaround:
The messages we are sending are logs.
It works like this:
log_source -> sns_topic
sns_topic -> log_endpoint*
log_endpoint* -> log_data_store
* means it is not controlled by us
AWS SNS is such a wonderful solution to our problem, it is a shame that we cannot leverage it because of this anti-abuse measure.
I believe we are stuck because we have no control with how AWS will form the magic confirmation URL, nor how the log_endpoint will process it.
If there is no workaround, perhaps there is an analogous AWS service that I could leverage?

How does AWS SNS send Application notifications?

I have a React Native application that works on iOS and Android and I am looking to integrate AWS SNS. I have some questions that I hope people with SNS experience could answer.
From my understanding, AWS SNS is merely a gateway for using GCM (Android) and APNS (iOS)
Is this correct?
If the above is correct, imagine that I have an Android-only app, what's the point of using AWS SNS when I could directly use GCM/Firebase? I can even use Firebase with iOS.
My app needs to allow a single User to send a notification to one or more Users.
Is there an RESTful API I can consume to achieve this?
Or would I need to set up API Gateway and use Lambda functions?
How do I automatically store tokens on SNS?
I read that I have to integrate AWS Cognito for this, or use a Proxy Server.
Edit:
I've managed to write a Node.js server that uses the aws-sdk to communicate with SNS.
Questions corresponding to their above question numbers
Still looking for answers
Still looking for answers
I've written a Node server, I suppose I could embed the aws-sdk code into my React Native app as it can use Node APIs
For question #4 - I used createPlatformEndpoint
I am no specialist but given you have not received an answer yet, I thought I would try to help
you can use AWS SNS to send messages via GCM, but it can do much more, since it's a pub-sub service: for example, if can be configured to receive email complaints from mails sent by AWS SES, and then you get either either a lambda function or a queue (SQS) to receive those actions emitted by SNS, allowing you to act on them
for an Android-app only I don't see a good reason to bother, and even if it was also on iOS, you could configure yourself the sending of push notifications with an if/else in your code. I could argue it's a matter of personal taste, whether you want more configuration in your code vs in the infra-structure (I know the limit can get blurry), but it seems so much easier to keep it in the code that I wouldn't believe a word I said
My app needs to allow a single User to send a notification to one or
more Users.
If it's a user writing to 1 to a few users, like in a messaging app, I would say it's easier to define (and maintain) the logic within your app and iterate over the group of recipients to send the push notifications.
If you're going to have a few people who are going to be followed by thousands of people and needs to write to them, you might have a case for using SNS Topics (each "popular user" can write - maybe via your own api - to an SNS topic to which the "followers" subscribed; keep in mind the max number of topics you can create), as SNS will take care of any scaling issue (it can take time and resources to send a push notification to your 1 million followers)
What you said if you're going to user SNS, otherwise sending a push notification via GCM/FCM is as simple as a POST request.

Control AWS Lambda concurrent execution with SNS

In SNS documentation I can see some information about delivery policies and receive rate in particular:
http://docs.aws.amazon.com/sns/latest/dg/DeliveryPolicies.html#delivery-policy-maximum-receive-rate
But is this configuration applicable only for HTTP endpoints or Lambda functions as well?
Is it somehow possible to control lambda concurrent execution with SNS?
As #mark-b pointed in the comments, this feature just got announced during AWS ReInvent 2017
Set Concurrency Limits on Individual AWS Lambda Functions:
https://aws.amazon.com/about-aws/whats-new/2017/11/set-concurrency-limits-on-individual-aws-lambda-functions/
To set the limit, navigate to your Lambda function in the Console
Scroll down, and at the very end you can set the limit.
As noted in comments, this does not appear to be implemented, currently, but there does appear to be a reasonably straightforward workaround:
SNS → API Gateway (an HTTPS endpoint) → Lambda
Arguably it's an unnecessary additional complexity and expense, but if you want a native solution with no external wizardry required, this might be the way to go.
You'd also have to handle validation of the SNS message signature, as well as the subscription confirmation, which a direct Lambda integration doesn't require... but this seems like a way to accomplish what you're looking for. Note that your optimal configuration here would be a regional endpoint for API Gateway, rather than an edge-optimized endpoint.