AWS sns medium security documentation change
Summary
Added section about email address normalization in SNS endpoint policies
Security assessment
Addresses potential policy misconfiguration vulnerabilities by documenting case sensitivity requirements, which could prevent unauthorized access if misunderstood
Diff
diff --git a/sns/latest/dg/sns-using-identity-based-policies.md b/sns/latest/dg/sns-using-identity-based-policies.md index 9e615a73e..888d60968 100644 --- a//sns/latest/dg/sns-using-identity-based-policies.md +++ b//sns/latest/dg/sns-using-identity-based-policies.md @@ -5 +5 @@ -IAM & Amazon SNS policiesResource ARN formatAPI actionsPolicy keysExample policies +IAM & Amazon SNS policiesResource ARN formatAPI actionsPolicy keysExample policiesEmail endpoints @@ -177,0 +178,26 @@ We also want to prevent the WidgetCo group from doing anything else with topics, +## Amazon SNS Policies for Email Endpoints + +Amazon SNS normalizes email addresses in endpoint access policies by removing leading and trailing whitespace, converting all characters to lowercase, and normalizing special characters and escape sequences. Because of that, you must use lowercase email addresses in your policy definitions to ensure proper matching of subscription requests. + +Example policy: + + + { + "Condition": { + "StringEquals": { + "sns:Endpoint": "[email protected]" + } + } + } + +The following email addresses match the above condition: + + * `[email protected]` + + * `[email protected]` + + * `User.N\[email protected]` + + + +