How do I subscribe a private HTTP or HTTPS endpoint to my Amazon SNS topic?

Short description

To subscribe a private HTTP or HTTPS endpoint to an Amazon SNS topic, do the following:

• Create an Amazon Virtual Private Cloud (Amazon VPC) security group (LambdaSG) in the same Amazon VPC as the private endpoint.
• Create an AWS Lambda function inside the same Amazon VPC and subnet as the private endpoint and add it to the LambdaSG security group.
• Edit the private endpoint's security group's rules to allow inbound connection from the Lambda function's security group.
• Configure the Lambda function so that it passes incoming Amazon SNS notifications to the private endpoint.
• Subscribe the Lambda function to your Amazon SNS topic.

Resolution

Create an Amazon VPC security group (LambdaSG) in the same Amazon VPC as the private endpoint

1.    Open the Amazon VPC console.

2.    In the left navigation panel, under Security, choose Security Groups. Then, choose Create security group.

3.    For Security group name, enter LambdaSG.

4.    For VPC, choose the Amazon VPC that the private endpoint is in.

5.    Choose Create security group.

Create a Lambda function inside the same Amazon VPC and subnet as the private endpoint and add it to the LambdaSG security group

1.    Open the Lambda console.

2.    Choose Create function.

3.    Choose Author from scratch.

4.    For Function name, enter a name that describes the purpose of your function. For example, Private-endpoint-Amazon-SNS-topic-subscription.

5.    For Runtime, choose Python 3.8.

6.    Choose Advanced settings.

7.    For VPC - optional, choose the Amazon VPC that the private endpoint is in. Dropdown lists for Subnets and Security groups appear.

8.    For Subnets, choose the subnet that the private endpoint is in.

9.    For Security groups, choose LambdaSG.

10.    Choose Create function.

Edit the private endpoint's security group's rules to allow inbound connection from the Lambda function's security group

1.    Open the Amazon VPC console.

2.    In the left navigation panel, under Security, choose Security Groups.

3.    Choose the name of the private endpoint's security group.

4.    Choose Edit inbound rules.

5.    For Type, choose HTTP or HTTPS, depending on your use case. The Protocol and Port range fields are populated automatically.

6.    For Source, choose Custom. Then, choose the LambdaSG security group.

7.    Choose Save rules.

Configure the Lambda function so that it passes incoming Amazon SNS notifications to the private endpoint

1.    Create a Lambda deployment package that includes your Lambda function's Python requests library. Follow the instructions in Create the deployment package in Tutorial: Creating a Lambda function in Python 3.8. For step 3, replace the code provided in the tutorial with the following example code snippet.

Python code snippet that uses the requests library to post the incoming notifications from Amazon SNS to the private endpoint

Important: Replace the url value with the URL of your private endpoint.

import json
import requests
 
def lambda_handler(event, context):
    url = "<PRIVATE_HTTP/S_ENDPOINT_URL>"
 
    sns_message_payload = event["Records"][0]["Sns"]
 
    sns_message_headers = {
        "x-amz-sns-message-id": sns_message_payload['MessageId'],
        "x-amz-sns-message-type": sns_message_payload["Type"],
        "x-amz-sns-subscription-arn" : event["Records"][0]["EventSubscriptionArn"],
        "x-amz-sns-topic-arn" : sns_message_payload["TopicArn"]
    }
 
    try:
        r = requests.post(url = url, data = json.dumps(sns_message_payload), headers = sns_message_headers)
    except Exceptions as e:
        print(e)
 
    print(r.content)
 
    return {
        'statusCode': 200,
        'body': json.dumps(r.content)
    }

2.    Use the deployment package to update the Lambda function that you created earlier.

Subscribe the Lambda function to your Amazon SNS topic

Follow the instructions in How do I subscribe a Lambda function to an Amazon SNS topic in the same account?