AWS SNS - SMS not Sending for verifying Sandbox Phone Numbers

Hi there, When first setting up the SNS SMS Sandbox, this is a common source of frustration. It's highly likely a configuration or permissions issue rather than a problem with the numbers themselves if you're not receiving the verification PIN across several numbers, carriers, and accounts. The most likely reason is that your AWS account is in SMS Sandbox mode, but it lacks the necessary IAM permissions to send SMS messages. There are two requirements for the Sandbox: 1) confirming phone numbers and 2) obtaining authorization to send SMS.

Let's go over the requirements and troubleshooting techniques. Step 1: Turn on SMS Sandbox and Verify Spending Caps Make sure the Sandbox is operational and that your spending caps aren't set to zero first. Check the status of the sandbox: Navigate to SMS Sandbox under SNS Console -> Mobile. The interface for adding phone numbers should be visible to you. If not, you might have to enable it for your area (though us-east-1 is a good option).

2. Verify Account Spending Quote: Select Mobile -> Text Messaging (SMS) -> Account settings in the SNS Console. Make sure the "Usage report source" option under SMS preferences is set to an email address or a legitimate SNS topic. Above all, ensure that the monthly spending limit is not set to zero. All SMS spending, including Sandbox verification messages, is disabled when the value is 0. For testing, set it to 1 (the minimum) or a higher value. The second prerequisite is the most popular fix, the critical IAM permissions. This is most likely the problem. To publish to SNS for SMS, your IAM user or role must have express permission. These may not be granted automatically by the Sandbox UI.

3. Identify your IAM Identity: Find out whether you are using an IAM Role or an IAM User (for example, using temporary credentials from SSO).

4. Attach the Correct Policy: Give your user or role access to an IAM policy that grants the following permissions. Either attach the managed AmazonSNSFullAccess policy (which is fine for testing but less advised for production) or create a new policy. A custom, more secure policy for SMS testing would be:

JSON { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ sns:Publish" ], "Resource": "*" ] }

Try asking for a new verification code after this policy has been added. Third Requirement: Formatting Numbers Even though you probably did this correctly, it's still a good idea to double-check. Make sure the phone number is formatted in E.164. • The correct UK format is +447123456789; take note that the leading 0 is replaced by the country code +44.

• 07123456789, 447123456789, and +4407123456789 are incorrect formats. Advanced Troubleshooting: If It's Still Not Working The following actions should be taken after you have verified that the spending cap and IAM permissions are accurate:

1. Examine the CloudWatch logs: The best way to see what's going on is like this. o Select a CloudWatch Logs group (you might need to create one called sns/sms) and enable Delivery status logs in the SNS Console (Text messaging (SMS) -> Account settings).

o Check the CloudWatch Logs a few minutes after requesting a new code. Search for log entries pertaining to your phone number. You can see from the logs whether the message was published successfully ("status": "SUCCESS") or, more crucially, whether it failed and why ("status": "FAILURE"). Here, the "provider_response" field is crucial. 2. Verify the Status in the SNS Sandbox UI: Check the Sandbox UI after submitting a PIN request. Does the phone number display an error message or the status "Pending verification"? This would be a very telling error. 3. Issues with Temporary Carriers: It's possible that a particular carrier is momentarily blocking or delaying messages from AWS's SMS originators, though this is uncommon and unlikely to impact all four of your numbers at once. The best course of action is to try a number from a different carrier, like you have.

Synopsis and Prompt Action Plan:

1. Go to SNS Account Settings and establish a $1 monthly spending cap.
2. Attach a policy with sns by going to IAM: Give your user or role permissions to publish.
3. Give the IAM policy five minutes to fully take effect.
4. In the Sandbox, ask for a fresh verification code for one of your phone numbers. In most cases, this sequence fixes the problem. The most important realization is that access to the Sandbox does not come with permission.