Authenticating events for an EDA

Hello!

From what I understand from your question, you would like to be sure that the content of a message that is sent by a producer or publisher arrives unaltered to the destination subscriber or consumer. There are a several ways you can accomplish this depending on your requirements and existing architecture. However, here I include some of the considerations you should have when tying to achieve this integrity or verification along some recommendations on how to do it.

1. This may be an overkill for what you are needing, but this is a good blog post that describes a use case similar to what you are asking for and provides a cost-effective and integral solution for signing and verification of decoupled architectures such as the ED you mentioned.
2. For SNS you could go with a much simpler and pragmatic approach if it complies with your requirements by using the included message signatures based on Secure Hash Algorithm 256 (SHA256). This way, the subscriber (e.g.: Lambda function) can validate message integrity by adding a simple verification subroutine as recommended in this blog post. Here is the associated oficial documentation on how to implement this for SNS.
3. Consider using encryption at rest (SSE with AWS KMS) and in transit (HTTPS using aws:SecureTransport condition in the IAM policy of the SNS topics). More info about Encryption at Rest available here and about Encryption in Transit can be found here.
4. Be sure to follow al Amazon SNS security best practices enumerated here such as ensuring that topics are never publicly accessible and always implementing with least-privilege access.
5. Also, always try to restrict publication and consumption of messages to specific Principals or network endpoints. For example, by using Amazon SNS policies to control access from specific Amazon VPC endpoints or specific VPCs, you are isolating and protecting your EDA resources from outside access and unexpected manipulation of payloads. Guidance of how to accomplish this can be found here.
6. Last, but not least, always try to use the official AWS SDK's in your implementations since AWS already encrypts and signs all requests to the different services using TLS combined with AWS Signature V4 signing processes. If, for some reason, you are not able to use the SDK, you can follow these guidelines to be sure that you are securing API calls and requests adequately.

I recommend to also checking this AWS website about Zero Trust on AWS since it discusses and points to specific guidance regarding topics related to the one discussed here.

Please feel free to post any follow up questions you may deem necessary.

Regards.