github awspring/spring-cloud-aws v4.0.2
4.0.2

5 hours ago

Reference documentation

📗 https://docs.awspring.io/spring-cloud-aws/docs/4.0.2/reference/html/index.html

What's Changed

Added SNS message signature verification to protect HTTP/HTTPS notification endpoints against spoofed messages.

🔒 Security

  • Missing SNS message signature verification

SNS

⚠️ SNS Signature Verification (enabled by default)

Starting with 4.0.2, all incoming SNS messages (Notifications, SubscriptionConfirmations, and UnsubscribeConfirmations) are verified using SnsMessageManager from the AWS SDK v2. This ensures messages originate from Amazon SNS and have not been tampered with.

To disable verification:

spring.cloud.aws.sns.verification=false

Note: Verification will fail in tests where SNS messages are crafted manually without valid AWS signatures. Either disable verification in your test profile or mock the SnsMessageManager bean.
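Why a hand-crafted test message fails verification, shown as an added example (not code from spring-cloud-aws or the AWS SDK): a JDK-only sketch of the signature scheme Amazon SNS documents for Notification messages, in which the signature covers a canonical string built from the message fields. The class name, the sample field values and the locally generated RSA key pair standing in for the SNS signing certificate are all constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

public class SnsSignatureSketch {
    // Fields SNS signs for a Notification, in this order; Subject only when present.
    static final List<String> NOTIFICATION_FIELDS =
        List.of("Message", "MessageId", "Subject", "Timestamp", "TopicArn", "Type");

    // Canonical string: "Name\nValue\n" for each signed field that is present.
    static byte[] stringToSign(Map<String, String> msg) {
        StringBuilder sb = new StringBuilder();
        for (String f : NOTIFICATION_FIELDS) {
            if (msg.containsKey(f)) sb.append(f).append('\n').append(msg.get(f)).append('\n');
        }
        return sb.toString().getBytes(StandardCharsets.UTF_8);
    }

    // SignatureVersion "1" is SHA1withRSA, "2" is SHA256withRSA.
    static boolean verify(Map<String, String> msg, PublicKey key) throws GeneralSecurityException {
        String alg = "2".equals(msg.get("SignatureVersion")) ? "SHA256withRSA" : "SHA1withRSA";
        Signature sig = Signature.getInstance(alg);
        sig.initVerify(key);
        sig.update(stringToSign(msg));
        try {
            return sig.verify(Base64.getDecoder().decode(msg.get("Signature")));
        } catch (SignatureException | IllegalArgumentException e) {
            return false; // a malformed signature counts as a failed check
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed key pair: a stand-in for the key in the SNS signing certificate.
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        Map<String, String> msg = new HashMap<>(Map.of(
            "Type", "Notification", "MessageId", "constructed-id-1",
            "TopicArn", "arn:aws:sns:us-east-1:000000000000:example-topic",
            "Message", "order shipped", "Timestamp", "2025-01-01T00:00:00.000Z",
            "SignatureVersion", "2"));
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(kp.getPrivate());
        signer.update(stringToSign(msg));
        msg.put("Signature", Base64.getEncoder().encodeToString(signer.sign()));
        System.out.println("signed message verifies: " + verify(msg, kp.getPublic()));
        msg.put("Message", "order cancelled"); // body edited after signing
        System.out.println("tampered message verifies: " + verify(msg, kp.getPublic()));
        msg.put("Signature", "bm90LWEtc2lnbmF0dXJl"); // hand-crafted value, as in a manual test fixture
        System.out.println("hand-crafted signature verifies: " + verify(msg, kp.getPublic()));
    }
}
```

A real verifier also obtains the public key from the certificate referenced by the message's SigningCertURL and checks that the URL and certificate belong to Amazon SNS; the sketch leaves that step out.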

Full Changelog: v4.0.1...v4.0.2
