How to Publish to an Amazon SNS topic while keeping the messages secure in a private network using CloudFormation.

Aayush Pandey
5 min readJun 26, 2021

The architecture is defined below:

Before you start, you need an Amazon Web Services (AWS) account. If you haven’t created an account already, go to, and then choose Create a Free Account.

The stack for this process includes the following resources:

  • A VPC and the associated networking resources, including a subnet, a security group, an internet gateway, and a route table.
  • An Amazon EC2 instance that’s launched into the subnet in the VPC.
  • An Amazon SNS topic.
  • Two AWS Lambda functions. These functions receive messages that are published to the Amazon SNS topic, and they log events in CloudWatch Logs.
  • Amazon CloudWatch metrics and logs.
  • An IAM role that allows the Amazon EC2 instance to use Amazon SNS, and an IAM role that allows the Lambda functions to write to CloudWatch logs.

Create the AWS resources

To set up the infrastructure, you use an AWS CloudFormation template.

Download the template file from the GitHub website.

  1. Sign in to the AWS CloudFormation console.
  2. Choose Create Stack.
  3. On the Select Template page, choose Upload a template to Amazon S3, or choose the file, and choose Next.

5. On the Specify Details page, specify stack and key names:

For Stack name, type name VPC-SNS.

For KeyName, choose KeyPair for that region if you do not have create new key pair .

For SSH Location, keep the default value of and click next.

Keep everything default here

  1. On the Review page, verify the stack details.
  2. Under Capabilities, acknowledge that AWS CloudFormation might create IAM resources with custom names.
  3. Choose Create.

Creation is in progress

Confirm that your Amazon EC2 instance lacks internet access

To connect to your Amazon EC2 instance

  1. Open the Amazon EC2 console .
  2. In the list of instances, select VPCE-Tutorial-EC2Instance as this is the instance name given in the template.
  3. Copy the hostname that’s provided in the Public DNS (IPv4) column
  4. Login to putty and ping any website to see if we are connected to internet or not.

Create an Amazon VPC endpoint for Amazon SNS

  1. Open the Amazon VPC console .
  2. In the navigation menu on the left, choose Endpoints.
  3. Choose Create Endpoint. On the Create Endpoint page, for Service category, keep the default choice of AWS services.
  4. For Service Name, choose the service name for Amazon SNS.
  5. The service names vary based on the chosen region. For example, if you chose US west (oregon), the service name is
  6. For VPC, choose the VPC that has the name VPCE-Tutorial-VPC.

Publish a message to your Amazon SNS topic

The VPC you created includes an endpoint for Amazon SNS, you can log in to the Amazon EC2 instance and publish messages to the topic.

If your terminal is no longer connected to your Amazon EC2 instance, connect again

Run the command below to publish a message to your Amazon SNS topic. You should get a message ID :

aws sns publish — region us-west-2 — topic-arn arn:aws:sns:us-west-2:392804924255:VPCE-Tutorial-Topic — message “Hello”

Change the region and the topic arn from the sns topic .

Verify your message deliveries

  1. Open the AWS Lambda console .
  2. On the Functions page, choose VPCE-Tutorial-Lambda-1.
  3. Choose Monitoring.
  4. Check the Invocation count graph. This graph shows the number of times that the Lambda function has been run.
  5. The invocation count matches the number of times you published a message to the topic.

Verify that the CloudWatch logs were updated

  1. Open the CloudWatch console.
  2. In the navigation menu on the left, choose Logs.
  3. Check the logs that were written by the Lambda functions:
  4. Choose the /aws/lambda/VPCE-Tutorial-Lambda-1/ log group.
  5. Choose the log stream.
  6. Check that the log includes the entry From SNS:HELLO
  7. Choose Log Groups at the top of the console to return the Log Groups page. Then, repeat the preceding steps for the /aws/lambda/VPCE-Tutorial-Lambda-2/ log group.

Clean up

  1. Open the Amazon VPC console .
  2. In the navigation menu on the left, choose Endpoints.
  3. Select the endpoint that you created.
  4. Choose Actions, and then choose Delete Endpoint.
  5. In the Delete Endpoint window, choose Yes, Delete.
  6. The endpoint status changes to deleting. When the deletion completes, the endpoint is removed from the page.

To delete your AWS CloudFormation stack

  1. Open the AWS CloudFormation console at
  2. Select the stack VPC-SNS
  3. Choose Actions, and then choose Delete Stack.
  4. In the Delete Stack window, choose Yes, Delete.
  5. The stack status changes to DELETE_IN_PROGRESS. When the deletion completes, the stack is removed from the page.

Thanks!!! 👏🏻