Teri Radichel


Sending an SMS Message from a Lambda Function: First Attempt

ACM.54 Getting a phone number from Pinpoint


TL;DR — I’m not using this option. Pinpoint is more for marketing than notifications for system administration.

I used to use this option for sending messages using SNS:

I thought the above was not available anymore for some reason, but I’m still seeing the documentation here now, so I’m going to revert back to what I had and see if I can get it working. If I cannot get it working the way I had it, I’ll look for an alternate solution. Also, I’m not even sure I’m going to use SNS. TBD.

Pinpoint ~ for marketing and similar use cases

If you want to know more about phone numbers from Pinpoint, you can keep reading…but I’m not using any of this below. Even if the above doesn’t work, the information below is too complicated for my use case and I’d seek another option.

In the last post my train of thought was derailed by a comment. Yes, I suppose I can be easily distracted, but I thought it was a good comment to address, despite the tone of the subsequent comments. I like learning about new things and I had never considered “energy-efficient programming” so I was happy to explore the topic.

Note: this blog series is truly a real-time work in progress. See the bottom of the post before you submit your request.

In the last post we created a Lambda function that generates a Job ID. Now we need to do something with it. In this post we’re going to add the capability to send a text message to a batch job administrator with the batch job ID. In order to do that we’ll make use of AWS SNS.

I created a user and group I called SecurityMetricsOperators. This is the group that is going to execute the batch jobs related to tracking security metrics in our organization. The SecurityMetricsOperator user I created would be a user name in an actual environment; I’m just naming it this way for clarity, as I mentioned before. That is the user that I want to allow to run our security metrics batch jobs.

I want to send this user a message with the batch job code in this post. For now we are just going to hard code a phone number into the code for testing purposes. We’ll look at other options later as this is not a good option in an organization where employees may come and go and likely you’ll have more than one person monitoring security-related batch jobs.

AWS Simple Notification Service (SNS)

The SNS service basically lets you send messages to endpoints which at the time of this writing are emails and phone numbers.
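As an added example (not code from the original post or the author's repository), here is one way a Python Lambda function could send the job ID as a direct SMS through SNS with the destination read from configuration rather than hard coded. The environment variable names ADMIN_PHONE_NUMBER and ORIGINATION_NUMBER, the event key job_id, and the job ID format are assumptions made for illustration.

```python
import os
import re

# Destination numbers must be E.164: "+" then up to 15 digits.
E164 = re.compile(r"\+[1-9]\d{1,14}")
# Origination identity: long/toll-free number or short code (5-14 digits).
ORIGIN = re.compile(r"\+?\d{5,14}")
# Assumed job ID format; adjust to whatever your generator emits.
JOB_ID = re.compile(r"[A-Za-z0-9-]{1,64}")


def build_sms_request(job_id, phone_number, origination_number=None):
    """Build the keyword arguments for one direct sns.publish() SMS."""
    if not JOB_ID.fullmatch(job_id or ""):
        raise ValueError("unexpected job ID format")
    if not E164.fullmatch(phone_number or ""):
        raise ValueError("destination is not an E.164 phone number")
    attributes = {
        # Transactional matches the message type selected for the number.
        "AWS.SNS.SMS.SMSType": {"DataType": "String",
                                "StringValue": "Transactional"},
    }
    if origination_number:
        if not ORIGIN.fullmatch(origination_number):
            raise ValueError("origination number is malformed")
        attributes["AWS.MM.SMS.OriginationNumber"] = {
            "DataType": "String", "StringValue": origination_number}
    return {"PhoneNumber": phone_number,
            "Message": f"Batch job ID: {job_id}",
            "MessageAttributes": attributes}


def send_job_id(job_id, sns_client=None, env=os.environ):
    """Publish the job ID; the numbers come from configuration, not code."""
    request = build_sms_request(job_id, env.get("ADMIN_PHONE_NUMBER"),
                                env.get("ORIGINATION_NUMBER"))
    if sns_client is None:
        import boto3  # lazy import: validation is testable without AWS
        sns_client = boto3.client("sns")
    return sns_client.publish(**request)["MessageId"]


def lambda_handler(event, context):
    # "job_id" is an assumed event key for this example.
    return {"MessageId": send_job_id(event["job_id"])}
```

The function's execution role needs sns:Publish, and the call still fails until the account has a usable origination number and a sufficient SMS spending limit.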

We’re going to leverage this AWS documentation to send a text message using SNS. Except that the documentation is not straightforward or step by step in process at all. Before you can use SNS to send a text message there’s a link in the fine print about obtaining a number from which to send text messages (which has a weird name: Origin Identity).

I had this functionality working before and let’s just say it was a lot simpler than it is now. I have a request to AWS and that is — you need options for internal use other than the options listed below. Some people do not want to send text messages for marketing and branding and these options below either don’t make sense or cost more when an organization only needs to send a small amount of text messages. The whole integration with Pinpoint is confusing for people who just want to be able to alert internal administrators of system issues. #awswishlist

Origin Identities (The number from which you send messages)

You need to contact AWS support or submit an online request for one of the following before you can send messages using SNS:

You won’t be able to proceed with the rest of the configuration below until you get a phone number from which you can send messages from AWS.

Navigate to the SNS dashboard.

Click Originating numbers. Then Provision numbers in Pinpoint.

Request a phone number.

Choose these settings (and note the cost):

  • Toll free number because it gets deployed immediately.
  • SMS only so uncheck Voice.
  • Transactional (we want our messages to go out right away)

Click Next. Click Request.

The number is provisioned immediately.

You have to register your new phone number before you can use it.

The documentation seems overly wordy at this point. I clicked on Toll-free registration at the top of the page, then Create registration.

Choose your number. Register existing toll-free number.

Fill out all the information and submit your registration:

At this point our registration and number are pending.

The process says it can take up to 15 days. Well, let’s see what happens. This was supposed to be the quick option. What other options do we have?

Request a 10DLC

We can request a non-800 number. That requires registering our “brand”. Great. We don’t really want this for marketing purposes. What does a “brand” entail?

Click the link and you’ll get sent over to this site:

You can read up on it. But I really don’t want to publish private company information and processes in the name of marketing and branding to send a text message to internal employees. This option really doesn’t make sense.

Also:

Request a short code

Well, let’s see. We can also request a short code.

Short codes cost more than an 800 number and a 10DLC.

You have to submit a request to AWS support to get one. I already did this once before but apparently I forgot to request a spending limit increase. I didn’t respond to AWS soon enough and the case got closed. Plus I’m not sure if I was in the same account, so I could repeat this process again:

First, a look at the pricing. Always a good time. When I say “pricing” I mean the cost of the phone number for starters. So that should be Pinpoint pricing.

We will end up paying some usage charges:

In addition, there are carrier charges. Check your location and inbound if you plan to use that. I don’t. Short codes have the highest carrier fees.

The difference between short code and toll-free is minimal considering the amount of messages I plan to send.

So what I want to know now, is how do I submit the limit increase for the short code at the same time I submit the request to get one? I don’t want to have the same problem I had before.

The instructions on this page don’t say anything about increasing pricing limits:

One thing I didn’t notice when I clicked the link to create an origin number in SNS is that it kicked me over to us-east-1 or the AWS North Virginia region. I was in a different region at the time where all my other resources are created. To get to Pinpoint I had to switch back over to that region to see my number.

When I look at the Pinpoint dashboard I see the $1 spending limit there and a link to instructions.

Here’s how to request a spending limit increase. I read you could do both in one ticket. Let’s try it.

Navigate to AWS Support and click Create case.

Click limit increase link (why isn’t this on the home page??)

Oh. Apparently there’s a new service quota dashboard. Looks like some documentation needs to be updated.

Note the URL below is for us-east-1. I don’t know if that’s different for each region but I presume it is.

https://us-east-1.console.aws.amazon.com/servicequotas/home

For now we’ll continue where we are at. Fill out and submit the form.

I chose a number in two regions:

Submit the second request for the spending limits. Follow the steps in the documentation and make sure you provide all the required information.

I described the application same as above, explained that I would be sending one to two lines of text, 1 message per second, and that I just requested a short code. There is some other information you’ll need to add.

Wait.

And now we wait. Last time I did this I got messages at an alternate email and didn’t see them. In addition, I got very busy. Hopefully I can follow up more closely this time and we’ll see which option comes through fastest for us. I think I’d rather use the short-code but we’ll see how they work and which one(s) I can get.

Update

I got two messages back. I didn’t get back to them for 6 days because I didn’t see the emails and have been busy. Paying projects take priority.

Clearly I wasn’t supposed to submit two separate messages. The first one looks like this.

Both my regions were listed in the original request above. I stated that I put the dollar amount in a separate request (because the portal is a bit confusing.) The form says the link or app is optional. I just gave the app a name that ended with “-Internal Only” and provided a link to this blog. I thought the form said messages per month but I replied with messages per day.

The second request looked like this and I requested to close it because it was asking for all the information already in my request all over again:

Wait again…

Update 9/29/22

I could have sworn that I closed the case that was only pertaining to a spending limit increase and I left the request open pertaining to a short code. In both cases the support person was asking about a spending limit increase.

When I logged back in, somehow the request with the short code request got cancelled, not the limit request only. Perhaps I clicked on the wrong thing but I thought I was pretty careful about which one I closed. At any rate, the limit increase was granted. I got this message with it:

Wow, that’s a lot of caveats. I don’t understand the first point about requesting a spending limit increase before I can send messages as I thought that’s what I just did. I guess there’s still another step. I’ll take a look at that later.

We’ll definitely want to review the best practices.

We’re not sending to countries outside the US so hopefully the next comment doesn’t apply and I’m not sending PHI.

I re-requested my short code in the same request as I already closed the one that was asking me to repeat everything I submitted in the request. I may end up having to start over. I don’t know. It seems like this process could be streamlined a bit for people who are always going too fast and make mistakes (ME) to prevent errors :) Hopefully you can avoid my fate.

I did log into Pinpoint and found an 800 number there, so we can proceed with that, but I have some posts to finish on networking and development environments first.

Update:

September 30, 2022

As it turns out, the cost of a short code is a $650 one-time fee and $995 per month. I don’t believe I saw this pricing on the AWS pricing page but I could be wrong. I wrote about it here and posted the message I got back from AWS with the details. I will not be using a short code to send a few internal messages…

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2022
