Fun fact: you can make an unsubscribable subscription to an SNS topic
Every email AWS SNS sends has an unsubscribe link. If the recipient clicks on that link, their subscription is removed from the topic.
Here's an unintuitive feature that I learned recently: you can make that link not work.
From the answer to "How do I keep mailing list recipients from unsubscribing everyone on the list from my Amazon SNS topic emails?":
To prevent the unsubscribe action, create a subscription that requires authentication to unsubscribe. This allows only the topic owner and subscription owner to unsubscribe. All other subscribers who choose the link receive the following error:
"Subscription not removed Your subscription could not be removed because of an error. If you wish to unsubscribe but do not have AWS credentials, or have any other questions about Amazon SNS, please contact Amazon at sns-question@amazon.com."
The answer links to the ConfirmSubscription API documentation:
AuthenticateOnUnsubscribe
Disallows unauthenticated unsubscribes of the subscription. If the value of this parameter is true and the request has an AWS signature, then only the topic owner and the subscription owner can unsubscribe the endpoint. The unsubscribe action requires AWS authentication.
That's an interesting feature. The answer then goes on to give the steps for making such a protected subscription.
I have to admit I needed to read it a couple of times to spot the magic sauce. But here is how it works.
When a subscription is added, the recipient gets a message with the confirm link.
The first instinct is to click on it, but copy the link instead.
Then use the "Confirm subscription" button on the SNS console and paste the link.
The subscription is confirmed in a way that denies unauthenticated unsubscribes. When the recipient wants to unsubscribe, they get the error quoted above.
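The same confirmation done through the API instead of the console, as an added example that is not from the original post: it pulls TopicArn and Token out of the copied link and passes them to boto3's confirm_subscription with AuthenticateOnUnsubscribe set. The link layout, SAMPLE_LINK and the function names are assumptions made for this example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample link (placeholder account ID, topic name, token and address).
SAMPLE_LINK = (
    "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription"
    "&TopicArn=arn:aws:sns:us-east-1:123456789012:example-topic"
    "&Token=0123456789abcdef0123456789abcdef"
    "&Endpoint=user@example.com"
)


def parse_confirm_link(link):
    """Extract the ConfirmSubscription arguments carried in the emailed link."""
    parts = urlsplit(link.strip())
    host = parts.hostname or ""
    aws_host = host.endswith((".amazonaws.com", ".amazonaws.com.cn"))
    if parts.scheme != "https" or not host.startswith("sns.") or not aws_host:
        raise ValueError("not an SNS HTTPS endpoint")
    query = parse_qs(parts.query)
    if query.get("Action") != ["ConfirmSubscription"]:
        raise ValueError("not a ConfirmSubscription link")
    if "TopicArn" not in query or "Token" not in query:
        raise ValueError("link lacks TopicArn or Token")
    topic_arn, token = query["TopicArn"][0], query["Token"][0]
    arn_fields = topic_arn.split(":")
    if len(arn_fields) != 6 or arn_fields[2] != "sns":
        raise ValueError("TopicArn is not an SNS topic ARN")
    return {"region": arn_fields[3], "TopicArn": topic_arn, "Token": token}


def confirm_protected(link):
    """Confirm through a signed API call so that unsubscribing needs AWS credentials."""
    import boto3  # imported here so the parser above runs without the SDK

    args = parse_confirm_link(link)
    sns = boto3.client("sns", region_name=args["region"])
    # Clicking the link sends the same action unsigned; the signature on this
    # request is what lets AuthenticateOnUnsubscribe take effect.
    response = sns.confirm_subscription(
        TopicArn=args["TopicArn"],
        Token=args["Token"],
        AuthenticateOnUnsubscribe="true",
    )
    return response["SubscriptionArn"]


if __name__ == "__main__":
    print(parse_confirm_link(SAMPLE_LINK))
```

confirm_protected needs AWS credentials in the environment and a real, unexpired link; parse_confirm_link runs offline.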