This chapter covers SNS message filtering and fan-out, two powerful features that enable flexible, decoupled messaging architectures in AWS. For the DVA-C02 exam, understanding how to configure filter policies on SNS subscriptions and how fan-out patterns work is essential, as questions on these topics appear in roughly 15-20% of messaging-related questions. You will learn the exact mechanism of filter policy evaluation, the syntax of policy rules, and common fan-out patterns used in production. Master this content to confidently answer exam questions that ask how to route messages to different subscribers based on message attributes.
Jump to a section
Imagine a large corporate mailroom that receives all incoming packages. The mailroom has a single receiving dock (the SNS topic). When a package arrives, it must be delivered to various departments that have expressed interest. Instead of making copies of every package for every department (which wastes resources and creates clutter), the mailroom uses a smart sorting system. Each department provides a set of rules — for example, the Accounting department only wants packages marked "Invoice" or "Payment", while HR only wants packages marked "Employee" or "Payroll". The mailroom clerk (SNS filter policy) examines each incoming package's label (message attributes) and decides which distribution lists (subscriptions) should receive a copy. Only if a package matches a department's rules does the clerk place it in that department's bin (deliver to the SQS queue or Lambda). This prevents irrelevant packages from cluttering departments. If a department has no rules (no filter policy), the clerk treats it as a match-all and delivers every package to that department — this is the default behavior. The clerk can also use multiple conditions (like AND/OR logic) to refine matching. This system is efficient because it reduces unnecessary deliveries and processing, and it scales easily as more departments are added.
What is SNS Message Filtering?
Amazon SNS (Simple Notification Service) message filtering allows subscribers to a topic to receive only a subset of messages based on message attributes. Without filtering, every message published to an SNS topic is delivered to every subscriber. This can lead to unnecessary processing, increased costs, and complexity. Filter policies are JSON documents attached to a subscription that define which messages the subscriber wants to receive.
Why Filtering Exists
In a typical fan-out pattern, a single SNS topic might have multiple SQS queues, Lambda functions, and email endpoints as subscribers. For example, an e-commerce system publishes an "OrderPlaced" event. The inventory service needs only orders containing certain product categories, the shipping service needs only orders with a specific shipping method, and the analytics service needs all orders. Without filtering, each subscriber would receive all messages and must filter them internally, wasting compute and network resources. SNS filtering shifts this responsibility to the message broker, improving efficiency.
How Filter Policy Evaluation Works Internally
When a message is published to an SNS topic, SNS evaluates the message's attributes against each subscription's filter policy. The message attributes are key-value pairs where the key is a string and the value is of type String, String.Array, or Number. The filter policy consists of rules that define matching criteria. The evaluation follows these steps:
Retrieve Subscription Policies: SNS loads the filter policy for each subscription. If no filter policy exists (default), the subscription matches all messages.
Attribute Matching: For each attribute key in the message, SNS checks if there is a matching rule in the filter policy. The policy can specify exact match, prefix, suffix, numeric range, or set membership. If multiple conditions are specified for the same attribute, they are combined with AND logic (all must match). If different attributes are specified, they are combined with AND logic across attributes.
Policy Structure: A filter policy is a JSON object where each key is a message attribute name, and the value is an array of matching criteria. For example:
{
"event_type": ["order_placed", "order_shipped"],
"priority": [{"numeric": [">=", 5]}]
}This policy matches messages where event_type is either "order_placed" or "order_shipped" AND priority is a number >= 5.
4. Matching Logic:
- Exact match: The attribute value must exactly equal one of the values in the array.
- Prefix match: Use {"prefix": "start"} to match attributes that start with the given string.
- Suffix match: Use {"suffix": "end"} to match attributes that end with the given string.
- Numeric range: Use {"numeric": ["op1", value1, "op2", value2]} where operators are <, <=, >, >=, =.
- Anything-but match: Use {"anything-but": ["value1", "value2"]} to match any value except those listed.
- Exists match: Use {"exists": true} or {"exists": false} to check attribute presence.
Delivery Decision: If all conditions in the filter policy are satisfied, the message is delivered to the subscriber. If any condition fails, the message is not delivered. Note that if a message has no attributes and the policy requires an attribute, the message is rejected.
Key Components, Values, Defaults, and Limits
Filter Policy Scope: Policies are per-subscription. You can have up to 200 filter policies per topic (default limit, can be increased).
Policy Size: Maximum policy size is 150 KB (JSON).
Attribute Value Limits: Attribute names can be up to 256 characters, values up to 1024 characters (strings) or 30 digits (numbers).
Number of Conditions: The sum of all conditions across all attributes in a policy cannot exceed 100.
Default Behavior: If a subscription has no filter policy, it receives all messages.
Policy Syntax: Must be valid JSON. Invalid policies cause subscription creation to fail.
Configuration and Verification
You can attach a filter policy to a subscription using the AWS Console, AWS CLI, or SDK. Example CLI command:
aws sns subscribe --topic-arn arn:aws:sns:us-east-1:123456789012:MyTopic --protocol sqs --notification-endpoint arn:aws:sqs:us-east-1:123456789012:MyQueue --attributes '{"FilterPolicy": "{\"event_type\":[\"order_placed\"]}"}'To update an existing subscription's filter policy:
aws sns set-subscription-attributes --subscription-arn arn:aws:sns:us-east-1:123456789012:MyTopic:abc123 --attribute-name FilterPolicy --attribute-value '{"event_type": ["order_placed"]}'To verify, use get-subscription-attributes:
aws sns get-subscription-attributes --subscription-arn arn:aws:sns:us-east-1:123456789012:MyTopic:abc123Fan-Out Pattern
Fan-out is the ability of a single SNS topic to deliver messages to multiple subscribers simultaneously. This is a core messaging pattern in AWS. Combined with filtering, fan-out becomes a powerful routing mechanism.
In a fan-out architecture:
A publisher sends a message to one SNS topic.
The topic has multiple subscriptions (SQS, Lambda, HTTP, email, etc.).
Each subscription can have a filter policy to selectively receive messages.
Messages are delivered in parallel to all matching subscribers.
Interaction with Related Technologies
SQS: SNS can fan out to SQS queues. Filter policies on SNS subscriptions reduce the number of messages sent to queues, saving cost and processing.
Lambda: SNS can invoke Lambda functions. Filtering ensures Lambda only processes relevant events.
SMS/Email: Filtering can be used to send alerts only for critical events.
Kinesis Data Firehose: SNS can deliver to Firehose for streaming analytics, with filtering to select relevant data.
Exam-Relevant Details
Filter policies are subscription-level, not topic-level.
You cannot filter on message body, only on message attributes.
If a message has no attributes, it will not match any policy that requires an attribute, unless the policy uses {"exists": false}.
The anything-but operator is useful for excluding specific values.
The exists operator checks for attribute presence, not value.
Numeric comparisons support only integer and decimal values; strings cannot be compared numerically.
The maximum number of filter policies per topic is 200 (default).
Filter policies are evaluated in a best-effort order; there is no guaranteed order of delivery.
Common Pitfalls
Forgetting that a subscription without a filter policy receives all messages.
Using incorrect JSON syntax (e.g., missing quotes, extra commas).
Assuming filtering works on message body — it does not.
Exceeding the 100 condition limit per policy.
Using exists: false incorrectly: if the attribute is present but you want to match when it's absent, use {"exists": false}. But if the attribute is absent, the policy will match only if all other conditions are satisfied.
Advanced Filtering: AND/OR Logic
Within an attribute, multiple values are OR'd. For example:
{
"event_type": ["order_placed", "order_shipped"]
}Matches if event_type is either "order_placed" OR "order_shipped".
Across attributes, conditions are AND'd. For example:
{
"event_type": ["order_placed"],
"priority": [{"numeric": [">=", 5]}]
}Matches if event_type is "order_placed" AND priority >= 5.
To achieve OR across attributes, you need multiple subscriptions with different filter policies. For example, to match event_type = "order_placed" OR priority > 5, create two subscriptions: one with policy for event_type, another for priority.
Performance Characteristics
Filtering adds minimal latency (sub-millisecond) to message delivery. The evaluation is done at the SNS service side. There is no limit on the number of messages filtered per second beyond the general SNS throughput limits (which are very high).
Create SNS Topic
First, create an SNS topic that will serve as the central message broker. In the AWS Console, navigate to SNS, click 'Create topic', choose 'Standard' (not FIFO) for most use cases. Provide a name like 'OrderEvents'. Note the ARN (Amazon Resource Name) as it is needed for subscriptions. The topic will accept messages from publishers and deliver them to subscribers based on filter policies. This topic does not have any filtering configuration itself; filtering is done at the subscription level.
Create Subscriptions with Filter Policies
Create subscriptions to the topic. For each subscriber (e.g., an SQS queue for inventory, a Lambda function for shipping), subscribe to the topic. During subscription creation, you can attach a filter policy via the 'Subscription filter policy' field. For example, for the inventory queue, set a filter policy to only accept messages with attribute 'category' equal to 'electronics'. The policy is a JSON object. If you do not specify a policy, the subscription receives all messages. You can also attach or modify the policy later using the AWS CLI or SDK.
Publish Message with Attributes
When publishing a message to the topic, you must include message attributes if you want filtering to work. Attributes are key-value pairs. For example, publish a message with attributes: 'category' = 'electronics', 'priority' = 'high'. The message body can be any format (JSON, text, XML). Use the AWS SDK or CLI to publish. Example CLI: `aws sns publish --topic-arn arn:aws:sns:us-east-1:123456789012:OrderEvents --message '{"orderId":"123"}' --message-attributes '{"category":{"DataType":"String","StringValue":"electronics"}}'`. SNS will store the attributes and evaluate them against filter policies.
SNS Evaluates Filter Policies
Upon receiving the message, SNS retrieves all subscriptions for the topic. For each subscription, it checks if a filter policy exists. If not, the message is queued for delivery. If a policy exists, SNS compares the message attributes against the policy rules. It performs exact matches, prefix/suffix matches, numeric comparisons, or existence checks as defined. The evaluation is deterministic and happens in parallel for all subscriptions. If the message attributes satisfy all conditions in the policy, the message is accepted for delivery; otherwise, it is silently dropped for that subscription.
Deliver to Matching Subscribers
For each subscription that passed the filter, SNS delivers the message to the endpoint. For SQS queues, the message is placed in the queue. For Lambda, SNS invokes the function with the message payload. For HTTP/HTTPS, SNS sends an HTTP POST request. The delivery is asynchronous and retries according to the subscription's retry policy (e.g., for SQS, up to 100,000 retries with exponential backoff). If the endpoint is unavailable, SNS will redrive after a configurable delay. The message body and attributes are delivered as-is. Filtered-out subscriptions receive nothing.
Scenario 1: Multi-Service Event Routing in E-commerce
An online retailer uses a single SNS topic for all order-related events. Different microservices subscribe to this topic: Inventory Service, Shipping Service, and Analytics Service. The Inventory Service only cares about events where the product category is 'electronics' to update stock. The Shipping Service only cares about events where shipping method is 'express'. The Analytics Service wants all events. Without filtering, each service would receive every event and filter internally, wasting compute and increasing latency. With SNS filtering, each subscription has a filter policy: Inventory subscription has {"category": ["electronics"]}, Shipping subscription has {"shipping_method": ["express"]}, Analytics has no filter. When an order is placed, the publisher sends a message with attributes category and shipping_method. SNS evaluates and delivers only relevant messages to each queue. This reduces SQS message volume, Lambda invocations, and processing costs. In production, this setup handles millions of events per day with sub-second delivery latency.
Scenario 2: Alerting System with Multiple Channels
A DevOps team monitors infrastructure metrics. They have an SNS topic that receives alerts from CloudWatch Alarms. Subscribers include an email list for critical alerts, a Slack webhook for warnings, and an SQS queue for all alerts for archival. They want: email only for alerts with severity 'critical', Slack only for severity 'warning' or 'critical', and SQS for all. They configure filter policies: Email subscription has {"severity": ["critical"]}, Slack has {"severity": ["warning", "critical"]}, SQS has no filter. This ensures that only the appropriate channels receive the right alerts. Misconfiguration often occurs when the email subscription accidentally receives all alerts because no filter was set, flooding inboxes.
Scenario 3: Real-time Data Pipeline with Filtering
A company streams IoT sensor data to an SNS topic. Each sensor publishes messages with attributes device_type and reading_type. Downstream, they have different consumers: a Lambda function that processes temperature readings for HVAC control, a Kinesis Firehose for all data to S3, and an SQS queue for error readings. Filter policies ensure that the Lambda only gets temperature readings, Firehose gets everything, and the SQS queue gets only messages with reading_type = 'error'. This pattern is scalable and cost-effective, as it reduces unnecessary processing. Common mistakes include using the wrong attribute name or forgetting to include attributes in the message, causing all messages to be dropped for filtered subscriptions.
What DVA-C02 Tests
The DVA-C02 exam tests SNS message filtering and fan-out under Domain 1.0: Development with AWS Services, specifically Objective 1.5: Implement event-driven architectures. You must understand:
How to create filter policies and attach them to subscriptions.
The syntax of filter policies (exact match, prefix, suffix, numeric, anything-but, exists).
The difference between topic-level and subscription-level filtering (only subscription-level).
How fan-out works with SNS and SQS/Lambda.
The default behavior when no filter policy is attached.
Limits: 200 filter policies per topic, 100 conditions per policy, 150 KB policy size.
Common Wrong Answers and Why
"Use a filter policy on the topic to filter messages before publishing." Wrong: Filter policies are only on subscriptions, not topics. Topics cannot filter; they deliver to all subscribers unless the subscriber has a filter.
"Filter policies can filter on message body content." Wrong: Filtering is based on message attributes only. To filter on body, you need to use Lambda or process at the subscriber.
"A subscription without a filter policy receives no messages." Wrong: Default is to receive all messages. This is a common trap — candidates think a missing policy means no messages.
"You can use OR logic across different attributes in a single filter policy." Wrong: Across attributes, logic is AND. To achieve OR across attributes, you need multiple subscriptions.
Specific Numbers and Terms on the Exam
"200 filter policies per topic" (default limit).
"100 conditions per filter policy."
"150 KB maximum policy size."
"Message attributes" (not message body) are used for filtering.
"Subscription filter policy" (not topic filter policy).
"Fan-out" pattern.
"Anything-but" and "exists" operators are frequently tested.
Edge Cases
If a message has no attributes, it will not match any policy that requires a specific attribute. However, it will match a subscription with no policy.
The exists: false operator matches messages where the attribute is absent. If the attribute is present, it does not match.
Numeric comparisons only work with Number data type attributes. If you send a string that looks like a number, it will not match a numeric rule.
Filter policies are case-sensitive for string comparisons.
How to Eliminate Wrong Answers
Look for keywords: if the question mentions filtering on message body, eliminate that answer. If it says "topic filter policy", eliminate. If it says "all subscribers receive all messages unless a filter policy is attached to the subscription", that is correct. If it mentions using SNS filtering to reduce Lambda invocations, that is correct. Always check if the answer implies subscription-level configuration.
SNS filter policies are subscription-level, not topic-level.
A subscription without a filter policy receives all messages.
Filtering is based on message attributes only, not message body.
Within a single policy, multiple attribute conditions are ANDed; within an attribute, multiple values are ORed.
Maximum 200 filter policies per topic, 100 conditions per policy, 150 KB per policy.
Use 'anything-but' to exclude specific values, and 'exists' to check attribute presence.
To achieve OR across attributes, create multiple subscriptions with different policies.
Fan-out with filtering reduces downstream processing and costs.
Message attributes must have DataType 'String', 'Number', or 'String.Array'.
Filter policies are case-sensitive for string comparisons.
These come up on the exam all the time. Here's how to tell them apart.
SNS Message Filtering
Filter policies are attached to SNS subscriptions.
Filters only on message attributes (key-value pairs).
Supports exact match, prefix, suffix, numeric, anything-but, exists.
No content-based filtering on message body.
Part of SNS service, tightly integrated with SQS and Lambda.
EventBridge Event Filtering
Filtering is done on event patterns at the event bus level.
Filters on event content (JSON payload) including nested fields.
Supports prefix, suffix, numeric, exists, and custom patterns.
Can filter on any part of the event, including body.
Part of EventBridge service, supports more targets and advanced routing.
Mistake
SNS filter policies can filter on message body content.
Correct
Filter policies only evaluate message attributes, not the message body. To filter based on body content, you must process the message at the subscriber (e.g., Lambda function) or use a different service like Amazon EventBridge.
Mistake
A subscription without a filter policy receives no messages.
Correct
A subscription without a filter policy receives all messages published to the topic. This is the default behavior. To restrict messages, you must attach a filter policy.
Mistake
You can attach a filter policy to the SNS topic to filter messages for all subscribers.
Correct
Filter policies are attached to subscriptions, not to the topic. Each subscription can have its own policy. The topic itself does not filter; it delivers to all subscribers.
Mistake
Filter policies support OR logic across different message attributes.
Correct
Within a single policy, conditions across different attributes are combined with AND logic. To achieve OR across attributes, you need multiple subscriptions with different filter policies.
Mistake
Message attributes are optional for filtering to work.
Correct
If a filter policy requires a specific attribute, the message must have that attribute to match. Messages without the required attribute are rejected by that subscription. However, a subscription without a policy matches all messages regardless of attributes.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
No, SNS filter policies only evaluate message attributes, not the message body. To filter on body content, you need to process the message at the subscriber (e.g., using a Lambda function) or use Amazon EventBridge, which supports content-based filtering on the entire event payload.
If you try to create a subscription with an invalid filter policy (e.g., malformed JSON), the subscription creation fails. If you update an existing subscription with an invalid policy via the AWS CLI or SDK, you will receive an error. Always validate your JSON before attaching.
No, filter policies are not supported for FIFO topics. FIFO topics guarantee message ordering and deduplication, but they do not support message filtering. Use standard topics for filtering.
By default, you can have up to 200 filter policies per topic. This limit can be increased by requesting a service quota increase. Each filter policy is associated with a subscription.
Filtering adds minimal latency (sub-millisecond) because it is performed server-side by SNS. The evaluation is done in parallel for all subscriptions, so the overall delivery time is not significantly impacted.
No, prefix and suffix matching are only for string attributes. For numeric attributes, you must use numeric operators (e.g., >=, <). If you send a numeric value as a string, it will not match a numeric rule.
'exists: true' matches messages where the attribute is present, regardless of its value. Not specifying the attribute in the policy means no condition on that attribute; the message will match if all other conditions are satisfied. If you want to match only when an attribute is absent, use 'exists: false'.
You've just covered SNS Message Filtering and Fan-Out — now see how well it sticks with free DVA-C02 practice questions. Full explanations included, no account needed.
Done with this chapter?