
Resolve : Issue with SNS notification for CloudWatch alarm trigger

by Jiji Jose | Aug 25, 2021 | Amazon Web Services (AWS), Latest | 0 comments

Wondering why you didn’t receive an SNS notification for a CloudWatch alarm trigger? We can help you with this!

As a part of our AWS Support Services, we often receive similar requests from our AWS customers.

Today, let’s see the steps our Support Techs follow to help customers resolve issues with the delivery of SNS notifications for CloudWatch alarm triggers.

 

SNS notification for CloudWatch alarm trigger

 
Amazon CloudWatch uses Amazon Simple Notification Service (SNS) to send emails. The delivery of SNS notifications depends on the configuration of the SNS topic and the CloudWatch alarm. To identify why an SNS notification was not delivered, check the history of the CloudWatch alarm for the status of the trigger action.
 

Trigger action failed due to SNS access policy restrictions:

 
If the trigger action failed due to an SNS access policy restriction, the CloudWatch alarm history will show a message similar to the following:

Failed to execute action arn:aws:sns:<region>:<account-id>:<topic-name>. Received error: "Resource: arn:aws:cloudwatch:<region>:<account-id>:alarm:<alarm-name> is not authorized to perform: SNS:Publish on resource: arn:aws:sns:<region>:<account-id>:<topic-name>

Here, SNS uses access policies to restrict which sources can publish messages to the topic.

If a permission error occurs, then under the Statement section of the SNS access policy, add the following permission.

{
  "Sid": "Allow_Publish_Alarms",
  "Effect": "Allow",
  "Principal": {
    "Service": [
      "cloudwatch.amazonaws.com"
    ]
  },
  "Action": "sns:Publish",
  "Resource": "arn:aws:sns:<region>:<account-id>:<topic-name>"
}

This allows the CloudWatch alarms service to publish messages to the SNS topic. Replace <region>, <account-id> and <topic-name> with the region, account ID and SNS topic name respectively.

Also, note that the above permission allows anyone using the account to create alarms and publish messages to the SNS topic. So we need to add global condition keys to restrict the ability to publish messages to the topic to specific alarms.

The following example uses the ArnLike condition operator and the aws:SourceArn global condition key.

{
  "Sid": "Allow_Publish_Alarms",
  "Effect": "Allow",
  "Principal": {
    "Service": [
      "cloudwatch.amazonaws.com"
    ]
  },
  "Action": "sns:Publish",
  "Resource": "arn:aws:sns:<region>:<account-id>:<topic-name>",
  "Condition": {
    "ArnLike": {
      "aws:SourceArn": "arn:aws:cloudwatch:<region>:<account-id>:alarm:<alarm-name>"
    }
  }
}

Replace <region>, <account-id> and <topic-name> with the region, account ID and SNS topic name respectively.
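To check an existing topic for the difference between the two statements above, the following added example (not code from the original article) audits an SNS access policy and reports whether each statement that lets cloudwatch.amazonaws.com publish carries an aws:SourceArn or aws:SourceAccount condition. The function names, the sample region, account ID, topic and alarm names are assumptions made for illustration; only Principal.Service and Action elements are evaluated.

```python
from fnmatch import fnmatchcase

CLOUDWATCH = "cloudwatch.amazonaws.com"
SOURCE_KEYS = {"aws:sourcearn", "aws:sourceaccount"}  # condition keys are case-insensitive

def as_list(value):
    """IAM JSON accepts a bare string wherever it accepts a list."""
    return value if isinstance(value, list) else [value]

def source_scope(statement):
    """Classify the statement's source conditions: 'none', 'wildcard-account' or 'scoped'."""
    values = [v for cond in statement.get("Condition", {}).values()
              for key, val in cond.items() if key.lower() in SOURCE_KEYS
              for v in as_list(val)]
    if not values:
        return "none"
    for val in values:
        # aws:SourceArn carries the account ID in its fifth field; aws:SourceAccount is the bare ID.
        parts = val.split(":")
        account = parts[4] if parts[0] == "arn" and len(parts) > 4 else val
        if "*" in account or "?" in account:
            return "wildcard-account"
    return "scoped"

def audit_topic_policy(policy):
    """Return (Sid, scope) for each Allow statement that lets CloudWatch call sns:Publish."""
    findings = []
    for st in as_list(policy.get("Statement", [])):
        principal = st.get("Principal", {})
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = [a.lower() for a in as_list(st.get("Action", []))]  # actions are case-insensitive
        if (st.get("Effect") == "Allow" and CLOUDWATCH in services
                and any(fnmatchcase("sns:publish", a) for a in actions)):
            findings.append((st.get("Sid", "<no Sid>"), source_scope(st)))
    return findings

# Constructed sample: the article's two statements with made-up region, account ID and names.
BASE = {"Effect": "Allow", "Principal": {"Service": ["cloudwatch.amazonaws.com"]},
        "Action": "sns:Publish", "Resource": "arn:aws:sns:us-east-1:111122223333:ops-alerts"}
ALARM = "arn:aws:cloudwatch:us-east-1:111122223333:alarm:high-cpu"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Allow_Publish_Alarms", **BASE},
    {"Sid": "Allow_Publish_One_Alarm", **BASE, "Condition": {"ArnLike": {"aws:SourceArn": ALARM}}},
]}

if __name__ == "__main__":
    for sid, scope in audit_topic_policy(SAMPLE_POLICY):
        print(f"{sid}: source restriction = {scope}")
```

A result of "none" or "wildcard-account" marks a statement that still needs the condition block shown above.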
 

Trigger action failed due to SNS topic encryption:

 
If the trigger action failed due to SNS topic encryption, the CloudWatch alarm history shows a message similar to:

Failed to execute action arn:aws:sns:<region>:<account-id>:<topic-name>. Received error: "null (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException;)"

SNS allows encryption at rest for its topics. CloudWatch alarms can’t publish messages to the SNS topic if the default AWS Key Management Service (KMS) key “alias/aws/sns” is used for the encryption, because the key policy of the default AWS KMS key for SNS doesn’t allow CloudWatch alarms to perform the “kms:Decrypt” and “kms:GenerateDataKey” API calls. Because this key is AWS managed, we can’t manually edit the policy.

If the SNS topic must be encrypted at rest, we can use a customer-managed CMK. Include the following permissions under the Statement section of its key policy. These permissions enable CloudWatch alarms to publish messages to encrypted SNS topics.

{
  "Sid": "Allow_CloudWatch_for_CMK",
  "Effect": "Allow",
  "Principal": {
    "Service": [
      "cloudwatch.amazonaws.com"
    ]
  },
  "Action": [
    "kms:Decrypt",
    "kms:GenerateDataKey*"
  ],
  "Resource": "*"
}

 

Succeeded trigger action:

If the trigger action succeeded, then the CloudWatch alarm history will show a message similar to the following:

Successfully executed action arn:aws:sns:<region>:<account-id>:<topic-name>

This message means the CloudWatch alarm successfully published a message to the SNS topic.

If the notification isn’t delivered by SNS, then check the SNS topic and its metrics for any delivery failures.
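The three alarm-history cases above can be told apart mechanically. The following added example (not code from the original article) classifies action messages in the formats quoted on this page and maps each to the corresponding next step; the function name, the cause labels and the sample identifiers are assumptions made for illustration.

```python
import re

ACTION = re.compile(
    r"^(?P<status>Failed to execute|Successfully executed) action "
    r"(?P<topic>arn:[\w-]+:sns:[\w-]+:\d+:[\w-]+(?:\.fifo)?)")
DENIED = re.compile(
    r"Resource: (?P<alarm>arn:[\w-]+:cloudwatch:.+?) is not authorized to perform: SNS:Publish")

# Next step for each cause, taken from the three cases described in this article.
NEXT_STEP = {
    "sns-access-policy": "allow cloudwatch.amazonaws.com to sns:Publish in the topic access policy",
    "kms-key-policy": "encrypt the topic with a customer-managed key whose policy allows CloudWatch",
    "published": "alarm side is fine; check the SNS topic and its delivery metrics",
    "other-failure": "not one of the article's cases; read the full error text",
}

def triage(message):
    """Classify one alarm-history action message; return None for non-action entries."""
    m = ACTION.match(message)
    if not m:
        return None
    cause, alarm = "published", None
    if m["status"].startswith("Failed"):
        denied = DENIED.search(message)
        if denied:
            cause, alarm = "sns-access-policy", denied["alarm"]
        elif "Service: AWSKMS" in message and "AccessDeniedException" in message:
            cause = "kms-key-policy"
        else:
            cause = "other-failure"
    return {"topic": m["topic"], "alarm": alarm, "cause": cause, "next": NEXT_STEP[cause]}

# Constructed history entries: the article's message templates with made-up identifiers.
T = "arn:aws:sns:us-east-1:111122223333:ops-alerts"
A = "arn:aws:cloudwatch:us-east-1:111122223333:alarm:high-cpu"
SAMPLE_HISTORY = [
    "Alarm updated from OK to ALARM",
    f'Failed to execute action {T}. Received error: "Resource: {A} is not authorized '
    f'to perform: SNS:Publish on resource: {T}"',
    f'Failed to execute action {T}. Received error: "null (Service: AWSKMS; '
    'Status Code: 400; Error Code: AccessDeniedException;)"',
    f"Successfully executed action {T}",
]

if __name__ == "__main__":
    for entry in filter(None, map(triage, SAMPLE_HISTORY)):
        print(f'{entry["cause"]:<18} {entry["topic"]}\n  -> {entry["next"]}')
```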

 

Conclusion

 
To conclude, today we discussed the steps followed by our Support Engineers to help our customers to resolve the issue with the delivery of SNS notification for the CloudWatch alarm trigger.
