
Resolve : Issue with SNS notification for CloudWatch alarm trigger

by | Aug 25, 2021

Wondering why you didn’t receive an SNS notification when a CloudWatch alarm was triggered? We can help you with this!

As a part of our AWS Support Services, we often receive similar requests from our AWS customers.

Today, let’s see the steps our Support Techs follow to help our customers resolve the delivery of SNS notifications for a CloudWatch alarm trigger.

 

SNS notification for CloudWatch alarm trigger

 
Amazon CloudWatch uses Amazon Simple Notification Service (SNS) to send email notifications. Whether an SNS notification is delivered depends on the configuration of both the SNS topic and the CloudWatch alarm. To identify why a notification was not delivered, first check the CloudWatch alarm history for the status of the trigger action.
 

Trigger action failed due to SNS access policy restrictions:

 
If the trigger action failed because of the SNS access policy, the CloudWatch alarm history will show a message similar to the following:

Failed to execute action arn:aws:sns:<region>:<account-id>:<topic-name>. Received error: "Resource: arn:aws:cloudwatch:<region>:<account-id>:alarm:<alarm-name> is not authorized to perform: SNS:Publish on resource: arn:aws:sns:<region>:<account-id>:<topic-name>"

SNS restricts which sources may publish messages to a topic through the topic’s access policy. CloudWatch publishes as the service principal cloudwatch.amazonaws.com, so the policy must grant that principal sns:Publish on the topic.

If this permission error occurs, add the following statement under the Statement section of the SNS topic’s access policy.

{
  "Sid": "Allow_Publish_Alarms",
  "Effect": "Allow",
  "Principal": {
    "Service": [
      "cloudwatch.amazonaws.com"
    ]
  },
  "Action": "sns:Publish",
  "Resource": "arn:aws:sns:<region>:<account-id>:<topic-name>"
}

This allows the CloudWatch alarms service to publish messages to the SNS topic. Replace <region>, <account-id> and <topic-name> with the region, account ID and SNS topic name respectively.

Note that the statement above lets any alarm in the account publish to the topic, so anyone able to create alarms in the account can publish messages to it. To restrict publishing to specific alarms, add a condition using a global condition key.

In the following example, we use the ArnLike condition operator with the aws:SourceArn global condition key, which CloudWatch sets to the ARN of the alarm that is publishing.

{
  "Sid": "Allow_Publish_Alarms",
  "Effect": "Allow",
  "Principal": {
    "Service": [
      "cloudwatch.amazonaws.com"
    ]
  },
  "Action": "sns:Publish",
  "Resource": "arn:aws:sns:<region>:<account-id>:<topic-name>",
  "Condition": {
    "ArnLike": {
      "aws:SourceArn": "arn:aws:cloudwatch:<region>:<account-id>:alarm:<alarm-name>"
    }
  }
}

Replace <region>, <account-id>, <topic-name> and <alarm-name> with the region, account ID, SNS topic name and alarm name respectively. A wildcard in the alarm name (for example a common prefix) lets one statement cover a group of alarms.
 

Trigger action failed due to SNS topic encryption:

 
If the trigger action failed because of the SNS topic encryption, the CloudWatch alarm history shows a message similar to:

Failed to execute action arn:aws:sns:<region>:<account-id>:<topic-name>. Received error: "null (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException;)"

SNS supports encryption at rest for topics. CloudWatch alarms can’t publish messages to an SNS topic that is encrypted with the default AWS Key Management Service (KMS) key “alias/aws/sns”, because the key policy of that default key doesn’t allow CloudWatch alarms to perform the “kms:Decrypt” and “kms:GenerateDataKey” API calls. This key is AWS managed, so its policy can’t be edited manually.

If the SNS topic must be encrypted at rest, use a customer managed CMK instead, and include the following statement under the Statement section of its key policy. These permissions let CloudWatch alarms publish messages to the encrypted SNS topic.

{
  "Sid": "Allow_CloudWatch_for_CMK",
  "Effect": "Allow",
  "Principal": {
    "Service": [
      "cloudwatch.amazonaws.com"
    ]
  },
  "Action": [
    "kms:Decrypt",
    "kms:GenerateDataKey*"
  ],
  "Resource": "*"
}
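Both failure modes above come down to a policy statement that either grants cloudwatch.amazonaws.com the needed action or does not, and for the topic policy the open form (any alarm in the account) versus the ArnLike aws:SourceArn scoped form. The following is an added example, not code from the original post: a small offline evaluator that applies those checks to the topic access policy and the key policy. The region, account ID, topic and alarm names are constructed sample values, and the "no CloudWatch grant" key policy is a constructed stand-in for the effect of the AWS-managed alias/aws/sns key, not that key's real policy text. It evaluates Allow statements only and ignores Deny statements and condition keys other than aws:SourceArn, so it is a review aid rather than a full IAM simulator.

```python
"""Static check of the two policies that decide whether the CloudWatch alarms
service may publish to an SNS topic: the topic access policy (with optional
ArnLike aws:SourceArn scoping) and, for an encrypted topic, the KMS key policy.
Simplified evaluator: Allow statements only, no Deny, no other condition keys."""
from fnmatch import fnmatchcase

CLOUDWATCH = "cloudwatch.amazonaws.com"

# Constructed sample identifiers; replace with your own region, account and names.
REGION, ACCOUNT = "us-east-1", "123456789012"
TOPIC_ARN = f"arn:aws:sns:{REGION}:{ACCOUNT}:alarm-notifications"
ALARM_ARN = f"arn:aws:cloudwatch:{REGION}:{ACCOUNT}:alarm:cpu-high"
OTHER_ALARM_ARN = f"arn:aws:cloudwatch:{REGION}:{ACCOUNT}:alarm:disk-full"

# Weak form from the post: any alarm in the account can publish to the topic.
OPEN_TOPIC_POLICY = {"Statement": [{
    "Sid": "Allow_Publish_Alarms", "Effect": "Allow",
    "Principal": {"Service": [CLOUDWATCH]},
    "Action": "sns:Publish", "Resource": TOPIC_ARN}]}

# Hardened form: only the named alarm may publish.
SCOPED_TOPIC_POLICY = {"Statement": [{
    "Sid": "Allow_Publish_Alarms", "Effect": "Allow",
    "Principal": {"Service": [CLOUDWATCH]},
    "Action": "sns:Publish", "Resource": TOPIC_ARN,
    "Condition": {"ArnLike": {"aws:SourceArn": ALARM_ARN}}}]}

# Customer managed key policy statement from the post.
CMK_KEY_POLICY = {"Statement": [{
    "Sid": "Allow_CloudWatch_for_CMK", "Effect": "Allow",
    "Principal": {"Service": [CLOUDWATCH]},
    "Action": ["kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"}]}

# Constructed stand-in for a key policy with no CloudWatch grant (the effect of
# the AWS-managed alias/aws/sns key); not the real text of that policy.
NO_CLOUDWATCH_KEY_POLICY = {"Statement": [{
    "Sid": "Allow_SNS_only", "Effect": "Allow",
    "Principal": {"Service": ["sns.amazonaws.com"]},
    "Action": ["kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"}]}


def _as_list(value):
    """Policy JSON allows a single string or a list in Service, Action, Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_allows(stmt, service, action, resource, source_arn=None):
    """True if one Allow statement grants `service` `action` on `resource`.

    Action and Resource use IAM's '*'/'?' wildcards. If the statement has an
    ArnLike aws:SourceArn condition, the caller's `source_arn` (the alarm ARN
    CloudWatch presents) must match one of its patterns, else the grant fails.
    """
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    if principal != "*":
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if service not in services:
            return False
    if not any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action"))):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource"))):
        return False
    patterns = _as_list(stmt.get("Condition", {}).get("ArnLike", {}).get("aws:SourceArn"))
    if patterns:
        return source_arn is not None and any(fnmatchcase(source_arn, p) for p in patterns)
    return True


def policy_allows(policy, service, action, resource, source_arn=None):
    return any(statement_allows(s, service, action, resource, source_arn)
               for s in policy.get("Statement", []))


def unscoped_grants(policy, service, action, resource):
    """Sids of statements granting the action with no aws:SourceArn condition,
    i.e. every alarm in the account, not just the intended one, can use them."""
    return [s.get("Sid", "<no Sid>") for s in policy.get("Statement", [])
            if statement_allows(s, service, action, resource, source_arn=None)]


def can_cloudwatch_publish(topic_policy, topic_arn, alarm_arn, key_policy=None):
    """Apply the checks behind the two failure messages in the post, in order."""
    if not policy_allows(topic_policy, CLOUDWATCH, "sns:Publish", topic_arn, alarm_arn):
        return "denied: topic access policy"
    if key_policy is not None:  # only relevant when the topic is encrypted at rest
        for action in ("kms:Decrypt", "kms:GenerateDataKey"):
            if not policy_allows(key_policy, CLOUDWATCH, action, "*", alarm_arn):
                return f"denied: key policy lacks {action}"
    return "allowed"


if __name__ == "__main__":
    print(unscoped_grants(OPEN_TOPIC_POLICY, CLOUDWATCH, "sns:Publish", TOPIC_ARN))
    print(can_cloudwatch_publish(SCOPED_TOPIC_POLICY, TOPIC_ARN, OTHER_ALARM_ARN))
    print(can_cloudwatch_publish(SCOPED_TOPIC_POLICY, TOPIC_ARN, ALARM_ARN, NO_CLOUDWATCH_KEY_POLICY))
    print(can_cloudwatch_publish(SCOPED_TOPIC_POLICY, TOPIC_ARN, ALARM_ARN, CMK_KEY_POLICY))
```

Feed it the output of `aws sns get-topic-attributes` (the Policy attribute, JSON-decoded) and `aws kms get-key-policy` to reproduce the two alarm history errors before touching the console; `unscoped_grants` flags the open form of the topic policy so it can be tightened with aws:SourceArn.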

 

Succeeded trigger action:

If the trigger action succeeded, the CloudWatch alarm history will show a message similar to the following:

Successfully executed action arn:aws:sns:<region>:<account-id>:<topic-name>

This message means the CloudWatch alarm successfully published a message to the SNS topic.

If SNS still doesn’t deliver the notification, the problem is on the SNS side: check the topic’s subscriptions and its delivery metrics for failures.
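The three alarm history messages in this post (access policy failure, KMS failure, success) are what a support engineer pattern-matches when reading `aws cloudwatch describe-alarm-history` output. The script below is an added example, not part of the original post: it walks history records in that command’s shape (AlarmName, Timestamp, HistoryItemType, HistorySummary), keeps only the Action records, classifies each by its message and attaches the next check described above. The sample records and their ARNs are constructed.

```python
"""Triage CloudWatch alarm history 'Action' records (the shape returned by
describe-alarm-history) into the three outcomes described in the post and map
each to the next thing to check. The sample records below are constructed."""
import re

SUCCESS_RE = re.compile(r"^Successfully executed action (arn:aws:sns:\S+)")
FAILED_RE = re.compile(r"^Failed to execute action (arn:aws:sns:\S+)\.")
SNS_POLICY_RE = re.compile(r"is not authorized to perform: SNS:Publish")
KMS_RE = re.compile(r"Service: AWSKMS;.*Error Code: AccessDeniedException")

NEXT_STEP = {
    "success": "CloudWatch published to the topic; check the topic's subscriptions "
               "and delivery metrics for failures on the SNS side.",
    "sns_access_policy": "Add an Allow for cloudwatch.amazonaws.com sns:Publish to "
                         "the topic access policy, scoped with aws:SourceArn.",
    "kms_access_denied": "Topic is encrypted with the AWS-managed alias/aws/sns key; "
                         "use a customer managed key whose policy grants CloudWatch "
                         "kms:Decrypt and kms:GenerateDataKey*.",
    "unknown_failure": "Read the full HistoryData for the error text.",
    "unrecognised": "Not an SNS action record; inspect manually.",
}


def classify_action(summary):
    """Return (category, topic_arn) for one HistorySummary string."""
    m = SUCCESS_RE.match(summary)
    if m:
        return "success", m.group(1)
    m = FAILED_RE.match(summary)
    if not m:
        return "unrecognised", None
    if SNS_POLICY_RE.search(summary):
        return "sns_access_policy", m.group(1)
    if KMS_RE.search(summary):
        return "kms_access_denied", m.group(1)
    return "unknown_failure", m.group(1)


def triage(history_items):
    """Only HistoryItemType == 'Action' items record notification attempts;
    StateUpdate and ConfigurationUpdate items are skipped."""
    findings = []
    for item in history_items:
        if item.get("HistoryItemType") != "Action":
            continue
        category, topic = classify_action(item.get("HistorySummary", ""))
        findings.append({"alarm": item.get("AlarmName"),
                         "timestamp": item.get("Timestamp"),
                         "topic": topic,
                         "category": category,
                         "next_step": NEXT_STEP[category]})
    return findings


# Constructed sample: one state change plus the three action outcomes from the post.
TOPIC = "arn:aws:sns:us-east-1:123456789012:alarm-notifications"
ALARM = "arn:aws:cloudwatch:us-east-1:123456789012:alarm:cpu-high"
SAMPLE_HISTORY = [
    {"AlarmName": "cpu-high", "Timestamp": "2021-08-25T09:00:00Z",
     "HistoryItemType": "StateUpdate",
     "HistorySummary": "Alarm updated from OK to ALARM"},
    {"AlarmName": "cpu-high", "Timestamp": "2021-08-25T09:00:01Z",
     "HistoryItemType": "Action",
     "HistorySummary": f'Failed to execute action {TOPIC}. Received error: "Resource: {ALARM} '
                       f'is not authorized to perform: SNS:Publish on resource: {TOPIC}"'},
    {"AlarmName": "cpu-high", "Timestamp": "2021-08-25T09:15:01Z",
     "HistoryItemType": "Action",
     "HistorySummary": f'Failed to execute action {TOPIC}. Received error: '
                       '"null (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException;)"'},
    {"AlarmName": "cpu-high", "Timestamp": "2021-08-25T09:30:01Z",
     "HistoryItemType": "Action",
     "HistorySummary": f"Successfully executed action {TOPIC}"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_HISTORY):
        print(finding["timestamp"], finding["category"], "->", finding["next_step"])
```

To run it against a real alarm, pass the `AlarmHistoryItems` list from `aws cloudwatch describe-alarm-history --alarm-name <alarm-name> --history-item-type Action --output json` to `triage`; the newest record tells you which of the three sections above applies.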

 

Conclusion

 
To conclude, today we discussed the steps our Support Engineers follow to help our customers resolve the delivery of SNS notifications for a CloudWatch alarm trigger.
