AWS Managed Notifications: Understanding Aggregation and Deduplication

7 minute read

Content level: Intermediate

Email overload is a common challenge for organizations managing multiple AWS accounts. When an AWS Health event affects multiple accounts in your organization, the same notification might be sent to shared contacts multiple times. AWS managed notifications helps address this challenge through aggregation and deduplication features. In this post, we'll explore how these features work, their key differences, and best practices for implementation. We'll also look at common pitfalls to avoid and pro

What are AWS Managed Notifications?

AWS User Notifications now offers 'AWS managed notifications' (MNs) - notifications generated by default from AWS services. Currently, only AWS Health notifications are supported. These notifications inform you about important changes that might affect your AWS resources and services, such as planned maintenance, security vulnerabilities, or service issues.

To receive AWS managed notifications:

Users must enable managed notifications for AWS Health
Once enabled, notifications are displayed in the Console Notifications Center
Notifications are sent to account contacts (root user and alternate contacts) from health@aws.com

Figure 1: Diagram showing the flow of AWS Health events to managed notifications and default delivery channels

Default Delivery Channels

Console Notifications Center

After enabling MNs, all AWS Health events for the account appear here
Provides a centralized view of notifications
Accessible through the bell icon in the AWS Management Console or by navigating to ‘AWS User Notifications’ service.

Account Contacts

Once enabled, the following contacts receive notifications:

Root user email (always)
Alternate contacts (varies by notification category):
- Alternate billing contact
- Alternate operations contact
- Alternate security contact

Additional delivery channels (such as AWS Chatbot, AWS Console Mobile App and other emails) can be configured if needed.

Figure 2: Default delivery channels for AWS Managed Notifications

How Aggregation and Deduplication Work

Aggregation

A single aggregated notification in the management account referencing related events across accounts within an organization.

Requires only the management account to enable managed notifications and AWS organizations integration
Combines similar AWS Health events affecting multiple accounts into a single notification
Provides a comprehensive view of events across your organization

Deduplication

Deduplication prevents emails about related events across accounts from being sent to the same email address more than once.

Requires the management account to enable managed notifications and AWS organizations integration, AND the member account to enable managed notifications.
Prevents duplicate notifications when account contacts are shared between management and member accounts, including plus addressing (example: user+tag@domain.com)

Figure 3: Comparison of aggregation and deduplication in AWS Managed Notifications

Understanding Notification Behavior

Let's examine how notifications behave in different scenarios:

Experience type	Behavior	Management Account only enabled	Both Management and Member Accounts enabled
Notifications Center	Management Account sees aggregated notification	✅	✅
	Member Accounts see their individual notifications	❌	✅
Email	Management Account contacts receive aggregated emails	✅	✅
	Unique member account contacts receive individual emails	⚠️ legacy email experience	✅
	Shared email addresses* receive de-duplicated notifications	❌ duplicate email per account	✅

Note: Shared email addresses include plus addressing variations (example: user+tag@domain.com and user@domain.com are treated as the same email address).

Example Scenario

To better understand these concepts, let's consider a specific example: Figure 4: Example for an AWS Organization with Service trust enabled for UNO

In this scenario, we have:

Management Account 1 with contact: root@email.com, ops@email.com, and Slack channel #slack-A
Member Account 2 with contacts: root+2@email.com, ops@email.com, security@email.com and Slack channel #slack-A
Member Account 3 with contacts: root+3@email.com, ops@email.com, security@email.com and Slack channel #slack-A

When an AWS Health event affects member accounts:

If only management account has MNs and Organizations integration enabled:

root@email.com receives: 1 aggregated notification + 2 individual notifications
ops@email.com receives: 1 aggregated notification + 2 individual notifications
security@email.com receives: 2 individual notifications
Slack channel #slack-A receives: 1 aggregated notification + 2 individual notifications (deduplication only occurs across account contacts)

Figure 5: Notifications received by Channels in an Org with Event Consolidation when only the management account enabled managed notifications

If all accounts have MNs enabled and the management account has also enabled Organizations integration:

root@email.com receives: 1 aggregated notification
ops@email.com receives: 1 aggregated notification
security@email.com receives: 2 individual notifications (since the contact isn’t part of the management account)
Slack channel #slack-A receives: 1 aggregated notification + 2 individual notifications (deduplication only occurs across account contacts)

Figure 6: Notifications received by Channels in an Org with Event Consolidation when all members have enabled managed notifications

As shown above, the behavior changes significantly depending on which accounts have managed notifications enabled.

Best Practices for Implementation

To effectively implement AWS Managed Notifications, follow these best practices:

1. Enable Managed Notifications Strategically

Start with the management account to enable organization-wide aggregation and managed notifications
Gradually enable managed notifications in member accounts to benefit from deduplication
Document which accounts have managed notifications enabled.

2. Contact Management

Identify shared email addresses across accounts
Document which contacts will receive aggregated vs individual notifications
Consider using different email addresses when separate notifications are desired
Document shared contacts across accounts

3. Organizational Structure

Consider using delegated administrators (up to 5) for operational oversight
Maintain clear documentation of notification flows
Keep management account access restricted

Common Implementation Mistakes

Avoid these common mistakes:

Expecting deduplication without enabling managed notifications in member accounts
Over-restricting access to notification management
Assuming all notifications will be aggregated automatically without enabling organizations
Forgetting to enable managed notifications for AWS Health

Monitoring and Maintenance

To ensure the ongoing effectiveness of your managed notifications:

1. Regular Reviews

Verify notification patterns
Update contact information as needed
Review access permissions
Confirm managed notifications remain enabled

2. Documentation

Keep records of enabled accounts
Document shared contacts
Maintain escalation procedures
Track which accounts have managed notifications enabled

Best Practices Checklist

Use this checklist to ensure you're following best practices:

✅ Enable AWS Health managed notifications in relevant accounts
✅ Enable managed notifications in management account first
✅ Document shared contacts across accounts
✅ Plan member account enablement strategically
✅ Configure delegated administrators as needed
✅ Maintain clear escalation paths
✅ Regularly review notification patterns

Additional Resources

AWS User Notifications Documentation

Conclusion

Understanding how AWS managed notifications work, along with the distinctions between aggregation and deduplication requirements, is crucial for effective implementation. Remember that managed notifications must first be enabled for AWS Health, and while aggregation only requires management account enablement of AWS Organizations integration, achieving full deduplication benefits requires enabling managed notifications in both management and member accounts. Most importantly, member accounts will always receive their individual notifications - deduplication only affects shared email addresses.

By following the best practices and avoiding common pitfalls outlined in this guide, you can optimize your use of AWS Managed Notifications to stay informed about critical events affecting your AWS resources and services.

Topics

Management & Governance

Relevant content

Developing a high-specificity AWS Health event strategy with AWS User Notifications
EXPERT
Andrew_R
published 6 months ago
Amazon Managed Grafana now supports AWS CloudFormation
EXPERT
Mengdi Chen
published 2 years ago
What's new: AWS Resource Access Manager supports fine-grained customer managed permissions
EXPERT
Fabian
published 2 years ago
Where are e-mail notifications configured for AWS Certificate Manager expirations?
tedi
asked 3 years ago
AWS Secret Management offering
Learn_everyday
asked 2 years ago
Systems Manager Change Manager Notifications not working
Higher
asked 3 years ago
How do I better manage notifications for patching in Systems Manager?
AWS OFFICIALUpdated 2 years ago
How do I understand the configurationItemDiff field in Amazon SNS ConfigurationItemChangeNotification notifications?
AWS OFFICIALUpdated 4 years ago
How do I troubleshoot issues with AWS Systems Manager Session Manager?
AWS OFFICIALUpdated 7 months ago
What browsers does the AWS Management Console support?
AWS OFFICIALUpdated 2 years ago