Why isn't Amazon SNS invoking my AWS Lambda function, and how do I troubleshoot the issue?

Short description

There are five reasons why an Amazon SNS message event doesn't invoke a Lambda function that's subscribed to an SNS topic:

• The AWS Identity Access and Management (IAM) identity publishing to the SNS topic doesn't have the permissions required to publish to the SNS topic.
• The Lambda function doesn't have the permissions required to allow Amazon SNS to invoke the function.
• The Lambda function's SNS topic subscription has a filter policy that doesn't match the message attributes being sent from the SNS topic.
• The Lambda function is throttled because it's close to exceeding the account-level concurrency quota in the AWS Region that it's hosted in.
• The Amazon SNS topic is hosted in an AWS Region and the Lambda function is hosted in an opt-in Region.
  Note: For the current list of AWS Regions that Amazon SNS supports, see Amazon Simple Notification Service endpoints and quotas.

Resolution

Important: If you haven't done so already, configure Amazon CloudWatch delivery status logging for your Amazon SNS topic. For more information, see Monitoring Amazon SNS topics using CloudWatch.

Confirm that the IAM identity publishing to the SNS topic has the permissions required to publish to the SNS topic

Look at the NumberOfMessagesPublished metric in your Amazon CloudWatch metrics for Amazon SNS. If the Publish requests made by the IAM entity that you're using to invoke the function aren't recorded in the NumberOfMessagesPublished metric, do the following:

1.    Confirm that the IAM entity making the Publish API request has the permissions required to publish to the SNS topic. For more information and specific policy statement examples, see Example cases for Amazon SNS access control.

2.    Confirm that the permissions policy for the SNS topic allows the IAM entity making the Publish API call to use the "SNS:Publish" action. For more information and example permissions policies, see Permissions for the Amazon SNS topic.

Confirm that your Lambda function has the permissions required to allow Amazon SNS to invoke the function

To view your function's permissions policy, follow the instructions in Using resource-based policies for AWS Lambda. If your function's policy doesn't include the "lambda:invokeFunction" action for your SNS topic, update the policy to include the required permissions.

Confirm that your Lambda function's filter policy matches the message attributes being sent from the SNS topic

Review the NumberOfNotificationsFilteredOut metric in your CloudWatch metrics for Amazon SNS. If the Publish requests made by the IAM entity that you're using to invoke the function appear in the NumberOfNotificationsFilteredOut metric, then do the following:

1.    View your Lambda function's SNS topic subscription filter policy by doing the following:
Open the Amazon SNS console.
On the left navigation panel, choose Subscriptions.
On the Edit page, expand the Subscription filter policy section.

2.    Review the subscription filter policy to confirm that the Publish request message attributes match the attributes required by the filter policy. If the attributes don't match, then update your Publish request message attributes so that they match the attributes required by the filter policy.

Note: For more information, see Amazon SNS subscription filter policies.

Confirm that your Lambda function isn't being throttled

Follow the instructions in How do I troubleshoot Lambda function throttling with "Rate exceeded" and 429 "TooManyRequestsException" errors?

Confirm that your Lambda function is hosted in the same Region as your SNS topic

An Amazon SNS topic hosted in an AWS Region can't invoke a Lambda function that's not in the same AWS Region. For the current list of Regions that Amazon SNS supports, see Amazon Simple Notification Service endpoints and quotas.

Look at the Amazon Resource Names (ARNs) of your Lambda function and your Amazon SNS topic. If the Amazon SNS topic is hosted in a commercial AWS Region and the function is hosted in an opt-in Region, do the following:

1.    Create a new Lambda function in the same Region as your Amazon SNS topic.

2.    Configure the function's settings so that it makes an Invoke API call to the function that's hosted in the opt-in Region.

Important: Make sure that you update your SDK Region settings.

Example Python (Boto 3) command to change Region settings

#us-east-1 client
lambda_us_east_1_client = boto3.client('lambda',  region_name='us-east-1')
#us_west_1 client
lambda_us_west_1_client = boto3.client('lambda',  region_name='us-west-1')

Example JavaScript/Node.js command to change Region settings

//us-east-1 client
var lambda_us_east_1_client = new AWS.Lambda({apiVersion: '2015-03-31',region: 'us-east-1'});
//us_west_1 client
var lambda_us_east_1_client = new AWS.Lambda({apiVersion: '2015-03-31', region: 'us-west-1'});