Why didn't I receive an SNS notification for my CloudWatch alarm trigger?


I created an Amazon CloudWatch alarm to send notifications through an Amazon Simple Notification Service (Amazon SNS) topic when the alarm's state changes. However, when the CloudWatch alarm changes states, I don't receive an SNS notification.

Resolution

Delivery of SNS notifications depends on the configuration of the SNS topic and the CloudWatch alarm. To determine why you don't receive SNS notifications, check the CloudWatch alarm's history to see the trigger action's status.

If your trigger action failed due to SNS access policy restrictions, then the CloudWatch alarm history displays a message similar to the following message:

"Failed to execute action arn:aws:sns:us-east-1:ACCOUNT_ID:TOPIC_NAME. Received error: "Resource: arn:aws:cloudwatch:us-east-1:ACCOUNT_ID:alarm:ALARM_NAME is not authorized to perform: SNS:Publish on resource: arn:aws:sns:us-east-1:ACCOUNT_ID:TOPIC_NAME""

SNS restricts the sources that can publish messages to the topic using access policies. If a permissions error occurs, then you must add the following permissions under the Statement section of the SNS access policy. This update grants permissions to the CloudWatch alarms service to publish messages to the SNS topic.

Note: Replace us-east-1 with the AWS Region that this notification is for. Replace ACCOUNT_ID with your account ID. Replace TOPIC_NAME with the SNS topic name:

{
  "Sid": "Allow_Publish_Alarms",
  "Effect": "Allow",
  "Principal": {
    "Service": [
      "cloudwatch.amazonaws.com"
    ]
  },
  "Action": "sns:Publish",
  "Resource": "arn:aws:sns:us-east-1:ACCOUNT_ID:TOPIC_NAME"
}

These permissions allow anyone who's using your account to create alarms and publish messages to your SNS topic. To restrict the ability to publish messages to the topic to specific alarms, add global condition keys. The following example uses the ArnLike condition operator and the aws:SourceArn global condition key. For more information, see Example cases for Amazon SNS access control.

Note: Replace us-east-1 with the AWS Region that this notification is for. Replace ACCOUNT_ID with your account ID. Replace TOPIC_NAME with the SNS topic name. Replace ALARM_NAME with the alarm name:

{
  "Sid": "Allow_Publish_Alarms",
  "Effect": "Allow",
  "Principal": {
    "Service": [
      "cloudwatch.amazonaws.com"
    ]
  },
  "Action": "sns:Publish",
  "Resource": "arn:aws:sns:us-east-1:ACCOUNT_ID:TOPIC_NAME",
  "Condition": {
    "ArnLike": {
      "aws:SourceArn": "arn:aws:cloudwatch:us-east-1:ACCOUNT_ID:alarm:ALARM_NAME"
    }
  }
}

If your trigger action fails due to SNS topic encryption, then the CloudWatch alarm history displays a message similar to the following message:

"Failed to execute action arn:aws:sns:us-east-1:ACCOUNT_ID:TOPIC_NAME. Received error: "null (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException;)""

SNS allows encryption at rest for its topics. If SNS uses the default AWS Key Management Service (AWS KMS) key, alias/aws/sns, for this encryption, then CloudWatch alarms can't publish messages to the SNS topic. The default AWS KMS key's policy for SNS doesn't allow CloudWatch alarms to perform kms:Decrypt and kms:GenerateDataKey API calls. Because this key is AWS managed, you can't manually edit the policy.

If the SNS topic must be encrypted at rest, then use a customer managed key. The customer managed key must include the following permissions under the Statement section of the key policy. These permissions allow the CloudWatch alarms to publish messages to encrypted SNS topics:

{
  "Sid": "Allow_CloudWatch_for_CMK",
  "Effect": "Allow",
  "Principal": {
    "Service": [
      "cloudwatch.amazonaws.com"
    ]
  },
  "Action": [
    "kms:Decrypt",
    "kms:GenerateDataKey*"
  ],
  "Resource": "*"
}
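The following Python is an added example, not part of the AWS article: it evaluates, offline, whether an SNS topic access policy grants the CloudWatch service principal sns:Publish on a topic (and whether that grant is scoped to specific alarms with the ArnLike aws:SourceArn condition shown above), and whether a customer managed KMS key policy grants the kms:Decrypt and kms:GenerateDataKey calls the encrypted-topic case needs. The account ID, ARNs and policies are constructed placeholders.

```python
import fnmatch
import json
CW_SERVICE = "cloudwatch.amazonaws.com"
# Constructed sample values; the account ID and names are placeholders, not real resources.
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:alarm-topic"
ALARM_ARN = "arn:aws:cloudwatch:us-east-1:123456789012:alarm:HighCPU"
SCOPED_TOPIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Allow_Publish_Alarms", "Effect": "Allow",
    "Principal": {"Service": ["cloudwatch.amazonaws.com"]},
    "Action": "sns:Publish", "Resource": TOPIC_ARN, "Condition": {"ArnLike": {
        "aws:SourceArn": "arn:aws:cloudwatch:us-east-1:123456789012:alarm:High*"}}}]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value, fold_case=False):
    # IAM '*' and '?' wildcards; ARNs (ArnLike) are case-sensitive, action names are not.
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)

def _grants_cloudwatch(stmt, action, resource):
    # Allow statement for the CloudWatch service principal (or Principal "*") covering
    # `action` on `resource`. Deny statements and other condition keys are out of scope.
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal", {})
    services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
    if principal != "*" and CW_SERVICE not in services:
        return False
    if not any(_matches(a, action, True) for a in _as_list(stmt.get("Action", []))):
        return False
    return any(_matches(r, resource) for r in _as_list(stmt.get("Resource", [])))

def alarm_can_publish(topic_policy, topic_arn, alarm_arn):
    # (allowed, scoped): may CloudWatch publish alarm_arn's notifications to topic_arn,
    # and is that grant limited to particular alarms by an ArnLike aws:SourceArn condition?
    for stmt in json.loads(topic_policy)["Statement"]:
        if not _grants_cloudwatch(stmt, "sns:Publish", topic_arn):
            continue
        sources = _as_list(stmt.get("Condition", {}).get("ArnLike", {}).get("aws:SourceArn", []))
        if not sources:
            return True, False  # unconditioned: any alarm in the account can publish
        if any(_matches(p, alarm_arn) for p in sources):
            return True, True
    return False, False

def key_allows_cloudwatch(key_policy):
    # A customer managed key policy must grant CloudWatch kms:Decrypt and kms:GenerateDataKey.
    return all(any(_grants_cloudwatch(s, act, "*") for s in json.loads(key_policy)["Statement"])
               for act in ("kms:Decrypt", "kms:GenerateDataKey"))
```

Running `alarm_can_publish(SCOPED_TOPIC_POLICY, TOPIC_ARN, ALARM_ARN)` returns `(True, True)`; a policy without the Condition block returns `(True, False)`, which is the over-broad grant the article warns about.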

If your trigger action succeeded, then the CloudWatch alarm history displays a message similar to the following message:

"Successfully executed action arn:aws:sns:us-east-1:ACCOUNT_ID:TOPIC_NAME"

This means the CloudWatch alarm successfully published a message to the SNS topic. If the notification wasn't delivered by SNS, then check the SNS topic and its metrics for any delivery failures. For more information, see How do I access Amazon SNS topic delivery logs for push notifications?

Note: CloudWatch doesn't test or validate the actions that you specify. It also doesn't detect Amazon EC2 Auto Scaling or Amazon SNS errors that result from an attempt to invoke nonexistent actions. Make sure that your actions exist.


Related information

Using Amazon CloudWatch alarms

Encrypting messages published to Amazon SNS with AWS KMS

AWS OFFICIAL. Updated 10 months ago.