Why isn't my encrypted SNS topic receiving notification from an AWS service?


I want to troubleshoot why my Amazon Simple Notification Service (Amazon SNS) topic isn’t receiving notification from an AWS service.

Short description

To configure an AWS service to successfully publish messages to an encrypted SNS topic, follow these steps:

  1. Confirm that the service has the required permissions to publish messages to the SNS topic.
  2. Confirm that the encryption key used by the encrypted topic has the required AWS Key Management (AWS KMS) permissions.
  3. Review service integration.

Resolution

Confirm that the SNS topic policy grants the AWS service the required permissions to publish messages to the SNS topic

The Amazon SNS topic's resource policy must allow the AWS service's principal to publish messages to the topic. For information on resource-based policies, see Example cases for Amazon SNS access control. The policy statement below grants that permission:

{
  "Sid": "My-statement-id",
  "Effect": "Allow",
  "Principal": {
    "Service": "service.amazonaws.com"
  },
  "Action": "SNS:Publish",
  "Resource": "arn:aws:sns:us-east-1:111111111111:exampletopic"
}

Note: Replace <service> with the service principal relevant to you. For a list of service principals, see the Activating compatibility between encrypted topics and event sources section in Encrypting messages published to Amazon SNS with AWS KMS.

Confirm that the encryption key used by the encrypted topic has the required AWS KMS permissions

Note: The Amazon SNS topic must use an AWS KMS customer managed key instead of the AWS managed default key (aws/sns). The default key's policy doesn't include the permissions that the AWS service needs to perform the AWS KMS operations, and you can't modify the policy of an AWS managed key.

After you create the customer managed key, make sure that its key policy allows the event source service to use it, as described in the Activating compatibility between encrypted topics and event sources section of Encrypting messages published to Amazon SNS with AWS KMS.
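The two permission checks above (topic policy, then key policy) combined into a small offline checker, as an added example that is not AWS's own code: it takes the values you would read from the topic's Policy and KmsMasterKeyId attributes plus the key policy document, and reports what this procedure would flag. The service principal, ARNs and policies are constructed placeholders; the KMS actions the service principal needs are kms:GenerateDataKey* and kms:Decrypt.

```python
import fnmatch
import json

# Constructed sample inputs, not from a real account.
SERVICE = "events.amazonaws.com"
TOPIC_ARN = "arn:aws:sns:us-east-1:111111111111:exampletopic"
TOPIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "My-statement-id", "Effect": "Allow",
     "Principal": {"Service": SERVICE}, "Action": "SNS:Publish",
     "Resource": TOPIC_ARN}]})
KEY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Allow-event-source", "Effect": "Allow",
     "Principal": {"Service": SERVICE},
     "Action": ["kms:GenerateDataKey*", "kms:Decrypt"], "Resource": "*"}]})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allows(policy_json, service_principal, action, resource):
    """True if an Allow statement grants `action` on `resource` to the service principal.
    IAM action names are case-insensitive and may carry wildcards; conditions are ignored."""
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if principal != "*" and service_principal not in services:
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt.get("Action", []))):
            continue
        if any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))):
            return True
    return False


def diagnose(service_principal, topic_arn, topic_policy, kms_key_id, key_policy):
    """Return the findings that stop `service_principal` publishing to the encrypted topic."""
    findings = []
    if not allows(topic_policy, service_principal, "SNS:Publish", topic_arn):
        findings.append("topic policy does not allow SNS:Publish for " + service_principal)
    if not kms_key_id:
        pass  # topic is not encrypted, so the KMS checks do not apply
    elif kms_key_id.endswith("aws/sns"):
        findings.append("topic uses the AWS managed key aws/sns; use a customer managed key")
    else:
        for action in ("kms:GenerateDataKey", "kms:Decrypt"):
            if not allows(key_policy, service_principal, action, "*"):
                findings.append("key policy does not allow %s for %s" % (action, service_principal))
    return findings
```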

Review service integration

If the SNS topic still doesn't receive notification, then follow these steps:

  1. Check the Amazon SNS CloudWatch metric NumberOfMessagesPublished. This metric shows whether the service is publishing the event to the SNS topic. If the metric doesn't populate, then there's an issue with the service-to-Amazon SNS configuration. Refer to the previous sections to address permission issues.
  2. If the NumberOfMessagesPublished metric is populated, then check the NumberOfNotificationsDelivered and NumberOfNotificationsFailed metrics. These metrics show whether the subscribing endpoints are successfully receiving messages from your Amazon SNS topic.
  3. Turn on the Amazon SNS topic delivery status logs to further troubleshoot message delivery issues.

Related information

AWS KMS concepts

Why didn't I receive an SNS notification for my Amazon CloudWatch alarm trigger?

Why aren't messages that I publish to my Amazon SNS topic getting delivered to my subscribed Amazon SQS queue that has server-side encryption activated?

Why can't I delete my SNS topic subscription?

AWS OFFICIAL
Updated 9 months ago