Why isn't my encrypted SNS topic receiving notification from an AWS service?

3 minute read
0

I want to troubleshoot why my Amazon Simple Notification Service (Amazon SNS) topic isn’t receiving notification from an AWS service.

Short description

To configure an AWS service to successfully publish messages to an encrypted SNS topic, follow these steps:

  1. Confirm that the service has the required permissions to publish messages to the SNS topic.
  2. Confirm that the encryption key used by the encrypted topic has the required AWS Key Management (AWS KMS) permissions.
  3. Review service integration.

Resolution

Confirm that the SNS topic policy granted AWS service the required permissions to publish messages to the SNS topic

The Amazon SNS topic's resource policy must allow the AWS service to publish messages to the topic. For information on resource-based policy see Example cases for Amazon SNS access control.

{
"Sid": "My-statement-id",
"Effect": "Allow",
"Principal": {
"Service": "service.amazonaws.com"
},
"Action": "SNS:Publish",
"Resource": "arn:aws:sns:us-east-1:111111111111:exampletopic"
}

Note: Replace <service> with the service principal relevant to you. For a list of service principals, see the Activating compatibility between encrypted topics and event sources section in Encrypting messages published to Amazon SNS with AWS KMS.

Confirm that the encryption key used by the encrypted topic has the required AWS KMS permissions

Note: The Amazon SNS topic must use an AWS KMS customer managed key instead of the default key (AWS/SNS). This is because the default key policy doesn't include the required permissions for the AWS service to perform AWS KMS operations. You also can't modify the policy of the default key.

After you create the AWS KMS key, make sure that there is compatibility between event sources from AWS services and the encrypted topics.

Review service integration

If the SNS topic still doesn't receive notification, then follow these steps:

  1. Check the Amazon SNS CloudWatch metric NumberOfMessagePublished. This metric shows whether the service is publishing the event to the SNS topic. If the metric doesn't populate, then there's an issue with the service to Amazon SNS configuration. Refer to the previous sections to address permission issues.
  2. If the NumberOfMessagePublished metric is populated, then check the NumberOfNotificationsDelivered and NumberOfNotificationsFailed metrics. These metrics show whether the subscribing endpoints are successfully receiving messages from your Amazon SNS topic.
  3. Turn on the Amazon SNS topic delivery status logs to further troubleshoot message delivery issues.

Related information

AWS KMS concepts

Why didn't I receive an SNS notification for my Amazon CloudWatch alarm trigger?

Why aren't messages that I publish to my Amazon SNS topic getting delivered to my subscribed Amazon SQS queue that has server-side encryption activated?

Why can't I delete my SNS topic subscription?

AWS OFFICIAL
AWS OFFICIALUpdated 7 months ago