I set up an Amazon EventBridge rule to send notifications to my Amazon Simple Notification Service (Amazon SNS) topic. However, my Amazon SNS topic didn't receive the event notifications.
Resolution
Verify that the targets of the EventBridge rule are in the same Region as the rule
The targets that you associate with a rule must be in the same AWS Region as the rule.
Note: To find the Region that an AWS resource is in, check the resource's Amazon Resource Name (ARN).
Review your EventBridge rule's Invocations and FailedInvocations metrics to identify the issue
Use the Amazon CloudWatch console to review your EventBridge rule's Invocations and FailedInvocations metrics.
If there are data points for only the Invocations metric, then the EventBridge rule notification didn't reach the target. To resolve this issue, reconfigure the rule for the target.
If there are data points for both metrics, then the EventBridge rule notification tried to invoke the target but the invocation failed. To resolve this issue, make sure that EventBridge has the required permissions to publish messages to your topic.
Confirm that you granted EventBridge the required permissions to publish messages to your topic
Your SNS topic's resource-based policy must allow EventBridge to publish messages to the topic. Check your topic's AWS Identity and Access Management (IAM) policy to confirm that it has the required permissions.
Example policy:
{
  "Sid": "AWSEvents_ArticleEvent_Id4950650036948",
  "Effect": "Allow",
  "Principal": {
    "Service": "events.amazonaws.com"
  },
  "Action": "sns:Publish",
  "Resource": "SNS_TOPIC_ARN"
}
Important: You must enter events.amazonaws.com as the Service value and sns:Publish as the Action value. Replace SNS_TOPIC_ARN with the ARN of your topic.
If you use an execution role, then make sure that the IAM role that's attached to the EventBridge rule is correct. To check the IAM role, open the EventBridge console, and then choose Rules. Select your rule, and then choose Targets to view the attached IAM role.
Verify that the execution role allows EventBridge to publish to the target
The execution role requires a trust relationship with EventBridge. Make sure that your role's trust policy includes events.amazonaws.com as a trusted entity for the sts:AssumeRole action, so that EventBridge can assume the target's execution role. Also, make sure that the role's permissions policy allows the sns:Publish action on your SNS topic.
Example IAM trust policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "events.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "ACCOUNT-ID",
          "aws:SourceArn": "EVENTBRIDGE-RULE-ARN"
        }
      }
    }
  ]
}
Note: Replace ACCOUNT-ID with your AWS account ID and EVENTBRIDGE-RULE-ARN with your rule's ARN.
Example IAM permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sns:Publish"
      ],
      "Resource": [
        "SNS_TOPIC_ARN"
      ]
    }
  ]
}
Note: Replace SNS_TOPIC_ARN with your SNS topic ARN.
Confirm that your topic has the required AWS KMS permissions
If you use server-side encryption (SSE), then your topic must use an AWS Key Management Service (AWS KMS) customer managed key. This AWS KMS key must have a custom key policy that allows EventBridge to use the key.
To set up the required AWS KMS permissions, complete the following steps:
- Create a new customer managed key.
- Use the customer managed key to configure SSE for your SNS topic.
- Configure an AWS KMS policy that allows EventBridge to publish messages to your encrypted topic.
Example policy:
{
  "Sid": "Allow EventBridge to use the key",
  "Effect": "Allow",
  "Principal": {
    "Service": "events.amazonaws.com"
  },
  "Action": [
    "kms:Decrypt",
    "kms:GenerateDataKey"
  ],
  "Resource": "*"
}
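The following is an added example, not part of the AWS article, that checks the two resource-based policies discussed above (the SNS topic policy and the KMS key policy) for the grants EventBridge needs, mirroring IAM's rule that an explicit Deny overrides any Allow. It evaluates plain policy JSON offline, for instance the Policy attribute returned by get-topic-attributes; the ARNs and account ID are constructed placeholders, and Condition blocks are not evaluated (they can only narrow a grant).

```python
import fnmatch
import json

# Constructed sample: an SNS topic access policy in the shape the article shows.
TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:example-topic"
SAMPLE_TOPIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AWSEvents_ArticleEvent_Id4950650036948",
        "Effect": "Allow",
        "Principal": {"Service": "events.amazonaws.com"},
        "Action": "sns:Publish",
        "Resource": TOPIC_ARN,
    }],
})

def _as_list(value):
    """IAM policy elements may be a string or a list; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def _principal_matches(principal, service):
    """A service principal matches when named under "Service" or when Principal is "*"."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and service in _as_list(principal.get("Service"))

def _statement_matches(stmt, service, action, resource):
    """Does the statement apply to this service principal, action and resource?
    Action/Resource wildcards (* and ?) are expanded; Condition is not evaluated."""
    return (_principal_matches(stmt.get("Principal"), service)
            and any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action")))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource"))))

def evaluate_resource_policy(policy_json, service, action, resource):
    """Return "allow", "deny" (an explicit Deny wins) or "implicit-deny" (no matching
    Allow), which is the order in which IAM evaluates a resource-based policy."""
    stmts = _as_list(json.loads(policy_json).get("Statement"))
    matching = [s for s in stmts if _statement_matches(s, service, action, resource)]
    if any(s.get("Effect") == "Deny" for s in matching):
        return "deny"
    return "allow" if any(s.get("Effect") == "Allow" for s in matching) else "implicit-deny"

def missing_eventbridge_grants(topic_policy_json, topic_arn, key_policy_json=None, key_arn=None):
    """List every grant from the article's checklist that is absent: sns:Publish on the
    topic and, for an SSE topic, kms:Decrypt and kms:GenerateDataKey on the key."""
    checks = [(topic_policy_json, "sns:Publish", topic_arn)]
    if key_policy_json is not None:
        checks += [(key_policy_json, a, key_arn) for a in ("kms:Decrypt", "kms:GenerateDataKey")]
    return [f"{a}: {r}" for p, a, res in checks
            if (r := evaluate_resource_policy(p, "events.amazonaws.com", a, res)) != "allow"]
```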