I'm using an AWS Lambda function to process Amazon Simple Notification Service (Amazon SNS) notifications, but my Amazon SNS topic doesn't invoke the function.
Short description
To receive messages published to a topic, you must subscribe an endpoint to the topic. After successfully subscribing, the endpoint begins to receive messages published to the associated topic. The endpoints can include Amazon Simple Queue Service (Amazon SQS), AWS Lambda, Short Messaging Service (SMS), email, and push notifications.
Resolution
There are five reasons why an Amazon SNS message event doesn't invoke a Lambda function that's subscribed to an SNS topic:
Important: Amazon SNS supports Amazon CloudWatch log delivery to the endpoints for AWS Lambda. If you haven't done so already, configure CloudWatch delivery status logging for your Amazon SNS topic. For more information, see Monitoring Amazon SNS topics using CloudWatch.
Confirm that the IAM identity publishing to the SNS topic has the permissions required to publish to the SNS topic
Look at the NumberOfMessagesPublished metric in your CloudWatch metrics for Amazon SNS. If the Publish requests made by the IAM entity that you're using to invoke the function aren't recorded in the NumberOfMessagesPublished metric, do the following:
1. Confirm that the IAM entity making the Publish API request has the permissions required to publish to the SNS topic. For more information and specific policy statement examples, see Example cases for Amazon SNS access control.
2. Confirm that the permissions policy for the SNS topic allows the IAM entity making the Publish API call to use the "SNS:Publish" action. For more information and examples of permissions policies, see Permissions for the Amazon SNS topic.
Confirm that your Lambda function has the permissions required to allow Amazon SNS to invoke the function
To view your function's permissions policy, follow the instructions in Using resource-based policies for AWS Lambda. If your function's policy doesn't include the "lambda:InvokeFunction" action for your SNS topic, update the policy to include the required permissions.
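The following added example (not part of the original article) checks a function's resource-based policy offline for a statement that lets Amazon SNS invoke it, and flags statements that are not restricted to a topic with aws:SourceArn. It assumes the policy document has already been retrieved (for example, the Policy field returned by Lambda's GetPolicy API); the ARNs, account ID and Sid are constructed placeholders, wildcard matching is approximated with fnmatch, and Deny statements and other condition keys are ignored.

```python
from fnmatch import fnmatchcase

# Condition operators that can carry an aws:SourceArn restriction.
ARN_OPERATORS = {"ArnLike", "ArnEquals", "StringLike", "StringEquals"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_sns_permission(policy, topic_arn, principal="sns.amazonaws.com"):
    """Return (allowed, unscoped_sids) for one topic against a function policy."""
    allowed, unscoped = False, []
    for stmt in as_list(policy.get("Statement", [])):
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        who = stmt.get("Principal", {})
        services = as_list(who.get("Service", [])) if isinstance(who, dict) else []
        if (stmt.get("Effect") != "Allow" or principal not in services
                or not any(fnmatchcase("lambda:invokefunction", a) for a in actions)):
            continue
        # Collect aws:SourceArn patterns; condition key names are case-insensitive.
        patterns = [p for op, keys in stmt.get("Condition", {}).items()
                    if op in ARN_OPERATORS
                    for key, val in keys.items() if key.lower() == "aws:sourcearn"
                    for p in as_list(val)]
        if not patterns:
            allowed = True  # invocable, but by any SNS topic, not only this one
            unscoped.append(stmt.get("Sid", "<no Sid>"))
        elif any(fnmatchcase(topic_arn, p) for p in patterns):
            allowed = True
    return allowed, unscoped

# Constructed policy (placeholder account ID and names, not from the article).
TOPIC = "arn:aws:sns:us-east-1:111122223333:orders"
SCOPED = {"Version": "2012-10-17", "Statement": [{
    "Sid": "sns-orders", "Effect": "Allow",
    "Principal": {"Service": "sns.amazonaws.com"},
    "Action": "lambda:InvokeFunction",
    "Resource": "arn:aws:lambda:us-east-1:111122223333:function:process-orders",
    "Condition": {"ArnLike": {"AWS:SourceArn": TOPIC}}}]}
UNSCOPED = {"Statement": [{k: v for k, v in SCOPED["Statement"][0].items()
                           if k != "Condition"}]}
```

A result of (False, []) means the topic can't invoke the function; a non-empty second element lists statements that should be re-created with a source ARN.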
Confirm that your Lambda function's filter policy matches the message attributes being sent from the SNS topic
Review the NumberOfNotificationsFilteredOut metric in your CloudWatch metrics for Amazon SNS. If the Publish requests made by the IAM entity that you're using to invoke the function appear in the NumberOfNotificationsFilteredOut metric, then do the following:
1. View your Lambda function's SNS topic subscription filter policy by doing the following:
Open the Amazon SNS console.
On the left navigation panel, choose Subscriptions.
On the Edit page, expand the Subscription filter policy section.
2. Review the subscription filter policy to confirm that the Publish request message attributes match the attributes required by the filter policy. If the attributes don't match, then update your Publish request message attributes so that they match the attributes required by the filter policy.
Note: For more information, see Amazon SNS subscription filter policies.
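The following added example (not part of the original article) evaluates a subscription filter policy against a Publish request's message attributes locally and reports which policy keys fail, which is the comparison described in step 2. It is a simplified approximation covering exact, prefix, anything-but, numeric and exists rules, not the Amazon SNS implementation; the policy and attributes are constructed samples.

```python
import json
import operator

NUMERIC_OPS = {"=": operator.eq, "<": operator.lt, "<=": operator.le,
               ">": operator.gt, ">=": operator.ge}

def attribute_values(attr):
    """Values carried by one Publish message attribute."""
    dtype, raw = attr["DataType"], attr["StringValue"]
    if dtype == "String.Array":
        return json.loads(raw)
    return [float(raw)] if dtype.startswith("Number") else [raw]

def rule_matches(rule, value):
    if not isinstance(rule, dict):                 # exact string or number
        return rule == value
    if "prefix" in rule:
        return isinstance(value, str) and value.startswith(rule["prefix"])
    if "anything-but" in rule:
        banned = rule["anything-but"]
        return value not in (banned if isinstance(banned, list) else [banned])
    if "numeric" in rule:                          # e.g. [">=", 100, "<", 200]
        pairs = zip(rule["numeric"][::2], rule["numeric"][1::2])
        return isinstance(value, (int, float)) and all(NUMERIC_OPS[op](value, b) for op, b in pairs)
    return False

def unmatched_keys(filter_policy, message_attributes):
    """Policy keys the message fails; an empty list means it is delivered."""
    failed = []
    for key, rules in filter_policy.items():
        exists = [r["exists"] for r in rules if isinstance(r, dict) and "exists" in r]
        attr = message_attributes.get(key)
        if attr is None:
            if False not in exists:                # absent passes only exists:false
                failed.append(key)
        elif True not in exists and not any(
                rule_matches(r, v) for r in rules for v in attribute_values(attr)):
            failed.append(key)
    return failed

# Constructed sample policy and Publish attributes (not from the article).
POLICY = {"store": ["example_corp"],
          "event": [{"anything-but": "order_cancelled"}],
          "price_usd": [{"numeric": [">=", 100]}]}
DELIVERED = {"store": {"DataType": "String", "StringValue": "example_corp"},
             "event": {"DataType": "String", "StringValue": "order_placed"},
             "price_usd": {"DataType": "Number", "StringValue": "210.75"}}
FILTERED = {"store": {"DataType": "String", "StringValue": "example_corp"},
            "event": {"DataType": "String", "StringValue": "order_cancelled"}}
```

Every key in the policy must be satisfied, so a message that omits one attribute is filtered out even when the others match.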
Confirm that your Lambda function isn't being throttled
Follow the instructions in How do I troubleshoot Lambda function throttling with "Rate exceeded" and 429 "TooManyRequestsException" errors?
Confirm that your Lambda function is hosted in the same Region as your SNS topic
Cross-Region delivery
Amazon SNS supports cross-Region deliveries, both for Regions that are active by default and for opt-in Regions. For the current list of AWS Regions that Amazon SNS supports, including opt-in Regions, see Amazon Simple Notification Service endpoints and quotas.
Amazon SNS supports the cross-Region delivery of notifications to AWS Lambda functions. When one of the Regions is an opt-in Region, specify a different Amazon SNS service principal in the subscribed resource's policy. For more information, see Sending Amazon SNS messages to an Amazon SQS queue or AWS Lambda function in a different Region. For more information on the Lambda function policy, see Opt-in Regions.
Lambda function in an opt-in Region
AWS doesn't support SNS deliveries from a default-enabled Region to an opt-in Region or from one opt-in Region to another. In such instances, Amazon SNS might fail to trigger the Lambda function.
Follow these steps if the Amazon SNS topic is hosted in a commercial AWS Region and the function is hosted in an opt-in Region:
1. Create a new Lambda function in the same Region as your Amazon SNS topic.
2. Configure the function's settings so that it makes an Invoke API call to the function that's hosted in the opt-in Region.
Important: Make sure that you update your SDK Region settings.
Example Python (Boto 3) command to change Region settings
import boto3

# us-east-1 client
lambda_us_east_1_client = boto3.client('lambda', region_name='us-east-1')
# us-west-1 client
lambda_us_west_1_client = boto3.client('lambda', region_name='us-west-1')
Example JavaScript/Node.js command to change Region settings
var AWS = require('aws-sdk');

// us-east-1 client
var lambda_us_east_1_client = new AWS.Lambda({apiVersion: '2015-03-31', region: 'us-east-1'});
// us-west-1 client
var lambda_us_west_1_client = new AWS.Lambda({apiVersion: '2015-03-31', region: 'us-west-1'});
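The following added example (not part of the original article) sketches the forwarding function from steps 1 and 2: it runs in the topic's Region, receives the SNS event, and makes an asynchronous Invoke call to the function in the other Region. The TARGET_FUNCTION_ARN environment variable and the helper names are assumptions, and the function's execution role must be allowed lambda:InvokeFunction on the target ARN only.

```python
import json
import os

# Hypothetical setting: ARN of the function hosted in the opt-in Region.
TARGET_ARN = os.environ.get(
    "TARGET_FUNCTION_ARN", "arn:aws:lambda:REGION:ACCOUNT_ID:function:NAME")

def region_from_arn(arn):
    """Extract the Region from a Lambda function ARN."""
    parts = arn.split(":")
    if len(parts) < 7 or parts[0] != "arn" or parts[2] != "lambda":
        raise ValueError("not a Lambda function ARN: %r" % arn)
    return parts[3]

def forward(event, client, target_arn):
    """Pass the SNS event unchanged to the target function (asynchronous)."""
    response = client.invoke(
        FunctionName=target_arn,
        InvocationType="Event",  # queue the event, as SNS itself would
        Payload=json.dumps(event).encode("utf-8"),
    )
    if response.get("StatusCode") != 202:
        # Raising marks this invocation as failed so Lambda can retry it.
        raise RuntimeError("forwarding failed: %s" % response.get("StatusCode"))
    return response["StatusCode"]

def lambda_handler(event, context):
    # Imported here so the helpers above can be exercised without the SDK.
    import boto3
    # The client must target the Region of the destination function,
    # not the Region this forwarding function runs in.
    client = boto3.client("lambda", region_name=region_from_arn(TARGET_ARN))
    return forward(event, client, TARGET_ARN)
```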