Why can't I receive email notifications from my Amazon SNS topic?


I'm not receiving email notifications from my Amazon Simple Notification Service (Amazon SNS) topic.

Resolution

Verify that your email endpoint is in the confirmed state

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you're using the most recent AWS CLI version.

Use either the AWS Management Console or AWS CLI to verify the state of your email endpoint.

AWS Management Console

  1. Open the Amazon SNS console.
  2. On the navigation pane, choose Topics, and then choose your topic.
  3. In the Subscriptions section of the topic page, find your email endpoint in the Endpoint column.
  4. In the Status column of your subscription, verify that the status is Confirmed. The status is confirmed when the email endpoint is successfully subscribed.
  5. Manually confirm the subscription in the Amazon SNS console. If you can't receive the confirmation email, complete the steps in the following sections.
  6. To re-request the confirmation email, select the subscription with your endpoint, and then choose Request confirmation.

AWS CLI

Run the list-subscriptions-by-topic AWS CLI command.

Note: If there is no email endpoint in the Endpoint column, then the endpoint was deleted.

Check if email addresses can receive emails from external contacts

To check if the issue is limited to Amazon SNS, send a test email from an external provider to your destination email address. This helps you gauge what kind of traffic is allowed from external sources. Mailboxes within an organization are often limited to internal traffic.

If the mailbox works and has no issues, then complete the steps in the Check for a firewall, spam filter, blockers, or filter policy section.

Check for a firewall, spam filter, blockers, or filter policy

Complete the following troubleshooting steps:

  1. Check with email administrators to see if the no-reply@sns.amazonaws.com address is filtered out by a firewall or spam filter.
    Tip: It's a best practice to add the no-reply@sns.amazonaws.com address to your mailbox allow list. For more information, see the Q: Do subscribers need to specifically configure their email settings to receive notifications from Amazon SNS? entry in Amazon SNS FAQs.
  2. If your emails are still filtered out as spam, check the mailbox rules for explicit denies that block your SNS topic email. You can also check if emails are routed to specific folders in the mailbox.
  3. To prevent individuals from unsubscribing all recipients of your SNS topic email, set up authentication to unsubscribe.
    Note: You must have the required permissions to unsubscribe your email endpoint. You can confirm the subscription with an authenticated user in the Amazon SNS console or with the AWS CLI.

Check for a filter policy on the subscription:

  1. Open the Amazon SNS console.
  2. On the navigation pane, choose Subscriptions.
  3. In the search box, enter the email address or SNS topic that the email endpoint is subscribed to, and then choose your subscription in the results.
  4. For your email endpoint, choose the Subscription filter policy tab, and then look for a filter policy on the subscription in the Subscription filter policy section.

Note: Amazon SNS compares the message attributes to the attributes in the filter policy when a message is sent to the endpoint. If the message attributes and the filter policy attributes don't align, the message won't be received on the email endpoint.
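The comparison described in the note above can be reproduced locally to see why a given message would be dropped. This is an added example, not AWS code: it assumes the filter policy applies to message attributes, covers only exact-match, prefix, anything-but and exists conditions on String and Number attributes, and all names and sample values in it are constructed.

```python
def _value(attr):
    """Comparable value of one SNS message attribute (String or Number only)."""
    if attr["DataType"] == "Number":
        return float(attr["Value"])
    return attr["Value"]

def _accepts(cond, value):
    """True if a single filter-policy condition accepts the attribute value."""
    if not isinstance(cond, dict):
        return type(cond) is not bool and cond == value  # exact string or number
    if "prefix" in cond:
        return isinstance(value, str) and value.startswith(cond["prefix"])
    if "anything-but" in cond:
        banned = cond["anything-but"]
        if isinstance(banned, dict):
            raise NotImplementedError("nested anything-but is outside this sketch")
        return value not in (banned if isinstance(banned, list) else [banned])
    if "exists" in cond:
        return cond["exists"] is True  # the attribute is present at this point
    raise NotImplementedError(f"operator not covered by this sketch: {cond}")

def would_deliver(filter_policy, message_attributes):
    """Return (delivered, reason). Every policy key must match (AND);
    within one key, any listed condition may match (OR)."""
    for name, conditions in filter_policy.items():
        attr = message_attributes.get(name)
        if attr is None:
            if {"exists": False} in conditions:
                continue
            return False, f"attribute '{name}' missing from message"
        value = _value(attr)
        if not any(_accepts(c, value) for c in conditions):
            return False, f"attribute '{name}'={value!r} matches none of {conditions}"
    return True, "all policy keys matched"

# Constructed sample policy and messages (not taken from the page).
FILTER_POLICY = {"severity": ["CRITICAL", {"prefix": "HIGH"}],
                 "environment": [{"anything-but": "dev"}]}
MATCHING = {"severity": {"DataType": "String", "Value": "CRITICAL"},
            "environment": {"DataType": "String", "Value": "prod"}}
WRONG_VALUE = {"severity": {"DataType": "String", "Value": "LOW"},
               "environment": {"DataType": "String", "Value": "prod"}}
NO_ATTRIBUTES = {}  # publisher sent the message without any attributes

if __name__ == "__main__":
    for label, attrs in (("matching", MATCHING), ("wrong value", WRONG_VALUE),
                         ("no attributes", NO_ATTRIBUTES)):
        print(label, "->", would_deliver(FILTER_POLICY, attrs))
```

The last sample is the case to check first: a publisher that sends no message attributes never satisfies an attribute-based filter policy, so the email endpoint receives nothing.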

Confirm you're not using the default AWS KMS key settings

Amazon SNS allows encryption at rest for topics. If the default AWS Key Management Service (AWS KMS) key is used for encryption, then services (such as Amazon CloudWatch) can't publish messages to the SNS topic. The key policy of the default AWS KMS key for Amazon SNS doesn't allow these services to perform kms:Decrypt and kms:GenerateDataKey API calls. Because this key is AWS managed, you can't manually edit the policy.

If you're encrypting your Amazon SNS topic, use a customer managed key. The customer managed key must include the following permissions under the Statement section of the key policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "service.amazonaws.com"
      },
      "Action": [
        "kms:GenerateDataKey*",
        "kms:Decrypt"
      ],
      "Resource": "*"
    }
  ]
}

These permissions allow the services to publish messages to encrypted SNS topics.
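To confirm that a customer managed key policy actually grants both calls to the publishing service, the policy document can be checked offline. This is an added example, not AWS code: the function names are hypothetical, both policies are constructed samples, and cloudwatch.amazonaws.com is used as a sample value in place of the page's service.amazonaws.com placeholder.

```python
import json
from fnmatch import fnmatchcase

# The two API calls this page says the publishing service must be allowed to make.
REQUIRED = ("kms:GenerateDataKey", "kms:Decrypt")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _names_service(statement, service):
    principal = statement.get("Principal", {})
    if principal == "*":
        return True
    return isinstance(principal, dict) and service in _as_list(principal.get("Service", []))

def missing_actions(key_policy, service):
    """Return the REQUIRED actions that `service` is not allowed by the key policy.

    Limits of this sketch: Condition, NotAction and NotPrincipal are not evaluated.
    """
    allowed, denied = set(), set()
    for statement in _as_list(key_policy.get("Statement", [])):
        if not _names_service(statement, service):
            continue
        bucket = allowed if statement.get("Effect") == "Allow" else denied
        for pattern in _as_list(statement.get("Action", [])):
            # IAM action names are case-insensitive and may use * wildcards.
            bucket.update(a for a in REQUIRED if fnmatchcase(a.lower(), pattern.lower()))
    return [a for a in REQUIRED if a not in allowed or a in denied]

# Constructed sample 1: the page's statement with a sample service principal.
PAGE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "cloudwatch.amazonaws.com"},
    "Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
    "Resource": "*"
  }]
}""")

# Constructed sample 2: a policy that omits the data-key permission.
DECRYPT_ONLY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": {"Effect": "Allow", "Principal": {"Service": ["cloudwatch.amazonaws.com"]},
                "Action": "kms:decrypt", "Resource": "*"}
}""")

if __name__ == "__main__":
    for label, policy in (("page policy", PAGE_POLICY), ("decrypt only", DECRYPT_ONLY)):
        print(label, "->", missing_actions(policy, "cloudwatch.amazonaws.com") or "ok")
```

An empty result means both calls are granted to that principal; any action returned is one the service is not allowed to make, so publishing to the encrypted topic fails.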

AWS OFFICIAL, updated a year ago
2 Comments

If the default AWS Key Management Service (AWS KMS) key is used for encryption, services (such as Amazon CloudWatch), can't publish messages to the SNS topic. That needs to be added to the console information on the SNS encryption setting. I wasted a lot of time thinking the KMS key was set properly and useful for other AWS services.

replied 12 days ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 9 days ago