
Why can't I receive email notifications from my Amazon SNS topic?


I can't receive email notifications from my Amazon Simple Notification Service (Amazon SNS) topic.

Resolution

Verify that your email endpoint status is Confirmed

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

To verify the state of your email endpoint, use either the Amazon SNS console or AWS CLI.

Amazon SNS console

  1. Open the Amazon SNS console.
  2. In the navigation pane, choose Topics, and then select your topic.
  3. In the Subscriptions section, find your email endpoint in the Endpoint column.
  4. In the Status column, check whether the status is Confirmed.
  5. If the status isn't Confirmed, then manually confirm the subscription in the Amazon SNS console. If you can't receive the confirmation email, then complete the steps in the following sections.
  6. To request the confirmation email again, select the subscription with your endpoint, and then choose Request confirmation.

AWS CLI

Run the list-subscriptions-by-topic command.

Note: If no email endpoint is in the Endpoint column, then the endpoint is deleted.

Check if email addresses can receive emails from external contacts

To check whether the issue is only with Amazon SNS, send a test email from an external provider to your destination email address. The test email helps you determine what type of traffic is allowed from external sources. Mailboxes within an organization can be limited to internal traffic.

If the mailbox receives the test email, then complete the steps in the following section.

Check for a firewall, spam filter, blockers, or filter policy

Ask your email administrators to check whether a firewall or spam filter is blocking the no-reply@sns.amazonaws.com address. It's a best practice to add the no-reply@sns.amazonaws.com address to your mailbox allow list. For more information, see Q: Do subscribers need to specifically configure their email settings to receive notifications from Amazon SNS? in the Transports section of Amazon SNS FAQs.

Check the mailbox rules for any explicit Deny action that blocks your SNS topic email. Also, check if emails are routed to specific folders in the mailbox.

Set up authentication for unsubscribe requests so that users can't unsubscribe all recipients of your SNS topic email. You must have the required permissions to unsubscribe your email endpoint. You can use the Amazon SNS console or AWS CLI to confirm the subscription with an authenticated user.

To check for a filter policy on the subscription, complete the following steps:

  1. Open the Amazon SNS console.
  2. In the navigation pane, choose Subscriptions.
  3. In the search box, enter the email address or SNS topic that the email endpoint is subscribed to. Then, select your subscription.
  4. For your email endpoint, choose the Subscription filter policy tab.
  5. Under Subscription filter policy, look for a filter policy.

When a message is sent to the endpoint, Amazon SNS compares the message attributes to the attributes in the filter policy. If the message attributes and the filter policy attributes don't match, then the email endpoint doesn't receive the message.
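
The comparison described above can be reproduced offline to see which filter policy key causes a message to be dropped. The following Python code is an added example, not AWS code or part of the original article. It assumes the default MessageAttributes policy scope, handles only exact, prefix, anything-but, and exists rules on scalar attribute values, and uses a constructed policy and constructed messages.

```python
def _value_matches(rule, value):
    """Test one attribute value against one rule from the policy array."""
    if isinstance(rule, dict):
        if "prefix" in rule:
            return isinstance(value, str) and value.startswith(rule["prefix"])
        if "anything-but" in rule:
            banned = rule["anything-but"]
            banned = banned if isinstance(banned, list) else [banned]
            return value not in banned
        return False  # operator outside the subset handled in this example
    return rule == value  # exact match; the string "1" does not equal the number 1


def blocking_attributes(filter_policy, attributes):
    """Return the policy keys that filter the message out.

    Every key in the policy must match (AND); within one key, any rule in
    its array may match (OR). An empty result means the message is delivered.
    """
    blocked = []
    for name, rules in filter_policy.items():
        present = name in attributes
        matched = False
        for rule in rules:
            if isinstance(rule, dict) and "exists" in rule:
                matched = matched or (rule["exists"] == present)
            elif present:
                matched = matched or _value_matches(rule, attributes[name])
        if not matched:
            blocked.append(name)
    return blocked


# Constructed sample policy (hypothetical attribute names).
POLICY = {
    "severity": ["critical", {"prefix": "high"}],
    "env": [{"anything-but": "dev"}],
    "muted": [{"exists": False}],
}

if __name__ == "__main__":
    # Constructed sample messages, given as attribute name -> value.
    for attrs in ({"severity": "critical", "env": "prod"},
                  {"severity": "low", "env": "prod"},
                  {"severity": "high-cpu"},
                  {}):
        keys = blocking_attributes(POLICY, attrs)
        print(attrs, "->", "delivered" if not keys else f"filtered by {keys}")
```

A message published without any attributes is filtered by every policy key except those that use an exists: false rule, which is a common reason that test messages from the console never reach a filtered email subscription.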

Confirm that the default AWS KMS key settings aren't in use

Amazon SNS allows encryption at rest for topics. If you use the default AWS Key Management Service (AWS KMS) key for encryption, then AWS services can't publish messages to the SNS topic. The AWS KMS key policy for Amazon SNS doesn't allow AWS services to perform kms:Decrypt and kms:GenerateDataKey API calls. Because AWS manages the key, you can't manually edit the policy.

If you encrypt your Amazon SNS topic, then use a customer managed key instead. The following customer managed key policy includes the permissions to perform kms:Decrypt and kms:GenerateDataKey:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "service.amazonaws.com"
      },
      "Action": [
        "kms:GenerateDataKey*",
        "kms:Decrypt"
      ],
      "Resource": "*"
    }
  ]
}

AWS OFFICIAL: Updated 5 months ago

2 Comments

If the default AWS Key Management Service (AWS KMS) key is used for encryption, services (such as Amazon CloudWatch) can't publish messages to the SNS topic. That needs to be added to the console information on the SNS encryption setting. I wasted a lot of time thinking the KMS key was set properly and useful for other AWS services.

replied 9 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR
replied 9 months ago