How do I troubleshoot an Amazon SNS topic that’s not receiving notifications from AWS Cost Anomaly Detection?

Short description

When the cost anomaly detection monitor detects an anomaly, it publishes a notification to the Amazon SNS topic. Then, Amazon SNS delivers the notifications to subscribed endpoints, usually by email. The notification can fail to reach the concerned endpoint because of the following reasons:

• Cost anomaly detection notifications aren't reaching the SNS topic. This can be because of missing permissions on the topic access policy or the KMS key policy when encryption is activated on the topic.
• The SNS topic fails to deliver notifications to the subscribed endpoints.

Resolution

Review the SNS NumberOfMessagesPublished metric

Review the SNS NumberOfMessagesPublished metric to confirm whether events in the anomaly detection history have corresponding data points for published notifications. This metric indicates whether the notifications are successfully published to your topic.

The SNS NumberOfMessagesPublished metric has no data points

Set required permissions

Confirm that you granted AWS Cost Anomaly Detection service the required permissions to publish messages to your topic.

The following example SNS topic access policy allows AWS Cost Anomaly Detection to publish messages to an Amazon SNS topic:

{  
  "Sid": "E.g., AWSAnomalyDetectionSNSPublishingPermissions",  
  "Effect": "Allow",  
  "Principal": {  
    "Service": "costalerts.amazonaws.com"  
  },  
  "Action": "SNS:Publish",  
  "Resource": "your topic ARN"  
}

For more information, see Creating an Amazon SNS topic for anomaly notifications.

Activate server-side encryption

Check if you activated server-side encryption on your topic. Confirm that you granted AWS Cost Anomaly Detection service the AWS Key Management (AWS KMS) permissions to your key when you published to the topic.

Your Amazon SNS topic must use an AWS KMS key that's customer managed. This KMS key must include a custom key policy that allows AWS Cost Anomaly Detection service to perform kms:GenerateDataKey and kms:Decrypt actions. For more information, see Configuring AWS KMS permissions.

The following example IAM policy statement allows AWS Cost Anomaly Detection to publish messages to an encrypted Amazon SNS topic:

{  
    "Version": "2012-10-17",  
    "Statement": [{  
        "Effect": "Allow",  
        "Principal": {  
            "Service": "costalerts.amazonaws.com"  
        },  
    "Action": [  
        "kms:GenerateDataKey*",  
        "kms:Decrypt"  
        ],  
    "Resource": "*"  
    }]  
    }

The SNS NumberOfMessagesPublished metric is populated, but you still don't receive notifications

Follow these steps to troubleshoot the issue:

1. Verify that your subscribed endpoints are in the Confirmed state.
2. Confirm that the NumberOfNotificationsDelivered and NumberOfNotificationsFailed metrics notifications are published and successfully delivered to the endpoints.
3. Check if there's a filter policy on the subscribed endpoints. Check the NumberOfNotificationsFilteredOut metric to see if the messages are getting filtered out. If messages are getting filtered out, then see How do I troubleshoot subscription filter policy issues in Amazon SNS?
4. Check if the topic's subscribed endpoint is an email protocol. Check if the NumberOfNotificationsDelivered metric indicates that notifications are successfully delivered but not reaching the email inbox. For more information, see Why can't I receive email notifications from my Amazon SNS topic?
5. Messages might fail to reach these other subscribed endpoints:

• HTTP
• Amazon Kinesis Data Firehose
• AWS Lambda
• Platform application endpoint
• Amazon Simple Queue Service
• Short Message Service (SMS)

Turn on the Amazon SNS topic delivery status logs to further troubleshoot the issue. The ProviderResponse attribute in the logs explains the cause of the delivery failure.

Note: To make sure that each message delivery status is logged, set the success sample rate to 100%. If you use a lower percentage, then SNS generates delivery logs for only the specified percentage of delivered or failed messages.