The AWS Cost Anomaly Detection monitor that I created doesn't send notifications to my Amazon Simple Notification Service (Amazon SNS) topic.
Short description
When the Cost Anomaly Detection monitor detects an anomaly, it publishes a notification to the Amazon SNS topic. Amazon SNS then delivers the notification to the subscribed endpoints, usually by email. The notification can fail to reach the endpoint for the following reasons:
- Cost Anomaly Detection notifications didn't reach the SNS topic. This happens when the topic access policy is missing the required permissions or, if you activated encryption on the topic, when the KMS key policy is missing them.
- The SNS topic fails to deliver notifications to the subscribed endpoints.
Resolution
Review the SNS NumberOfMessagesPublished metric
Review the SNS NumberOfMessagesPublished metric to confirm whether each event in the anomaly detection history has a corresponding data point for a published notification. This metric indicates whether Cost Anomaly Detection successfully published the notification to your topic.
The SNS NumberOfMessagesPublished metric has no data points
Confirm that you granted Cost Anomaly Detection the required permissions to publish messages to your topic.
The following example SNS topic access policy allows Cost Anomaly Detection to publish messages to an Amazon SNS topic:
{
  "Sid": "AWSAnomalyDetectionSNSPublishingPermissions",
  "Effect": "Allow",
  "Principal": {
    "Service": "costalerts.amazonaws.com"
  },
  "Action": "SNS:Publish",
  "Resource": "your topic ARN"
}
For more information, see Creating an Amazon SNS topic for anomaly notifications.
The SNS NumberOfMessagesPublished metric has data points
To troubleshoot this issue, complete the following steps:
- Verify that your subscribed endpoints are in the Confirmed state.
- Check the NumberOfNotificationsDelivered and NumberOfNotificationsFailed metrics to confirm that the published notifications are successfully delivered to the endpoints.
- Check if there's a filter policy on the subscribed endpoints. Check the NumberOfNotificationsFilteredOut metric to verify whether the subscription filter policy filters out the messages. If messages get filtered out, then see How do I troubleshoot subscription filter policy issues in Amazon SNS?
- Check if the topic's subscribed endpoint uses the email protocol. If the NumberOfNotificationsDelivered metric shows that the topic successfully delivered the notifications but they didn't reach the email inbox, see Why can't I receive email notifications from my Amazon SNS topic?
Confirm that you activated server-side encryption
Confirm whether you activated server-side encryption on your Amazon SNS topic. If you did, then check your permission requirements: make sure that your key policy grants Cost Anomaly Detection the required AWS Key Management Service (AWS KMS) permissions on the key.
Your Amazon SNS topic must use an AWS KMS key that's customer managed. This KMS key must include a custom key policy that allows Cost Anomaly Detection to perform kms:GenerateDataKey* and kms:Decrypt actions. For more information, see Configuring AWS KMS permissions.
The following example key policy statement allows AWS Cost Anomaly Detection to publish messages to an encrypted Amazon SNS topic:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "Service": "costalerts.amazonaws.com"
    },
    "Action": [
      "kms:GenerateDataKey*",
      "kms:Decrypt"
    ],
    "Resource": "*"
  }]
}
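Both policy checks above (the topic access policy and the KMS key policy) come down to the same question: is there an Allow statement whose principal is the costalerts.amazonaws.com service, whose action covers what Cost Anomaly Detection needs, and whose resource covers the topic or key? The following added example, which is not AWS tooling and not part of this article, answers that question offline for policy documents you paste in. The topic and key ARNs and the policy documents are constructed sample values; the checker evaluates Allow statements only and ignores Deny statements and Condition blocks, so a clean result means "the grant is present", not "access is guaranteed".

```python
"""Offline check of an SNS topic policy and a KMS key policy for the grants
that Cost Anomaly Detection needs (added example, not AWS's own code)."""
import fnmatch
import json

COST_ALERTS_PRINCIPAL = "costalerts.amazonaws.com"

# Constructed sample ARNs (assumptions, not values from the article).
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:cost-anomaly-alerts"
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"


def _as_list(value):
    """Action, Resource and Principal.Service may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_allowed(required, patterns):
    """IAM action names are case-insensitive and may end in a '*' wildcard,
    so 'kms:GenerateDataKey*' in a policy covers kms:GenerateDataKey."""
    return any(fnmatch.fnmatchcase(required.lower(), p.lower()) for p in patterns)


def _resource_covers(target_arn, resources):
    return any(fnmatch.fnmatchcase(target_arn, r) for r in resources)


def _service_allowed(statement):
    principal = statement.get("Principal")
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    services = _as_list(principal.get("Service"))
    return COST_ALERTS_PRINCIPAL in services or "*" in services


def missing_permissions(policy_doc, required_actions, resource_arn):
    """Return the required actions that no Allow statement grants to the
    Cost Anomaly Detection service principal on resource_arn.
    Deny statements and Condition blocks are deliberately not evaluated."""
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _service_allowed(stmt):
            continue
        if not _resource_covers(resource_arn, _as_list(stmt.get("Resource"))):
            continue
        actions = _as_list(stmt.get("Action"))
        granted.update(a for a in required_actions if _action_allowed(a, actions))
    return sorted(set(required_actions) - granted)


def check_topic_policy(policy_doc, topic_arn):
    return missing_permissions(policy_doc, ["sns:Publish"], topic_arn)


def check_key_policy(policy_doc, key_arn):
    return missing_permissions(policy_doc, ["kms:GenerateDataKey", "kms:Decrypt"], key_arn)


# Constructed sample policies. TOPIC_POLICY_DEFAULT resembles a topic that only
# trusts its own account and never had the service principal added.
TOPIC_POLICY_OK = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AWSAnomalyDetectionSNSPublishingPermissions", "Effect": "Allow",
    "Principal": {"Service": COST_ALERTS_PRINCIPAL},
    "Action": "SNS:Publish", "Resource": TOPIC_ARN}]})
TOPIC_POLICY_DEFAULT = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
    "Action": ["SNS:Publish", "SNS:Subscribe"], "Resource": TOPIC_ARN}]})
KEY_POLICY_OK = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": COST_ALERTS_PRINCIPAL},
    "Action": ["kms:GenerateDataKey*", "kms:Decrypt"], "Resource": "*"}]})
KEY_POLICY_DECRYPT_ONLY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": COST_ALERTS_PRINCIPAL},
    "Action": "kms:Decrypt", "Resource": "*"}]})

if __name__ == "__main__":
    print("topic (ok):     ", check_topic_policy(TOPIC_POLICY_OK, TOPIC_ARN))
    print("topic (default):", check_topic_policy(TOPIC_POLICY_DEFAULT, TOPIC_ARN))
    print("key (ok):       ", check_key_policy(KEY_POLICY_OK, KEY_ARN))
    print("key (partial):  ", check_key_policy(KEY_POLICY_DECRYPT_ONLY, KEY_ARN))
```

To run it against a real topic, feed it the Policy attribute from sns:GetTopicAttributes and the document from kms:GetKeyPolicy; an empty list from both checks means the grants this article describes are present, and any action it lists is the one to add.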
Turn on delivery status logs
Turn on the Amazon SNS topic delivery status logs to troubleshoot the issue further. The ProviderResponse attribute in the logs states the cause of each delivery failure.
Note: To log every message delivery status, set the success sample rate to 100%. If you use a lower percentage, then SNS generates delivery logs for only the specified percentage of delivered or failed messages.
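The metric checks in the "has data points" section and the delivery status logs in this section form one decision procedure: no published messages points at permissions, published but undelivered points at the subscriptions, and the delivery log names the failing endpoint. The added example below, which is not AWS tooling and not part of this article, encodes that procedure as a rule-based triage over constructed sample data. The metric sums, subscription records and log entries are constructed; the subscription records follow the shape of sns:ListSubscriptionsByTopic output (a pending subscription carries the literal SubscriptionArn value "PendingConfirmation"), and the log entries follow the shape of SNS delivery status log entries.

```python
"""Rule-based triage of the SNS signals this article walks through
(added example, not AWS's own code; all input data is constructed)."""
import json

SERVICE_PRINCIPAL = "costalerts.amazonaws.com"


def unconfirmed_endpoints(subscriptions):
    """A subscription that was never confirmed has no real ARN yet."""
    return [s["Endpoint"] for s in subscriptions
            if s.get("SubscriptionArn") == "PendingConfirmation"]


def failed_deliveries(log_lines):
    """Extract (destination, providerResponse) from FAILURE entries of the
    delivery status log; providerResponse is the field the article names."""
    failures = []
    for line in log_lines:
        entry = json.loads(line)
        if entry.get("status") == "FAILURE":
            delivery = entry.get("delivery", {})
            failures.append((delivery.get("destination"), delivery.get("providerResponse")))
    return failures


def triage(metrics, subscriptions, log_lines=()):
    """Return ordered findings. `metrics` maps SNS CloudWatch metric names to
    their Sum over the window in which the anomaly was detected."""
    findings = []
    if metrics.get("NumberOfMessagesPublished", 0) == 0:
        findings.append("no messages published: the notification never reached the topic; "
                        f"check the topic access policy and, for an encrypted topic, "
                        f"the KMS key policy for {SERVICE_PRINCIPAL}")
        return findings  # nothing downstream can be the cause yet
    pending = unconfirmed_endpoints(subscriptions)
    if pending:
        findings.append("unconfirmed subscriptions: " + ", ".join(pending))
    if metrics.get("NumberOfNotificationsFilteredOut", 0) > 0:
        findings.append("messages filtered out: review the subscription filter policies")
    for destination, response in failed_deliveries(log_lines):
        findings.append(f"delivery to {destination} failed: {response}")
    if metrics.get("NumberOfNotificationsFailed", 0) > 0 and not log_lines:
        findings.append("deliveries failed but no delivery status logs were supplied: "
                        "turn on delivery status logging with a 100% sample rate")
    email_delivered = (metrics.get("NumberOfNotificationsDelivered", 0) > 0
                       and any(s.get("Protocol") == "email" for s in subscriptions))
    if email_delivered and not findings:
        findings.append("SNS delivered to the email endpoint; the message is being dropped "
                        "after hand-off (check spam or junk filtering on the mailbox)")
    return findings


# Constructed sample data: one confirmed email, one confirmed HTTPS endpoint
# that times out, and one HTTPS endpoint that was never confirmed.
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:cost-anomaly-alerts"
SUBSCRIPTIONS = [
    {"Protocol": "email", "Endpoint": "finops@example.com",
     "SubscriptionArn": TOPIC_ARN + ":11111111-1111-1111-1111-111111111111"},
    {"Protocol": "https", "Endpoint": "https://hooks.example.com/cost",
     "SubscriptionArn": TOPIC_ARN + ":22222222-2222-2222-2222-222222222222"},
    {"Protocol": "https", "Endpoint": "https://backup.example.com/cost",
     "SubscriptionArn": "PendingConfirmation"},
]
DELIVERY_LOGS = [json.dumps({
    "notification": {"messageId": "3f7c0a1e-0000-0000-0000-000000000000", "topicArn": TOPIC_ARN},
    "delivery": {"destination": "https://hooks.example.com/cost", "attempts": 3,
                 "providerResponse": "Timeout", "statusCode": 0},
    "status": "FAILURE",
})]
METRICS_NOT_PUBLISHED = {"NumberOfMessagesPublished": 0}
METRICS_PARTIAL = {"NumberOfMessagesPublished": 3, "NumberOfNotificationsDelivered": 2,
                   "NumberOfNotificationsFailed": 1}

if __name__ == "__main__":
    for finding in triage(METRICS_NOT_PUBLISHED, SUBSCRIPTIONS):
        print("-", finding)
    for finding in triage(METRICS_PARTIAL, SUBSCRIPTIONS, DELIVERY_LOGS):
        print("-", finding)
```

Delivery status logging covers the application, HTTP/S, Lambda, SQS, Firehose and SMS protocols, not email, so for an email-only topic the NumberOfNotificationsDelivered metric is the last signal SNS gives you, which is why the last rule above hands off to mailbox-side checks.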