I want to troubleshoot why my Amazon Simple Notification Service (Amazon SNS) topic isn't receiving notifications from an AWS service.
Short description
To configure an AWS service to successfully publish messages to an encrypted SNS topic, follow these steps:
- Confirm that the service has the required permissions to publish messages to the SNS topic.
- Confirm that the encryption key used by the encrypted topic has the required AWS Key Management Service (AWS KMS) permissions.
- Review service integration.
Resolution
Confirm that the SNS topic policy grants the AWS service the required permissions to publish messages to the SNS topic
The Amazon SNS topic's resource policy must allow the AWS service to publish messages to the topic. For information on resource-based policies, see Example cases for Amazon SNS access control. The policy must contain a statement like the following:
{
    "Sid": "My-statement-id",
    "Effect": "Allow",
    "Principal": {
        "Service": "service.amazonaws.com"
    },
    "Action": "SNS:Publish",
    "Resource": "arn:aws:sns:us-east-1:111111111111:exampletopic"
}
Note: Replace service.amazonaws.com with the service principal of the AWS service that publishes to your topic. For a list of service principals, see the Activating compatibility between encrypted topics and event sources section in Encrypting messages published to Amazon SNS with AWS KMS.
Confirm that the encryption key used by the encrypted topic has the required AWS KMS permissions
Note: The Amazon SNS topic must use an AWS KMS customer managed key instead of the default AWS managed key (aws/sns). The default key's policy doesn't include the permissions that the AWS service needs to perform AWS KMS operations on the topic's behalf, and you can't modify the policy of the default key.
After you create the AWS KMS key, confirm that its key policy makes the event sources from AWS services compatible with the encrypted topic, as described in the section referenced in the previous note.
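As an added example (not part of this article and not an AWS tool), the following Python checker evaluates an SNS topic policy and a KMS key policy the way the two sections above describe: it reports whether a given service principal is granted SNS:Publish on the topic and kms:GenerateDataKey plus kms:Decrypt on the key, which are the KMS actions an AWS service needs on a customer managed key to publish to an encrypted topic. The policy documents are constructed samples; in a real account you would retrieve them with the SNS GetTopicAttributes and KMS GetKeyPolicy APIs.

```python
import fnmatch
import json

# Constructed sample documents, not from any real account: the topic policy
# grants Publish to the service principal, but the key policy only grants
# kms:GenerateDataKey*, so the report below flags kms:Decrypt as missing.
TOPIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowServicePublish", "Effect": "Allow",
     "Principal": {"Service": "events.amazonaws.com"},
     "Action": "SNS:Publish", "Resource": "arn:aws:sns:us-east-1:111111111111:exampletopic"}]})
KEY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowServiceKeyUse", "Effect": "Allow",
     "Principal": {"Service": "events.amazonaws.com"},
     "Action": ["kms:GenerateDataKey*"], "Resource": "*"}]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, service_principal, action):
    """True if the statement names the principal (or "*") and the action. Action
    names are case-insensitive and may carry wildcards; Condition blocks are ignored."""
    principal = stmt.get("Principal", {})
    if isinstance(principal, dict):
        named = _as_list(principal.get("Service", [])) + _as_list(principal.get("AWS", []))
    else:
        named = [principal]
    if service_principal not in named and "*" not in named:
        return False
    return any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt.get("Action", [])))

def allows(policy_json, service_principal, action):
    """Resource-policy evaluation: an explicit Deny wins, else any matching Allow."""
    matching = [s for s in _as_list(json.loads(policy_json).get("Statement", []))
                if _matches(s, service_principal, action)]
    if any(s.get("Effect") == "Deny" for s in matching):
        return False
    return any(s.get("Effect") == "Allow" for s in matching)

def check_encrypted_topic_access(topic_policy, key_policy, service_principal):
    """Report the three grants a service needs to publish to an encrypted topic."""
    return {
        "SNS:Publish": allows(topic_policy, service_principal, "SNS:Publish"),
        "kms:GenerateDataKey": allows(key_policy, service_principal, "kms:GenerateDataKey"),
        "kms:Decrypt": allows(key_policy, service_principal, "kms:Decrypt"),
    }

if __name__ == "__main__":
    report = check_encrypted_topic_access(TOPIC_POLICY, KEY_POLICY, "events.amazonaws.com")
    print({grant: "OK" if ok else "MISSING" for grant, ok in report.items()})
```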
Review service integration
If the SNS topic still doesn't receive notifications, then follow these steps:
- Check the Amazon SNS CloudWatch metric NumberOfMessagesPublished. This metric shows whether the service is publishing the event to the SNS topic. If the metric doesn't populate, then there's an issue with the configuration between the service and Amazon SNS. Refer to the previous sections to address permission issues.
- If the NumberOfMessagesPublished metric is populated, then check the NumberOfNotificationsDelivered and NumberOfNotificationsFailed metrics. These metrics show whether the subscribed endpoints are successfully receiving messages from your Amazon SNS topic.
- Turn on the Amazon SNS topic delivery status logs to further troubleshoot message delivery issues.
Related information
AWS KMS concepts
Why didn't I receive an SNS notification for my Amazon CloudWatch alarm trigger?
Why aren't messages that I publish to my Amazon SNS topic getting delivered to my subscribed Amazon SQS queue that has server-side encryption activated?
Why can't I delete my SNS topic subscription?