Why didn't I receive an SNS notification for my CloudWatch alarm trigger?

Last updated: 2021-08-27

I created an Amazon CloudWatch alarm to send notifications through an Amazon Simple Notification Service (Amazon SNS) topic when the alarm's state changes. However, the CloudWatch alarm changed states, and I didn't receive an SNS notification. Why didn't I receive an SNS notification for my CloudWatch alarm trigger?

Resolution

Delivery of SNS notifications depends on the configuration of the SNS topic and the CloudWatch alarm. To determine why you're not receiving SNS notifications, check the history of the CloudWatch alarm to find the status of the trigger action.

If your trigger action failed due to SNS access policy restrictions:

  • The CloudWatch alarm history displays a message similar to:
    Failed to execute action arn:aws:sns:<region>:<account-id>:<topic-name>. Received error: "Resource: arn:aws:cloudwatch:<region>:<account-id>:alarm:<alarm-name> is not authorized to perform: SNS:Publish on resource: arn:aws:sns:<region>:<account-id>:<topic-name>"
  • SNS uses the topic's access policy to restrict which principals can publish messages to the topic. If a permissions error occurs, then add the following statement under the Statement section of the SNS access policy. This statement grants the CloudWatch alarms service permission to publish messages to the SNS topic.
    Note: Replace <region> with the Region that this notification is for. Replace <account-id> with your account ID. Replace <topic-name> with the SNS topic name.
{
    "Sid": "Allow_Publish_Alarms",
    "Effect": "Allow",
    "Principal": {
        "Service": [
            "cloudwatch.amazonaws.com"
        ]
    },
    "Action": "sns:Publish",
    "Resource": "arn:aws:sns:<region>:<account-id>:<topic-name>"
}
Important: The preceding statement lets any user who can create alarms in your account publish messages to your SNS topic. Add global condition keys to restrict publishing to specific alarms. The following example uses the ArnLike condition operator and the aws:SourceArn global condition key so that only the named alarm can publish to the topic. For more information, see Example cases for Amazon SNS access control.

Note: Replace <region> with the Region that this notification is for. Replace <account-id> with your account ID. Replace <topic-name> with the SNS topic name. Replace <alarm-name> with the alarm name.

{
    "Sid": "Allow_Publish_Alarms",
    "Effect": "Allow",
    "Principal": {
        "Service": [
            "cloudwatch.amazonaws.com"
        ]
    },
    "Action": "sns:Publish",
    "Resource": "arn:aws:sns:<region>:<account-id>:<topic-name>",
    "Condition": {
        "ArnLike": {
            "aws:SourceArn": "arn:aws:cloudwatch:<region>:<account-id>:alarm:<alarm-name>"
        }
    }
}

If your trigger action failed due to SNS topic encryption:

  • The CloudWatch alarm history displays a message similar to:
    Failed to execute action arn:aws:sns:<region>:<account-id>:<topic-name>. Received error: "null (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException;)"
  • SNS supports encryption at rest for topics. If the default AWS Key Management Service (AWS KMS) key "alias/aws/sns" is used for this encryption, then CloudWatch alarms can't publish messages to the SNS topic. The key policy of the default AWS KMS key for SNS doesn't allow CloudWatch alarms to perform the "kms:Decrypt" and "kms:GenerateDataKey" API calls. Because this key is AWS managed, you can't edit its key policy.
  • If the SNS topic must be encrypted at rest, use a customer managed key instead. The customer managed key's policy must include the following statement under the Statement section. These permissions allow CloudWatch alarms to publish messages to the encrypted SNS topic.
{
    "Sid": "Allow_CloudWatch_for_CMK",
    "Effect": "Allow",
    "Principal": {
        "Service":[
            "cloudwatch.amazonaws.com"
        ]
    },
    "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey*"
    ],
    "Resource": "*"
}

If your trigger action succeeded, then:

  • The CloudWatch alarm history displays a message similar to:
    Successfully executed action arn:aws:sns:<region>:<account-id>:<topic-name>
  • This means the CloudWatch alarm successfully published a message to the SNS topic. If the notification wasn't delivered by SNS, check the SNS topic and its metrics for any delivery failures. For more information, see How do I access Amazon SNS topic delivery logs for push notifications?

Note: CloudWatch doesn't test or validate the actions that you specify. It also doesn't detect Amazon EC2 Auto Scaling or Amazon SNS errors resulting from an attempt to invoke nonexistent actions. Make sure that your actions exist.
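The three checks above (read the alarm history, inspect the topic access policy, inspect the key policy) can be scripted so that the triage is repeatable. The following is an added example, not code from this article or from AWS: it classifies alarm-history summaries shaped like the messages quoted above, and it audits an SNS topic policy and a KMS key policy (as Python dicts, the form you get after loading the JSON returned by the SNS and KMS APIs) for the grants the article describes. All ARNs, account IDs, topic and alarm names in it are constructed placeholders, and the wildcard matcher is a simplified stand-in for IAM's own policy evaluation.

```python
"""Offline triage for 'CloudWatch alarm fired but no SNS notification'.

Constructed example code, not from AWS. It (1) classifies alarm-history
summaries into the article's three cases and (2) audits an SNS topic access
policy and a KMS key policy for the grants the article says CloudWatch needs.
All ARNs, account IDs and names below are made-up placeholders.
"""
import re

CW_SERVICE = "cloudwatch.amazonaws.com"
TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:MyTopic"                 # placeholder
ALARM_ARN = "arn:aws:cloudwatch:us-east-1:111122223333:alarm:MyAlarm"   # placeholder

# Constructed alarm-history summaries shaped like the article's messages.
HISTORY = [
    f'Failed to execute action {TOPIC_ARN}. Received error: "Resource: {ALARM_ARN} '
    f'is not authorized to perform: SNS:Publish on resource: {TOPIC_ARN}"',
    f'Failed to execute action {TOPIC_ARN}. Received error: "null (Service: AWSKMS; '
    'Status Code: 400; Error Code: AccessDeniedException;)"',
    f"Successfully executed action {TOPIC_ARN}",
]


def classify_history(summary: str) -> str:
    """Map one alarm-history summary to the next thing to check."""
    if summary.startswith("Successfully executed action"):
        return "published"          # CloudWatch did its part; check SNS delivery
    if "AWSKMS" in summary and "AccessDeniedException" in summary:
        return "kms_denied"         # topic key policy blocks CloudWatch
    if "not authorized to perform: SNS:Publish" in summary:
        return "sns_policy_denied"  # topic access policy lacks the grant
    return "unknown"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """Simplified IAM-style wildcard match: '*' matches any run of characters."""
    rx = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(rx, value, re.IGNORECASE if ignore_case else 0) is not None


def _cloudwatch_allow_statements(policy: dict):
    """Yield Allow statements whose principal includes the CloudWatch service."""
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow":
            continue
        if principal == "*" or (isinstance(principal, dict) and
                                CW_SERVICE in _as_list(principal.get("Service", []))):
            yield stmt


def audit_topic_policy(policy: dict, topic_arn: str) -> dict:
    """Does the topic policy let CloudWatch publish to topic_arn, and is that
    grant pinned to a specific alarm with aws:SourceArn (the hardening above)?"""
    result = {"cloudwatch_can_publish": False, "scoped_by_source_arn": False}
    for stmt in _cloudwatch_allow_statements(policy):
        if not any(_glob(a, "sns:Publish", True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_glob(r, topic_arn) for r in _as_list(stmt.get("Resource", []))):
            continue
        result["cloudwatch_can_publish"] = True
        for operator, keys in stmt.get("Condition", {}).items():
            if operator.lower() in ("arnlike", "arnequals") and \
               any(k.lower() == "aws:sourcearn" for k in keys):
                result["scoped_by_source_arn"] = True
    return result


def audit_key_policy(policy: dict) -> bool:
    """True when the key policy grants CloudWatch both kms:Decrypt and
    kms:GenerateDataKey, the calls the article names."""
    needed = {"kms:Decrypt", "kms:GenerateDataKey"}
    granted = set()
    for stmt in _cloudwatch_allow_statements(policy):
        for action in _as_list(stmt.get("Action", [])):
            granted |= {n for n in needed if _glob(action, n, True)}
    return granted == needed


# Constructed policies: the first two topic policies mirror the article's
# unscoped and aws:SourceArn-scoped grants; the third allows only one IAM role.
TOPIC_POLICY_OPEN = {"Statement": [{
    "Sid": "Allow_Publish_Alarms", "Effect": "Allow",
    "Principal": {"Service": [CW_SERVICE]}, "Action": "sns:Publish",
    "Resource": TOPIC_ARN}]}
TOPIC_POLICY_SCOPED = {"Statement": [{
    **TOPIC_POLICY_OPEN["Statement"][0],
    "Condition": {"ArnLike": {"aws:SourceArn": ALARM_ARN}}}]}
TOPIC_POLICY_ROLE_ONLY = {"Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/Publisher"},
    "Action": "sns:Publish", "Resource": TOPIC_ARN}]}
KEY_POLICY_CMK = {"Statement": [{
    "Sid": "Allow_CloudWatch_for_CMK", "Effect": "Allow",
    "Principal": {"Service": [CW_SERVICE]},
    "Action": ["kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"}]}
KEY_POLICY_NO_CLOUDWATCH = {"Statement": [{   # stands in for a key CloudWatch can't use
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "kms:*", "Resource": "*"}]}

if __name__ == "__main__":
    for item in HISTORY:
        print(classify_history(item), "<-", item[:60])
    print("open topic policy:", audit_topic_policy(TOPIC_POLICY_OPEN, TOPIC_ARN))
    print("scoped topic policy:", audit_topic_policy(TOPIC_POLICY_SCOPED, TOPIC_ARN))
    print("role-only topic policy:", audit_topic_policy(TOPIC_POLICY_ROLE_ONLY, TOPIC_ARN))
    print("CMK policy ok:", audit_key_policy(KEY_POLICY_CMK))
    print("key without CloudWatch:", audit_key_policy(KEY_POLICY_NO_CLOUDWATCH))
```

In practice you would feed `audit_topic_policy` the parsed `Policy` attribute from the SNS GetTopicAttributes API and `audit_key_policy` the parsed document from the KMS GetKeyPolicy API; the `scoped_by_source_arn` flag is what distinguishes the unscoped grant the article warns about from the aws:SourceArn-restricted one it recommends.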
