How do I access Amazon SNS topic delivery logs for push notifications?

Last updated: 2021-06-28

I want to access Amazon Simple Notification Service (Amazon SNS) topic delivery logs for push notifications.

Short description

Before you complete the following steps, confirm that you're using an endpoint type for which Amazon SNS supports logging the delivery status of notification messages:

  • HTTP and HTTPS
  • Amazon Kinesis Data Firehose
  • AWS Lambda
  • Platform application endpoint
  • Amazon Simple Queue Service (Amazon SQS)
  • SMS

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

Resolution

Configure push notification delivery status attributes for Amazon CloudWatch Logs

Note: As an alternative to the following console steps, you can configure message delivery status using AWS SDKs or the AWS CLI.

1.    Open the Amazon SNS console.

2.    On the navigation menu, expand Mobile, and then choose Push notifications.

3.    In the Platform applications section, select the platform application that you want to have delivery status for.

4.    Choose Edit.

5.    Expand Delivery status logging – optional.

6.    For Success sample rate, in the % text box, enter 100.

7.    In the IAM roles section, for Service role, select Create new service role, and then choose Create new roles. The AWS Identity and Access Management (IAM) console opens.

Note: If you already have an IAM role with the right permissions, then you can use that service role by selecting Use existing service role instead.

8.    On the IAM console permission request page, choose Allow.

9.    After returning to the Amazon SNS console, choose Save changes.

IAM roles are now created for successful and failed deliveries, with the following policy and trust relationship for Amazon SNS. See the following examples:

IAM role for successful deliveries:

arn:aws:iam::1111111111:role/SNSSuccessFeedback

IAM role for failed deliveries:

arn:aws:iam::1111111111:role/SNSFailureFeedback

Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:PutMetricFilter",
                "logs:PutRetentionPolicy"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Trust relationships:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "sns.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
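The generated policy above allows its five CloudWatch Logs actions on every resource ("*"). The following Python is an added example, not part of the original article or AWS's own code: it flags that wildcard and builds a copy scoped to the sns/region/account-ID/ log group prefix this article describes. The function names are hypothetical, the scoped ARN is an assumption to confirm by checking that delivery logs still arrive, and the matcher only approximates IAM wildcard matching.

```python
import copy
import fnmatch

# Permissions policy as shown in this article (Resource is the bare wildcard).
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
                   "logs:PutMetricFilter", "logs:PutRetentionPolicy"],
        "Resource": ["*"],
    }],
}


def _resources(stmt):
    """Return a statement's Resource element as a list."""
    res = stmt.get("Resource", [])
    return [res] if isinstance(res, str) else list(res)


def wildcard_statements(policy):
    """Indexes of Allow statements that apply to every resource ("*")."""
    return [i for i, s in enumerate(policy["Statement"])
            if s.get("Effect") == "Allow" and "*" in _resources(s)]


def scope_to_sns_log_groups(policy, region, account_id):
    """Copy the policy, replacing "*" with the sns/<region>/<account>/ prefix."""
    # Assumption: SNS only needs log groups under this prefix (the naming shown here).
    arn = f"arn:aws:logs:{region}:{account_id}:log-group:sns/{region}/{account_id}/*"
    scoped = copy.deepcopy(policy)
    for i in wildcard_statements(scoped):
        stmt = scoped["Statement"][i]
        stmt["Resource"] = [arn if r == "*" else r for r in _resources(stmt)]
    return scoped


def allows_log_group(policy, region, account_id, log_group, stream="example"):
    """Approximate IAM matching: may the role write to a stream in log_group?"""
    target = f"arn:aws:logs:{region}:{account_id}:log-group:{log_group}:log-stream:{stream}"
    return any(fnmatch.fnmatchcase(target, r)
               for s in policy["Statement"] if s.get("Effect") == "Allow"
               for r in _resources(s))


if __name__ == "__main__":
    scoped = scope_to_sns_log_groups(PAGE_POLICY, "us-east-1", "1111111111")
    print(scoped["Statement"][0]["Resource"])
```
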

View delivery status logs

1.    Open the Amazon CloudWatch console.

2.    On the navigation pane, expand Logs, and then choose Log groups.

3.    In the Filter search box, enter sns to find only log groups for Amazon SNS.

The sns/your-AWS-region/your-account_ID/app/platform_name/application_name log group contains the successful delivery logs:

sns/us-east-1/1111111111/app/GCM/Test1
sns/us-east-1/1111111111/app/APNS_SANDBOX/Test2
sns/us-east-1/1111111111/app/APNS/Test3

The sns/your-AWS-region/your-account_ID/app/platform_name/application_name/Failure log group contains the failure delivery logs:

sns/us-east-1/1111111111/app/GCM/Test1/Failure
sns/us-east-1/1111111111/app/APNS_SANDBOX/Test2/Failure
sns/us-east-1/1111111111/app/APNS/Test3/Failure

4.    Choose the Amazon SNS log group that you want to view.

5.    On the Log streams tab, choose a particular log stream to view the application endpoint delivery logs.

Consider the following:

  • You can't add a prefix to the streams in CloudWatch Logs.
  • You can't directly change the default log group name for Amazon SNS.
  • The notification content isn't written to your CloudWatch logs. The SNS topic delivery logs write only the message metadata to CloudWatch.
  • If you publish on an SNS topic that has SMS and platform application endpoints, the delivery status logs are still populated for these endpoints in their respective log group.

Troubleshoot notification failures

Look up the statusCode with the provider service, such as FCM or APNs. For the provider's exact response message, view the providerResponse.

For a list of push notification service response codes, see Platform response codes.

