Why didn't I receive an SNS notification for my CloudWatch alarm trigger?

Last updated: 2020-02-05

I created an Amazon CloudWatch alarm to send notifications through an Amazon Simple Notification Service (Amazon SNS) topic when the alarm's state changes. However, the CloudWatch alarm changed states, and I didn't receive an SNS notification. Why didn't I receive an SNS notification for my CloudWatch alarm trigger?

Resolution

Delivery of SNS notifications depends on the configuration of the SNS topic and the CloudWatch alarm. To determine why you're not receiving SNS notifications as expected, check the history of the CloudWatch alarm to find the status of the trigger action.

If your trigger action failed due to SNS access policy restrictions:

  • The CloudWatch alarm history displays a message similar to: Failed to execute action arn:aws:sns:<region>:<account-id>:<topic-name>. Received error: "Resource: arn:aws:cloudwatch:<region>:<account-id>:alarm:<alarm-name> is not authorized to perform: SNS:Publish on resource: arn:aws:sns:<region>:<account-id>:<topic-name>"
  • SNS restricts the sources that can publish messages to the topic using access policies. If a permissions error occurs, the following permissions must be added under the Statement section of the SNS access policy. This update grants permissions to the CloudWatch alarms service to publish messages to the SNS topic.
    Note: Replace <region> with the Region that this notification is for, <account-id> with your account ID, and <topic-name> with the SNS topic name.
{
    "Sid": "Allow_Publish_Alarms",
    "Effect": "Allow",
    "Principal": {
        "Service": [
            "cloudwatch.amazonaws.com"
        ]
    },
    "Action": "sns:Publish",
    "Resource": "arn:aws:sns:<region>:<account-id>:<topic-name>"
}

If your trigger action failed due to SNS topic encryption:

  • The CloudWatch alarm history displays a message similar to: Failed to execute action arn:aws:sns:<region>:<account-id>:<topic-name>. Received error: "null (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException;)"
  • SNS supports encryption at rest for topics. If the default AWS Key Management Service (KMS) key "alias/aws/sns" is used for this encryption, CloudWatch alarms can't publish messages to the SNS topic. The key policy of the default AWS KMS key for SNS doesn't allow CloudWatch alarms to perform the "kms:Decrypt" and "kms:GenerateDataKey" API calls, and because this key is AWS managed, you can't edit its policy.
  • If the SNS topic must be encrypted at rest, use a customer managed CMK instead. The customer managed CMK's key policy must include the following statement under its Statement section. This statement allows CloudWatch alarms to publish messages to the encrypted SNS topic.
{
    "Sid": "Allow_CloudWatch_for_CMK",
    "Effect": "Allow",
    "Principal": {
        "Service": [
            "cloudwatch.amazonaws.com"
        ]
    },
    "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
    ],
    "Resource": "*"
}
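The following is an added example, not part of this article, that checks a topic policy and (optionally) a key policy for the two failure causes described above: a missing SNS:Publish grant for cloudwatch.amazonaws.com, and an encrypted topic whose key is either alias/aws/sns or a customer managed CMK whose policy lacks kms:Decrypt and kms:GenerateDataKey. The topic ARN, key ARN and policy documents are constructed sample values; the checker evaluates Allow statements only and ignores Deny statements and Condition blocks.

```python
import fnmatch
import json

# Constructed sample values for this example (not from any real account)
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:alarm-topic"
TOPIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Allow_Publish_Alarms", "Effect": "Allow",
    "Principal": {"Service": ["cloudwatch.amazonaws.com"]},
    "Action": "sns:Publish", "Resource": TOPIC_ARN}]})
CMK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Allow_CloudWatch_for_CMK", "Effect": "Allow",
    "Principal": {"Service": ["cloudwatch.amazonaws.com"]},
    "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"}]})

def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _grants(stmt, action, resource):
    """True if an Allow statement lets cloudwatch.amazonaws.com perform `action`
    on `resource`. Deny statements and Condition blocks are not evaluated."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
    if principal != "*" and "cloudwatch.amazonaws.com" not in services:
        return False
    # IAM action names are case-insensitive; "*" and "?" wildcards are allowed
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]
    if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
        return False
    return any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource")))

def cloudwatch_can_publish(topic_policy, topic_arn, kms_key_id=None, key_policy=None):
    """Return (ok, reason) covering both failure cases from the article."""
    statements = _as_list(json.loads(topic_policy).get("Statement"))
    if not any(_grants(s, "SNS:Publish", topic_arn) for s in statements):
        return False, "topic policy does not allow cloudwatch.amazonaws.com to SNS:Publish"
    if kms_key_id is None:
        return True, "ok"  # unencrypted topic: only the topic policy matters
    if kms_key_id == "alias/aws/sns":
        return False, "topic uses the AWS managed key alias/aws/sns, whose policy cannot be edited"
    key_statements = _as_list(json.loads(key_policy or "{}").get("Statement"))
    for needed in ("kms:Decrypt", "kms:GenerateDataKey"):
        if not any(_grants(s, needed, "*") for s in key_statements):
            return False, f"key policy does not allow cloudwatch.amazonaws.com to {needed}"
    return True, "ok"
```

Feed it the output of `aws sns get-topic-attributes` (the Policy and KmsMasterKeyId attributes) and `aws kms get-key-policy` to check a real topic; a CMK key policy still needs the statement from the article, with `Resource` set to `"*"`.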

If your trigger action succeeded:

  • The CloudWatch alarm history displays a message similar to: Successfully executed action arn:aws:sns:<region>:<account-id>:<topic-name>.
  • This means the CloudWatch alarm successfully published a message to the SNS topic. If the notification wasn't delivered by SNS, check the SNS topic and its metrics for any delivery failures. For more information, see How do I troubleshoot failed Amazon SNS push notification deliveries?

Note: CloudWatch doesn't test or validate the actions that you specify. It also doesn't detect Amazon EC2 Auto Scaling or Amazon SNS errors resulting from an attempt to invoke nonexistent actions. Make sure that your actions exist.
