How can I troubleshoot GuardDuty custom SNS notifications that are not being delivered?

Last updated: 2020-01-29

Why are my Amazon GuardDuty custom Amazon Simple Notification Service (Amazon SNS) notifications not being delivered?  

Short Description

I followed the instructions to configure an Amazon CloudWatch Events rule for GuardDuty to send custom SNS notifications if specific AWS service event types trigger. However, the SNS notifications weren't delivered.

Resolution

Follow these instructions to confirm the correct settings for:

  • Amazon SNS subscription confirmation
  • Amazon SNS topic AWS Identity and Access Management (IAM) access policy
  • AWS Key Management Service (AWS KMS) permissions
  • CloudWatch event pattern JSON object finding type

Confirm the Amazon SNS subscription

  1. Open the Amazon SNS console, and then choose Subscriptions.
  2. For your Amazon SNS subscription ID, verify that the status is Confirmed.
  3. If the status is Pending confirmation, follow the instructions to confirm the subscription.

Confirm permissions for the SNS topic access policy

  1. Open the Amazon SNS console, and then choose Topics.
  2. In Name, choose your Amazon SNS topic.
  3. In Details, choose the Access policy tab.
  4. Verify that the topic's access policy allows the events.amazonaws.com service principal to publish to the topic, with a statement similar to the following:
{
  "Sid": "AWSEvents",
  "Effect": "Allow",
  "Principal": {
    "Service": "events.amazonaws.com"
  },
  "Action": "sns:Publish",
  "Resource": "arn:aws:sns:YOUR-REGION:YOUR-ACCOUNT-ID:YOUR-SNS-TOPIC"
}

Confirm AWS Key Management Service (AWS KMS) permissions

  1. Open the AWS KMS console, and then choose Customer managed keys.
  2. In Key ID, choose your customer managed key (CMK).
  3. In Key policy, choose Switch to policy view.
  4. Verify that the key policy allows the events.amazonaws.com service principal to use the key that encrypts the topic, with a statement similar to the following:
{
    "Sid": "AWSEvents",
    "Effect": "Allow",
    "Principal": {
        "Service": "events.amazonaws.com"
    },
    "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
    ],
    "Resource": "*"
}

Confirm the CloudWatch event pattern JSON object finding type

  1. Open the CloudWatch console, and then choose Rules.
  2. In Name, choose your CloudWatch rule.
  3. In Event pattern, verify that the source and detail-type of the JSON object match GuardDuty findings, similar to the following:
{
  "source": [
    "aws.guardduty"
  ],
  "detail-type": [
    "GuardDuty Finding"
  ]
}
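The three settings above can be checked offline before touching the console. The following is an added example, not AWS code: it evaluates a topic access policy, a key policy and an event pattern against constructed sample documents (the policy fragments from this article plus a made-up GuardDuty finding event) and shows why a key policy that grants only kms:GenerateDataKey still breaks delivery.

```python
# Added example (not AWS's code): offline checks for the three settings above.
# All policy and event documents here are constructed samples, not fetched from AWS.
from fnmatch import fnmatchcase

EVENTS_PRINCIPAL = "events.amazonaws.com"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def principal_allows(policy, actions):
    """True if an Allow statement grants events.amazonaws.com every action; wildcard principals are rejected."""
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if EVENTS_PRINCIPAL not in _as_list(principal.get("Service", [])):
            continue
        granted = [g.lower() for g in _as_list(stmt.get("Action", []))]
        if all(any(fnmatchcase(a.lower(), g) for g in granted) for a in actions):
            return True
    return False

def sns_topic_policy_ok(policy):
    return principal_allows(policy, ["sns:Publish"])

def kms_key_policy_ok(policy):
    return principal_allows(policy, ["kms:GenerateDataKey", "kms:Decrypt"])

def pattern_matches(pattern, event):
    """Top-level EventBridge matching: every pattern key must list the event's value."""
    return all(event.get(key) in _as_list(allowed) for key, allowed in pattern.items())

# Constructed samples mirroring the policy fragments in the article.
SNS_POLICY = {"Statement": [{"Sid": "AWSEvents", "Effect": "Allow",
    "Principal": {"Service": "events.amazonaws.com"}, "Action": "sns:Publish",
    "Resource": "arn:aws:sns:YOUR-REGION:YOUR-ACCOUNT-ID:YOUR-SNS-TOPIC"}]}
KMS_POLICY = {"Statement": [{"Sid": "AWSEvents", "Effect": "Allow",
    "Principal": {"Service": "events.amazonaws.com"},
    "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": "*"}]}
# Common misconfiguration: only GenerateDataKey is granted, so Decrypt is missing.
KMS_POLICY_PARTIAL = {"Statement": [{"Effect": "Allow",
    "Principal": {"Service": "events.amazonaws.com"},
    "Action": "kms:GenerateDataKey", "Resource": "*"}]}
PATTERN = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}
FINDING_EVENT = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
                 "detail": {"type": "EXAMPLE-FINDING-TYPE"}}  # constructed event
if __name__ == "__main__":
    print(sns_topic_policy_ok(SNS_POLICY), kms_key_policy_ok(KMS_POLICY),
          kms_key_policy_ok(KMS_POLICY_PARTIAL), pattern_matches(PATTERN, FINDING_EVENT))
```

To check a live account, feed the JSON returned by the SNS GetTopicAttributes Policy attribute, KMS GetKeyPolicy and the rule's event pattern into the same functions.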