Why is my Amazon SNS topic not receiving CloudWatch Events notifications?

Last updated: 2021-09-10

I set up an Amazon CloudWatch Events rule to send notifications to my Amazon Simple Notification Service (Amazon SNS) topic. Why isn't my Amazon SNS topic receiving the event notifications?

Resolution

Verify that the CloudWatch Events rule's targets are in the same AWS Region as the rule

The targets you associate with a rule must be in the same Region as the rule. For more information, see Getting Started with Amazon CloudWatch Events.

Note: To see the Region that an AWS resource is in, review the resource's Amazon Resource Name (ARN).

Verify the cause of the issue by reviewing your CloudWatch Events rule's "Invocations" and "FailedInvocations" metrics

In the CloudWatch console, review your CloudWatch Events rule's Invocations and FailedInvocations metrics.

If there are data points for both metrics, then the CloudWatch Events rule notification tried to invoke the target but the invocation failed. To resolve the issue, you must grant CloudWatch the required permissions to publish messages to your topic. For instructions, see the Confirm that you've granted CloudWatch the required permissions to publish messages to your topic section of this article.

If there are data points for the Invocations metric only, the CloudWatch Events rule notification didn't reach the target. To resolve the issue, correct the misconfiguration on the target.

For more information, see Viewing available metrics in the CloudWatch user guide.

Confirm that you've granted CloudWatch the required permissions to publish messages to your topic

Your Amazon SNS topic's resource-based policy must allow CloudWatch to publish messages to the topic. Review your topic's access policy (a resource-based AWS Identity and Access Management (IAM) policy) to confirm that it has the required permissions, and add them if needed.

Important: "events.amazonaws.com" must be listed as the "Service" value. "sns:Publish" must be listed as the "Action" value.

To add the required permissions, follow the instructions in My rule runs, but I don't see any messages published into my Amazon SNS topic.

Example IAM permissions statement that allows CloudWatch to publish messages to an Amazon SNS topic

{
    "Sid": "AWSEvents_ArticleEvent_Id4950650036948",
    "Effect": "Allow",
    "Principal": {
        "Service": "events.amazonaws.com"
    },
    "Action": "sns:Publish",
    "Resource": "arn:aws:sns:us-east-1:123456789012:My_SNS_Topic"
}

(For topics with server-side encryption (SSE) activated) Confirm that your topic has the required AWS Key Management Service (AWS KMS) permissions

Your Amazon SNS topic must use an AWS KMS key that is customer managed. This KMS key must include a custom key policy that gives CloudWatch sufficient key usage permissions.

To set up the required AWS KMS permissions, do the following:

1. Create a new KMS key that is customer managed and includes the required permissions for CloudWatch.

2. Configure SSE for your Amazon SNS topic using the custom KMS key you just created.

3. Configure AWS KMS permissions that allow CloudWatch to publish messages to your encrypted topic.

Example IAM policy statement that allows CloudWatch to publish messages to an encrypted Amazon SNS topic

{
    "Sid": "Allow CWE to use the key",
    "Effect": "Allow",
    "Principal": {
        "Service": "events.amazonaws.com"
    },
    "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
    ],
    "Resource": "*"
}
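The following script is an added example, not AWS code from this article. It turns the checks in the three sections above into something you can run offline against policy documents you have already retrieved (the "Policy" attribute returned by aws sns get-topic-attributes and the output of aws kms get-key-policy): it reports whether the topic policy grants sns:Publish to events.amazonaws.com, whether the KMS key policy grants kms:Decrypt and kms:GenerateDataKey to the same principal, and whether any target ARN sits in a different Region from the rule ARN. The account ID, key ID and rule name are placeholders, and the sample policies are constructed for the demonstration; Deny statements and Conditions are not evaluated and still need a manual look.

```python
"""Offline checks for this article's permission requirements. Added example, not
AWS code: it inspects policy documents you already retrieved (the "Policy" attribute
from `aws sns get-topic-attributes`, the output of `aws kms get-key-policy`) and
reports which grants the CloudWatch Events service principal is missing.
Deny statements and Conditions are not evaluated; review those by hand."""
import json
from fnmatch import fnmatchcase

EVENTS_PRINCIPAL = "events.amazonaws.com"

def _as_list(value):
    """Action, Resource and Service may be a single string or a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _matches(pattern, value):
    """IAM-style match: case-insensitive, with '*' and '?' wildcards."""
    return fnmatchcase(value.lower(), pattern.lower())

def statement_grants(statement, action, resource):
    """True if this Allow statement grants `action` on `resource` to
    "Service": "events.amazonaws.com" (a bare "Principal": "*" is not counted)."""
    if statement.get("Effect") != "Allow":
        return False
    principal = statement.get("Principal")
    if not isinstance(principal, dict) or EVENTS_PRINCIPAL not in _as_list(principal.get("Service")):
        return False
    if not any(_matches(p, action) for p in _as_list(statement.get("Action"))):
        return False
    return any(_matches(p, resource) for p in _as_list(statement.get("Resource")))

def missing_grants(policy_document, required_actions, resource):
    """Return the required actions that no statement in the policy grants."""
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    statements = _as_list(policy.get("Statement"))
    return [a for a in required_actions
            if not any(statement_grants(s, a, resource) for s in statements)]

def check_topic_policy(policy_document, topic_arn):
    """SNS topic access policy: CloudWatch Events needs sns:Publish on the topic."""
    return missing_grants(policy_document, ["sns:Publish"], topic_arn)

def check_key_policy(policy_document, key_arn):
    """KMS key policy of an SSE topic: CloudWatch Events needs kms:Decrypt and
    kms:GenerateDataKey. Key policies normally name the key as "Resource": "*"."""
    return missing_grants(policy_document, ["kms:Decrypt", "kms:GenerateDataKey"], key_arn)

def arn_region(arn):
    """The Region is the fourth colon-separated field of an ARN."""
    return arn.split(":")[3]

def targets_outside_rule_region(rule_arn, target_arns):
    """Targets whose Region differs from the rule's Region (the article's first check)."""
    return [t for t in target_arns if arn_region(t) != arn_region(rule_arn)]

# --- Constructed sample data; account, key and rule identifiers are placeholders ---
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:My_SNS_Topic"
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"
RULE_ARN = "arn:aws:events:us-east-1:123456789012:rule/ArticleEvent"

# Default-style topic policy: only the account owner, no events.amazonaws.com grant.
OWNER_STATEMENT = {"Sid": "__default_statement_ID", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                   "Action": ["SNS:Publish", "SNS:Subscribe"], "Resource": TOPIC_ARN}
TOPIC_POLICY_MISSING = {"Version": "2012-10-17", "Statement": [OWNER_STATEMENT]}

# The same policy with the article's statement appended.
EVENTS_STATEMENT = {"Sid": "AWSEvents_ArticleEvent_Id4950650036948", "Effect": "Allow",
                    "Principal": {"Service": "events.amazonaws.com"},
                    "Action": "sns:Publish", "Resource": TOPIC_ARN}
TOPIC_POLICY_OK = {"Version": "2012-10-17", "Statement": [OWNER_STATEMENT, EVENTS_STATEMENT]}

# Key policy that grants only kms:Decrypt, so kms:GenerateDataKey is reported missing.
KEY_POLICY_PARTIAL = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Allow CWE to use the key", "Effect": "Allow",
     "Principal": {"Service": "events.amazonaws.com"},
     "Action": "kms:Decrypt", "Resource": "*"}]}

if __name__ == "__main__":
    print("default topic policy, missing:", check_topic_policy(TOPIC_POLICY_MISSING, TOPIC_ARN))
    print("fixed topic policy, missing:", check_topic_policy(TOPIC_POLICY_OK, TOPIC_ARN))
    print("partial key policy, missing:", check_key_policy(KEY_POLICY_PARTIAL, KEY_ARN))
    print("targets in another Region:", targets_outside_rule_region(
        RULE_ARN, [TOPIC_ARN, TOPIC_ARN.replace("us-east-1", "eu-west-1")]))
```

An empty list from check_topic_policy or check_key_policy means the corresponding grant from this article is present; a non-empty list names the action to add. The checker matches only statements whose Principal names the events.amazonaws.com service, so a topic that happens to be publishable by "Principal": "*" is still reported as missing the grant, which is the answer you want when tightening the policy rather than widening it.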
