How can I get my Amazon SQS subscription to successfully receive a notification from my Amazon SNS topic?

Last updated: 2021-07-08

My Amazon Simple Queue Service (Amazon SQS) subscription won't receive a notification from my Amazon Simple Notification Service (Amazon SNS) topic.

Short description

Before you get started, configure Amazon CloudWatch delivery status logging for your SNS topic. For more information, see Monitoring Amazon SNS topics using CloudWatch.

Then, try the following troubleshooting steps.

Resolution

Configure your SQS queue's access policy to allow Amazon SNS to send messages

To view the access policy of your SQS queue, see Configure your access policy.

If your SQS queue's access policy doesn't include the "sqs:SendMessage" action for your SNS topic, then update your policy with the correct permissions. The permissions must allow Amazon SNS to send messages to the SQS queue.
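The following added example (not from the original article or from AWS) builds a least-privilege queue access policy for this case and checks an existing policy for the required grant. The ARNs are the sample values used in the logs later in this article; the aws:SourceArn condition goes beyond what the article states, and restricts the grant to one topic so that no other SNS topic can push messages into the queue.

```python
SNS_SERVICE = "sns.amazonaws.com"


def build_queue_policy(queue_arn: str, topic_arn: str) -> dict:
    """Return an SQS access policy that lets Amazon SNS deliver to the queue.

    The aws:SourceArn condition (an addition to what the article shows) limits
    the grant to one topic instead of every SNS topic in every account.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowSnsTopicToSendMessage",
                "Effect": "Allow",
                "Principal": {"Service": SNS_SERVICE},
                "Action": "sqs:SendMessage",
                "Resource": queue_arn,
                "Condition": {"ArnEquals": {"aws:SourceArn": topic_arn}},
            }
        ],
    }


def _as_list(value):
    # IAM policy elements may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def sns_can_send(policy: dict, queue_arn: str, topic_arn: str) -> bool:
    """Check whether a parsed queue policy grants sqs:SendMessage to the SNS
    service for this queue. An aws:SourceArn condition, if present, must name
    the topic; a wildcard principal ("*" or {"AWS": "*"}) also counts."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if not wildcard and SNS_SERVICE not in services:
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a in ("sqs:sendmessage", "sqs:*") for a in actions):
            continue
        resources = _as_list(stmt.get("Resource", []))
        if queue_arn not in resources and "*" not in resources:
            continue
        source = stmt.get("Condition", {}).get("ArnEquals", {}).get("aws:SourceArn")
        if source is not None and topic_arn not in _as_list(source):
            continue
        return True
    return False
```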

Configure your AWS KMS key policy to work with server-side encryption on your SQS queue

If server-side encryption is enabled on your SQS queue, you must do the following:

1.    Verify that the AWS KMS key is enabled (key status Enabled).

2.    Verify that your SQS queue is using a customer managed key. The KMS key must have an AWS Key Management Service (AWS KMS) key policy that grants Amazon SNS the correct permissions.

To allow the SNS event source to perform kms:GenerateDataKey and kms:Decrypt API actions, add the following statement to the KMS key policy:

{
    "Sid": "Allow Amazon SNS to use this key",
    "Effect": "Allow",
    "Principal": {
        "Service": "sns.amazonaws.com"
    },
    "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey*"
    ],
    "Resource": "*"
}

If the KMS key policy isn't configured, then the Amazon SNS message delivery status logs show the following KMS.AccessDeniedException error:

{
    "notification": {
        "messageMD5Sum": "1234567890abcdefghijklmnopqrstu0",
        "messageId": "abcdef01-gh23-4i5j-678k-90l23m45nopq",
        "topicArn": "arn:aws:sns:us-east-1:111111111111:sns",
        "timestamp": "2021-06-17 17:08:10.299"
    },
    "delivery": {
        "deliveryId": "12a3b4c5-6789-0de1-fgh2-ij34k56lmn78",
        "destination": "arn:aws:sqs:us-east-1:111111111111:sns-sqs",
        "providerResponse": "{\"ErrorCode\":\"KMS.AccessDeniedException\",\"ErrorMessage\":\"null (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Request ID: 12a345b6-7c89-0d1e-2f34-5gh67i8kl901; Proxy: null)\",\"sqsRequestId\":\"Unrecoverable\"}",
        "dwellTimeMs": 60,
        "attempts": 1,
        "statusCode": 400
    },
    "status": "FAILURE"
}

Confirm that your subscribed SQS queue's filter policy matches the message sent from the SNS topic

Review the NumberOfNotificationsFilteredOut metric in your CloudWatch metrics for Amazon SNS.

Publish requests made by the AWS Identity and Access Management (IAM) entity that publishes to your topic are counted in the NumberOfNotificationsFilteredOut metric when the subscription's filter policy rejects them. In this scenario, check the SNS topic subscription filter policy of your SQS queue:

1.    Open the Amazon SNS console.

2.    On the navigation pane, choose Subscriptions.

3.    Select your subscription, and then choose Edit.

4.    Expand the Subscription filter policy section.

5.    In the subscription filter policy, confirm that the Publish request message attributes match the attributes required by the filter policy. If the attributes don't match, then update your Publish request message attributes to match the attributes required by the filter policy.

Note: For more information, see Amazon SNS subscription filter policies.

6.    Choose Save changes.
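To reproduce the comparison in step 5 offline, here is an added example (not from the original article or from AWS) that evaluates Publish request message attributes against an attribute-based subscription filter policy. It implements the common condition forms (exact string, prefix, anything-but, numeric ranges, exists) for String, Number and String.Array attributes; the filter policy and message in the test are constructed sample values.

```python
import json


def _attribute_values(attr: dict) -> list:
    """Normalise one SNS message attribute to the values it can match on.
    String.Array values are JSON-encoded arrays; Number values are parsed."""
    dtype, raw = attr.get("DataType", "String"), attr.get("StringValue", "")
    if dtype == "String.Array":
        return json.loads(raw)
    if dtype == "Number":
        return [float(raw)]
    return [raw]


_NUMERIC_OPS = {"=": lambda a, b: a == b, ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
                "<": lambda a, b: a < b, "<=": lambda a, b: a <= b}


def _condition_matches(cond, value) -> bool:
    """One filter-policy condition against one attribute value."""
    if not isinstance(cond, dict):                 # plain literal: exact match
        return value == cond
    if "exists" in cond:                           # value is present here
        return cond["exists"] is True
    if "prefix" in cond:
        return isinstance(value, str) and value.startswith(cond["prefix"])
    if "anything-but" in cond:
        excluded = cond["anything-but"]
        return value not in (excluded if isinstance(excluded, list) else [excluded])
    if "numeric" in cond and isinstance(value, float):
        spec = cond["numeric"]                     # e.g. [">", 0, "<=", 150]
        return all(_NUMERIC_OPS[op](value, bound) for op, bound in zip(spec[::2], spec[1::2]))
    return False


def message_matches_filter(filter_policy: dict, message_attributes: dict) -> bool:
    """True when every key in the filter policy is satisfied by at least one of
    its conditions; a message that fails is what NumberOfNotificationsFilteredOut counts."""
    for name, conditions in filter_policy.items():
        attr = message_attributes.get(name)
        if attr is None:
            # A missing attribute satisfies the key only through {"exists": false}
            if any(isinstance(c, dict) and c.get("exists") is False for c in conditions):
                continue
            return False
        values = _attribute_values(attr)
        if not any(_condition_matches(c, v) for c in conditions for v in values):
            return False
    return True
```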

Troubleshoot raw message delivery issues

If you enabled raw message delivery for your SQS queue subscription, then verify that you're sending no more than 10 message attributes in the published notification.

Amazon SNS maps the message attributes of messages with raw message delivery enabled to SQS message attributes. If you use more than 10 message attributes, then the notification delivery fails and your delivery status logs show the following error log:

{
    "notification": {
        "messageMD5Sum": "5c10d6c5d7f246fc3fb85334b4ed55ca",
        "messageId": "50f51b06-ee71-56fc-b657-424391902ee7",
        "topicArn": "arn:aws:sns:us-east-1:111111111111:sns",
        "timestamp": "2021-06-17 16:51:45.468"
    },
    "delivery": {
        "deliveryId": "36b3ee88-bc85-5587-b2af-b7cdc3644e07",
        "destination": "arn:aws:sqs:us-east-1:111111111111:sns-sqs",
        "providerResponse": "{\"ErrorCode\":\"InvalidParameterValue\",\"ErrorMessage\":\"Number of message attributes [SENT DURING PUBLISH] exceeds the allowed maximum [10].\",\"sqsRequestId\":\"Unrecoverable\"}",
        "dwellTimeMs": 44,
        "attempts": 1,
        "statusCode": 400
    },
    "status": "FAILURE"
}
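Both failure logs in this article (the KMS.AccessDeniedException entry and the InvalidParameterValue entry above) embed the SQS error as a JSON string inside providerResponse, so it has to be decoded a second time. The following added example (not from the original article or from AWS) triages one CloudWatch delivery status log entry and maps the two error codes discussed here to their fix; the sample entry is constructed, modelled on the KMS log above, and the hint table is an assumption for illustration.

```python
import json

# Error codes covered in this article, mapped to the fix each section describes.
REMEDIATION = {
    "KMS.AccessDeniedException": "grant sns.amazonaws.com kms:Decrypt and kms:GenerateDataKey* "
                                 "in the queue's KMS key policy",
    "InvalidParameterValue": "raw message delivery: publish no more than 10 message attributes",
}


def triage_delivery_log(log_line: str) -> dict:
    """Parse one SNS delivery status log entry and summarise a failed delivery.

    providerResponse is itself a JSON document stored as a string, so it is
    decoded again to reach the ErrorCode reported by the SQS endpoint."""
    entry = json.loads(log_line)
    delivery = entry.get("delivery", {})
    result = {"status": entry.get("status"), "destination": delivery.get("destination"),
              "statusCode": delivery.get("statusCode"), "errorCode": None, "hint": None}
    if result["status"] != "FAILURE":
        return result
    try:
        provider = json.loads(delivery.get("providerResponse") or "{}")
    except json.JSONDecodeError:
        provider = {"ErrorCode": "UNPARSEABLE", "ErrorMessage": delivery.get("providerResponse")}
    code = provider.get("ErrorCode")
    result["errorCode"] = code
    result["errorMessage"] = provider.get("ErrorMessage")
    result["hint"] = REMEDIATION.get(code, "no article-specific hint; inspect errorMessage")
    return result


# Constructed sample entry, modelled on the KMS.AccessDeniedException log in this article.
SAMPLE_FAILURE = json.dumps({
    "notification": {"messageId": "00000000-0000-0000-0000-000000000000",
                     "topicArn": "arn:aws:sns:us-east-1:111111111111:sns"},
    "delivery": {"destination": "arn:aws:sqs:us-east-1:111111111111:sns-sqs",
                 "providerResponse": json.dumps({"ErrorCode": "KMS.AccessDeniedException",
                                                 "ErrorMessage": "null (Service: AWSKMS; Status Code: 400)",
                                                 "sqsRequestId": "Unrecoverable"}),
                 "dwellTimeMs": 60, "attempts": 1, "statusCode": 400},
    "status": "FAILURE"})

if __name__ == "__main__":
    print(json.dumps(triage_delivery_log(SAMPLE_FAILURE), indent=2))
```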

Troubleshoot message deduplication with notification delivery for SNS FIFO topics

SNS FIFO topics order and deduplicate messages. If a notification for a deduplication ID is successfully sent to an SNS FIFO topic, then any message published with the same deduplication ID, within the five-minute deduplication interval, is accepted but not delivered.

You can configure the deduplication ID in the Publish API operation. Or, the deduplication ID is computed by the FIFO topic based on the message body if content-based deduplication is enabled for the SNS FIFO topic.

The SNS FIFO topic continues to track the message deduplication ID, even after the message is delivered to subscribed endpoints.

For more information, see Message deduplication for FIFO topics.
