How can I troubleshoot not receiving notifications from EventBridge for AWS Backup?

I set up an Amazon EventBridge rule to send notifications for AWS Backup, but I don't receive any notifications.

Short description

To troubleshoot Amazon Simple Notification Service (Amazon SNS) notifications from Amazon EventBridge that aren't received, verify these configurations:

  • The event pattern and targets in the EventBridge rule are configured correctly.
  • The EventBridge rule is activated.
  • The Amazon SNS access policy includes events.amazonaws.com.
  • The Amazon SNS subscription is confirmed.
  • The AWS Key Management Service (AWS KMS) key policy includes sns.amazonaws.com and events.amazonaws.com.

Resolution

Verify that the event pattern and targets in the EventBridge rule are configured correctly

To verify the configuration of the event pattern and targets in the EventBridge rule, complete the following steps:

1.    Open the Amazon EventBridge console.

2.    In the navigation pane, choose Rules.

3.    For Name, choose your rule.

4.    For Event pattern, verify that the JSON object is configured with the correct source and state. The following is an example of a pattern to receive notifications about the status of a failed AWS Backup job:

{
  "source": ["aws.backup"],
  "detail-type": ["Backup Job State Change"],
  "detail": {
    "state": ["FAILED"]
  }
}

5.    For Targets, verify that the expected Target name is set up on the EventBridge rule. If you're using Amazon SNS, then confirm that the correct SNS topic is assigned.

Note: A rule's targets must be in the same AWS Region as the rule.

Verify that the EventBridge rule is activated

To verify the status of an EventBridge rule, complete the following steps:

  1. Open the Amazon EventBridge console.
  2. In the navigation pane, choose Rules.
  3. Choose the rule name that you want to update.
  4. Verify that your rule is in Enabled status.

Verify the permissions for the SNS topic access policy

To verify the SNS topic access policy allows events.amazonaws.com, complete the following steps:

1.    Open the Amazon SNS console.

2.    In the navigation pane, choose Topics.

3.    For Name, select your Amazon SNS topic.

4.    For Details, choose the Access policy tab.

5.    Verify that the AWS Identity and Access Management (IAM) access policy gives events.amazonaws.com permission to publish to the topic. The following is an example statement that allows events.amazonaws.com:

{
  "Statement": [{
    "Sid": "Statement1",
    "Effect": "Allow",
    "Principal": {
      "Service": "events.amazonaws.com"
    },
    "Action": "sns:Publish",
    "Resource": "arn:aws:sns:[region]:[account id]:[topic name]"
  }]
}

Verify the Amazon SNS subscription

To verify the Amazon SNS subscription, complete the following steps:

  1. Open the Amazon SNS console.
  2. In the navigation pane, choose Subscriptions.
  3. For your Amazon SNS subscription ID, verify that the status is Confirmed.
  4. If the status is Pending confirmation, then follow the instructions to confirm the subscription.

Verify the AWS KMS permissions

To verify the AWS KMS permissions, complete the following steps:

1.    Open the AWS KMS console.

2.    In the navigation pane, choose Customer managed keys.

3.    Choose the check box for the KMS keys that you want to review. Then, verify the KMS key is turned on. To turn on a KMS key, choose Key actions, Enable.

4.    For Key ID, select your AWS KMS key.

5.    For Key policy, choose Switch to policy view.

6.    Verify that the KMS key policy allows sns.amazonaws.com and events.amazonaws.com to use the key. The following is an example statement that allows both service principals:

{
  "Sid": "Allow access for Key User (SNS Service Principal)",
  "Effect": "Allow",
  "Principal": {
    "Service": [
      "sns.amazonaws.com",
      "events.amazonaws.com"
    ]
  },
  "Action": [
    "kms:GenerateDataKey*",
    "kms:Decrypt"
  ],
  "Resource": "*"
}
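
The SNS access policy check and the KMS key policy check above can also be run against exported policy JSON. The following is an added example, not code from AWS or from this article: the function names, the sample account ID, and the topic name are assumptions, and both sample policies are constructed. The key policy deliberately omits events.amazonaws.com to show the failure case.

```python
import fnmatch

# Grants the article says to verify: (service principal, action).
SNS_REQUIRED = [("events.amazonaws.com", "sns:Publish")]
KMS_REQUIRED = [(s, a) for s in ("sns.amazonaws.com", "events.amazonaws.com")
                for a in ("kms:GenerateDataKey", "kms:Decrypt")]

def _as_list(value):
    """Policy JSON allows a bare string wherever a list is accepted."""
    return value if isinstance(value, list) else ([] if value is None else [value])

def _matches(stmt, service, action):
    """Does this statement name the service principal and cover the action?"""
    principal = stmt.get("Principal")
    services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
    # Action names are case-insensitive and may contain * wildcards.
    return service in services and any(
        fnmatch.fnmatchcase(action.lower(), pattern.lower())
        for pattern in _as_list(stmt.get("Action")))

def service_allowed(policy, service, action):
    """True if some Allow statement matches and no Deny statement does.
    Wildcard principals, NotAction/NotPrincipal and Condition blocks are
    not evaluated; review statements that use them by hand."""
    statements = _as_list(policy.get("Statement"))
    if any(s.get("Effect") == "Deny" and _matches(s, service, action) for s in statements):
        return False
    return any(s.get("Effect") == "Allow" and _matches(s, service, action) for s in statements)

def missing_grants(policy, required):
    """Return the (service, action) pairs the policy does not grant."""
    return [(svc, act) for svc, act in required if not service_allowed(policy, svc, act)]

# Constructed sample policies (placeholder ARN, not from a real account).
TOPIC_POLICY = {"Statement": [{
    "Sid": "Statement1", "Effect": "Allow",
    "Principal": {"Service": "events.amazonaws.com"},
    "Action": "sns:Publish",
    "Resource": "arn:aws:sns:us-east-1:111122223333:example-topic"}]}
# Key policy that only names sns.amazonaws.com: EventBridge cannot use the key.
KEY_POLICY = {"Statement": [{
    "Sid": "Allow access for Key User (SNS Service Principal)", "Effect": "Allow",
    "Principal": {"Service": ["sns.amazonaws.com"]},
    "Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
    "Resource": "*"}]}

if __name__ == "__main__":
    print("SNS topic policy missing:", missing_grants(TOPIC_POLICY, SNS_REQUIRED))
    print("KMS key policy missing:", missing_grants(KEY_POLICY, KMS_REQUIRED))
```

An empty list means every required grant is present; any pair that is returned names the service principal and action to add to the policy.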

Related information

Monitoring AWS Backup events using EventBridge

Amazon EventBridge event patterns

Subscribing to an Amazon SNS topic

Encrypting messages published to Amazon SNS with AWS KMS

AWS OFFICIAL
Updated a year ago