
Why didn't I receive an Amazon SNS notification for my CloudWatch alarm trigger?


I configured an Amazon CloudWatch alarm to send notifications to an Amazon Simple Notification Service (Amazon SNS) topic when the alarm's state changes. However, I don't receive SNS notifications when the state changes.

Resolution

To determine why you don't receive SNS notifications, check the CloudWatch alarm's history to view the trigger action's status.

SNS access policy restrictions

You receive an error message that's similar to the following in the CloudWatch alarm history:

"Failed to execute action arn:aws:sns:us-east-1:ACCOUNT_ID:TOPIC_NAME. Received error: "CloudWatch Alarms is not authorized to perform: SNS:Publish on resource: arn:aws:sns:us-east-1:ACCOUNT_ID:TOPIC_NAME""

This error occurs because the SNS access policy restricts CloudWatch access to the SNS topic.

Amazon SNS uses access policies to restrict the services that can publish messages to the topic. To grant permissions to CloudWatch to publish messages to the SNS topic, add the following permissions statement to the SNS access policy:

{
  "Sid": "Allow_Publish_Alarms",
  "Effect": "Allow",
  "Principal": {
    "Service": [
      "cloudwatch.amazonaws.com"
    ]
  },
  "Action": "sns:Publish",
  "Resource": "arn:aws:sns:us-east-1:ACCOUNT_ID:TOPIC_NAME"
}

Note: Replace us-east-1 with the AWS Region that the notification is for, ACCOUNT_ID with your AWS account ID, and TOPIC_NAME with the SNS topic name.

To restrict the ability to publish messages to the topic for specific alarms, add global condition keys. The following example policy uses the ArnLike condition operator and the aws:SourceArn global condition key:

{
  "Sid": "Allow_Publish_Alarms",
  "Effect": "Allow",
  "Principal": {
    "Service": [
      "cloudwatch.amazonaws.com"
    ]
  },
  "Action": "sns:Publish",
  "Resource": "arn:aws:sns:us-east-1:ACCOUNT_ID:TOPIC_NAME",
  "Condition": {
    "ArnLike": {
      "aws:SourceArn": "arn:aws:cloudwatch:us-east-1:ACCOUNT_ID:alarm:ALARM_NAME"
    }
  }
}

Note: Replace us-east-1 with the Region that the notification is for, ACCOUNT_ID with your account ID, TOPIC_NAME with the SNS topic name, and ALARM_NAME with the alarm name.

Any alarm whose ARN matches the aws:SourceArn pattern in the condition can publish to the SNS topic named in the policy's Resource. Because ACCOUNT_ID in that ARN identifies the account that owns the alarm, alarms in that account can publish to the topic. Restrict the policy so that the account that owns the SNS topic and the account that owns the alarm are the same account.

For more information, see Example cases for Amazon SNS access control.

SNS topic encryption issues

If your trigger action fails because of SNS topic encryption, then the CloudWatch alarm history displays an error message that's similar to the following:

"Failed to execute action arn:aws:sns:us-east-1:ACCOUNT_ID:TOPIC_NAME. Received error: "CloudWatch Alarms does not have authorization to access the SNS topic encryption key.""

If you configured Amazon SNS to use the default AWS Key Management Service (AWS KMS) alias/aws/sns key for server-side encryption, then CloudWatch can't publish to the SNS topic. The default AWS KMS key policy for Amazon SNS doesn't allow CloudWatch to perform kms:Decrypt and kms:GenerateDataKey API operations. Because AWS manages this key, you can't manually edit the policy.

If you must encrypt the SNS topic at rest, then use a customer managed key. The customer managed key must include the following permissions statement in the key policy:

{
  "Sid": "Allow_CloudWatch_for_CMK",
  "Effect": "Allow",
  "Principal": {
    "Service": [
      "cloudwatch.amazonaws.com"
    ]
  },
  "Action": [
    "kms:Decrypt",
    "kms:GenerateDataKey*"
  ],
  "Resource": "*"
}
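The following added example (not part of the Knowledge Center article and not an AWS tool) is an offline checker for the two policy requirements above: it evaluates whether a topic access policy with an ArnLike aws:SourceArn condition lets CloudWatch publish from a given alarm, whether a KMS key policy grants CloudWatch the kms:Decrypt and kms:GenerateDataKey permissions, and whether topic and alarm live in the same account. The account ID 111122223333, the alarm name, and the key ID are constructed placeholders; the evaluator is deliberately conservative and treats any condition it does not understand as a denial.

```python
import fnmatch

# Constructed sample ARNs and policies modelled on the article's statements.
CLOUDWATCH = "cloudwatch.amazonaws.com"
TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:TOPIC_NAME"
ALARM_ARN = "arn:aws:cloudwatch:us-east-1:111122223333:alarm:HighCPU"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"

TOPIC_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Allow_Publish_Alarms", "Effect": "Allow",
    "Principal": {"Service": [CLOUDWATCH]},
    "Action": "sns:Publish", "Resource": TOPIC_ARN,
    "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:cloudwatch:us-east-1:111122223333:alarm:*"}},
}]}
KEY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Allow_CloudWatch_for_CMK", "Effect": "Allow",
    "Principal": {"Service": [CLOUDWATCH]},
    "Action": ["kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*",
}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _statement_allows(stmt, service, action, resource, source_arn):
    """Conservative check: Allow + service principal + action/resource match + ArnLike/ArnEquals on aws:SourceArn."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal", {})
    services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
    if principal != "*" and service not in services:
        return False
    # IAM action names are case-insensitive and may carry wildcards (kms:GenerateDataKey*).
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt.get("Action", []))):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))):
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        if operator not in ("ArnLike", "ArnEquals") or set(keys) != {"aws:SourceArn"}:
            return False  # unsupported condition: cannot prove the statement applies
        if not any(fnmatch.fnmatchcase(source_arn, p) for p in _as_list(keys["aws:SourceArn"])):
            return False
    return True

def cloudwatch_can_publish(policy, topic_arn, alarm_arn):
    return any(_statement_allows(s, CLOUDWATCH, "sns:Publish", topic_arn, alarm_arn)
               for s in policy["Statement"])

def cloudwatch_can_use_key(key_policy, key_arn):
    return all(any(_statement_allows(s, CLOUDWATCH, a, key_arn, "") for s in key_policy["Statement"])
               for a in ("kms:Decrypt", "kms:GenerateDataKey"))

def same_account(topic_arn, alarm_arn):
    return topic_arn.split(":")[4] == alarm_arn.split(":")[4]
```

A policy that grants sns:Publish without the condition is still flagged as allowed, so use same_account to catch the cross-account case the article warns about.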

Successful execution

If your trigger action succeeds, then the CloudWatch alarm history displays a message that's similar to the following one:

"Successfully executed action arn:aws:sns:us-east-1:ACCOUNT_ID:TOPIC_NAME"

If you don't receive an SNS notification, then check the SNS topic and its metrics for delivery failures. For more information, see How do I access Amazon SNS topic delivery logs for push notifications?

CloudWatch doesn't test or validate the actions that you specify. CloudWatch also doesn't detect Amazon EC2 Auto Scaling or Amazon SNS errors that occur when you try to invoke nonexistent actions. Make sure that your actions exist.

Related information

Using Amazon CloudWatch alarms

Encrypting messages published to Amazon SNS with AWS KMS

2 Comments

For email notifications I had chosen an SNS topic which had encryption enabled with an AWS managed KMS key. After removing it and updating the alarm I still do not get the emails. I have enabled the billing preference in the Billing Console. I do not see any error in the CloudWatch alarm history either.

replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 2 years ago