Why is my Amazon SNS topic not receiving EventBridge notifications?

3 minute read
2

I set up an Amazon EventBridge rule to send notifications to my Amazon Simple Notification Service (Amazon SNS) topic. Why isn't my Amazon SNS topic receiving the event notifications?

Resolution

Verify that the EventBridge rule's targets are in the same AWS Region as the rule

The targets you associate with a rule must be in the same Region as the rule.

Note: To see the Region that an AWS resource is in, review the resource's Amazon Resource Name (ARN).

Verify the cause of the issue by reviewing your EventBridge rule's "Invocations" and "FailedInvocations" metrics

In the CloudWatch console, review your EventBridge rule's Invocations and FailedInvocations metrics.

If there are data points for both metrics, then the EventBridge rule notification tried to invoke the target but the invocation failed. To resolve the issue, you must grant EventBridge the required permissions to publish messages to your topic. For instructions, see the Confirm that you've granted EventBridge the required permissions to publish messages to your topic section of this article.

If there are data points for the Invocations metric only, then the EventBridge rule notification didn't reach the target. To resolve the issue, correct the misconfiguration on the target.

For more information, see View available metrics in the CloudWatch User Guide.

Confirm that you've granted EventBridge the required permissions to publish messages to your topic

Your Amazon SNS topic's resource-based policy must allow EventBridge to publish messages to the topic. Review your topic's AWS Identity and Access Management (IAM) policy to confirm that it has the required permissions, and add them if needed.

Important: "events.amazonaws.com" must be listed as the "Service" value. "sns:Publish" must be listed as the "Action" value.

To add the required permissions, see My rule runs, but I don't see any messages published into my Amazon SNS topic.

Example IAM permissions statement that allows EventBridge to publish messages to an Amazon SNS topic

{
  "Sid": "AWSEvents_ArticleEvent_Id4950650036948",
  "Effect": "Allow",
  "Principal": {
    "Service": "events.amazonaws.com"
  },
  "Action": "sns:Publish",
  "Resource": "arn:aws:sns:us-east-1:123456789012:My_SNS_Topic"
}

(For topics with server-side encryption (SSE) activated) Confirm that your topic has the required AWS Key Management Service (AWS KMS) permissions

Your Amazon SNS topic must use an AWS KMS key that is customer managed. This AWS KMS key must include a custom key policy that gives EventBridge sufficient key usage permissions.

To set up the required AWS KMS permissions, do the following:

1.    Create a new AWS KMS key that is customer managed and includes the required permissions for EventBridge (events.amazonaws.com).

2.    Configure SSE for your Amazon SNS topic using the custom AWS KMS key you just created.

3.    Configure AWS KMS permissions that allow EventBridge to publish messages to your encrypted topic (events.amazonaws.com).

Example IAM policy statement that allows EventBridge to publish messages to an encrypted Amazon SNS topic

{
  "Sid": "Allow CWE to use the key",
  "Effect": "Allow",
  "Principal": {
    "Service": "events.amazonaws.com"
  },
  "Action": [
    "kms:Decrypt",
    "kms:GenerateDataKey*"
  ],
  "Resource": "*"
}

Related information

Getting started with Amazon EventBridge

AWS OFFICIAL
AWS OFFICIALUpdated 2 years ago