Why didn't my Amazon SNS topic receive EventBridge notifications?

I set up an Amazon EventBridge rule to send notifications to my Amazon Simple Notification Service (Amazon SNS) topic. However, my Amazon SNS topic didn't receive the event notifications.

Resolution

Verify that the EventBridge rule's targets are in the same Region as the rule

The targets that you associate with a rule must be in the same AWS Region as the rule.

Note: To find the Region that an AWS resource is in, review the resource's Amazon Resource Name (ARN).

Review your EventBridge rule's "Invocations" and "FailedInvocations" metrics to determine the issue

Use the Amazon CloudWatch console to review your EventBridge rule's Invocations and FailedInvocations metrics.

If there are data points for both metrics, then the EventBridge rule notification tried to invoke the target but the invocation failed. To resolve the issue, you must grant EventBridge the required permissions to publish messages to your topic. For instructions, see the Confirm that you granted EventBridge the required permissions to publish messages to your topic section of this article.

If there are data points for only the Invocations metric, then the EventBridge rule notification didn't reach the target. To resolve the issue, reconfigure the rule for the target.

Confirm that you granted EventBridge the required permissions to publish messages to your topic

Your Amazon SNS topic's resource-based policy must allow EventBridge to publish messages to the topic. Review your topic's AWS Identity and Access Management (IAM) policy to confirm that it has the required permissions. If the policy doesn't have them, then add the required permissions.

Important: You must list events.amazonaws.com as the Service value, and sns:Publish as the Action value.

Example IAM permissions statement that allows EventBridge to publish messages to an Amazon SNS topic:

{
    "Sid": "AWSEvents_ArticleEvent_Id4950650036948",
    "Effect": "Allow",
    "Principal": {
        "Service": "events.amazonaws.com"
    },
    "Action": "sns:Publish",
    "Resource": "arn:aws:sns:us-east-1:123456789012:My_SNS_Topic"
}

Verify that the execution role allows EventBridge to publish to the target

The IAM execution role assigned to your EventBridge rule's target requires a trust relationship with the EventBridge service. Make sure that your role trust policy includes EventBridge (events.amazonaws.com) as a trusted entity. If the trust policy doesn't include the required permissions, then update the trust policy to grant EventBridge permission to assume the role.

Example IAM trust relationship statement that allows EventBridge to assume the target's execution role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "events.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "ACCOUNT-ID",
                    "aws:SourceArn": "EVENTBRIDGE-RULE-ARN"
                }
            }
        }
    ]
}

Important: List events.amazonaws.com as the Service value, and sts:AssumeRole as the Action value. Replace ACCOUNT-ID with your AWS account ID, and EVENTBRIDGE-RULE-ARN with your ARN.

(For topics with SSE activated) Confirm that your topic has the required AWS KMS permissions

Your Amazon SNS topic must use an AWS Key Management Service (AWS KMS) customer managed key. This AWS KMS key must include a custom key policy that gives EventBridge permission to use the key.

To set up the required AWS KMS permissions, complete the following steps:

  1. Create a new customer managed key, and make sure that you include the required permissions for EventBridge (events.amazonaws.com).
  2. Use the customer managed key to configure server-side encryption (SSE) for your Amazon SNS topic.
  3. Configure AWS KMS permissions that allow EventBridge (events.amazonaws.com) to publish messages to your encrypted topic.

Example IAM policy statement that allows EventBridge to publish messages to an encrypted Amazon SNS topic:

{
    "Sid": "Allow CWE to use the key",
    "Effect": "Allow",
    "Principal": {
        "Service": "events.amazonaws.com"
    },
    "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey*"
    ],
    "Resource": "*"
}
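
The following Python check is an added example, not part of the original article and not an AWS tool. It inspects a topic policy and, for topics with SSE activated, a key policy for the events.amazonaws.com statements described in the permissions sections above. The function names, sample policies and key ARN are constructed for illustration.

```python
import fnmatch

SERVICE = "events.amazonaws.com"  # principal the article says must be listed

def _as_list(value):
    # IAM accepts a single value or a list for Statement, Principal, Action, Resource.
    return [] if value is None else value if isinstance(value, list) else [value]

def _matches(patterns, value, fold=False):
    # Policy wildcards are * and ?; action names compare case-insensitively.
    norm = str.lower if fold else str
    return any(fnmatch.fnmatchcase(norm(value), norm(p)) for p in _as_list(patterns))

def allows(policy, action, resource):
    """True if an Allow statement names SERVICE for `action` on `resource`.
    Condition blocks and explicit Deny statements are not evaluated."""
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow" and SERVICE in services
                and _matches(stmt.get("Action"), action, fold=True)
                and _matches(stmt.get("Resource"), resource)):
            return True
    return False

def diagnose(topic_arn, topic_policy, key_arn=None, key_policy=None):
    """Return the missing permissions; an empty list means none were found missing."""
    missing = []
    if not allows(topic_policy, "sns:Publish", topic_arn):
        missing.append("topic policy: sns:Publish")
    if key_policy is not None:  # only checked for topics with SSE activated
        for action in ("kms:Decrypt", "kms:GenerateDataKey"):
            if not allows(key_policy, action, key_arn):
                missing.append(f"key policy: {action}")
    return missing

# Constructed sample policies modelled on the statements in this article.
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:My_SNS_Topic"
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID"  # placeholder
TOPIC_OK = {"Statement": [{"Effect": "Allow", "Principal": {"Service": SERVICE},
                           "Action": "sns:Publish", "Resource": TOPIC_ARN}]}
TOPIC_OWNER_ONLY = {"Statement": [{"Effect": "Allow", "Action": "sns:*", "Resource": TOPIC_ARN,
                                   "Principal": {"AWS": "arn:aws:iam::123456789012:root"}}]}
KEY_OK = {"Statement": {"Effect": "Allow", "Principal": {"Service": SERVICE},
                        "Action": ["kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"}}
KEY_DECRYPT_ONLY = {"Statement": [{"Effect": "Allow", "Principal": {"Service": SERVICE},
                                   "Action": "kms:Decrypt", "Resource": "*"}]}
if __name__ == "__main__":
    print(diagnose(TOPIC_ARN, TOPIC_OWNER_ONLY, KEY_ARN, KEY_DECRYPT_ONLY))
```

To check real resources, pass in the parsed policy documents of your own topic and key in place of the constructed samples.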