Setting up Amazon SNS notifications - Amazon CloudWatch

Setting up Amazon SNS notifications

Amazon CloudWatch uses Amazon SNS to send email. First, create and subscribe to an SNS topic. When you create a CloudWatch alarm, you can add this SNS topic to send an email notification when the alarm changes state. For more information, see the Amazon Simple Notification Service Getting Started Guide.

Alternatively, if you plan to create your CloudWatch alarm using the AWS Management Console, you can skip this procedure because you can create the topic when you create the alarm.

Note

When you create an Amazon SNS topic, you choose to make it a standard topic or a FIFO topic. CloudWatch guarantees the publication of all alarm notifications to both types of topics. However, even if you use a FIFO topic, in rare cases CloudWatch sends the notifications to the topic out of order. If you use a FIFO topic, the alarm sets the message group ID of the alarm notifications to be a hash of the ARN of the alarm.

Preventing confused deputy issues

To prevent cross-service confused deputy security issues, we recommend that you use the aws:SourceArn and aws:SourceAccount global condition keys in the Amazon SNS resource policy that grants permission to CloudWatch to access your Amazon SNS resources.

The following example resource policy uses the aws:SourceArn and aws:SourceAccount condition keys to restrict the SNS:Publish permission so that it can be used only by CloudWatch alarms in the specified account.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudwatch.amazonaws.com"
            },
            "Action": "SNS:Publish",
            "Resource": "arn:aws:sns:us-east-2:444455556666:MyTopic",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:cloudwatch:us-east-2:111122223333:alarm:*"
                },
                "StringEquals": {
                    "aws:SourceAccount": "111122223333"
                }
            }
        }
    ]
}

If an alarm ARN includes any non-ASCII characters, use only the aws:SourceAccount global condition key to limit the permissions.
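The following script is an added example (not part of the AWS documentation) that builds the recommended topic policy for a given topic and alarm account, and audits an existing topic policy for statements that let CloudWatch publish without either scoping key, which is the confused-deputy exposure described above. The topic ARN, account ID and region are the placeholder values from the page's example; the "Version" field, the helper names and the non-ASCII switch (alarm_arns_ascii) are this example's own assumptions.

```python
import json

# Constructed placeholder values taken from the page's example policy (not real resources).
TOPIC_ARN = "arn:aws:sns:us-east-2:444455556666:MyTopic"
ALARM_ACCOUNT = "111122223333"
ALARM_REGION = "us-east-2"

# Condition keys that tie the grant to a specific calling alarm or account (compared case-insensitively).
SCOPING_KEYS = {"aws:sourcearn", "aws:sourceaccount"}


def build_cloudwatch_publish_policy(topic_arn, alarm_account, alarm_region, alarm_arns_ascii=True):
    """Build the topic policy the page recommends: CloudWatch may publish to topic_arn
    only on behalf of alarms in alarm_account. When alarm names may contain non-ASCII
    characters, aws:SourceArn is dropped and only aws:SourceAccount is used, as the page advises."""
    condition = {"StringEquals": {"aws:SourceAccount": alarm_account}}
    if alarm_arns_ascii:
        condition["ArnLike"] = {
            "aws:SourceArn": f"arn:aws:cloudwatch:{alarm_region}:{alarm_account}:alarm:*"
        }
    return {
        "Version": "2012-10-17",  # standard policy-language version; the page's example omits it
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "cloudwatch.amazonaws.com"},
            "Action": "SNS:Publish",
            "Resource": topic_arn,
            "Condition": condition,
        }],
    }


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _grants_publish_to_cloudwatch(stmt):
    """True for an Allow statement whose principal covers the CloudWatch service principal
    (or everyone) and whose action covers SNS:Publish."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    if principal == "*":
        covers_cloudwatch = True
    elif isinstance(principal, dict):
        services = [s.lower() for s in _as_list(principal.get("Service", []))]
        aws_principals = _as_list(principal.get("AWS", []))
        covers_cloudwatch = "cloudwatch.amazonaws.com" in services or "*" in aws_principals
    else:
        covers_cloudwatch = False
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    covers_publish = any(a in ("sns:publish", "sns:*", "*") for a in actions)
    return covers_cloudwatch and covers_publish


def _condition_keys(stmt):
    """Collect every condition key in the statement, across all condition operators."""
    keys = set()
    for operator_block in stmt.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_block)
    return keys


def unscoped_cloudwatch_grants(policy):
    """Return the indices of statements that let CloudWatch publish to the topic without
    aws:SourceArn or aws:SourceAccount, i.e. on behalf of alarms in any account."""
    unscoped = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if _grants_publish_to_cloudwatch(stmt) and not (_condition_keys(stmt) & SCOPING_KEYS):
            unscoped.append(i)
    return unscoped


if __name__ == "__main__":
    policy = build_cloudwatch_publish_policy(TOPIC_ARN, ALARM_ACCOUNT, ALARM_REGION)
    print(json.dumps(policy, indent=4))
    print("unscoped statements:", unscoped_cloudwatch_grants(policy))
```

The generated document can be written to a file and attached to the topic with the AWS CLI's set-topic-attributes command (attribute name Policy); that command is not part of this page and is mentioned here only as the usual way to apply the policy. The audit function is deliberately conservative: a statement whose principal is the CloudWatch service principal or a wildcard, and whose action includes SNS:Publish, is reported unless at least one of the two scoping keys is present.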

Setting up an Amazon SNS topic using the AWS Management Console

First, create a topic, then subscribe to it. You can optionally publish a test message to the topic.

To create an SNS topic
  1. Open the Amazon SNS console at https://console.aws.amazon.com/sns/v3/home.

  2. On the Amazon SNS dashboard, under Common actions, choose Create Topic.

  3. In the Create new topic dialog box, for Topic name, enter a name for the topic (for example, my-topic).

  4. Choose Create topic.

  5. Copy the Topic ARN for the next task (for example, arn:aws:sns:us-east-1:111122223333:my-topic).

To subscribe to an SNS topic
  1. Open the Amazon SNS console at https://console.aws.amazon.com/sns/v3/home.

  2. In the navigation pane, choose Subscriptions, Create subscription.

  3. In the Create subscription dialog box, for Topic ARN, paste the topic ARN that you created in the previous task.

  4. For Protocol, choose Email.

  5. For Endpoint, enter an email address that you can use to receive the notification, and then choose Create subscription.

  6. From your email application, open the message from AWS Notifications and confirm your subscription.

    Your web browser displays a confirmation response from Amazon SNS.

To publish a test message to an SNS topic
  1. Open the Amazon SNS console at https://console.aws.amazon.com/sns/v3/home.

  2. In the navigation pane, choose Topics.

  3. On the Topics page, select a topic and choose Publish to topic.

  4. In the Publish a message page, for Subject, enter a subject line for your message, and for Message, enter a brief message.

  5. Choose Publish Message.

  6. Check your email to confirm that you received the message.

Setting up an SNS topic using the AWS CLI

First, you create an SNS topic, and then you publish a message directly to the topic to test that you have properly configured it.

To set up an SNS topic
  1. Create the topic using the create-topic command as follows.

    aws sns create-topic --name my-topic

    Amazon SNS returns a topic ARN with the following format:

    {
        "TopicArn": "arn:aws:sns:us-east-1:111122223333:my-topic"
    }
  2. Subscribe your email address to the topic using the subscribe command. If the subscription request succeeds, you receive a confirmation email message.

    aws sns subscribe --topic-arn arn:aws:sns:us-east-1:111122223333:my-topic --protocol email --notification-endpoint my-email-address

    Amazon SNS returns the following:

    {
        "SubscriptionArn": "pending confirmation"
    }
  3. From your email application, open the message from AWS Notifications and confirm your subscription.

    Your web browser displays a confirmation response from Amazon Simple Notification Service.

  4. Check the subscription using the list-subscriptions-by-topic command.

    aws sns list-subscriptions-by-topic --topic-arn arn:aws:sns:us-east-1:111122223333:my-topic

    Amazon SNS returns the following:

    {
        "Subscriptions": [
            {
                "Owner": "111122223333",
                "Endpoint": "me@mycompany.com",
                "Protocol": "email",
                "TopicArn": "arn:aws:sns:us-east-1:111122223333:my-topic",
                "SubscriptionArn": "arn:aws:sns:us-east-1:111122223333:my-topic:64886986-bf10-48fb-a2f1-dab033aa67a3"
            }
        ]
    }
  5. (Optional) Publish a test message to the topic using the publish command.

    aws sns publish --message "Verification" --topic-arn arn:aws:sns:us-east-1:111122223333:my-topic

    Amazon SNS returns the following:

    {
        "MessageId": "42f189a0-3094-5cf6-8fd7-c2dde61a4d7d"
    }
  6. Check your email to confirm that you received the message.
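As an added example that is not part of the AWS documentation, the following script turns step 4 (checking the subscriptions with list-subscriptions-by-topic) into a repeatable audit of who receives the alarm notifications: it flags subscriptions owned by another account, endpoints using an unexpected protocol, email endpoints outside an allow-listed set of domains, and subscriptions that were never confirmed. The sample output is constructed from the page's placeholder values plus one invented unconfirmed subscription; the function names and the allow-list are this example's own assumptions. The "PendingConfirmation" value is what the API reports for a subscription whose confirmation email has not been acted on.

```python
import json

# Constructed sample in the shape returned by `aws sns list-subscriptions-by-topic`.
# The first entry copies the page's placeholder values; the second is invented for the audit.
SAMPLE_OUTPUT = """{
    "Subscriptions": [
        {
            "Owner": "111122223333",
            "Endpoint": "me@mycompany.com",
            "Protocol": "email",
            "TopicArn": "arn:aws:sns:us-east-1:111122223333:my-topic",
            "SubscriptionArn": "arn:aws:sns:us-east-1:111122223333:my-topic:64886986-bf10-48fb-a2f1-dab033aa67a3"
        },
        {
            "Owner": "111122223333",
            "Endpoint": "someone@example.org",
            "Protocol": "email",
            "TopicArn": "arn:aws:sns:us-east-1:111122223333:my-topic",
            "SubscriptionArn": "PendingConfirmation"
        }
    ]
}"""


def audit_subscriptions(output_json, expected_account, allowed_email_domains, allowed_protocols=("email",)):
    """Return a list of (endpoint, problem) pairs for subscriptions a reviewer should look at.

    output_json           -- the JSON text printed by list-subscriptions-by-topic
    expected_account      -- the account ID that should own every subscription
    allowed_email_domains -- lower-case domains permitted to receive alarm email
    allowed_protocols     -- delivery protocols permitted on this topic
    """
    findings = []
    for sub in json.loads(output_json).get("Subscriptions", []):
        endpoint = sub.get("Endpoint", "")
        protocol = sub.get("Protocol", "")
        if sub.get("Owner") != expected_account:
            findings.append((endpoint, f"owned by foreign account {sub.get('Owner')}"))
        if protocol not in allowed_protocols:
            findings.append((endpoint, f"unexpected protocol {protocol}"))
        if protocol == "email":
            domain = endpoint.rpartition("@")[2].lower()
            if domain not in allowed_email_domains:
                findings.append((endpoint, f"email domain {domain} not in allow-list"))
        # An unconfirmed subscription carries the literal "PendingConfirmation" instead of an ARN.
        if sub.get("SubscriptionArn") == "PendingConfirmation":
            findings.append((endpoint, "subscription not yet confirmed"))
    return findings


if __name__ == "__main__":
    for endpoint, problem in audit_subscriptions(SAMPLE_OUTPUT, "111122223333", {"mycompany.com"}):
        print(f"{endpoint}: {problem}")
```

In practice the JSON text would come from running the command in step 4 (for example by piping its output into this script); the domain allow-list keeps alarm details, which reveal resource names and thresholds, from going to mailboxes outside the organisation.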