(Optional) Set up Amazon SNS to receive notifications about OpsItems
You can configure OpsCenter to send notifications to an Amazon Simple Notification Service (Amazon SNS) topic when the system creates an OpsItem or updates an existing OpsItem.
Complete the following steps to receive notifications for OpsItems.
-
Step 3: Updating the AWS KMS access policy
Note
If you turn on AWS Key Management Service (AWS KMS) server-side encryption in Step 2, then you must complete Step 3. Otherwise, you can skip Step 3.
-
Step 4: Turning on default OpsItems rules to send notifications for new OpsItems
Step 1: Creating and subscribing to an Amazon SNS topic
To receive notifications, you must create and subscribe to an Amazon SNS topic. For more information, see Creating an Amazon SNS topic and Subscribing to an Amazon SNS topic in the Amazon Simple Notification Service Developer Guide.
Note
If you're using OpsCenter in multiple AWS Regions or accounts, you must create and subscribe to an Amazon SNS topic in each Region or account where you want to receive OpsItem notifications.
Step 2: Updating the Amazon SNS access policy
You have to associate an Amazon SNS topic with OpsItems. Use the following procedure to set up an Amazon SNS access policy so that Systems Manager can publish OpsItems notifications to the Amazon SNS topic that you created in Step 1.
Sign in to the AWS Management Console and open the Amazon SNS console at https://console.aws.amazon.com/sns/v3/home
. -
In the navigation pane, choose Topics.
-
Choose the topic that you created in Step 1, and then choose Edit.
-
Expand Access policy.
-
Add the following
Sidblock to the existing policy. Replace eachexample resource placeholderwith your own information.{ "Sid": "Allow OpsCenter to publish to this topic", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" }, "Action": "SNS:Publish", "Resource": "arn:aws:sns:region:account ID:topic name", // Account ID of the SNS topic owner "Condition": { "StringEquals": { "AWS:SourceAccount": "account ID" // Account ID of the OpsItem owner } } }Note
The
aws:SourceAccountglobal condition key protects against the confused deputy scenario. To use this condition key, set the value to the account ID of the OpsItem owner. For more information, see Confused Deputy in the IAM User Guide. -
Choose Save changes.
The system now sends notifications to the Amazon SNS topic when OpsItems are created or updated.
Important
If you configure the Amazon SNS topic with an AWS Key Management Service (AWS KMS) server-side encryption key in the Step 2, then complete Step 3. Otherwise, you can skip Step 3.
Step 3: Updating the AWS KMS access policy
If you turned on AWS KMS server-side encryption for your Amazon SNS topic, you must also update the access policy of the AWS KMS key that you chose when you configured the topic. Use the following procedure to update the access policy so that Systems Manager can publish OpsItem notifications to the Amazon SNS topic you created in Step 1.
Note
OpsCenter doesn't support publishing OpsItems to an Amazon SNS topic that is configured with an AWS managed key.
-
Open the AWS KMS console at https://console.aws.amazon.com/kms
. -
To change the AWS Region, use the Region selector in the upper-right corner of the page.
-
In the navigation pane, choose Customer managed keys.
-
Choose the ID of the KMS key that you chose when you created the topic.
-
In the Key policy section, choose Switch to policy view.
-
Choose Edit.
-
Add the following
Sidblock to the existing policy. Replace eachexample resource placeholderwith your own information.{ "Sid": "Allow OpsItems to decrypt the key", "Effect": "Allow", "Principal": { "Service": "ssm.amazonaws.com" }, "Action": ["kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "arn:aws:kms:region:account ID:key/key ID" }In the following example, the new block is entered at line 14.
-
Choose Save changes.
Step 4: Turning on default OpsItems rules to send notifications for new OpsItems
Default OpsItems rules in Amazon EventBridge aren't configured with an Amazon Resource Name
(ARN) for Amazon SNS notifications. Use the following procedure to edit a rule in
EventBridge and enter a notifications block.
To add a notifications block to a default OpsItem rule
Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/
. -
In the navigation pane, choose OpsCenter.
-
Choose the OpsItems tab, and then choose Configure sources.
-
Choose the name of the source rule that you want to configure with a
notificationsblock, as shown in the following example.
The rule opens in Amazon EventBridge.
-
On the rule details page, on the Targets tab, choose Edit.
-
In the Additional settings section, choose Configure input transformer.
-
In the Template box, add a
notificationsblock in the following format."notifications":[{"arn":"arn:aws:sns:region:account ID:topic name"}],Here's an example.
"notifications":[{"arn":"arn:aws:sns:us-west-2:1234567890:MySNSTopic"}],Enter the notifications block before the
resourcesblock, as shown in the following example for the US West (Oregon) (us-west-2) Region.{ "title": "EBS snapshot copy failed", "description": "CloudWatch Event Rule SSMOpsItems-EBS-snapshot-copy-failed was triggered. Your EBS snapshot copy has failed. See below for more details.", "category": "Availability", "severity": "2", "source": "EC2", "notifications": [{ "arn": "arn:aws:sns:us-west-2:1234567890:MySNSTopic" }], "resources": <resources>, "operationalData": { "/aws/dedup": { "type": "SearchableString", "value": "{\"dedupString\":\"SSMOpsItems-EBS-snapshot-copy-failed\"}" }, "/aws/automations": { "value": "[ { \"automationType\": \"AWS:SSM:Automation\", \"automationId\": \"AWS-CopySnapshot\" } ]" }, "failure-cause": { "value": <failure - cause> }, "source": { "value": <source> }, "start-time": { "value": <start - time> }, "end-time": { "value": <end - time> } } } -
Choose Confirm.
-
Choose Next.
-
Choose Next.
-
Choose Update rule.
The next time that the system creates an OpsItem for the default rule, it publishes a notification to the Amazon SNS topic.
