How can I troubleshoot GuardDuty custom Amazon SNS notifications that didn’t get delivered?


My Amazon GuardDuty custom Amazon Simple Notification Service (Amazon SNS) notifications didn’t get delivered.

Short description

I followed the instructions to configure an Amazon EventBridge rule for GuardDuty to send custom SNS notifications when specific AWS service event types occur. However, the SNS notifications weren't delivered.

Resolution

Follow these instructions to confirm that the following settings are correct:

  • Amazon SNS subscription confirmation.
  • Amazon SNS topic AWS Identity and Access Management (IAM) access policy.
  • AWS Key Management Service (AWS KMS) permissions.
  • EventBridge rule event pattern.
  • GuardDuty findings export frequency.

Confirm the Amazon SNS subscription

  1. Open the Amazon SNS console, and then choose Subscriptions.
  2. For your Amazon SNS subscription ID, verify that the status is Confirmed and the Topic is correct.
  3. If the status is Pending confirmation, then follow the instructions to confirm the subscription.

Confirm permissions for the SNS topic IAM access policy

  1. Open the Amazon SNS console, and then choose Topics.
  2. In Name, choose your Amazon SNS topic.
  3. In Details, choose the Access policy tab.
  4. Verify that the access policy contains a statement that allows the events.amazonaws.com service principal to perform sns:Publish on this topic, similar to the following. Without such a statement, EventBridge can't publish to the topic even though the rule itself is valid. To stop EventBridge rules in other accounts from publishing to your topic, you can also add a Condition on this statement that restricts aws:SourceArn to the ARN of your rule.
{
  "Sid": "AWSEvents",
  "Effect": "Allow",
  "Principal": {
    "Service": "events.amazonaws.com"
  },
  "Action": "sns:Publish",
  "Resource": "arn:aws:sns:YOUR-REGION:YOUR-ACCOUNT-ID:YOUR-SNS-TOPIC"
}

Confirm AWS KMS permissions

Note: You can skip this step if you haven't activated server-side encryption on the topic. If the topic is encrypted with the AWS managed key for Amazon SNS (aws/sns), EventBridge can't publish to it, because the policy of an AWS managed key can't be edited to grant the events.amazonaws.com principal. In that case, re-encrypt the topic with a customer managed key and then complete this step.

  1. Open the AWS KMS console, and then choose Customer managed keys.
  2. In Key ID, choose the customer managed key that you used to encrypt SNS messages.
  3. In Key policy, choose Switch to policy view.
  4. Make sure that the key policy contains a statement that allows the events.amazonaws.com service principal to call kms:GenerateDataKey and kms:Decrypt on the key, similar to the following. (In a key policy, a Resource of "*" refers to the key itself.)
{
  "Sid": "AWSEvents",
  "Effect": "Allow",
  "Principal": {
    "Service": "events.amazonaws.com"
  },
  "Action": [
    "kms:GenerateDataKey",
    "kms:Decrypt"
  ],
  "Resource": "*"
}
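The two policy checks above are easy to get wrong by eye, because a statement can name the right principal but the wrong action, or the right action but a different topic ARN. The following script is an added example, not code from the AWS article: it evaluates the Allow statements of a topic access policy and a KMS key policy offline for the grants EventBridge needs, and can optionally pull the live documents with boto3. The ARNs, account ID and policy documents below are constructed placeholders; Deny statements and Condition blocks are deliberately not evaluated, so a match means "worth relying on only if nothing else in the policy overrides it".

```python
"""Offline checks for the SNS topic access policy and KMS key policy that this article
tells you to inspect. Added example, not part of the AWS article; the policy documents
below are constructed samples with placeholder ARNs."""
import json
from typing import Iterable, List, Optional, Tuple

EVENTS_PRINCIPAL = "events.amazonaws.com"


def _as_list(value) -> list:
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_covers(actions: Iterable[str], wanted: str) -> bool:
    """Action names are case-insensitive; sns:* or a bare * also cover the wanted action."""
    service = wanted.split(":", 1)[0].lower()
    return any(a.lower() in (wanted.lower(), "*", f"{service}:*") for a in actions)


def _resource_covers(resources, arn: str) -> bool:
    return any(r in ("*", arn) for r in _as_list(resources))


def statement_grants(stmt: dict, action: str, resource_arn: str) -> bool:
    """True if one Allow statement lets the EventBridge service principal run `action`
    on `resource_arn`. Deny statements and Condition blocks are not evaluated here."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    if principal != "*":
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if EVENTS_PRINCIPAL not in services:
            return False
    if not _action_covers(_as_list(stmt.get("Action")), action):
        return False
    return _resource_covers(stmt.get("Resource", "*"), resource_arn)


def policy_grants(policy: dict, action: str, resource_arn: str) -> bool:
    return any(statement_grants(s, action, resource_arn)
               for s in _as_list(policy.get("Statement")))


def topic_allows_eventbridge(policy: dict, topic_arn: str) -> bool:
    return policy_grants(policy, "sns:Publish", topic_arn)


def kms_key_missing_for_eventbridge(policy: dict, key_arn: str) -> List[str]:
    """KMS actions EventBridge still lacks on the key (empty list means the key is fine).
    A Resource of "*" in a key policy refers to the key itself."""
    return [a for a in ("kms:GenerateDataKey", "kms:Decrypt")
            if not policy_grants(policy, a, key_arn)]


def fetch_live_policies(topic_arn: str, key_id: Optional[str] = None) -> Tuple[dict, Optional[dict]]:
    """Pull the real documents with boto3 (needs AWS credentials; imported lazily so the
    offline checks above run without boto3 installed)."""
    import boto3
    topic = json.loads(boto3.client("sns").get_topic_attributes(
        TopicArn=topic_arn)["Attributes"]["Policy"])
    key = None
    if key_id:
        key = json.loads(boto3.client("kms").get_key_policy(
            KeyId=key_id, PolicyName="default")["Policy"])
    return topic, key


# --- constructed sample documents (placeholder account and ARNs) ----------------------
TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:guardduty-alerts"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
EVENTS_SNS_STATEMENT = {"Sid": "AWSEvents", "Effect": "Allow",
                        "Principal": {"Service": EVENTS_PRINCIPAL},
                        "Action": "sns:Publish", "Resource": TOPIC_ARN}
EVENTS_KMS_STATEMENT = {"Sid": "AWSEvents", "Effect": "Allow",
                        "Principal": {"Service": EVENTS_PRINCIPAL},
                        "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": "*"}

# Shape of the policy SNS attaches by default: callers from the owning account only, so the
# EventBridge service principal is not covered and its publish calls are rejected.
DEFAULT_TOPIC_POLICY = {"Version": "2008-10-17", "Statement": [{
    "Sid": "__default_statement_ID", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": ["SNS:Publish", "SNS:Subscribe"], "Resource": TOPIC_ARN,
    "Condition": {"StringEquals": {"AWS:SourceOwner": "111122223333"}}}]}
# Key policy that grants only the account root: EventBridge can't generate data keys.
ROOT_ONLY_KEY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Enable IAM User Permissions", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "kms:*", "Resource": "*"}]}


def with_statement(policy: dict, stmt: dict) -> dict:
    """Copy of `policy` with `stmt` appended, which is the fix the article describes."""
    return {**policy, "Statement": _as_list(policy.get("Statement")) + [stmt]}
```

Run `topic_allows_eventbridge` and `kms_key_missing_for_eventbridge` on the output of `fetch_live_policies` to check a real topic; on the constructed samples, the default topic policy and the root-only key policy both fail, and appending the AWSEvents statement from the article makes each pass. A rule whose target rejects publishes also shows up as a non-zero FailedInvocations metric for that rule in CloudWatch, which is the quickest confirmation that the problem is on the target side rather than in the rule's pattern.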

Confirm the EventBridge rule event pattern

  1. Open the EventBridge console, and then choose Rules.
  2. In Name, choose your rule.
  3. In Event pattern, verify that the pattern matches GuardDuty finding events: the source must be "aws.guardduty" and the detail-type must be "GuardDuty Finding", similar to the following. If you narrowed the rule to particular finding types, confirm that each value under "detail": {"type": [...]} is the exact finding type string (matching is exact and case-sensitive) and that the filter sits under "detail", not at the top level of the pattern.
{
  "source": [
    "aws.guardduty"
  ],
  "detail-type": [
    "GuardDuty Finding"
  ]
}

For more information, see Creating custom responses to GuardDuty findings with Amazon CloudWatch Events.
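The EventBridge console's sandbox can test a pattern against a sample event, but it helps to understand why a pattern fails. The following is an added example, not code from the AWS article: a minimal matcher for the exact-match subset of EventBridge patterns, run against a constructed GuardDuty finding envelope with placeholder account, region and IDs. It shows the pattern from the article matching every finding, a narrowed pattern matching one finding type, and the two mistakes that silently drop events: a finding type with the wrong case, and a type filter placed at the top level instead of under "detail".

```python
"""Minimal exact-match matcher for EventBridge event patterns, with a constructed
GuardDuty finding event. Added example, not part of the AWS article."""


def matches(event: dict, pattern: dict) -> bool:
    """Every key in `pattern` must exist in `event`. A list means "value is one of these"
    (exact, case-sensitive; an event array matches if any element is listed); a dict
    recurses into the nested object. Content filters such as prefix, numeric and
    anything-but are not implemented here."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches(value, allowed):
                return False
        elif isinstance(allowed, list):
            candidates = value if isinstance(value, list) else [value]
            if not any(v in allowed for v in candidates):
                return False
        else:
            raise ValueError(f"pattern value for {key!r} must be a list or an object")
    return True


# Constructed sample: the envelope EventBridge wraps around a GuardDuty finding.
# Account ID, region, event ID and finding details are placeholders.
SAMPLE_FINDING_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "111122223333",
    "time": "2024-01-01T00:00:00Z",
    "region": "us-east-1",
    "resources": [],
    "detail": {
        "type": "Recon:EC2/PortProbeUnprotectedPort",
        "severity": 2,
        "region": "us-east-1",
        "title": "Unprotected port on EC2 instance is being probed.",
    },
}

# The pattern from the article: every GuardDuty finding.
ALL_GUARDDUTY_FINDINGS = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}
# Narrowed to one finding type.
PORT_PROBE_ONLY = {**ALL_GUARDDUTY_FINDINGS,
                   "detail": {"type": ["Recon:EC2/PortProbeUnprotectedPort"]}}
# Mistake 1: wrong case in the finding type; EventBridge matching is case-sensitive.
WRONG_CASE = {**ALL_GUARDDUTY_FINDINGS,
              "detail": {"type": ["recon:ec2/portprobeunprotectedport"]}}
# Mistake 2: the type filter at the top level instead of under "detail".
WRONG_LEVEL = {**ALL_GUARDDUTY_FINDINGS, "type": ["Recon:EC2/PortProbeUnprotectedPort"]}


def check_rule_pattern(pattern: dict, event: dict = SAMPLE_FINDING_EVENT) -> str:
    """Verdict on a rule's pattern: the two keys the article names, then a full match."""
    if "aws.guardduty" not in pattern.get("source", []):
        return 'source must include "aws.guardduty"'
    if "GuardDuty Finding" not in pattern.get("detail-type", []):
        return 'detail-type must include "GuardDuty Finding"'
    return "ok" if matches(event, pattern) else "pattern does not match the sample finding"


if __name__ == "__main__":
    for name, pattern in [("all", ALL_GUARDDUTY_FINDINGS), ("port probe", PORT_PROBE_ONLY),
                          ("wrong case", WRONG_CASE), ("wrong level", WRONG_LEVEL)]:
        print(f"{name}: {check_rule_pattern(pattern)}")
```

Paste your own rule's pattern in place of the samples; if `check_rule_pattern` reports a mismatch on a finding you expect to alert on, compare the value under "detail": {"type": [...]} character by character with the finding type shown in the GuardDuty console.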

Confirm the GuardDuty findings export frequency

  1. Open the GuardDuty console, and then choose Settings.
  2. In Findings export options, choose Edit.
  3. In Edit frequency to publish updated findings, check the frequency that's set. By default, updated findings are sent to EventBridge every 6 hours. To change the default, choose either 1 hour or 15 minutes, and then choose Save changes.

Note: GuardDuty sends a notification for a new finding within 5 minutes of generating it; the export frequency applies only to subsequent occurrences of a finding that already exists. For more information, see CloudWatch Events notification frequency for GuardDuty.

Related information

Finding types

Exporting findings

Why is my Amazon SNS topic not receiving EventBridge notifications?

AWS OFFICIAL. Updated 3 months ago.