
Rule: Logging of Delivery Status for Notification Messages

Ensure logging is enabled for notification messages sent to a topic

Rule: Logging of delivery status should be enabled for notification messages sent to a topic
Framework: AWS Foundational Security Best Practices
Severity: Medium

Rule Description:

Notification messages sent to a topic in AWS should have delivery status logging enabled. This helps to maintain visibility into the status of message deliveries and ensures that notifications are successfully reaching the intended recipients.

Troubleshooting Steps:

If there are issues with message delivery or if delivery status logging is not enabled, the following steps can be taken for troubleshooting:

  1. Verify Topic Configuration:

    • Check the topic configuration in the Amazon Simple Notification Service (SNS) console or via the AWS CLI.
    • Ensure that the setting for delivery status logging is enabled.

  2. Check Permissions:

    • Ensure that the IAM user or role used to modify the SNS topic has sufficient permissions to enable delivery status logging.
    • Verify that the necessary IAM policies are attached to the user or role.

  3. Confirm Subscriptions:

    • Confirm that the subscribers of the topic have confirmed their subscriptions.
    • Check for any invalid or unsubscribed endpoints.

  4. Verify Email Notifications:

    • If the topic is configured to send email notifications, ensure that the specified email addresses are correct and actively receiving emails.
    • Check spam or junk folders if the emails are not appearing in the inbox.

  5. Review SNS Delivery Policies:

    • Review the delivery policies associated with the topic to ensure they are not preventing message delivery.
    • Check that the delivery policies are correctly configured for cross-account message deliveries, if applicable.

  6. Test with a Sample Message:

    • Use the publish command of the AWS CLI to send a test message to the topic.
    • Monitor the delivery status and check for any error messages or failures.

  7. Check CloudWatch Logs:

    • If delivery status logging is already enabled, check the CloudWatch Logs to investigate any potential issues with message deliveries.
    • Look for relevant log entries and error codes that could provide insights into the problem.

Necessary Codes:

No specific codes are required for this rule.

Step-by-Step Guide for Remediation:

To enable delivery status logging for notification messages sent to a topic in AWS, follow these steps:

  1. Open the Amazon SNS console.

  2. Navigate to the topic for which you want to enable delivery status logging.

  3. Click on the topic's ARN (Amazon Resource Name) to access the topic details.

  4. Click on the "Edit" button in the "Delivery status logging" section.

  5. Enable the checkbox next to "Enable delivery status logging".

  6. Optionally, you can provide an Amazon S3 bucket to store the delivery logs by entering the bucket name in the "S3 bucket name" field.

  7. Click on the "Save changes" button to save the configuration.

Once enabled, AWS will start logging the delivery status of notification messages sent to the topic. These logs can be accessed in the configured Amazon S3 bucket or viewed in the CloudWatch Logs for the topic.

Note: Enabling delivery status logging may incur additional charges for storing the logs in Amazon S3. Confirm the associated costs before enabling this feature.

By following the above steps, you can ensure that delivery status logging is enabled for notification messages sent to a topic in AWS, enhancing visibility and troubleshooting capabilities for message deliveries.
