Managing ElastiCache Amazon SNS notifications
You can configure ElastiCache to send notifications for important cluster events using Amazon Simple Notification Service (Amazon SNS). In these examples, you will configure a cluster with the Amazon Resource Name (ARN) of an Amazon SNS topic to receive notifications.
Note
This topic assumes that you've signed up for Amazon SNS and have set up and subscribed to an Amazon SNS topic. For information on how to do this, see the Amazon Simple Notification Service Developer Guide.
By default, the `modify-replication-group` API affects all groups in a Region and not just the current specified group. If you want to configure one specific group in a Region differently than the other groups, you can use the `--notification-topic-arn` option to create a separate topic for that group.
SNS topic access policy requirement
When you configure an Amazon SNS topic for ElastiCache notifications, the topic's access policy
must use the aws:SourceOwner condition key, not aws:SourceAccount.
Newly created Amazon SNS topics default to aws:SourceAccount in their access policy,
which ElastiCache does not support for event notifications.
If your Amazon SNS topic uses aws:SourceAccount, ElastiCache cannot publish
notifications to the topic and automatically sets the topic status to
inactive. Global Datastore failovers and other cluster operations can trigger this error.
To ensure ElastiCache notifications work correctly, verify your Amazon SNS topic access policy includes the following statement:
```json
{
  "Statement": [
    {
      "Sid": "AllowElastiCachePublish",
      "Effect": "Allow",
      "Principal": { "AWS": "*" },
      "Action": "SNS:Publish",
      "Resource": "arn:aws:sns:region:account-id:topic-name",
      "Condition": {
        "StringEquals": { "AWS:SourceOwner": "account-id" }
      }
    }
  ]
}
```
If ElastiCache shows your Amazon SNS topic status as inactive
after a failover or other cluster operation, check the topic's access policy and replace
aws:SourceAccount with aws:SourceOwner. Then re-enable the
notification on the cluster with the ModifyReplicationGroup API operation or the console.
For more information about these condition keys, see aws:SourceAccount vs aws:SourceOwner in the Amazon SNS Developer Guide.
Prerequisites
Before you configure Amazon SNS notifications for ElastiCache, verify the following requirements:
- The Amazon SNS topic must be in the same AWS Region as your ElastiCache cluster.
- The Amazon SNS topic must be owned by the same AWS account as your ElastiCache cluster.
- The Amazon SNS topic must not be encrypted with a customer managed AWS KMS key. ElastiCache does not support publishing notifications to Amazon SNS topics that are encrypted with customer managed AWS KMS keys.
- You must have permissions to modify the Amazon SNS topic access policy (`sns:SetTopicAttributes` or equivalent).
Granting ElastiCache permission to publish to your Amazon SNS topic
To receive event notifications, you must grant ElastiCache permission to publish
messages to your Amazon SNS topic. You do this by adding a resource-based policy to the
Amazon SNS topic that allows the elasticache.amazonaws.com service principal
to publish messages.
The following policy grants ElastiCache the required permission:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowElastiCachePublish",
      "Effect": "Allow",
      "Principal": { "Service": "elasticache.amazonaws.com" },
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:region:account-id:topic-name",
      "Condition": {
        "StringEquals": { "aws:SourceAccount": "account-id" }
      }
    }
  ]
}
```
The following table describes the policy components.
| Component | Value | Description |
|---|---|---|
| Principal | elasticache.amazonaws.com | The ElastiCache service principal |
| Action | sns:Publish | The minimum required permission |
| Resource | Topic ARN | The ARN of your specific Amazon SNS topic |
| Condition: aws:SourceAccount | Your AWS account ID | Restricts access to requests originating from your specific AWS account |
Granting permission (Console)
To grant ElastiCache permission to publish to your Amazon SNS topic (Console)
- Open the Amazon Simple Notification Service console at https://console.aws.amazon.com/sns/.
- In the navigation pane, choose Topics.
- Select your topic and choose Edit.
- Expand the Access policy section.
- In the JSON editor, add the preceding policy statement.
- Choose Save changes.
Granting permission (AWS CLI)
Save the access policy to a file named sns-policy.json,
then run the following command:
For Linux, macOS, or Unix:
```shell
aws sns set-topic-attributes \
    --topic-arn arn:aws:sns:region:account-id:topic-name \
    --attribute-name Policy \
    --attribute-value file://sns-policy.json \
    --region region
```
For Windows:
```bat
aws sns set-topic-attributes ^
    --topic-arn arn:aws:sns:region:account-id:topic-name ^
    --attribute-name Policy ^
    --attribute-value file://sns-policy.json ^
    --region region
```
To verify the policy was applied correctly, run the following command:
For Linux, macOS, or Unix:
```shell
aws sns get-topic-attributes \
    --topic-arn arn:aws:sns:region:account-id:topic-name \
    --query 'Attributes.Policy' \
    --output text \
    --region region
```
For Windows:
```bat
aws sns get-topic-attributes ^
    --topic-arn arn:aws:sns:region:account-id:topic-name ^
    --query 'Attributes.Policy' ^
    --output text ^
    --region region
```
Adding an Amazon SNS topic
The following sections show you how to add an Amazon SNS topic using the AWS Console, the AWS CLI, or the ElastiCache API.
Adding an Amazon SNS topic (Console)
The following procedure shows you how to add an Amazon SNS topic for a cluster. When using Valkey or Redis OSS to add an Amazon SNS topic for a replication group in step 2, instead of choosing a cluster, choose a replication group. Then follow the same remaining steps.
Note
This process can also be used to modify the Amazon SNS topic.
To add or modify an Amazon SNS topic for a cluster (Console)
- Sign in to the AWS Management Console and open the ElastiCache console at https://console.aws.amazon.com/elasticache/.
- In Clusters, choose the cluster for which you want to add or modify an Amazon SNS topic ARN.
- Choose Modify.
- In Modify Cluster under Topic for SNS Notification, choose the SNS topic you want to add, or choose Manual ARN input and type the ARN of the Amazon SNS topic.
- Choose Modify.
Adding an Amazon SNS topic (AWS CLI)
To add or modify an Amazon SNS topic for a cluster, use the AWS CLI command `modify-cache-cluster`. The following code example adds an Amazon SNS topic ARN to my-cluster.
For Linux, macOS, or Unix:
```shell
aws elasticache modify-cache-cluster \
    --cache-cluster-id my-cluster \
    --notification-topic-arn arn:aws:sns:us-west-2:123456789xxx:ElastiCacheNotifications
```
For Windows:
```bat
aws elasticache modify-cache-cluster ^
    --cache-cluster-id my-cluster ^
    --notification-topic-arn arn:aws:sns:us-west-2:123456789xxx:ElastiCacheNotifications
```
For more information, see modify-cache-cluster.
Adding an Amazon SNS topic (ElastiCache API)
To add or modify an Amazon SNS topic for a cluster, call the
ModifyCacheCluster action with the following parameters:
- CacheClusterId=my-cluster
- NotificationTopicArn=arn%3Aaws%3Asns%3Aus-west-2%3A565419523791%3AElastiCacheNotifications
Example
```
https://elasticache.amazon.com/
    ?Action=ModifyCacheCluster
    &ApplyImmediately=false
    &CacheClusterId=my-cluster
    &NotificationTopicArn=arn%3Aaws%3Asns%3Aus-west-2%3A565419523791%3AElastiCacheNotifications
    &Version=2014-12-01
    &SignatureVersion=4
    &SignatureMethod=HmacSHA256
    &Timestamp=20141201T220302Z
    &X-Amz-Algorithm=AWS4-HMAC-SHA256
    &X-Amz-Date=20141201T220302Z
    &X-Amz-SignedHeaders=Host
    &X-Amz-Expires=20141201T220302Z
    &X-Amz-Credential=<credential>
    &X-Amz-Signature=<signature>
```
For more information, see ModifyCacheCluster.
Enabling and disabling Amazon SNS notifications
You can turn notifications on or off for a cluster. The following procedures show you how to disable Amazon SNS notifications.
Enabling and disabling Amazon SNS notifications (Console)
To disable Amazon SNS notifications using the AWS Management Console
- Sign in to the AWS Management Console and open the ElastiCache console at https://console.aws.amazon.com/elasticache/.
- To see a list of your clusters running Memcached, in the navigation pane choose Memcached. To see a list of your clusters running Valkey or Redis OSS, in the navigation pane choose Valkey or Redis OSS.
- Choose the box to the left of the cluster you want to modify notifications for.
- Choose Modify.
- In Modify Cluster under Topic for SNS Notification, choose Disable Notifications.
- Choose Modify.
Enabling and disabling Amazon SNS notifications (AWS CLI)
To disable Amazon SNS notifications, use the command `modify-cache-cluster` with the following parameters:
For Linux, macOS, or Unix:
```shell
aws elasticache modify-cache-cluster \
    --cache-cluster-id my-cluster \
    --notification-topic-status inactive
```
For Windows:
```bat
aws elasticache modify-cache-cluster ^
    --cache-cluster-id my-cluster ^
    --notification-topic-status inactive
```
Note
When the cluster belongs to a replication group, you must use the CLI command modify-replication-group to enable or disable SNS notifications.
Enabling and disabling Amazon SNS notifications (ElastiCache API)
To disable Amazon SNS notifications, call the ModifyCacheCluster action with the
following parameters:
- CacheClusterId=my-cluster
- NotificationTopicStatus=inactive
This call returns output similar to the following:
Example
```
https://elasticache.us-west-2.amazonaws.com/
    ?Action=ModifyCacheCluster
    &ApplyImmediately=false
    &CacheClusterId=my-cluster
    &NotificationTopicStatus=inactive
    &Version=2014-12-01
    &SignatureVersion=4
    &SignatureMethod=HmacSHA256
    &Timestamp=20141201T220302Z
    &X-Amz-Algorithm=AWS4-HMAC-SHA256
    &X-Amz-Date=20141201T220302Z
    &X-Amz-SignedHeaders=Host
    &X-Amz-Expires=20141201T220302Z
    &X-Amz-Credential=<credential>
    &X-Amz-Signature=<signature>
```
Security best practices for Amazon SNS topic policies
To help secure your Amazon SNS topic policy, follow these best practices:
- Always include the `aws:SourceAccount` condition key to prevent cross-account confused deputy attacks.
- Use the `elasticache.amazonaws.com` service principal rather than individual AWS account IDs.
- Never use `"Principal": {"AWS": "*"}` without additional condition keys.
- Grant only the minimum required permissions (`sns:Publish` only).
- Regularly audit your Amazon SNS topic access policies.
Verifying that notifications are working
After configuring the Amazon SNS topic policy and adding the topic to your ElastiCache cluster, verify that notifications are working:
- Trigger an ElastiCache event, such as a configuration change on your cluster.
- Check your Amazon SNS subscription endpoint (email, Lambda function, or SQS queue) for the notification message.
- In the Amazon SNS console, verify that the subscription status shows Confirmed.
Troubleshooting Amazon SNS notifications
If you are not receiving Amazon SNS notifications from ElastiCache, check the following:
- Region mismatch
Verify that the Amazon SNS topic is in the same AWS Region as your ElastiCache cluster.
- Account ownership
Verify that the Amazon SNS topic is owned by the same AWS account as your ElastiCache cluster.
- Incorrect account ID in condition
Check that the `aws:SourceAccount` value is your exact 12-digit AWS account ID.
- KMS encryption
Verify that the Amazon SNS topic is not encrypted with a customer managed AWS KMS key. ElastiCache does not support publishing to topics with customer managed AWS KMS encryption.
- Topic ARN mismatch
Confirm that the Amazon SNS topic ARN in the policy matches exactly the ARN of the topic attached to your ElastiCache cluster.
- Unconfirmed subscription
Verify that your Amazon SNS subscription is in Confirmed status.
- Insufficient permissions
Confirm that you have `sns:SetTopicAttributes` permission to modify the topic's access policy.
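The best-practice and troubleshooting checks above can be run as one audit over a topic's policy and attributes. The following is an added example, not code from this page or from AWS: it takes the policy JSON that `get-topic-attributes` returns (here, constructed sample policies embedded inline), the topic ARN, and the cluster's Region and account, and reports which of the page's checks fail. It accepts either `aws:SourceAccount` or `aws:SourceOwner` as the account condition, since both forms appear on this page, and assumes that a `KmsMasterKeyId` other than `alias/aws/sns` means a customer managed key.

```python
import json

# Constructed sample policies: the statement this page recommends, and a weak variant.
TOPIC_ARN = "arn:aws:sns:us-west-2:123456789012:ElastiCacheNotifications"  # constructed
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowElastiCachePublish", "Effect": "Allow",
    "Principal": {"Service": "elasticache.amazonaws.com"},
    "Action": "sns:Publish", "Resource": TOPIC_ARN,
    "Condition": {"StringEquals": {"aws:SourceAccount": "123456789012"}}}]})
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "TooOpen", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "sns:*", "Resource": TOPIC_ARN}]})


def _as_list(value):
    # IAM policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def audit_topic_policy(policy_json, topic_arn, cluster_region, cluster_account, kms_key_id=None):
    # Returns a list of findings; an empty list means every check on this page passes.
    findings = []
    _, _, _, topic_region, topic_account, _ = topic_arn.split(":", 5)
    if topic_region != cluster_region:
        findings.append(f"region mismatch: topic in {topic_region}, cluster in {cluster_region}")
    if topic_account != cluster_account:
        findings.append("account mismatch: topic is owned by a different account")
    if kms_key_id and kms_key_id != "alias/aws/sns":  # assumption: anything else is customer managed
        findings.append("topic is encrypted with a customer managed KMS key")
    can_publish = False
    for st in json.loads(policy_json).get("Statement", []):
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal", {})
        wildcard = principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        service = isinstance(principal, dict) and "elasticache.amazonaws.com" in _as_list(principal.get("Service", []))
        if st.get("Effect") != "Allow" or not (wildcard or service):
            continue  # not a statement that could let ElastiCache publish
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        equals = {k.lower(): v for k, v in st.get("Condition", {}).get("StringEquals", {}).items()}
        account_cond = equals.get("aws:sourceaccount", equals.get("aws:sourceowner"))
        if wildcard and account_cond is None:
            findings.append(f"{sid}: wildcard principal with no account condition (confused deputy risk)")
        if account_cond is not None and cluster_account not in _as_list(account_cond):
            findings.append(f"{sid}: account condition does not equal the cluster's 12-digit account ID")
        if actions - {"sns:publish"}:
            findings.append(f"{sid}: grants more than sns:Publish")
        if topic_arn not in _as_list(st.get("Resource", [])):
            findings.append(f"{sid}: Resource does not name this topic ARN")
        if actions & {"sns:publish", "sns:*", "*"}:
            can_publish = True
    if not can_publish:
        findings.append("no Allow statement lets ElastiCache publish to this topic")
    return findings
```

Feed it the `Attributes.Policy` and `Attributes.KmsMasterKeyId` values from `aws sns get-topic-attributes` to audit a real topic.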