Alarms to notify on SNS topics

As we discussed the CloudWatch logging feature in the previous post, let's explore another powerful feature of the AWS CloudWatch service: CloudWatch alarms.

Let's consider a simple use case: “Create an alarm when more than 5 objects are added to or deleted from an S3 bucket; once the alarm state is active, it should raise an event notification to an SNS topic, which in turn should send out an email.”

  1. I’m assuming that you have already created an S3 bucket which can be used in this tutorial.
  2. Create a new SNS topic: go to Simple Notification Service and create a new SNS topic with the desired name, let's say <test>. Once the topic is created, create a new subscription. Please make sure to confirm the email subscription. The most commonly ignored step is granting permissions. Keep in mind that you need to specifically grant permissions for other AWS services to publish notifications to this topic. In our case, we need to grant policy permissions to the CloudWatch alarm service to access this topic. We will cover this in step 5.
  3. Now go to the CloudWatch service in the AWS console: navigate to Services and search for CloudWatch. Once you are on the CloudWatch console page, click Alarm in the left navigation menu and create a new alarm. On the Select Metric page, select S3, then select the bucket from step 1 with AllStorageTypes. In the bottom navigation, select a relative 1 day duration and max=5, then click Next.
  4. On the Alarm definition page, add the desired name and description. Then set the alarm threshold as numberOfObjects>=5. Leave the other values as default, then set the action as “whenever this alarm: state is ALARM” and “send notification to: topicname<created in step2>”. Then choose your desired email and click Create Alarm.
  5. Now, as mentioned in step 2, the most important step is to grant permissions for this alarm to publish to the SNS topic. Go to the Simple Notification Service console page and select the SNS topic <test>. Go to Actions -> Edit Topic Policy -> Advanced view and paste the policy below. Update the SNS topic name, region, account id and alarm name accordingly. Click Update Policy; that grants your CloudWatch alarm permission to publish to the SNS topic.
      {
        "Version": "2012-10-17",
        "Id": "SNSTopicPolicy",
        "Statement": [
          {
            "Sid": "SNSTopicPolicy-ID",
            "Effect": "Allow",
            "Principal": {
              "AWS": "*"
            },
            "Action": "SNS:Publish",
            "Resource": "arn:aws:sns:<TOPIC-REGION>:<ACCOUNT-ID>:<YOUR-SNS-TOPIC-NAME>",
            "Condition": {
              "ArnLike": {
                "aws:SourceArn": "arn:aws:cloudwatch:<TOPIC-REGION>:<ACCOUNT-ID>:alarm:<YOUR-ALARM-NAME>"
              }
            }
          }
        ]
      }
  6. Now go ahead and delete 6 text files from the S3 bucket created in step 1. As soon as all files are uploaded successfully, the alarm will become active and you should receive an email.
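
An added example, not part of the original post: a small Python check for the topic policy from step 5. Because that statement uses a wildcard principal, its Condition on aws:SourceArn is the only thing restricting who can publish, so the function flags Allow statements where that condition is missing or leaves the account id open. The region, account id and names in the sample are constructed, and the set of condition keys treated as scoping is an assumption of this example.

```python
import json

# Condition keys that tie an SNS publish to a specific caller resource or account.
SCOPING_KEYS = {"aws:sourcearn", "aws:sourceaccount", "aws:sourceowner"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_wildcard(principal):
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return principal == "*"

def _scoping_values(condition):
    """Yield (key, value) for positive Arn*/String* conditions on a scoping key."""
    for operator, keys in (condition or {}).items():
        op = operator.lower()
        if "not" in op or not op.startswith(("arn", "string")):
            continue
        for key, value in keys.items():
            if key.lower() in SCOPING_KEYS:
                for v in _as_list(value):
                    yield key, v

def audit_topic_policy(policy):
    """Return findings for Allow statements whose wildcard principal is not pinned down."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_wildcard(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        scoped = list(_scoping_values(stmt.get("Condition")))
        if not scoped:
            findings.append(f"{sid}: wildcard principal with no source condition")
        for key, value in scoped:
            # ARN layout: arn:partition:service:region:account-id:resource
            parts = value.split(":")
            if key.lower() == "aws:sourcearn" and (len(parts) < 6 or "*" in parts[4] or not parts[4]):
                findings.append(f"{sid}: {key} does not fix the account id: {value}")
    return findings

# Constructed sample: the policy from step 5 with made-up region, account id and names.
SCOPED = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Sid": "SNSTopicPolicy-ID", "Effect": "Allow", "Principal": {"AWS": "*"},
  "Action": "SNS:Publish", "Resource": "arn:aws:sns:us-east-1:111122223333:example-topic",
  "Condition": {"ArnLike": {"aws:SourceArn":
    "arn:aws:cloudwatch:us-east-1:111122223333:alarm:example-alarm"}}}]}""")
# Same statement with the Condition block dropped: any AWS principal could publish.
OPEN = {"Statement": [{k: v for k, v in SCOPED["Statement"][0].items() if k != "Condition"}]}
```

Calling audit_topic_policy(SCOPED) returns an empty list, while audit_topic_policy(OPEN) returns one finding for the unconditioned wildcard statement.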
