Overview
📋 Table of Contents
- Overview
- Key Concepts
- SNS Configuration
- Integration with CloudWatch Alarms
- Best Practices
- Examples from Our Infrastructure
- Useful Links
🌟 Overview
Amazon Simple Notification Service (SNS) is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. In our infrastructure, we primarily use SNS to route CloudWatch Alarm notifications to various endpoints, including Lambda functions that send alerts to Discord.
🔑 Key Concepts
- Topics: The main SNS resource to which messages are published.
- Subscriptions: Endpoints that receive messages published to a topic.
- Publishers: Services or applications that send messages to SNS topics.
- Message Filtering: Allows subscribers to receive only a subset of messages published to a topic.
🛠 SNS Configuration
In our infrastructure, we set up SNS topics to handle different types of notifications:
- Error Alerts: For critical error logs detected by CloudWatch Logs.
- Resource Alarms: For CloudWatch Alarms related to resource utilization and performance.
🔗 Integration with CloudWatch Alarms
CloudWatch Alarms are configured to publish messages to SNS topics when alarm states change. This integration allows us to:
- Centralize notification management.
- Route different types of alarms to different endpoints.
- Transform and customize alert messages before sending them to final destinations (e.g., Discord).
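To make the "transform and customize" step concrete, here is an added example of the kind of handler that sits behind a Lambda subscription; it is illustrative code, not the Lambda from this infrastructure. It parses the SNS records delivered to the function, accepts only records from the one topic the function is meant to serve (the `TopicArn` check, so a direct invocation with a hand-crafted event or a record from some other topic is ignored rather than forwarded), validates that the message body is a CloudWatch Alarm notification, and formats it as a Discord-style payload. The topic ARN, the function names and the sample event are constructed placeholders.

```typescript
// Added example handler for an SNS -> Lambda -> Discord alarm relay.
// Event shape: the standard SNS record delivered to a Lambda subscriber, whose
// "Message" field holds the JSON CloudWatch writes for an alarm state change.

interface SnsRecord {
  EventSource: string;
  Sns: { TopicArn: string; Subject?: string; Message: string; MessageId: string };
}
interface SnsEvent { Records: SnsRecord[] }

interface CloudWatchAlarmMessage {
  AlarmName: string;
  AlarmDescription?: string | null;
  NewStateValue: "OK" | "ALARM" | "INSUFFICIENT_DATA";
  OldStateValue: string;
  NewStateReason: string;
  StateChangeTime: string;
  Region: string;
}

export interface DiscordPayload { content: string }

// Placeholder for the ARN of the topic this function is subscribed to (in a real
// deployment this would be injected as an environment variable at deploy time).
export const EXPECTED_TOPIC_ARN =
  "arn:aws:sns:eu-west-1:123456789012:gh-discord-prod-sns-eu-west-1-webhook";

function isAlarmMessage(x: unknown): x is CloudWatchAlarmMessage {
  if (typeof x !== "object" || x === null) return false;
  const m = x as Record<string, unknown>;
  return (
    typeof m.AlarmName === "string" &&
    ["OK", "ALARM", "INSUFFICIENT_DATA"].includes(m.NewStateValue as string) &&
    typeof m.OldStateValue === "string" &&
    typeof m.NewStateReason === "string" &&
    typeof m.StateChangeTime === "string" &&
    typeof m.Region === "string"
  );
}

export function formatAlarmForDiscord(alarm: CloudWatchAlarmMessage): DiscordPayload {
  const icon = alarm.NewStateValue === "ALARM" ? "[ALARM]" : alarm.NewStateValue === "OK" ? "[OK]" : "[NO DATA]";
  const lines = [
    `${icon} **${alarm.AlarmName}** is ${alarm.NewStateValue} (was ${alarm.OldStateValue})`,
    `Region: ${alarm.Region} | ${alarm.StateChangeTime}`,
    `Reason: ${alarm.NewStateReason}`,
  ];
  if (alarm.AlarmDescription) lines.push(`Description: ${alarm.AlarmDescription}`);
  return { content: lines.join("\n") };
}

// Returns the payloads that would be posted to the channel. Records that did not
// come from SNS, came from a different topic, or do not carry an alarm body are skipped.
export function handleSnsEvent(event: SnsEvent, expectedTopicArn: string = EXPECTED_TOPIC_ARN): DiscordPayload[] {
  const out: DiscordPayload[] = [];
  for (const rec of event.Records ?? []) {
    if (rec.EventSource !== "aws:sns" || rec.Sns.TopicArn !== expectedTopicArn) continue;
    let parsed: unknown;
    try {
      parsed = JSON.parse(rec.Sns.Message);
    } catch (e) {
      continue; // not JSON: not a CloudWatch alarm notification
    }
    if (!isAlarmMessage(parsed)) continue;
    out.push(formatAlarmForDiscord(parsed));
  }
  return out;
}

// Lambda entry point (hypothetical name); posting to the webhook is left to the caller.
export const handler = async (event: SnsEvent): Promise<DiscordPayload[]> => handleSnsEvent(event);

// Constructed sample event: one alarm from the expected topic, one record from another topic.
export const sampleEvent: SnsEvent = {
  Records: [
    {
      EventSource: "aws:sns",
      Sns: {
        TopicArn: EXPECTED_TOPIC_ARN,
        MessageId: "00000000-0000-0000-0000-000000000001",
        Subject: 'ALARM: "api-5xx-rate" in EU (Ireland)',
        Message: JSON.stringify({
          AlarmName: "api-5xx-rate",
          AlarmDescription: "5xx responses above 2% for 5 minutes",
          NewStateValue: "ALARM",
          OldStateValue: "OK",
          NewStateReason: "Threshold Crossed: 1 datapoint [3.4] was greater than the threshold (2.0).",
          StateChangeTime: "2024-01-01T00:00:00.000+0000",
          Region: "EU (Ireland)",
        }),
      },
    },
    {
      EventSource: "aws:sns",
      Sns: {
        TopicArn: "arn:aws:sns:eu-west-1:123456789012:some-other-topic",
        MessageId: "00000000-0000-0000-0000-000000000002",
        Message: JSON.stringify({ AlarmName: "unrelated", NewStateValue: "ALARM" }),
      },
    },
  ],
};
```

The topic check pairs with the `sourceArn` condition on the Lambda permission: the permission limits who may invoke the function, and the check inside the function limits what it will act on if invoked some other way.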
📝 Best Practices
- Use IAM Roles: Always use IAM roles to grant permissions to services that publish to or subscribe to SNS topics.
- Implement Dead-Letter Queues: For critical messages, use dead-letter queues to capture any messages that fail to be delivered.
- Message Attributes: Use message attributes to include metadata with your messages, enabling more sophisticated filtering and routing.
- Encryption: Enable server-side encryption (SSE with a KMS key) on topics that carry sensitive data; SSE protects messages at rest, while the HTTPS API protects them in transit.
- Monitor SNS: Set up CloudWatch metrics for SNS to track successful and failed message deliveries.
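The message-filtering concept above and the "Message Attributes" practice both rely on subscription filter policies, which SNS evaluates against the attributes of each published message. The following is an added example, not part of this infrastructure's code: a small local evaluator for the subset of filter-policy semantics used with String and Number attributes (exact match, `prefix`, `anything-but`, `exists`, `numeric`), so a routing rule can be unit-tested before it is attached to a subscription. The policy, attribute names and sample messages are constructed for the example.

```typescript
// Added example: evaluates an SNS-style filter policy against message attributes.
// Semantics implemented: a policy matches when every key in it matches (AND), and a
// key matches when any of its listed conditions matches (OR). A key missing from
// the message matches only an { exists: false } condition.

type Attr = { Type: "String" | "Number"; Value: string }; // SNS carries Number values as strings
type Attributes = Record<string, Attr>;

type Condition =
  | string
  | { prefix: string }
  | { "anything-but": string[] }
  | { exists: boolean }
  | { numeric: (string | number)[] };
type FilterPolicy = Record<string, Condition[]>;

function numericMatch(ops: (string | number)[], value: number): boolean {
  // ["=", 5] or [">", 0, "<=", 100]: operator/bound pairs, all of which must hold.
  for (let i = 0; i + 1 < ops.length; i += 2) {
    const op = String(ops[i]);
    const bound = Number(ops[i + 1]);
    const ok =
      op === "=" ? value === bound :
      op === ">" ? value > bound :
      op === ">=" ? value >= bound :
      op === "<" ? value < bound :
      op === "<=" ? value <= bound : false;
    if (!ok) return false;
  }
  return ops.length > 0 && Number.isFinite(value);
}

function conditionMatches(cond: Condition, attr: Attr | undefined): boolean {
  if (typeof cond === "object" && "exists" in cond) return cond.exists === (attr !== undefined);
  if (attr === undefined) return false;
  if (typeof cond === "string") return attr.Value === cond;
  if ("prefix" in cond) return attr.Value.startsWith(cond.prefix);
  if ("anything-but" in cond) return !cond["anything-but"].includes(attr.Value);
  if ("numeric" in cond) return attr.Type === "Number" && numericMatch(cond.numeric, Number(attr.Value));
  return false;
}

export function policyMatches(policy: FilterPolicy, attrs: Attributes): boolean {
  return Object.entries(policy).every(([key, conds]) =>
    conds.some((c) => conditionMatches(c, attrs[key]))
  );
}

// Constructed sample: a "critical, non-sandbox, high error rate" subscription policy.
export const criticalOnlyPolicy: FilterPolicy = {
  severity: ["critical", { prefix: "sev1" }],
  service: [{ "anything-but": ["sandbox"] }],
  error_rate: [{ numeric: [">=", 5] }],
};

// Constructed sample messages (attribute maps as a publisher would set them).
export const criticalApiMessage: Attributes = {
  severity: { Type: "String", Value: "critical" },
  service: { Type: "String", Value: "api" },
  error_rate: { Type: "Number", Value: "12.5" },
};
export const sandboxMessage: Attributes = {
  severity: { Type: "String", Value: "sev1-paging" },
  service: { Type: "String", Value: "sandbox" },
  error_rate: { Type: "Number", Value: "40" },
};
export const lowRateMessage: Attributes = {
  severity: { Type: "String", Value: "critical" },
  service: { Type: "String", Value: "api" },
  error_rate: { Type: "Number", Value: "1" },
};
export const noSeverityMessage: Attributes = {
  service: { Type: "String", Value: "api" },
  error_rate: { Type: "Number", Value: "50" },
};
```

The evaluator is deliberately strict about missing attributes: a message that omits a key the policy names is dropped rather than forwarded, which mirrors how SNS behaves and is the safe default for alert routing.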
🛠 Examples from Our Infrastructure
Error Filter SNS Topic
We use an SNS topic to handle error notifications from CloudWatch Logs:
Error Filter SNS Configuration
```typescript
import * as aws from "@pulumi/aws";

// `stack`, `region` and `errorFilterLambdaFunction` are defined elsewhere in the stack.
export const snsTopicErrorAlerts = new aws.sns.Topic(`gh-errorfilter-${stack}-sns-${region}-webhook`);

// Deliver every message published to the topic to the error-filter Lambda.
new aws.sns.TopicSubscription(`gh-errorfilter-${stack}-sns-${region}-subscription`, {
  topic: snsTopicErrorAlerts.arn,
  protocol: "lambda",
  endpoint: errorFilterLambdaFunction.arn,
});

// Allow SNS to invoke the function, but only on behalf of this one topic (sourceArn).
new aws.lambda.Permission(`gh-errorfilter-${stack}-sns-${region}-permission`, {
  action: "lambda:InvokeFunction",
  function: errorFilterLambdaFunction.name,
  principal: "sns.amazonaws.com",
  sourceArn: snsTopicErrorAlerts.arn,
});
```
This configuration creates an SNS topic and subscribes a Lambda function to it. It also grants SNS permission to invoke the Lambda function; the `sourceArn` condition scopes that grant to this topic alone, so a message published to any other topic cannot trigger the function through this permission.
Resource Alarm SNS Topic
We have another SNS topic for handling CloudWatch Alarm notifications:
Resource Alarm SNS Configuration
```typescript
import * as aws from "@pulumi/aws";

// `stack`, `region` and `lambdaDiscordCWFuntion` (the Discord-forwarding Lambda) are defined elsewhere in the stack.
export const snsTopicDiscordCw = new aws.sns.Topic(`gh-discord-${stack}-sns-${region}-webhook`);

// Deliver CloudWatch Alarm notifications published to the topic to the Discord Lambda.
new aws.sns.TopicSubscription(`gh-discord-${stack}-sns-${region}-subscription`, {
  topic: snsTopicDiscordCw.arn,
  protocol: "lambda",
  endpoint: lambdaDiscordCWFuntion.arn,
});

// Allow SNS to invoke the function, scoped to this topic via sourceArn.
new aws.lambda.Permission(`gh-discord-${stack}-lambda-${region}-permission`, {
  action: "lambda:InvokeFunction",
  function: lambdaDiscordCWFuntion.name,
  principal: "sns.amazonaws.com",
  sourceArn: snsTopicDiscordCw.arn,
});
```
This setup is similar to the error filter configuration but is used specifically for CloudWatch Alarms.
🔗 Useful Links
- Amazon SNS Developer Guide
- SNS Best Practices
- Using Amazon SNS for Application-to-Person (A2P) Messaging
- Amazon SNS Message Filtering
Remember to keep this document up-to-date as you modify the SNS configuration in your infrastructure. Regular reviews will ensure that your notification strategy remains effective and aligned with your operational needs.