Control Tower sends notifications for important governance events — account enrollments, guardrail violations, landing zone updates, and more. These notifications are critical for staying aware of what’s happening in your organization. So when they stop showing up in your inbox, you’ve got a problem. I’ve debugged this enough times to know where to look. In this post, I’ll show you how to diagnose and restore Control Tower SNS notifications.

The Problem

Control Tower publishes notifications to an SNS topic in the Audit account called aws-controltower-AggregateSecurityNotifications. When a governance event occurs (like a guardrail violation), Control Tower sends a message to this topic. The topic should be subscribed to your email address, Slack webhook, Lambda function, or another endpoint. If notifications stop arriving, something in this pipeline has broken.

Failure Type                 Description
Topic deleted                SNS topic was manually deleted
Topic modified               Topic settings were changed (e.g., encryption)
Subscription deleted         Email or Lambda subscription was removed
Subscription not confirmed   Email subscription pending confirmation
Lambda permissions missing   Lambda subscriber lacks permission to be invoked
KMS key issue                Encrypted topic key permissions changed

Why Does This Happen?

  • SNS topic in the Audit account was manually deleted or modified — Control Tower manages the aws-controltower-AggregateSecurityNotifications topic. If you deleted it or significantly changed its settings, notifications stop flowing.
  • Subscription (email or Lambda) was deleted from the topic — Individual subscriptions to the topic can be deleted. If you or someone else removed the email or Lambda subscription, notifications no longer go to that endpoint.
  • KMS encryption on the SNS topic — subscription Lambda doesn’t have kms:Decrypt — If the SNS topic is encrypted with KMS, the subscribing Lambda needs explicit permission to decrypt messages. Without this, the Lambda subscription fails silently.
  • Email subscription not confirmed — When you first subscribe an email to SNS, AWS sends a confirmation email. The subscription is “PendingConfirmation” until you click the confirmation link. If this email bounces or is not confirmed, the subscription remains inactive.
  • AWS Health events not triggering as expected — Some notifications rely on AWS Health events or Control Tower-specific events. If the EventBridge rule that routes these to SNS is misconfigured or disabled, notifications won’t be sent.

The Fix

Work through the following steps in order to restore Control Tower notifications.

Step 1: Verify the SNS Topic Exists

Log into the Audit account and check for the SNS topic:

aws sns list-topics \
  --region us-east-1 \
  --output table

Look for aws-controltower-AggregateSecurityNotifications. If it’s missing, you’ll need to let Control Tower repair the landing zone to restore it.

Step 2: Check Subscriptions

List all subscriptions to the topic:

aws sns list-subscriptions-by-topic \
  --topic-arn arn:aws:sns:us-east-1:AUDIT-ACCOUNT-ID:aws-controltower-AggregateSecurityNotifications \
  --region us-east-1 \
  --output table

You should see at least one subscription (to your email, Lambda, or other endpoint). Check the SubscriptionArn and Endpoint columns.

Step 3: Check Subscription Status

For each subscription, check its status:

  • PendingConfirmation (email): The email subscription was not confirmed. Check your email (including spam) for an AWS SNS confirmation email and click the link.
  • Active (email): The subscription is confirmed and should be receiving notifications.
  • Failed (Lambda): The Lambda subscription failed, likely due to permissions or KMS encryption issues.

Step 4: Re-Subscribe if Needed

If a subscription is missing or failed, re-subscribe:

For email:

aws sns subscribe \
  --topic-arn arn:aws:sns:us-east-1:AUDIT-ACCOUNT-ID:aws-controltower-AggregateSecurityNotifications \
  --protocol email \
  --notification-endpoint your-email@company.com \
  --region us-east-1

AWS will send a confirmation email. Click the link to confirm.

For Lambda:

aws sns subscribe \
  --topic-arn arn:aws:sns:us-east-1:AUDIT-ACCOUNT-ID:aws-controltower-AggregateSecurityNotifications \
  --protocol lambda \
  --notification-endpoint arn:aws:lambda:us-east-1:AUDIT-ACCOUNT-ID:function:MyFunction \
  --region us-east-1

Then grant SNS permission to invoke the Lambda:

aws lambda add-permission \
  --function-name MyFunction \
  --statement-id SNSInvoke \
  --action lambda:InvokeFunction \
  --principal sns.amazonaws.com \
  --source-arn arn:aws:sns:us-east-1:AUDIT-ACCOUNT-ID:aws-controltower-AggregateSecurityNotifications \
  --region us-east-1

Step 5: Repair the Landing Zone

If the SNS topic is missing or significantly misconfigured, the safest fix is to repair the landing zone:

Control Tower → Landing Zone → Check for drift → Repair

This re-deploys the SNS topic and re-configures it correctly.

Step 6: Test Notifications

To test notifications, manually trigger a guardrail violation (in a non-prod account). For example, create an unencrypted S3 bucket if you have a guardrail that requires encryption. This will trigger a guardrail violation notification.

How to Run This

  1. Log into the Audit account (or switch to it if in a different account).
  2. Open the SNS console or run the list-topics command above.
  3. Verify the aws-controltower-AggregateSecurityNotifications topic exists.
  4. Run the list-subscriptions-by-topic command to see all subscriptions.
  5. Check the status of each subscription (PendingConfirmation, Active, etc.).
  6. For email subscriptions: if PendingConfirmation, check your email for the confirmation link and click it.
  7. If a subscription is missing: run the subscribe command above for your endpoint type.
  8. If the topic is missing: repair the landing zone to restore it.
  9. Test by triggering a guardrail violation and verify the notification arrives.
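As an added example (not code from the original post), the script below turns Steps 1 through 5 into checks that run over the API responses, so the same diagnosis can be repeated across accounts. It assumes you pass in boto3 results from list_topics, list_subscriptions_by_topic and Lambda get_policy; the account id, email endpoint and function name are constructed placeholders.

```python
import json

TOPIC_NAME = "aws-controltower-AggregateSecurityNotifications"

def subscription_status(sub):
    """SNS marks an unconfirmed email subscription with a placeholder SubscriptionArn."""
    return "PendingConfirmation" if sub.get("SubscriptionArn") == "PendingConfirmation" else "Active"

def sns_can_invoke(policy_json, topic_arn):
    """True if the Lambda resource policy (get_policy()['Policy'] string) lets sns.amazonaws.com invoke it."""
    for st in json.loads(policy_json).get("Statement", []):
        principal = st.get("Principal", {})
        source = st.get("Condition", {}).get("ArnLike", {}).get("AWS:SourceArn")
        if (st.get("Effect") == "Allow" and st.get("Action") == "lambda:InvokeFunction"
                and isinstance(principal, dict) and principal.get("Service") == "sns.amazonaws.com"
                and source in (None, topic_arn)):  # unrestricted, or scoped to this exact topic
            return True
    return False

def diagnose(topics, subs, lambda_policies):
    """Walk Steps 1-5 over API responses; lambda_policies maps function ARN -> policy JSON string."""
    topic_arn = next((t["TopicArn"] for t in topics if t["TopicArn"].endswith(":" + TOPIC_NAME)), None)
    if topic_arn is None:
        return ["Topic missing: repair the landing zone (Step 5)"]
    findings, active = [], []
    for sub in subs:
        if subscription_status(sub) == "PendingConfirmation":
            findings.append(f"{sub['Endpoint']}: pending confirmation (Step 3)")
        else:
            active.append(sub)
    if not active:
        findings.append("No active subscriptions: re-subscribe (Step 4)")
    for sub in active:
        policy = lambda_policies.get(sub["Endpoint"])
        if sub["Protocol"] == "lambda" and not (policy and sns_can_invoke(policy, topic_arn)):
            findings.append(f"{sub['Endpoint']}: SNS is not allowed to invoke it (Step 4)")
    return findings

# Constructed sample responses (not real account data), shaped like boto3's list_topics()["Topics"], list_subscriptions_by_topic()["Subscriptions"] and get_policy()["Policy"].
TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:" + TOPIC_NAME
LAMBDA_ARN = "arn:aws:lambda:us-east-1:111122223333:function:MyFunction"
SAMPLE_TOPICS = [{"TopicArn": TOPIC_ARN}]
SAMPLE_SUBS = [
    {"SubscriptionArn": "PendingConfirmation", "Protocol": "email", "Endpoint": "secops@example.com"},
    {"SubscriptionArn": TOPIC_ARN + ":1a2b3c4d", "Protocol": "lambda", "Endpoint": LAMBDA_ARN},
]
# The function's policy still names a retired topic in its SourceArn condition, so delivery from the Control Tower topic is rejected even though the subscription looks Active.
SAMPLE_POLICIES = {LAMBDA_ARN: json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "sns.amazonaws.com"}, "Action": "lambda:InvokeFunction",
    "Resource": LAMBDA_ARN, "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:sns:us-east-1:111122223333:old-topic"}}}]})}
```

Call diagnose with the real responses for the Audit account and each non-empty finding points at the step in this post that fixes it.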

Is This Safe?

Yes. Re-subscribing to SNS is safe. Email and Lambda subscriptions are additive — you can have multiple subscribers to the same topic. Repairing the landing zone restores Control Tower-managed resources idempotently.

Key Takeaway

Control Tower SNS notifications fail when subscriptions are deleted, not confirmed, or when the topic is missing. Verify subscriptions exist, confirm email subscriptions, and repair the landing zone if the topic is missing.
