Post

Understanding NoAvailableDeliveryChannelException in AWS Config

Posted
By Exception Decoded 3 min read

AWS Config is a service that allows you to assess, audit, and evaluate the configurations of your AWS resources. However, while working with AWS Config, developers may encounter several exceptions. One such exception is NoAvailableDeliveryChannelException. In this article, we will explore what this exception means, when it occurs, and how to handle it effectively.

What is NoAvailableDeliveryChannelException?

The NoAvailableDeliveryChannelException is part of the com.amazonaws.services.config.model package in the AWS SDK for Java. This exception is thrown when AWS Config is unable to deliver configuration snapshots and configuration history to an S3 bucket or Amazon SNS topic. It essentially indicates that there is no configured delivery channel available for AWS Config to use for delivering its records.

Common Causes

  1. Delivery Channel Not Configured: The most common cause of this exception is that the user has not configured a delivery channel in AWS Config.

  2. Insufficient Permissions: If the IAM role associated with AWS Config does not have the necessary permissions to deliver data to the specified S3 bucket or SNS topic, this exception may be thrown.

  3. S3 Bucket Not Found: If the specified S3 bucket does not exist or is inaccessible (due to incorrect policies, for example), it can lead to this exception.

  4. SNS Topic Misconfiguration: If the SNS topic’s policy does not allow AWS Config to publish notifications, it can result in the absence of a delivery channel.

How to Handle NoAvailableDeliveryChannelException

To effectively handle the NoAvailableDeliveryChannelException, follow these steps:

Step 1: Ensure Delivery Channel Configuration

You need to ensure a delivery channel is configured for AWS Config. You can create one using the AWS Management Console or AWS SDK. Below is an example using the AWS SDK for Java.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

import com.amazonaws.services.config.AWSConfig;
import com.amazonaws.services.config.AWSConfigClientBuilder;
import com.amazonaws.services.config.model.PutDeliveryChannelRequest;
import com.amazonaws.services.config.model.PutDeliveryChannelResult;

public class ConfigDeliveryChannel {
    public static void main(String[] args) {
        AWSConfig configClient = AWSConfigClientBuilder.defaultClient();

        PutDeliveryChannelRequest request = new PutDeliveryChannelRequest()
                .withDeliveryChannelName("myDeliveryChannel")
                .withS3BucketName("my-config-bucket")
                .withS3KeyPrefix("config/")
                .withSNSDestinationArn("arn:aws:sns:us-west-2:123456789012:my-topic");

        try {
            PutDeliveryChannelResult response = configClient.putDeliveryChannel(request);
            System.out.println("Delivery Channel Created: " + response);
        } catch (NoAvailableDeliveryChannelException e) {
            System.err.println("Delivery channel configuration is missing: " + e.getMessage());
        }
    }
}

Step 2: Validate IAM Permissions

Ensure that the IAM role used by AWS Config has the right permissions to access the S3 bucket and SNS topic. You can check the trust policy and permissions policy of the role associated with AWS Config. Here’s a sample policy:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetBucketAcl"
            ],
            "Resource": "arn:aws:s3:::my-config-bucket/*"
        },
        {
            "Effect": "Allow",
            "Action": "sns:Publish",
            "Resource": "arn:aws:sns:us-west-2:123456789012:my-topic"
        }
    ]
}

Step 3: Verify the S3 Bucket and SNS Topic

Make sure you check that the S3 bucket and SNS topic you are using exist and are correctly configured. The S3 bucket should have the necessary policy allowing AWS Config to write to it:

1
2
3
4
5
6
7
8
9
10
11
12
13

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "config.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::my-config-bucket/*"
        }
    ]
}

For SNS, ensure that the policy allows AWS Config to publish messages:

1
2
3
4
5
6
7
8
9
10
11
12
13

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "config.amazonaws.com"
            },
            "Action": "SNS:Publish",
            "Resource": "arn:aws:sns:us-west-2:123456789012:my-topic"
        }
    ]
}

Step 4: Exception Handling in Your Code

You should always handle the NoAvailableDeliveryChannelException in your application code to ensure smooth operations. Here’s how you can do it:

1
2
3
4
5
6
7

try {
    PutDeliveryChannelResult response = configClient.putDeliveryChannel(request);
    System.out.println("Delivery Channel Configured successfully: " + response);
} catch (NoAvailableDeliveryChannelException e) {
    System.err.println("Delivery Channel Error: " + e.getMessage());
    // Consider implementing fallback or alerting mechanisms here
}

Conclusion

The NoAvailableDeliveryChannelException in AWS Config is a critical exception that indicates misconfiguration of delivery options for AWS resource configurations. By ensuring that your delivery channel is set up, your IAM policies are correct, and your resources exist, you can avoid encountering this exception. Implementing thorough error handling in your application can also help mitigate any issues arising from this exception.

References

AWS, AWS Config
aws config com.amazonaws.services.config.model
This post is licensed under CC BY 4.0 by the author.