CloudWatch Alarms is not authorized to perform: lambda:InvokeFunction on the resource because because no resource-based policy allows the lambda:InvokeFunction action

0

Hi,

I need to run a Fargate task from CloudWatch when a specific alarm is fired. To do that, I'm trying to call a Lambda function that will run a Fargate task. The Lambda function runs fine in test mode, but when it's called from the CloudWatch alarm I see the following error in the alarm history:

  • CloudWatch Alarms is not authorized to perform: lambda:InvokeFunction on the resource because because no resource-based policy allows the lambda:InvokeFunction action.

What do I need to do to solve this problem? Thanks!

2 Answers
4

Just adding to what has been mentioned here earlier. First, you need to add a resource policy to your target Lambda function through the AWS CLI. The catch here is that you can't add a resource policy for a CloudWatch Alarm through the UI, unlike other sources such as SNS, SQS, etc., so you'll have to add the resource policy through the AWS CLI, as mentioned in the AWS documentation:

aws lambda add-permission \
--function-name my-function-name \
--statement-id AlarmAction \
--action 'lambda:InvokeFunction' \
--principal lambda.alarms.cloudwatch.amazonaws.com \
--source-account 111122223333 \
--source-arn arn:aws:cloudwatch:us-east-1:111122223333:alarm:alarm-name

Once you add this to your target lambda function, CloudWatch Alarm should be able to invoke your lambda function.


Reference Doc: Using Amazon CloudWatch alarms

AWS
EXPERT
answered 3 months ago
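
A read-only check of the resulting resource policy, as an added example that is not part of the original answers: it parses the `Policy` string returned by `aws lambda get-policy` and reports whether the CloudWatch alarm principal can invoke the function and whether the grant is pinned to the account and alarm ARN used in the command above. The function name `audit_alarm_permission` and the sample policy are constructed for illustration.

```python
import json

ALARM_PRINCIPAL = "lambda.alarms.cloudwatch.amazonaws.com"
ACCOUNT = "111122223333"  # placeholder account id from the command above
ALARM_ARN = "arn:aws:cloudwatch:us-east-1:111122223333:alarm:alarm-name"

# Constructed sample: the policy document the add-permission call above produces.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AlarmAction", "Effect": "Allow",
    "Principal": {"Service": ALARM_PRINCIPAL},
    "Action": "lambda:InvokeFunction",
    "Resource": "arn:aws:lambda:us-east-1:111122223333:function:my-function-name",
    "Condition": {"StringEquals": {"AWS:SourceAccount": ACCOUNT},
                  "ArnLike": {"AWS:SourceArn": ALARM_ARN}}}]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_values(condition, key):
    """Values for a condition key under any operator (key names are case-insensitive)."""
    return [v for operands in condition.values()
            for name, value in operands.items() if name.lower() == key.lower()
            for v in _as_list(value)]

def audit_alarm_permission(policy_json, account_id, alarm_arn):
    """Return (granted, findings) for CloudWatch alarm invocation of the function."""
    granted, findings = False, []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or ALARM_PRINCIPAL not in services:
            continue
        if not set(_as_list(stmt.get("Action", []))) & {"lambda:InvokeFunction", "lambda:*", "*"}:
            continue
        granted = True
        cond, sid = stmt.get("Condition", {}), stmt.get("Sid", "<no Sid>")
        # Exact match only: a wildcard ARN pattern is reported as not pinned.
        if account_id not in _condition_values(cond, "aws:SourceAccount"):
            findings.append(f"{sid}: aws:SourceAccount is not pinned to {account_id}")
        if alarm_arn not in _condition_values(cond, "aws:SourceArn"):
            findings.append(f"{sid}: aws:SourceArn is not pinned to {alarm_arn}")
    if not granted:
        findings.append(f"no statement allows {ALARM_PRINCIPAL} to invoke the function")
    return granted, findings

if __name__ == "__main__":
    print(audit_alarm_permission(SAMPLE_POLICY, ACCOUNT, ALARM_ARN))
```

A grant without the `--source-account` and `--source-arn` conditions lets any alarm reach the function through the service principal, which is what the two pinning findings flag.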
2

That error is telling you that the CloudWatch service does not have permission to invoke the Lambda. The easiest way is to update the resource policy to allow CloudWatch to invoke the service. [1]

If you provide a bit more detail on what you are looking to build, we may be able to offer a more detailed answer or recommend patterns that are resilient.

[1] https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-actions-Lambda : Using Amazon CloudWatch alarms - Lambda alarm actions

AWS
answered 3 months ago
