How do I configure a CloudWatch alarm with an encrypted SNS topic?

3 minute read

I want to configure an Amazon CloudWatch alarm with an encrypted Amazon Simple Notification Service (Amazon SNS) topic.

Short description

You must use a customer managed key to successfully deliver Amazon SNS notifications with an encrypted Amazon SNS topic for a CloudWatch alarm. If you use the default AWS Key Management Service (AWS KMS) key for encryption, then the CloudWatch alarm fails to initiate the alarm action. When the alarm fails to initiate the alarm action, a message similar to the following appears in the Alarm History section:

"Failed to execute action arn:aws:sns:us-east-1:ACCOUNT_ID:TOPIC_NAME. Received error: "CloudWatch Alarms does not have authorization to access the SNS topic encryption key.""


To configure a CloudWatch alarm with an encrypted Amazon SNS topic, complete the following steps:

  1. Open the Amazon SNS console.

  2. Choose Create topic.

  3. For Type, choose Standard, and then create a topic name and display name.

  4. Expand the Encryption - optional setting to turn on Encryption.

  5. Select a customer managed key.
    Note: If Amazon SNS uses the default AWS KMS key alias/aws/sns for the encryption, then CloudWatch alarms can't publish messages. The default AWS KMS key policy for Amazon SNS doesn't allow CloudWatch alarms to perform kms:Decrypt and kms:GenerateDataKey API calls. You can't manually edit policies for AWS managed keys.

  6. Manually edit the key policy to grant CloudWatch alarms the permissions to publish messages to encrypted Amazon SNS topics. Make sure that the customer managed key includes the following permissions under the Statement section of the policy:

      "Sid": "Allow_CloudWatch_for_CMK",  
      "Effect": "Allow",  
      "Principal": {  
        "Service": [  
      "Action": [  
      "Resource": "*"  
  7. Make sure that the Access policy of the Amazon SNS topic includes permissions to allow CloudWatch alarms to publish messages to the Amazon SNS topic. Use the following statement:
    Note: Replace example-region with your AWS Region, example-account-id with the account ID, and example-topic with the topic name.

      "Sid": "Allow_Publish_Alarms",  
      "Effect": "Allow",  
      "Principal": {  
        "Service": [  
      "Action": "sns:Publish",  
      "Resource": "arn:aws:sns:example-region:example-account-id:example-topic"}
  8. Select Create topic.

  9. Create the CloudWatch alarm based on one of the following:
    Static threshold
    Metric math expression
    Metrics Insights query
    Connected data source
    Anomaly detection

Related information

Using Amazon CloudWatch alarms

Encrypting messages published to Amazon SNS with AWS KMS

Why didn't I receive an SNS notification for my CloudWatch alarm trigger?