How do I invoke a cross-account SNS topic with a CloudWatch alarm?


I want to invoke an Amazon Simple Notification Service (Amazon SNS) topic with an Amazon CloudWatch alarm across different AWS accounts.

Resolution

To invoke a cross-account Amazon SNS topic with a CloudWatch alarm, complete the following steps:

Note: The following steps use two accounts. Account A is used to create the CloudWatch alarm and account B is used to create an Amazon SNS topic.

Create an Amazon SNS topic in account B

Complete the following steps:

  1. Open the Amazon SNS console.
  2. In the navigation pane, choose Topics, and then choose Create Topic.
  3. Choose Standard for the topic type, and then create a name for the topic.
  4. Choose Create topic, and then copy the ARN of the topic.
  5. In the navigation pane, choose Subscriptions, and then choose Create Subscription.
  6. Add the topic's ARN in the Topic ARN section, and then choose Email as the protocol.
  7. Choose Create Subscription, and then check your email to confirm the subscription.

Create a CloudWatch alarm in account A

Complete the following steps:

  1. Open the CloudWatch console.
  2. In the navigation pane, choose Alarms, and then choose Create Alarm.
  3. Select your metric, and then provide details for the threshold and comparison parameters.
  4. From Configure Actions, under Notifications, choose Use topic ARN to notify other accounts, and then enter the topic ARN from account B.
  5. Create a name for the alarm, and then choose Create Alarm.

Update the access policy of the Amazon SNS topic in account B

To update the access policy of the Amazon SNS topic in account B to allow the alarm to publish messages, complete the following steps:

  1. Open the Amazon SNS console.
  2. In the navigation pane, choose Topics, and then select the topic.
  3. Choose Edit, and then make sure that the policy is in the following example format:
    {
      "Version": "2008-10-17",
      "Id": "__default_policy_ID",
      "Statement": [
        {
          "Sid": "__default_statement_ID",
          "Effect": "Allow",
          "Principal": {
            "AWS": "*"
          },
          "Action": [
            "SNS:GetTopicAttributes",
            "SNS:SetTopicAttributes",
            "SNS:AddPermission",
            "SNS:RemovePermission",
            "SNS:DeleteTopic",
            "SNS:Subscribe",
            "SNS:ListSubscriptionsByTopic",
            "SNS:Publish"
          ],
          "Resource": "example-topic-arn-account-b",
          "Condition": {
            "ArnLike": {
              "aws:SourceArn": "arn:aws:cloudwatch:example-region:111122223333:alarm:*"
            }
          }
        }
      ]
    }

    The wildcard principal is scoped by the aws:SourceArn condition: only requests that CloudWatch makes on behalf of an alarm in account 111122223333 (account A) match the statement.
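As an added example that is not part of the original article, the following Python builds a tighter version of the topic policy above (granting only SNS:Publish to account A's alarms) and audits a topic policy for the two properties that matter here: the account A alarm is actually allowed to publish to the topic, and no wildcard-principal statement lacks an aws:SourceArn condition. The account IDs and ARNs are constructed sample values, and ArnLike matching is approximated with fnmatch.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample values (not real accounts): account A owns the alarm, account B the topic.
TOPIC_ARN = "arn:aws:sns:us-east-1:444455556666:alerts-topic"
ALARM_ACCOUNT = "111122223333"

def build_alarm_publish_policy(topic_arn, alarm_account_id, region):
    """Topic policy letting any CloudWatch alarm in alarm_account_id publish to topic_arn.
    Only SNS:Publish is granted; topic-management actions stay with the topic owner."""
    return {
        "Version": "2008-10-17",
        "Statement": [{
            "Sid": "AllowCrossAccountAlarmPublish",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "SNS:Publish",
            "Resource": topic_arn,
            # The condition scopes the '*' principal to requests CloudWatch makes for account A alarms.
            "Condition": {"ArnLike": {
                "aws:SourceArn": f"arn:aws:cloudwatch:{region}:{alarm_account_id}:alarm:*"}},
        }],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_topic_policy(policy, topic_arn, alarm_arn):
    """Return findings; an empty list means alarm_arn is allowed to publish to topic_arn."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings, publish_ok = [], False
    for st in doc.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        # ArnLike wildcards (* and ?) are approximated with fnmatch, which suffices for ARNs.
        patterns = _as_list(st.get("Condition", {}).get("ArnLike", {}).get("aws:SourceArn", []))
        if wildcard and not patterns:  # unconditioned '*' principal: any AWS principal may use these actions
            findings.append(f"{st.get('Sid')}: Principal '*' with no aws:SourceArn condition")
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        grants_publish = any(a in ("sns:publish", "sns:*", "*") for a in actions)
        on_topic = any(fnmatchcase(topic_arn, r) for r in _as_list(st.get("Resource", [])))
        if grants_publish and on_topic and any(fnmatchcase(alarm_arn, p) for p in patterns):
            publish_ok = True
    if not publish_ok:
        findings.append(f"no Allow statement lets {alarm_arn} publish to {topic_arn}")
    return findings
```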

Test the alarm

To test the alarm, either change the alarm threshold based on the metric data points, or manually change the alarm state. When you change the alarm threshold or manually change the alarm state, you receive an email notification.

Related information

Allow any CloudWatch alarm to publish to a topic in a different account

Why didn't I receive an SNS notification for my CloudWatch alarm trigger?

SetAlarmState