I want to configure an Amazon CloudWatch alarm with an encrypted Amazon Simple Notification Service (Amazon SNS) topic.
Short description
To deliver CloudWatch alarm notifications through an encrypted Amazon SNS topic, you must encrypt the topic with an AWS Key Management Service (AWS KMS) customer managed key. If you use the default AWS managed key (alias/aws/sns) for encryption, the CloudWatch alarm fails to initiate the alarm action, and you receive a message similar to the following in the Alarm History section:
"Failed to execute action arn:aws:sns:us-east-1:ACCOUNT_ID:TOPIC_NAME. Received error: "CloudWatch Alarms does not have authorization to access the SNS topic encryption key.""
Note: The default AWS KMS key policy for Amazon SNS doesn't allow CloudWatch alarms to perform kms:Decrypt and kms:GenerateDataKey API calls. You can't manually edit policies for AWS managed keys.
Resolution
To configure a CloudWatch alarm with an encrypted Amazon SNS topic, complete the following steps:
- Open the Amazon SNS console.
- Choose Create topic.
- For Type, choose Standard, and then create a topic name and display name.
- Expand the Encryption - optional setting to turn on Encryption.
- Select a customer managed key.
- Manually edit the key policy to grant CloudWatch alarms the Decrypt and GenerateDataKey permissions to publish messages to encrypted Amazon SNS topics. Add a statement similar to the following:
    {
        "Sid": "Allow_CloudWatch_for_CMK",
        "Effect": "Allow",
        "Principal": {
            "Service": [
                "cloudwatch.amazonaws.com"
            ]
        },
        "Action": [
            "kms:Decrypt",
            "kms:GenerateDataKey*"
        ],
        "Resource": "*"
    }
- (Optional) To make the policy more restrictive, include a Condition element. For example, the aws:SourceOrgID condition context key in the following fragment allows the action only from organization o-123456789:

    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "aws:SourceOrgID": "o-123456789"
        }
    }
- Make sure that the Amazon SNS topic's access policy includes the Publish permission to allow CloudWatch alarms to publish messages to the Amazon SNS topic:
    {
        "Sid": "Allow_Publish_Alarms",
        "Effect": "Allow",
        "Principal": {
            "Service": [
                "cloudwatch.amazonaws.com"
            ]
        },
        "Action": "sns:Publish",
        "Resource": "arn:aws:sns:example-region:example-account-id:example-topic"
    }
Note: Replace example-region with your AWS Region, example-account-id with the account ID, and example-topic with the topic name.
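The two policy statements above can be generated and verified programmatically. The following added example (not AWS's own code, and not part of the original article) builds the key-policy statement, with or without the optional aws:SourceOrgID condition, builds the topic-policy statement for a given topic ARN, and checks an existing key policy and topic policy for the grants the CloudWatch service principal needs. The sample key policy, account ID, organization ID and topic ARN are constructed placeholders; the check matches Action and Resource wildcards the way IAM does but does not evaluate Deny statements or Condition blocks, so it confirms that the required grant is present rather than simulating a full authorization decision.

```python
"""Build and check the KMS key-policy and SNS topic-policy statements a CloudWatch
alarm needs to publish to an encrypted topic. Added example; not AWS's own code."""
import fnmatch
import json

CLOUDWATCH_PRINCIPAL = "cloudwatch.amazonaws.com"
# Permissions CloudWatch alarms need on the key and on the topic.
KMS_ACTIONS_REQUIRED = ("kms:Decrypt", "kms:GenerateDataKey")
SNS_ACTIONS_REQUIRED = ("sns:Publish",)


def kms_key_statement(org_id=None):
    """Key-policy statement; org_id adds the optional aws:SourceOrgID condition."""
    statement = {
        "Sid": "Allow_CloudWatch_for_CMK",
        "Effect": "Allow",
        "Principal": {"Service": [CLOUDWATCH_PRINCIPAL]},
        "Action": ["kms:Decrypt", "kms:GenerateDataKey*"],
        "Resource": "*",
    }
    if org_id:
        statement["Condition"] = {"StringEquals": {"aws:SourceOrgID": org_id}}
    return statement


def sns_topic_statement(topic_arn):
    """Topic access-policy statement scoped to one topic ARN."""
    return {
        "Sid": "Allow_Publish_Alarms",
        "Effect": "Allow",
        "Principal": {"Service": [CLOUDWATCH_PRINCIPAL]},
        "Action": "sns:Publish",
        "Resource": topic_arn,
    }


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def with_statement(policy, statement):
    """Return a deep copy of policy (dict or JSON text) with statement appended."""
    doc = json.loads(policy if isinstance(policy, str) else json.dumps(policy))
    doc["Statement"] = _as_list(doc.get("Statement")) + [statement]
    return doc


def _service_principals(statement):
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("Service"))
    return []


def missing_grants(policy, required_actions, resource):
    """Required actions that no Allow statement for the CloudWatch service principal
    grants on resource. Wildcards are matched shell-style, so "kms:GenerateDataKey*"
    covers kms:GenerateDataKey. Deny statements and Conditions are not evaluated."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    granted = set()
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principals = _service_principals(stmt)
        if CLOUDWATCH_PRINCIPAL not in principals and "*" not in principals:
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource"))):
            continue
        for pattern in _as_list(stmt.get("Action")):
            granted.update(a for a in required_actions if fnmatch.fnmatchcase(a, pattern))
    return [a for a in required_actions if a not in granted]


def alarm_publish_problems(key_policy, topic_policy, topic_arn):
    """Map each policy to the grants it lacks; an empty map means the alarm can publish."""
    problems = {}
    kms_missing = missing_grants(key_policy, KMS_ACTIONS_REQUIRED, "*")
    if kms_missing:
        problems["key_policy"] = kms_missing
    sns_missing = missing_grants(topic_policy, SNS_ACTIONS_REQUIRED, topic_arn)
    if sns_missing:
        problems["topic_policy"] = sns_missing
    return problems


# Constructed sample: a key policy that grants only the account root, which is the
# shape of a key policy the alarm cannot use. Account ID and ARN are placeholders.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
}
SAMPLE_TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:example-topic"
SAMPLE_TOPIC_POLICY = {"Version": "2012-10-17", "Statement": []}

if __name__ == "__main__":
    print("before:", alarm_publish_problems(SAMPLE_KEY_POLICY, SAMPLE_TOPIC_POLICY, SAMPLE_TOPIC_ARN))
    fixed_key = with_statement(SAMPLE_KEY_POLICY, kms_key_statement("o-123456789"))
    fixed_topic = with_statement(SAMPLE_TOPIC_POLICY, sns_topic_statement(SAMPLE_TOPIC_ARN))
    print("after:", alarm_publish_problems(fixed_key, fixed_topic, SAMPLE_TOPIC_ARN))
```

Run against a real key policy and topic policy (for example, the JSON returned by the AWS CLI for the key and the topic attributes), the check reports exactly which of the two policies still lacks the grant, which is the first thing to confirm when the Alarm History shows the "does not have authorization to access the SNS topic encryption key" error.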
- Choose Create topic.
- Create the CloudWatch alarm based on one of the following:
    - Static threshold
    - Metric math expression
    - Metrics Insights query
    - Connected data source
    - Anomaly detection
Related information
Using Amazon CloudWatch alarms
Encrypting messages published to Amazon SNS with AWS KMS
Why didn't I receive an SNS notification for my CloudWatch alarm trigger?