Not getting alerts from Autocalling when encryption enabled in SNS topic

0

When we enable the encryption on SNS topic then not getting autoscale related alerts from AWS side. I created the KMS key custom and gave the all permission but it's not working.

{ "Sid": "Enable SNS access to KMS", "Effect": "Allow", "Principal": { "Service": [ "ses.amazonaws.com", "s3.amazonaws.com", "cloudwatch.amazonaws.com", "events.amazonaws.com", "ec2.amazonaws.com" ] }, "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "*" }

1 Answer
1
Accepted Answer

I believe the issue is in the "Principal" field. You can use "*" Or you can use "arn:aws:iam::<accountID>:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling" Or you can create your own role with a copy of AWSServiceRoleForAutoScaling.

profile pictureAWS
EXPERT
answered a year ago
  • For a bit more detail, here is what the policy should look like and the link to the documentation. You're almost there.

    { "Sid": "Allow service-linked role use of the customer managed key", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<accountID>:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling" }, "Action": [ "kms:GenerateDataKey*", "kms:Decrypt" ], "Resource": "*" }

    https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-sns-notifications.html#sns-kms-permissions

    You can let us know if that works. Thanks.

  • Hi Team, I want to get alerts for all events in aws. If I put this only then I did not get other alerts like cloud watch and all.

    Thanks, Anuj

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions