CloudWatch Alarm permission issue with cross account KMS encrypted SNS Topic

0

Hi,

I'm trying to encrypt SNS topics in AWS Control Tower scenario using KMS.

I created a KMS key in the management account which I'm using to encrypt SNS topics in member accounts (audit, log-archive and sandbox). I'm doing all the customisation using Terraform. I gave the required permissions to the KMS key by using the following policy:

{
    "Sid": "Allow Log Archive, Audit and Development Account",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::xxxxxxxxx:root",
            "arn:aws:iam::xxxxxxxxx:root",
            "arn:aws:iam::xxxxxxxx:root"
        ]
    },
    "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
    ],
    "Resource": "*"
},
{
    "Sid": "Allow_CloudWatch_for_CMK",
    "Effect": "Allow",
    "Principal": {
        "Service":[
            "cloudwatch.amazonaws.com"
        ]
    },
    "Action": [
        "kms:Decrypt","kms:GenerateDataKey"
    ],
    "Resource": "*"
}

I'm getting the following error:

Failed to execute action arn:aws:sns:xxxx:xxxxxxxx:aws-controltower-SecurityNotifications. Received error: "CloudWatch Alarms does not have authorization to access the SNS topic encryption key.

The end goal is to satisfy security best practices and encrypt the SNS topic.

3 Answers
0

Hello, I think you also need to edit the SNS access policy to allow all other accounts. Ref. link: https://docs.aws.amazon.com/sns/latest/dg/sns-access-policy-use-cases.html

answered 2 years ago
  • Hi Manish, the SNS topic is in the local account (the same account as the CloudWatch alarms). Hence it doesn't require a policy to allow other accounts.

0

To trigger an encrypted SNS topic from a CloudWatch alarm, you additionally need the "kms:DescribeKey" permission in the key policy, which is missing from your policy.

{
    "Sid": "Allow Log Archive, Audit and Development Account",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::xxxxxxxxx:root",
            "arn:aws:iam::xxxxxxxxx:root",
            "arn:aws:iam::xxxxxxxx:root"
        ]
    },
    "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt",
        "kms:DescribeKey"
    ],
    "Resource": "*"
},
{
    "Sid": "Allow_CloudWatch_for_CMK",
    "Effect": "Allow",
    "Principal": {
        "Service":[
            "cloudwatch.amazonaws.com"
        ]
    },
    "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:DescribeKey"
    ],
    "Resource": "*"
}

FYI - We cannot use the AWS default key to encrypt the topic in this use case, so when we want to trigger an encrypted SNS topic, we have to use a custom key with the policy permissions described in the KMS policy above.

answered 2 years ago
0

Hello,

For CloudWatch alarms to trigger an encrypted SNS topic using a customer managed key, you need to add the "*" wildcard to "kms:GenerateDataKey" as "kms:GenerateDataKey*" to allow other actions such as "kms:GenerateDataKeyPair". It is this missing portion of the policy that caused the API call to return an error. Also notice that the default AWS KMS key for SNS doesn't allow CloudWatch alarms to perform the "kms:Decrypt" and "kms:GenerateDataKey" API calls.

{
    "Sid": "Allow_CloudWatch_for_CMK",
    "Effect": "Allow",
    "Principal": {
        "Service":[
            "cloudwatch.amazonaws.com"
        ]
    },
    "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey*"
    ],
    "Resource": "*"
}

Better to use your SNS topic ARN instead of "*" in the Resource section.

References:
[1] CloudWatch Alarm Trigger and SNS topic: https://repost.aws/knowledge-center/cloudwatch-receive-sns-for-alarm-trigger
[2] Customer managed key: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk

AWS
answered 8 months ago
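Added example, not from the thread or from AWS: an offline checker for the gap the answers point at. Given a KMS key policy document (for instance the JSON returned by `aws kms get-key-policy --key-id <key-id> --policy-name default --output text`), it lists which of the actions the CloudWatch service principal needs are not granted, applying IAM's case-insensitive wildcard matching and letting an explicit Deny win. The action list, the `cloudwatch_key_policy` sample builder and the sample documents are assumptions built from the statements posted above.

```python
import fnmatch

CLOUDWATCH = "cloudwatch.amazonaws.com"
# Assumed: the concrete KMS actions behind the "kms:GenerateDataKey*" wildcard
# the third answer asks for, plus kms:Decrypt. Pass
# required=REQUIRED_ACTIONS + ("kms:DescribeKey",) to also check the second
# answer's addition.
REQUIRED_ACTIONS = (
    "kms:Decrypt",
    "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:GenerateDataKeyPair",
    "kms:GenerateDataKeyPairWithoutPlaintext",
)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def action_matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def _covers_service(stmt, service):
    """True if the statement's Principal names this service principal (or everyone)."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    services = _as_list(principal.get("Service", []))
    return service in services or "*" in services

def missing_actions(policy, required=REQUIRED_ACTIONS, service=CLOUDWATCH):
    """Required actions the key policy does not grant to `service`. Explicit Deny
    wins over Allow, as in IAM. Condition, NotAction and NotPrincipal are not
    evaluated, so an empty result rules the policy out as the obvious cause only."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        if not _covers_service(stmt, service):
            continue
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in _as_list(stmt.get("Action", [])):
            bucket.update(a for a in required if action_matches(pattern, a))
    return [a for a in required if a not in allowed or a in denied]

def cloudwatch_key_policy(actions, extra_statements=()):
    """Constructed sample: a full key policy around the thread's CloudWatch statement."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "Allow_CloudWatch_for_CMK", "Effect": "Allow",
         "Principal": {"Service": [CLOUDWATCH]},
         "Action": list(actions), "Resource": "*"}, *extra_statements]}
```

`missing_actions(cloudwatch_key_policy(["kms:Decrypt", "kms:GenerateDataKey"]))` reports the three GenerateDataKey variants the question's statement leaves out, while the wildcard form from the third answer reports nothing.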
