
CloudWatch Alarm permission issue with cross account KMS encrypted SNS Topic

0

Hi,

I'm trying to encrypt SNS topics in AWS Control Tower scenario using KMS.

I created a KMS key in the management account which I'm using to encrypt SNS topics in member accounts (audit, log-archive and sandbox). I'm doing all the customisation using Terraform. I gave the required permissions to KMS key by using the following policy:

{
    "Sid": "Allow Log Archive, Audit and Development Account",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::xxxxxxxxx:root",
            "arn:aws:iam::xxxxxxxxx:root",
            "arn:aws:iam::xxxxxxxx:root"
        ]
    },
    "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
    ],
    "Resource": "*"
},
{
    "Sid": "Allow_CloudWatch_for_CMK",
    "Effect": "Allow",
    "Principal": {
        "Service": [
            "cloudwatch.amazonaws.com"
        ]
    },
    "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
    ],
    "Resource": "*"
}

Getting the following error:

Failed to execute action arn:aws:sns:xxxx:xxxxxxxx:aws-controltower-SecurityNotifications. Received error: "CloudWatch Alarms does not have authorization to access the SNS topic encryption key.

The end goal is to satisfy security best practices and encrypt the SNS topic.

2 Answers
0

Hello, I think you also need to edit the SNS access policy to allow all the other accounts. Reference link: https://docs.aws.amazon.com/sns/latest/dg/sns-access-policy-use-cases.html

answered 3 months ago
  • Hi Manish, the SNS topic is in the local account (the same account as the CloudWatch alarms), so it doesn't require a policy allowing other accounts.

0

To trigger an encrypted SNS topic from a CloudWatch alarm, you additionally need the "kms:DescribeKey" permission in the key policy, which is missing from your policy.

{
    "Sid": "Allow Log Archive, Audit and Development Account",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::xxxxxxxxx:root",
            "arn:aws:iam::xxxxxxxxx:root",
            "arn:aws:iam::xxxxxxxx:root"
        ]
    },
    "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt",
        "kms:DescribeKey"
    ],
    "Resource": "*"
},
{
    "Sid": "Allow_CloudWatch_for_CMK",
    "Effect": "Allow",
    "Principal": {
        "Service": [
            "cloudwatch.amazonaws.com"
        ]
    },
    "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:DescribeKey"
    ],
    "Resource": "*"
}

FYI: we cannot use the AWS default key to encrypt the topic in this use case, so when we want to trigger an encrypted SNS topic, we have to use a custom key with the permissions described in the KMS policy above.

answered 19 days ago
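As an added example (not code from either answerer), the following Python check reads a KMS key policy document and reports which of the three actions CloudWatch Alarms needs (kms:Decrypt, kms:GenerateDataKey, kms:DescribeKey) are not granted to the cloudwatch.amazonaws.com service principal. The sample policy is constructed to mirror the question's statement, so it reproduces the missing kms:DescribeKey; Condition blocks are deliberately ignored.

```python
import json

# Actions CloudWatch Alarms needs on a customer managed key that encrypts
# the SNS topic it publishes to (the set the answer above arrives at).
REQUIRED_ACTIONS = {"kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey"}

# Constructed sample modelled on the question's statement: kms:DescribeKey is absent.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Allow_CloudWatch_for_CMK",
        "Effect": "Allow",
        "Principal": {"Service": ["cloudwatch.amazonaws.com"]},
        "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
        "Resource": "*",
    }],
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching: exact name, or a trailing-wildcard pattern such as kms:* or *."""
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def missing_cloudwatch_actions(policy_json, service="cloudwatch.amazonaws.com"):
    """Return the required KMS actions the key policy does not grant to `service`.
    Only Allow statements naming the service (or Principal "*") count; Conditions are ignored."""
    policy = json.loads(policy_json)
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else _as_list(principal)
        if stmt.get("Effect") != "Allow" or not (service in services or "*" in services):
            continue
        for pattern in _as_list(stmt.get("Action")):
            granted.update(a for a in REQUIRED_ACTIONS if _action_matches(pattern, a))
    return sorted(REQUIRED_ACTIONS - granted)


if __name__ == "__main__":
    print(missing_cloudwatch_actions(SAMPLE_POLICY))  # ['kms:DescribeKey']
```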
