CloudWatch Alarm permission issue with cross account KMS encrypted SNS Topic

0

Hi,

I'm trying to encrypt SNS topics in AWS Control Tower scenario using KMS.

I created a KMS key in the management account which I'm using to encrypt SNS topics in member accounts (audit, log-archive and sandbox). I'm doing all the customisation using Terraform. I gave the required permissions to KMS key by using the following policy:

{
    "Sid": "Allow Log Archive, Audit and Development Account",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::xxxxxxxxx:root",
            "arn:aws:iam::xxxxxxxxx:root",
            "arn:aws:iam::xxxxxxxx:root"
        ]
    },
    "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
    ],
    "Resource": "*"
},
{
    "Sid": "Allow_CloudWatch_for_CMK",
    "Effect": "Allow",
    "Principal": {
        "Service":[
            "cloudwatch.amazonaws.com"
        ]
    },
    "Action": [
        "kms:Decrypt","kms:GenerateDataKey"
    ],
    "Resource": "*"
}

Getting the following error:

Failed to execute action arn:aws:sns:xxxx:xxxxxxxx:aws-controltower-SecurityNotifications. Received error: "CloudWatch Alarms does not have authorization to access the SNS topic encryption key.

The end goal is satisfy security best practices and encrypt the SNS topic.

3 Answers
0

Hello, I think you also need to edit SNS Access Policy, to allow all other accounts. Ref. Link:- https://docs.aws.amazon.com/sns/latest/dg/sns-access-policy-use-cases.html

answered 2 years ago
  • Hi Manish, SNS topic is in the local account (same account as cloudwatch alarms). Hence it doesn't require policy to allow other accounts.

0

To trigger an encrypted SNS topic from Cloudwatch Alarm, you need additionally "kms:DescribeKey" permission in the Key policy which is missing in your policy.

{
    "Sid": "Allow Log Archive, Audit and Development Account",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::xxxxxxxxx:root",
            "arn:aws:iam::xxxxxxxxx:root",
            "arn:aws:iam::xxxxxxxx:root"
        ]
    },
    "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt",
        "kms:DescribeKey"
    ],
    "Resource": "*"
},
{
    "Sid": "Allow_CloudWatch_for_CMK",
    "Effect": "Allow",
    "Principal": {
        "Service":[
            "cloudwatch.amazonaws.com"
        ]
    },
    "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:DescribeKey"
    ],
    "Resource": "*"
}

FYI - We cannot use AWS default key to encrypt the topic with this use case, so when we want to trigger an encrypted SNS topic, we have to use custom key with the policy permission described in the above KMS policy

answered 2 years ago
0

Hello,

For CloudWatch alarms to trigger an encrypted SNS topic using customer managed key, you need to add the "" wild card in the "kms:GenerateDataKey" as "kms:GenerateDataKey" to allow other actions such as "kms:GenerateDataKeyPair". It is this missed portion of the policy forced the API call to generate error. Also notice that, the default AWS KMS key for SNS doesn't allow CloudWatch alarms to perform "kms:Decrypt" and "kms:GenerateDataKey" API calls.

{ "Sid": "Allow_CloudWatch_for_CMK", "Effect": "Allow", "Principal": { "Service":[ "cloudwatch.amazonaws.com" ] }, "Action": [ "kms:Decrypt", "kms:GenerateDataKey*" ], # better use your SNS topic ARN instead of "" in the resource section "Resource": "" }

References [1] CloudWatch Alarm Trigger and SNS topic: https://repost.aws/knowledge-center/cloudwatch-receive-sns-for-alarm-trigger [2] Customer managed key: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk

AWS
answered 6 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions