
Can you use a CMK to encrypt a SNS topic in another account, then connect Cloudwatch Alarms to the encrypted SNS topic?


I am attempting to use a CMK from "Account A" to encrypt SNS topics in "Account B". Then, using Cloudwatch Alarms in Account B, I am trying to send messages using SNS, also in Account B.

The error occurring in Account B is "CloudWatch Alarms does not have authorization to access the SNS topic encryption key."

Let it be known that when I disable the encryption on the SNS topic, the alarm works perfectly fine. I have also attempted to follow the suggestions listed in this post, but none of them fixed my problem.

This is an example of the policy I am attempting to use:

In this case, let 111222333 = Account A and 444555666 = Account B

{
  "Version": "2012-10-17",
  "Id": "Cross-account account A to account B SNS, and Cloudwatch encryption key",
  "Statement": [
    {
      "Sid": "EnableIAMUserPermissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111222333:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key in account a when account b calls",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111222333:root"
      },
      "Action": "kms:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:CallerAccount": "444555666"
        }
      }
    },
    {
      "Sid": "AllowAccessThroughSNS",
      "Effect": "Allow",
      "Principal": {
        "Service": "sns.amazonaws.com"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowAccessThroughCloudwatch",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudwatch.amazonaws.com"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowUseOfKeyFor444555666",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::444555666:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key in Account B when Account A calls",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::444555666:root"
      },
      "Action": "kms:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:CallerAccount": "111222333"
        }
      }
    },
    {
      "Sid": "AllowSNSServiceForAccountB",
      "Effect": "Allow",
      "Principal": {
        "Service": "sns.amazonaws.com"
      },
      "Action": "kms:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": [
            "111222333",
            "444555666"
          ]
        }
      }
    },
    {
      "Sid": "AllowCloudwatchServiceForAccountB",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudwatch.amazonaws.com"
      },
      "Action": "kms:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": [
            "111222333",
            "444555666"
          ]
        }
      }
    }
  ]
}

As you can see, I played around with a lot of the permissions, attempting to find an answer to the error, but I was unable to get the policy to work.

I also tried appending the exact name of the SNS topic in Account B, in case it needed to be more specific and not so vague/open, but it had no effect either.

I believe the other SNS topics I have in Account B work perfectly fine being encrypted with a key from Account A, but it is specifically Cloudwatch Alarms that is not working. Is it possible to use a key from another account to encrypt SNS and use Cloudwatch alarms, or is it impossible currently?

Thank you for your help.

1 Answer

Using a Customer Managed Key (CMK) from one AWS account to encrypt an SNS topic in another account, and then connecting CloudWatch Alarms to that encrypted SNS topic, is a complex scenario that requires careful configuration. Based on the information provided and the error you're encountering, there are a few key points to consider:

  1. Cross-account key usage: It is possible to use a CMK from Account A to encrypt an SNS topic in Account B. However, this requires proper key policy configuration in Account A and appropriate permissions in Account B.

  2. CloudWatch Alarms and encrypted SNS topics: CloudWatch Alarms can work with encrypted SNS topics, but they require specific permissions to access the encryption key.

  3. The error message you're receiving ("CloudWatch Alarms does not have authorization to access the SNS topic encryption key") indicates that the CloudWatch service in Account B doesn't have the necessary permissions to use the CMK from Account A.

To resolve this issue, you need to focus on granting the correct permissions to the CloudWatch service in Account B to use the CMK from Account A. Here are some steps to try:

  1. In the key policy of the CMK in Account A, ensure that you have a statement that explicitly allows the CloudWatch service from Account B to use the key. You should include permissions for "kms:GenerateDataKey*" and "kms:Decrypt" actions.

  2. The policy should look something like this:

    {
      "Sid": "Allow CloudWatch in Account B to use the key",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudwatch.amazonaws.com"
      },
      "Action": [
        "kms:GenerateDataKey*",
        "kms:Decrypt"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "444555666"
        }
      }
    }

  3. In Account B, make sure that the IAM role or user that CloudWatch Alarms is using has permissions to use the CMK from Account A. This might involve creating a new IAM policy in Account B that allows the use of the specific CMK ARN from Account A.

  4. Double-check that the SNS topic's access policy in Account B allows CloudWatch to publish to it.

  5. Ensure that all requests to the encrypted SNS topic are using HTTPS and Signature Version 4.

It's worth noting that while it's technically possible to set up this cross-account encryption scenario, it adds complexity and potential points of failure. If possible, consider using a CMK within the same account as the SNS topic and CloudWatch Alarms for simplicity and easier troubleshooting.

If you've tried all these steps and are still encountering issues, you may need to reach out to AWS Support for further assistance, as there could be account-specific configurations or limitations at play.
Sources
Configure a CloudWatch alarm with an encrypted SNS topic | AWS re:Post
Securing Amazon SNS data with server-side encryption - Amazon Simple Notification Service
Managing Amazon SNS encryption keys and costs - Amazon Simple Notification Service

answered 10 months ago
EXPERT
reviewed 10 months ago
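The following is an added example and is not part of the question or the answer above. It builds the key policy the answer recommends for the CMK in Account A (the account IDs are the placeholders from the question; the key ID, region and statement Sids are assumptions), produces the topic attribute Account B must set, and runs two local checks before anything is deployed: whether the sns.amazonaws.com and cloudwatch.amazonaws.com service principals acting for Account B get kms:GenerateDataKey* and kms:Decrypt, and whether any service-principal statement lacks an aws:SourceAccount or aws:SourceArn condition. The second check is the confused-deputy caveat a reviewer would raise against the policy in the question, whose "AllowAccessThroughSNS" and "AllowAccessThroughCloudwatch" statements grant kms:* to the service principals with no condition at all, so the key is usable by those services on behalf of any AWS account. The evaluator is a deliberately small model of IAM (service principals, action wildcards, one condition key) and is not a substitute for the IAM policy simulator.

```python
# Added example, not code from the question or the answer. Account IDs are the
# question's placeholders; key ID, region and Sids are assumptions.
import fnmatch
import json

ACCOUNT_A = "111222333"  # owns the CMK
ACCOUNT_B = "444555666"  # owns the SNS topic and the CloudWatch alarm
KEY_ARN = (f"arn:aws:kms:us-east-1:{ACCOUNT_A}:key/"
           "11111111-2222-3333-4444-555555555555")  # hypothetical key ID

# What the alarm -> encrypted topic path needs from the key, per the answer.
NEEDED_BY_ALARM_PATH = [
    ("cloudwatch.amazonaws.com", "kms:GenerateDataKey"),
    ("cloudwatch.amazonaws.com", "kms:Decrypt"),
    ("sns.amazonaws.com", "kms:GenerateDataKey"),
    ("sns.amazonaws.com", "kms:Decrypt"),
]


def build_key_policy(key_owner: str, topic_account: str) -> dict:
    """Key policy for the CMK in key_owner, usable by an SNS topic and CloudWatch
    alarms in topic_account. Service principals are scoped with aws:SourceAccount
    so the same services acting for a third account cannot use the key."""
    def service_stmt(sid, service):
        return {
            "Sid": sid,
            "Effect": "Allow",
            "Principal": {"Service": service},
            "Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:SourceAccount": topic_account}},
        }
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{key_owner}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "AllowAccountBToUseKey", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{topic_account}:root"},
             "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*",
                        "kms:DescribeKey"],
             "Resource": "*"},
            service_stmt("AllowSNSInAccountB", "sns.amazonaws.com"),
            service_stmt("AllowCloudWatchInAccountB", "cloudwatch.amazonaws.com"),
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def service_allowed(policy: dict, service: str, action: str, source_account: str) -> bool:
    """Minimal evaluator for service-principal access: an explicit Deny wins;
    otherwise any Allow whose Service principal, action pattern and
    aws:SourceAccount condition (when present) all match grants access."""
    allowed = False
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if service not in services and principal != "*":
            continue
        if not any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "aws:SourceAccount" in cond and source_account not in _as_list(cond["aws:SourceAccount"]):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_grants(policy: dict, topic_account: str) -> list:
    """(service, action) pairs the alarm path needs but the policy does not grant
    to the services when they act for topic_account."""
    return [(svc, act) for svc, act in NEEDED_BY_ALARM_PATH
            if not service_allowed(policy, svc, act, topic_account)]


def unscoped_service_statements(policy: dict) -> list:
    """Sids of Allow statements for a Service principal that carry no
    aws:SourceAccount/aws:SourceArn condition: the service can use the key on
    behalf of any account (confused deputy)."""
    flagged = []
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal", {})
        if stmt["Effect"] != "Allow" or not (isinstance(principal, dict) and "Service" in principal):
            continue
        keys = {k for op in stmt.get("Condition", {}).values() for k in op}
        if not keys & {"aws:SourceAccount", "aws:SourceArn"}:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


def topic_attributes(key_arn: str) -> dict:
    """Attribute for the topic in Account B: a key in another account must be
    referenced by its full ARN, not an alias or a bare key ID."""
    if not key_arn.startswith("arn:aws:kms:"):
        raise ValueError("cross-account KmsMasterKeyId must be a full key ARN")
    return {"KmsMasterKeyId": key_arn}


if __name__ == "__main__":
    policy = build_key_policy(ACCOUNT_A, ACCOUNT_B)
    print(json.dumps(policy, indent=2))
    print("missing for Account B:", missing_grants(policy, ACCOUNT_B))
    print("unscoped service statements:", unscoped_service_statements(policy))
    print("topic attributes:", topic_attributes(KEY_ARN))
```

The printed policy is what goes into `aws kms put-key-policy` in Account A, and the `KmsMasterKeyId` value is what `aws sns set-topic-attributes` receives in Account B; the two checks run entirely offline. Running `unscoped_service_statements` against the policy from the question would return the two unconditioned service-principal Sids, which is the over-grant to remove even once the alarm works.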
