How do I configure a CloudWatch alarm with an encrypted SNS topic?

3 minute read

I want to configure an Amazon CloudWatch alarm with an encrypted Amazon Simple Notification Service (Amazon SNS) topic.

Short description

You must use a customer managed key to successfully deliver Amazon SNS notifications with an encrypted Amazon SNS topic for a CloudWatch alarm. If you use the default AWS Key Management Service (AWS KMS) key for encryption, then the CloudWatch alarm fails to initiate the alarm action. When the alarm fails to initiate the alarm action, a message similar to the following appears in the Alarm History section:

"Failed to execute action arn:aws:sns:us-east-1:ACCOUNT_ID:TOPIC_NAME. Received error: "CloudWatch Alarms does not have authorization to access the SNS topic encryption key.""

Resolution

To configure a CloudWatch alarm with an encrypted Amazon SNS topic, complete the following steps:

Open the Amazon SNS console.
Choose Create topic.
For Type, choose Standard, and then create a topic name and display name.
Expand the Encryption - optional setting to turn on Encryption.
Select a customer managed key.
Note: If Amazon SNS uses the default AWS KMS key alias/aws/sns for the encryption, then CloudWatch alarms can't publish messages. The default AWS KMS key policy for Amazon SNS doesn't allow CloudWatch alarms to perform kms:Decrypt and kms:GenerateDataKey API calls. You can't manually edit policies for AWS managed keys.

Manually edit the key policy to grant CloudWatch alarms the permissions to publish messages to encrypted Amazon SNS topics. Make sure that the customer managed key includes the following permissions under the Statement section of the policy:

{    
  "Sid": "Allow_CloudWatch_for_CMK",  
  "Effect": "Allow",  
  "Principal": {  
    "Service": [  
      "cloudwatch.amazonaws.com"  
    ]  
  },  
  "Action": [  
    "kms:Decrypt",  
    "kms:GenerateDataKey*"  
  ],  
  "Resource": "*"  
}

Make sure that the Access policy of the Amazon SNS topic includes permissions to allow CloudWatch alarms to publish messages to the Amazon SNS topic. Use the following statement:
Note: Replace example-region with your AWS Region, example-account-id with the account ID, and example-topic with the topic name.

{   
  "Sid": "Allow_Publish_Alarms",  
  "Effect": "Allow",  
  "Principal": {  
    "Service": [  
      "cloudwatch.amazonaws.com"  
    ]  
  },  
  "Action": "sns:Publish",  
  "Resource": "arn:aws:sns:example-region:example-account-id:example-topic"}

Select Create topic.
Create the CloudWatch alarm based on one of the following:
Static threshold
Metric math expression
Metrics Insights query
Connected data source
Anomaly detection

Related information

Using Amazon CloudWatch alarms

Encrypting messages published to Amazon SNS with AWS KMS

Why didn't I receive an SNS notification for my CloudWatch alarm trigger?

Topics

Management & Governance Application Integration

Relevant content

CloudWatch Alarm permission issue with cross account KMS encrypted SNS Topic
AWS-User-3229175
asked 2 years ago
SNS Topic encryption
pradeep
asked 2 months ago
Auto scaling group not publishing notification to a encrypted sns topic
AWS-User-8870508
asked a year ago
How can I send a variables from cloudwatch service to Lambda function using SNS Topic
Najeeb-Shhade
asked 9 months ago
Disconnect between alarm and SNS topic
Accepted Answer
rePost-User-6771947
asked a year ago
Why didn't I receive an SNS notification for my CloudWatch alarm trigger?
AWS OFFICIALUpdated 3 months ago
How do I invoke a cross-account SNS topic with a CloudWatch alarm?
AWS OFFICIALUpdated 2 months ago
How do I configure custom CloudWatch alarm notifications with EventBridge?
AWS OFFICIALUpdated 8 months ago
Why isn't my encrypted SNS topic receiving notification from an AWS service?
AWS OFFICIALUpdated 9 months ago
Create custom alerts in Amazon Redshift
EXPERT
Rick Fraser
published 6 months ago