CloudWatch can't send alarms to SNS topic
Hello everyone! We receive the following error in CloudWatch whenever an alarm triggers:

```
Failed to execute action arn:aws:sns:*****:***********:************-sns-cloudwatch-alarms. Received error: "CloudWatch Alarms does not have authorization to access the SNS topic encryption key."
```

We're using the SNS topic module as configured by default with the ref arch, which seems to encrypt the SNS topic with the default AWS key. Is this not the correct key to use? What are we missing? [r:terraform-aws-messaging](https://github.com/gruntwork-io/terraform-aws-messaging)
Hello,

+ If the **default AWS Key Management Service (KMS) key "alias/aws/sns"** is used for SNS topic encryption, then CloudWatch alarms **can't publish messages to the SNS topic**. The key policy of the default AWS KMS key for SNS doesn't allow CloudWatch alarms to perform the **_"kms:Decrypt"_** and **_"kms:GenerateDataKey"_** API calls. Because this key is AWS managed, you can't manually edit its policy.
+ You can use a [customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) that includes the following permissions under the Statement section of the key policy in order to allow CloudWatch alarms to publish messages to encrypted SNS topics:

```json
{
  "Sid": "Allow_CloudWatch_for_CMK",
  "Effect": "Allow",
  "Principal": {
    "Service": [
      "cloudwatch.amazonaws.com"
    ]
  },
  "Action": [
    "kms:Decrypt",
    "kms:GenerateDataKey*"
  ],
  "Resource": "*"
}
```

(Better to use your SNS topic ARN instead of `"*"`.)

Best,
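The answer above gives the key-policy statement on its own. Below is an added, end-to-end Terraform example showing where that statement sits: a customer managed KMS key whose policy carries it, an SNS topic encrypted with that key instead of `alias/aws/sns`, and an alarm whose actions target the topic. This is example code written for this page, not code from the thread or from the terraform-aws-messaging module. Assumptions: the topic name `cloudwatch-alarms`, an `AWS/EC2` CPU alarm used only as a placeholder, and the `kms:EncryptionContext:aws:sns:topicArn` condition, which relies on SNS passing the topic ARN as KMS encryption context; if you do not want that tightening, remove the `condition` block and the statement matches the one in the answer.

```hcl
# Added example: CMK + encrypted SNS topic + CloudWatch alarm wired together.
# All names below are assumptions for illustration.

terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

provider "aws" {}

variable "topic_name" {
  type    = string
  default = "cloudwatch-alarms" # assumed topic name
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  # Built by hand to avoid a cycle: the key policy references the topic ARN,
  # and the topic references the key.
  topic_arn = "arn:aws:sns:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:${var.topic_name}"
}

data "aws_iam_policy_document" "sns_cmk" {
  # Keep the account root as key administrator so the key cannot be orphaned
  # once the policy below replaces the default key policy.
  statement {
    sid       = "EnableIAMUserPermissions"
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  # The statement the AWS managed alias/aws/sns key lacks: CloudWatch Alarms
  # must generate a data key and decrypt when publishing to the encrypted topic.
  statement {
    sid     = "AllowCloudWatchAlarmsForCMK"
    effect  = "Allow"
    actions = ["kms:Decrypt", "kms:GenerateDataKey*"]
    # In a KMS key policy "*" means "this key"; the topic is scoped with the
    # encryption-context condition below, not through the resource element.
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["cloudwatch.amazonaws.com"]
    }
    # Assumption: SNS sets aws:sns:topicArn as encryption context, so this
    # limits the grant to one topic rather than every topic using the key.
    condition {
      test     = "StringEquals"
      variable = "kms:EncryptionContext:aws:sns:topicArn"
      values   = [local.topic_arn]
    }
  }
}

resource "aws_kms_key" "sns" {
  description         = "CMK for SNS topics that receive CloudWatch alarm actions"
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.sns_cmk.json
}

resource "aws_kms_alias" "sns" {
  name          = "alias/${var.topic_name}-cmk"
  target_key_id = aws_kms_key.sns.key_id
}

# The topic uses the customer managed key instead of the default alias/aws/sns.
resource "aws_sns_topic" "alarms" {
  name              = var.topic_name
  kms_master_key_id = aws_kms_key.sns.key_id
}

# Placeholder alarm; any alarm whose actions point at the topic exercises the path.
resource "aws_cloudwatch_metric_alarm" "example" {
  alarm_name          = "${var.topic_name}-example"
  comparison_operator = "GreaterThanThreshold"
  evaluation_periods  = 1
  metric_name         = "CPUUtilization"
  namespace           = "AWS/EC2"
  period              = 300
  statistic           = "Average"
  threshold           = 90
  alarm_actions       = [aws_sns_topic.alarms.arn]
  ok_actions          = [aws_sns_topic.alarms.arn]
}
```

To verify after `terraform apply`, force the alarm into the ALARM state with `aws cloudwatch set-alarm-state --alarm-name cloudwatch-alarms-example --state-value ALARM --state-reason "key policy test"` and confirm that the alarm history no longer shows the "does not have authorization to access the SNS topic encryption key" failure and that the topic's subscribers receive the notification.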