Configure an Amazon CloudWatch alarm with an encrypted Amazon Simple Notification Service (Amazon SNS) topic.
Monitoring and alerting are essential in the cloud, but securing those alerts matters too. In this post, we explore how to configure a CloudWatch alarm that notifies you through an SNS topic encrypted with an AWS KMS key, so your alert data stays protected.
Note:
You must use an AWS Key Management Service (AWS KMS) customer managed key to deliver Amazon SNS notifications with an encrypted Amazon SNS topic for a CloudWatch alarm. If you use the default alias/aws/sns AWS managed key for encryption, then the CloudWatch alarm fails to initiate the alarm action. You then receive a message that's similar to the following in the Alarm History section:
"Failed to execute action arn:aws:sns:us-east-1:ACCOUNT_ID:TOPIC_NAME. Received error: "CloudWatch Alarms does not have authorization to access the SNS topic encryption key.""
Why should we want secure CloudWatch notifications?
When an alarm is triggered, for example because CPU utilization is greater than 80%, you can send an alert through Amazon Simple Notification Service (SNS). Such alerts can carry sensitive information, such as resource details, environment details and more.
Without encryption, anybody with access to the SNS topic could potentially read these messages. With the SNS topic encrypted with KMS, you get:
- 🔐 Alert messages stay private
- ✅ Adherence to privacy regulations
- 🛡️ Defense from unauthorized access
Architecture Overview
Step 1: Create a KMS Key
1.1 To create a KMS key in AWS, follow the step-by-step instructions shown in the image.
Begin with Step 1, where you set up the key by choosing the key type and key usage. In Step 2, assign a descriptive alias and description so you can identify the key later. Step 3 (optional) lets you define key administrative permissions, that is, who may administer the key. Step 4 (optional) is where you specify key usage permissions — who or which services are allowed to use this key to encrypt or decrypt. Step 5 (optional) is where you can modify the key policy for additional permission management. Lastly, in Step 6, review all your settings and click Create to create the new KMS key.
Once the key is created, you can see it listed as shown below.
1.2 Edit the key policy to grant CloudWatch alarms the Decrypt and GenerateDataKey permissions to publish messages to encrypted Amazon SNS topics.
- Add the following statement to the key policy:

```json
{
  "Sid": "Allow_CloudWatch_for_CMK",
  "Effect": "Allow",
  "Principal": {
    "Service": [
      "cloudwatch.amazonaws.com"
    ]
  },
  "Action": [
    "kms:Decrypt",
    "kms:GenerateDataKey*"
  ],
  "Resource": "*"
}
```
Note: The default AWS KMS key policy for Amazon SNS doesn't allow CloudWatch alarms to perform kms:Decrypt and kms:GenerateDataKey API calls. You can't manually edit policies for AWS managed keys.
Step 2: Enable Encryption for SNS
2.1 Navigate to the SNS dashboard.
2.2 In the left navigation panel, select Topics.
2.3 Select the SNS topic you want to examine and click Edit.
2.4 Under Encryption, check whether server-side encryption is enabled. If it is not, enable it and select your customer managed KMS key (not the default AWS managed key).
2.5 Under Access policy, include the Publish permission so that CloudWatch alarms can publish messages to the Amazon SNS topic:

```json
{
  "Sid": "Allow_Publish_Alarms",
  "Effect": "Allow",
  "Principal": {
    "Service": [
      "cloudwatch.amazonaws.com"
    ]
  },
  "Action": "sns:Publish",
  "Resource": "arn:aws:sns:demo-region:demo-account-id:demo-topic"
}
```
Note: Replace demo-region with your AWS Region, demo-account-id with your account ID, and demo-topic with the topic name, as shown in the image.
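Both policy statements above have to be in place before the alarm action succeeds, and the Alarm History error quoted at the top of the post is what you see when the key policy one is missing. The following check, added here and not part of the original post, evaluates a KMS key policy and an SNS topic access policy (constructed sample documents with placeholder ARNs) and reports which of the three grants CloudWatch alarms still lack; it evaluates Allow statements only and ignores Deny statements and Condition elements.

```python
import fnmatch

CLOUDWATCH = "cloudwatch.amazonaws.com"
# Constructed sample ARNs; region, account id, key id and topic name are placeholders.
TOPIC_ARN = "arn:aws:sns:demo-region:demo-account-id:demo-topic"
KEY_ARN = "arn:aws:kms:demo-region:demo-account-id:key/demo-key-id"

# Key policy carrying the statement from Step 1.2.
KEY_POLICY_FIXED = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Allow_CloudWatch_for_CMK", "Effect": "Allow",
    "Principal": {"Service": ["cloudwatch.amazonaws.com"]},
    "Action": ["kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"}]}
# Key policy lacking that statement: the case that yields the "does not have
# authorization to access the SNS topic encryption key" failure in Alarm History.
KEY_POLICY_DEFAULT = {"Version": "2012-10-17", "Statement": []}
# Topic access policy carrying the statement from Step 2.5.
TOPIC_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Allow_Publish_Alarms", "Effect": "Allow",
    "Principal": {"Service": ["cloudwatch.amazonaws.com"]},
    "Action": "sns:Publish", "Resource": TOPIC_ARN}]}


def _as_list(value):
    # IAM accepts a single string or a list for Principal.Service, Action and Resource.
    return value if isinstance(value, list) else [value]


def _allows(policy, action, resource):
    """True if an Allow statement grants `action` on `resource` to the CloudWatch service.
    Only Allow grants are evaluated; Deny statements and Condition elements are ignored."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = ["*"] if principal == "*" else _as_list(principal.get("Service", []))
        if not any(s in (CLOUDWATCH, "*") for s in services):
            continue
        # fnmatchcase resolves IAM wildcards such as kms:GenerateDataKey*
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
            continue
        if any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))):
            return True
    return False


def missing_grants(key_policy, topic_policy, key_arn=KEY_ARN, topic_arn=TOPIC_ARN):
    """Return the grants CloudWatch alarms still lack; an empty list means the alarm can publish."""
    required = [(key_policy, "kms:Decrypt", key_arn),
                (key_policy, "kms:GenerateDataKey", key_arn),
                (topic_policy, "sns:Publish", topic_arn)]
    return [action for policy, action, arn in required if not _allows(policy, action, arn)]
```

In practice you would feed it the documents returned by `aws kms get-key-policy` and `aws sns get-topic-attributes` for your own key and topic.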
Step 3: CloudWatch Alarm Setup
3.1 To create a CloudWatch alarm, follow the steps shown in the image.
Start with Step 1, where you select the metric and the conditions that cause the alarm to trigger. This involves choosing an applicable metric and setting thresholds according to your monitoring requirements. In Step 2, configure the actions to take when the alarm state changes — for example, sending a notification through the encrypted SNS topic or invoking an auto scaling policy. Proceed to Step 3, where you enter a descriptive name and description for easy identification and management of the alarm. Finally, in Step 4, check all your settings in the preview, and once everything looks right, click Create to complete the CloudWatch alarm setup.
Step 4: Testing Phase
4.1 Modify the alarm by lowering the threshold (e.g., set CPU > 1%).
4.2 Wait for the alarm to enter the ALARM state.
4.3 Confirm that the SNS messages are sent and that subscribers receive the alert.
Conclusion:
In AWS, it's not only about receiving alerts — it's about safeguarding them. When you combine CloudWatch Alarms with KMS-encrypted SNS topics, you have a secure and auditable alerting system that meets best practices and compliance requirements.
Top comments (1)
Great post! Clear explanation on integrating CloudWatch Alarms with KMS-encrypted SNS topics. This will really help improve security and monitoring practices. Thanks for sharing your insights!