DEV Community

Pavan Kumar
CloudWatch Alarm Integration with KMS-Encrypted SNS Topic

Configure an Amazon CloudWatch alarm with an encrypted Amazon Simple Notification Service (Amazon SNS) topic.

Monitoring and alerting are essential in the cloud, but securing those alerts matters too. In this post, we explore how to configure a CloudWatch Alarm that notifies you through an SNS topic encrypted with a KMS key, so your alert data stays protected.

Note:

You must use an AWS Key Management Service (AWS KMS) customer managed key to deliver Amazon SNS notifications with an encrypted Amazon SNS topic for a CloudWatch alarm. If you use the default alias/aws/sns AWS managed key for encryption, then the CloudWatch alarm fails to initiate the alarm action. You then receive a message that's similar to the following in the Alarm History section:

"Failed to execute action arn:aws:sns:us-east-1:ACCOUNT_ID:TOPIC_NAME. Received error: "CloudWatch Alarms does not have authorization to access the SNS topic encryption key.""

Failed to execute action

Why secure CloudWatch notifications?

When an alarm is triggered, e.g., CPU utilization is greater than 80%, you can send an alert via Amazon Simple Notification Service (SNS). Such alerts can include sensitive information such as resource identifiers, environment details and more.

Without encryption, anyone with access to the SNS topic could potentially read these messages. With the SNS topic encrypted with KMS, you get:

  • 🔐 Alert messages stay private
  • ✅ Adherence to privacy regulations
  • 🛡️ Defense against unauthorized access

Architecture Overview

Architecture Overview

Step 1: Create a KMS Key

1.1 To create a KMS key in AWS, follow the step-by-step instructions shown in the image.

KMS Setup

Begin from Step 1, where you set up the key by choosing the key type and key usage. In Step 2, assign a descriptive label and description to use later to identify the key. Step 3 (optional) enables you to specify key administrative permissions by defining who may administer the key. Step 4 (optional) is to specify key usage permissions — who or what services are allowed to use this key to encrypt or decrypt. Step 5 (optional) is where you can modify the key policy for additional permission management. Lastly, in Step 6, take a look at all your settings and click Create to create the new KMS key.

Once it is created, you can see the key as shown below.

KMS Key

1.2 Edit the key policy to grant CloudWatch alarms the Decrypt and GenerateDataKey permissions to publish messages to encrypted Amazon SNS topics.

Adding Key Policy for CloudWatch

  • Add the statement below to the Statement array of the key policy:

    {
      "Sid": "Allow_CloudWatch_for_CMK",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "cloudwatch.amazonaws.com"
        ]
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey*"
      ],
      "Resource": "*"
    }

Note: The default AWS KMS key policy for Amazon SNS doesn't allow CloudWatch alarms to perform kms:Decrypt and kms:GenerateDataKey API calls. You can't manually edit policies for AWS managed keys.

Key Policy for CloudWatch

Step 2: Enable Encryption for SNS

2.1 Navigate to the SNS dashboard.

SNS dashboard

2.2 In the left navigation panel, select Topics.

Topics

2.3 Select the SNS topic you want to encrypt and click Edit.

Edit the Topic

2.4 Under Encryption, check whether server-side encryption is enabled. If it is not, enable it and select your customer managed KMS key (not the default alias/aws/sns key).

Enable Encryption

2.5 Under Access policy, add the Publish permission that allows CloudWatch alarms to publish messages to the Amazon SNS topic.

    {
      "Sid": "Allow_Publish_Alarms",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "cloudwatch.amazonaws.com"
        ]
      },
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:demo-region:demo-account-id:demo-topic"
    }

Note: Replace demo-region with your AWS Region, demo-account-id with your account ID, and demo-topic with the topic name, as shown in the image.

Access Policy to SNS
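Before moving on to the alarm, it helps to verify that all three pieces line up: the key policy statement from Step 1.2, the topic encryption and access policy from Steps 2.4 and 2.5, and the topic ARN in the alarm's actions. The Python script below is an added example and is not part of the original post or of any AWS tooling. It runs offline on plain JSON: the ARNs (demo-region, demo-account-id, demo-topic, demo-key-id) and the sample policy documents are constructed to mirror the post's snippets, and the policy evaluation is deliberately coarse (it honours Allow, explicit Deny and action/resource wildcards but ignores Condition blocks). It also flags the failure mode from the note at the top of the post, a topic encrypted with the AWS managed alias/aws/sns key.

```python
"""Offline pre-flight check: can a CloudWatch alarm publish to a KMS-encrypted SNS topic?

Added example, not code from the original post. All ARNs and policy documents
below are constructed placeholders in the same style as the post's demo-* values.
"""
import fnmatch
import json

CLOUDWATCH_PRINCIPAL = "cloudwatch.amazonaws.com"
AWS_MANAGED_SNS_KEY = "alias/aws/sns"  # its policy cannot be edited, so CloudWatch can never use it

# Constructed placeholders (not real resources).
TOPIC_ARN = "arn:aws:sns:demo-region:demo-account-id:demo-topic"
KEY_ARN = "arn:aws:kms:demo-region:demo-account-id:key/demo-key-id"


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statement_matches(statement, service, action, resource):
    """True if `statement` names `service` as a principal and covers `action` on
    `resource`. Wildcards such as kms:GenerateDataKey* are honoured; Condition
    blocks are ignored, so this is an optimistic check."""
    principal = statement.get("Principal")
    if principal != "*":
        if not isinstance(principal, dict):
            return False
        if service not in _as_list(principal.get("Service")):
            return False
    if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(statement.get("Action"))):
        return False
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(statement.get("Resource")))


def policy_allows(policy, service, action, resource):
    """Coarse IAM evaluation: a matching explicit Deny wins, otherwise any
    matching Allow grants the action."""
    matches = [s for s in _as_list(policy.get("Statement"))
               if _statement_matches(s, service, action, resource)]
    if any(s.get("Effect") == "Deny" for s in matches):
        return False
    return any(s.get("Effect") == "Allow" for s in matches)


def check_alarm_to_encrypted_topic(key_policy, key_arn, topic_arn, topic_attributes, alarm):
    """Return the reasons the alarm action would fail; an empty list means the
    key policy, topic encryption, topic policy and alarm action all line up."""
    problems = []
    key_id = topic_attributes.get("KmsMasterKeyId", "")
    if not key_id:
        problems.append("topic has no KmsMasterKeyId: server-side encryption is off")
    elif key_id == AWS_MANAGED_SNS_KEY:
        problems.append("topic uses alias/aws/sns; CloudWatch cannot be granted access to an AWS managed key")
    for action in ("kms:Decrypt", "kms:GenerateDataKey"):
        if not policy_allows(key_policy, CLOUDWATCH_PRINCIPAL, action, key_arn):
            problems.append(f"key policy does not allow {action} for {CLOUDWATCH_PRINCIPAL}")
    # SNS returns the access policy as a JSON string in the Policy attribute.
    topic_policy = json.loads(topic_attributes.get("Policy", "{}"))
    if not policy_allows(topic_policy, CLOUDWATCH_PRINCIPAL, "sns:Publish", topic_arn):
        problems.append(f"topic policy does not allow sns:Publish for {CLOUDWATCH_PRINCIPAL}")
    if topic_arn not in alarm.get("AlarmActions", []):
        problems.append("alarm does not list the topic ARN in AlarmActions")
    return problems


# Constructed sample documents mirroring the post's snippets.
ROOT_ADMIN = {"Sid": "EnableRootAdmin", "Effect": "Allow",
              "Principal": {"AWS": "arn:aws:iam::demo-account-id:root"},
              "Action": "kms:*", "Resource": "*"}

GOOD_KEY_POLICY = {"Version": "2012-10-17", "Statement": [ROOT_ADMIN, {
    "Sid": "Allow_CloudWatch_for_CMK", "Effect": "Allow",
    "Principal": {"Service": ["cloudwatch.amazonaws.com"]},
    "Action": ["kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"}]}

GOOD_TOPIC_ATTRS = {
    "KmsMasterKeyId": KEY_ARN,
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "Allow_Publish_Alarms", "Effect": "Allow",
        "Principal": {"Service": ["cloudwatch.amazonaws.com"]},
        "Action": "sns:Publish", "Resource": TOPIC_ARN}]}),
}

# The failing setup from the post's note: AWS managed key, no CloudWatch grants.
BAD_KEY_POLICY = {"Version": "2012-10-17", "Statement": [ROOT_ADMIN]}
BAD_TOPIC_ATTRS = {"KmsMasterKeyId": AWS_MANAGED_SNS_KEY,
                   "Policy": json.dumps({"Version": "2012-10-17", "Statement": []})}

ALARM = {"AlarmName": "demo-cpu-high", "AlarmActions": [TOPIC_ARN]}

if __name__ == "__main__":
    for label, kp, ta in (("good", GOOD_KEY_POLICY, GOOD_TOPIC_ATTRS),
                          ("bad", BAD_KEY_POLICY, BAD_TOPIC_ATTRS)):
        print(label, check_alarm_to_encrypted_topic(kp, KEY_ARN, TOPIC_ARN, ta, ALARM) or "ok")
```

In a real account you would feed the function the output of aws kms get-key-policy, aws sns get-topic-attributes and aws cloudwatch describe-alarms instead of the constructed documents; the "bad" case reproduces the "does not have authorization to access the SNS topic encryption key" situation from the note, with the managed key and the two missing KMS permissions reported explicitly.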

Step 3: CloudWatch Alarm Setup

3.1 To create a CloudWatch alarm, follow the steps indicated in the image.

Steps to create CloudWatch Alarm

Start with Step 1, where you enter the metric and the conditions that will cause the alarm to trigger. This involves choosing an applicable metric and setting thresholds according to your requirements for monitoring. Under Step 2, set up what actions must be taken when the alarm state is changed — for example, sending notifications through SNS or invoking an auto-scaling policy. Proceed to Step 3, where you enter a descriptive name and description for easy identification and management of the alarm. Finally, in Step 4, check all your settings in the preview, and once all is well, go ahead and click Create to complete setting up your CloudWatch alarm.

CloudWatch Alarm

Step 4: Testing Phase

4.1 Modify the alarm by lowering the threshold (e.g., set CPU > 1%).

Modify the Threshold

4.2 Wait for the alarm to enter the ALARM state.

Alarm Status

4.3 Confirm that the SNS message is sent and subscribers receive the alert.

Alert Status

Conclusion:

In AWS, it's not only about receiving alerts — it's about safeguarding them. When you combine CloudWatch Alarms with KMS-encrypted SNS topics, you have a secure and auditable alerting system that meets best practices and compliance requirements.

Top comments (1)

Kavya Varma

Great post! Clear explanation on integrating CloudWatch Alarms with KMS-encrypted SNS topics. This will really help improve security and monitoring practices. Thanks for sharing your insights!