AWS Cloudwatch 无法使用 SSE 发布到 SNS 主题

Question

I have a Route53 health check, which submits its metrics into Cloudwatch, and finally Cloudwatch specifies thresholds and should send alerts through SNS.

However, I would like my SNS Topic to be encrypted. When I turn on SNS Topic encryption using the alias/aws/sns key I receive these messages in the Cloudwatch message history:

{
  "actionState": "Failed",
  "stateUpdateTimestamp": 123456778899,
  "notificationResource": "arn:aws:sns:xx-region-y:zzzzzzzzzz:topic_name",
  "publishedMessage": null,
  "error": "null (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Request ID: ccccccccccccccccccc)"
}

This appears to not be an IAM issue with Cloudwatch, but with SNS itself being unauthorized to use the KMS resources.

I enjoy using the IAM Policy Simulator for IAM users to identify where their permissions are lacking, but there doesn't seem to be a way to validate a Service's access to other services. Is that a thing I can manage?

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html

---

I have also tried this with a CMK with the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "sns.amazonaws.com"
            },
            "Action": [
                "kms:GenerateDataKey*",
                "kms:Decrypt"
            ],
            "Resource": "*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "route53.amazonaws.com"
            },
            "Action": [
                "kms:GenerateDataKey*",
                "kms:Decrypt"
            ],
            "Resource": "*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "events.amazonaws.com"
            },
            "Action": [
                "kms:GenerateDataKey*",
                "kms:Decrypt"
            ],
            "Resource": "*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::XXXXXXXX:role/OrganizationAccountAccessRole"
            },
            "Action": "kms:*",
            "Resource": "*"
        }
    ]
}

I'm pretty much throwing darts at a wall with the principals, but I think there's validation for sns.amazonaws.com for SNS and events.amazonaws.com for Cloudwatch.

I received the exact same error, "null (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Request ID: ccccccccccccccccccc)" , when using a CMK in this manner as well. I can understand my CMK not working properly, but the Amazon managed key I think should just work out of the box.

---

I've tried using a CMK which grants sns.amazonaws.com and events.amazonaws.com with kms:* permissions. Same error.

Answer 1

Update: It's likely this information is out of date. Please try the other answers and let everyone know if they work for you.

---

Apparently, CloudWatch can't send messages to encrypted SNS topics according to Protecting Amazon SNS Data Using Server-Side Encryption (SSE) and AWS KMS :

Currently, CloudWatch alarms don't work with Amazon SNS encrypted topics. For information about publishing alarms to unencrypted topics, see Using Amazon CloudWatch Alarms in the Amazon CloudWatch User Guide.

However, the blog post Encrypting messages published to Amazon SNS with AWS KMS seems to indicate you can...

🤦

Answer 2

Just summarizing the correct answer here because the accepted answer seems to be outdated:.

1. You cannot use the Amazon managed CMK alias/aws/sns because in order to connect cloudwatch with an SNS topic encrypted with a KMS CMK, you need to set a resource-policy/access-policy on the CMK so that cloudwatch service can perform kms:GenerateDataKey* and kms:Decrypt actions on the key and the access-policy on amazon managed keys cannot be edited.

2. For your case, you would need to create a customer managed symmetric CMK, and edit the access-policy to allow cloudwatch service principal to access that CMK. The access-policy will look like:

    "Version": "2012-10-17",
    "Id": "key-policies",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions for administration of this key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxxxxxxxxx:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow cloudwatch metric to use this key",
            "Effect": "Allow",
            "Principal": {
                "Service": "cloudwatch.amazonaws.com"
            },
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey*"
            ],
            "Resource": "*"
        }
    ]
}

Answer 3

The service is not "events.amazonaws.com", it is "cloudwatch.amazonaws.com". You should get the SNS notifications once you change this in the key policy.

See https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html for more information.

Answer 4

While some AWS services use an IAM Role in your account, others use a specific principal to be granted access instead. See https://aws.amazon.com/blogs/compute/encrypting-messages-published-to-amazon-sns-with-aws-kms/ .

I think in your case you need to allow the cloudwatch principal, events.amazonaws.com , to be allowed to use the KMS key you specified, in the key's policy. See the section "Enabling compatibility between encrypted topics and event sources" in the above link.

Note that as the document says, "Several AWS services publish events to Amazon SNS topics. To allow these event sources to work with encrypted topics, you must first create a customer-managed CMK and then add the following statement to the policy of the CMK." This only works with customer managed keys.

Answer 5

I ran into the same issue today! I see there are suggestions for granting the CMK to cloudwatch.amazonaws.com and also to events.amazonaws.com . For me, I needed to grant to both for that to work. Here is the entirety of my Cloudformation definition for the CMK.

 InternalSNSKey:
    Type: AWS::KMS::Key
    Properties:
      Description: IA-Internal-SNS Encryption Key
      KeyPolicy:
        Version: 2012-10-17
        Id: allow-root-access-to-key
        Statement:
          - Sid: allow-root-to-delegate-actions
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action:
              - kms:*
            Resource: '*'
          - Sid: allow-cloudwatch-to-use-key
            Effect: Allow
            Principal:
              Service: cloudwatch.amazonaws.com
            Action:
              - kms:Decrypt
              - kms:GenerateDataKey*
            Resource: '*'
          - Sid: allow-events-to-use-key
            Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action:
              - kms:Decrypt
              - kms:GenerateDataKey*
            Resource: '*'

Answer 6

Adding just the below events.amazon.com permissions to the KMS key's resource policy did the trick for me, specifically to allow AWS::Events::Rule that had encrypted SNS topics registered as Targets for 'FAILED' CodeBuild and CodePipeline states.

       {
            "Sid": "Allow Events use of key (for publishing to CMK encrypted SNS topics)",
            "Effect": "Allow",
            "Principal": {
                "Service": "events.amazonaws.com"
            },
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey*"
            ],
            "Resource": "*"
        }

Hope this saves someone else some of the frustration and time this had caused me.