CloudWatch Alarms does not have authorization to access the SNS topic encryption key about landing-zone-accelerator-on-aws HOT 5 CLOSED

We are facing same problem again. Configured alarms and SNS topic via Console and now when alarm went to "In alarm" state it failed with this error: Failed to execute action arn:aws:sns:****::. Received error: "CloudWatch Alarms does not have authorization to access the SNS topic encryption key."

from landing-zone-accelerator-on-aws.

I faced a similar problem and fixed the issue by manually adding the snippet shared by @LawLaw443 and also adding selected permissions to the principal of the source account (where the CW Event is configured). Full policy:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::AUDIT_ACCOUNT:root" }, "Action": "kms:*", "Resource": "*" }, { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::MANAGEMENT_ACCOUNT:root" }, "Action": [ "kms:GenerateDataKey", "kms:Decrypt", "kms:DescribeKey" ], "Resource": "*" }, { "Sid": "Allow_CloudWatch_for_CMK", "Effect": "Allow", "Principal": { "Service": "cloudwatch.amazonaws.com" }, "Action": [ "kms:Decrypt", "kms:GenerateDataKey*" ], "Resource": "*" } ] }

from landing-zone-accelerator-on-aws.

Hello @LawLaw443. Thank you for submitting this bug. We have reworked SNS Topics in version 1.3. The new configuration example can be found here https://awslabs.github.io/landing-zone-accelerator-on-aws/classes/_aws_accelerator_config.SnsTopicConfig.html . Can you let us know if this resolves the issue?

from landing-zone-accelerator-on-aws.

Please re-open the issue if you're still having a problem.

from landing-zone-accelerator-on-aws.

@prad9 Did you manage to fix this? I'm having the same issue and I appear to have all the permissions set up (even did kms:, sns: and cloudwatch:* to test)

from landing-zone-accelerator-on-aws.