AWS ChatBot Microsoft Teams — Cloudwatch Setup

Sreedhar Bukya
2 min readOct 29, 2024

When using an encrypted Amazon SNS topic for CloudWatch alarms, you must use a customer-managed KMS key. If you rely on the default AWS Key Management Service (AWS KMS) key for encryption, CloudWatch alarms will fail to initiate the alarm action.

1. Create a Customer-Managed KMS Key

You can use the AWS CLI or AWS Management Console to create a customer-managed KMS key in the target region. Be sure to provide a meaningful alias name for the key for easier identification.

  • Update the Key Policy: On the console, modify the key policy to allow CloudWatch to use this KMS key for publishing messages to the encrypted SNS topic.
{
"Sid": "Allow_CloudWatch_for_CMK",
"Effect": "Allow",
"Principal": {
"Service": "cloudwatch.amazonaws.com"
},
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey*"
],
"Resource": "*"
}

It is essential to use a customer-managed key, as AWS-managed keys do not allow direct policy updates. This is why we choose a customer-managed KMS key.

2. Create Encrypted SNS Topic.

Since this SNS topic will be used for Spark infrastructure alerts, encryption is required. Follow these steps:

  1. Create the SNS Topic: In the SNS Console, create a topic and enable encryption.
  2. Select the KMS Key: Choose the KMS key created in Step #1 for…

--

--

Sreedhar Bukya
Sreedhar Bukya

Written by Sreedhar Bukya

Software Engineer , Build Everything required.

No responses yet