AWS ChatBot Microsoft Teams — Cloudwatch Setup

Sreedhar Bukya
2 min read · Oct 29, 2024

When using an encrypted Amazon SNS topic for CloudWatch alarms, you must use a customer-managed KMS key. If you rely on the default AWS Key Management Service (AWS KMS) key for encryption, CloudWatch alarms will fail to initiate the alarm action.

1. Create a Customer-Managed KMS Key

You can use the AWS CLI or AWS Management Console to create a customer-managed KMS key in the target region. Be sure to provide a meaningful alias name for the key for easier identification.

  • Update the Key Policy: On the console, add the following statement to the key policy so that CloudWatch can use this KMS key when publishing messages to the encrypted SNS topic.

```json
{
  "Sid": "Allow_CloudWatch_for_CMK",
  "Effect": "Allow",
  "Principal": {
    "Service": "cloudwatch.amazonaws.com"
  },
  "Action": [
    "kms:Decrypt",
    "kms:GenerateDataKey*"
  ],
  "Resource": "*"
}
```

A customer-managed key is essential here because the key policy of an AWS-managed key cannot be edited, so this statement could never be added to it.
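As an added example (not from the original post), the following Python builds the full key policy for the CMK, combining the usual account-root administration statement with the CloudWatch statement above, and includes a check that tells you whether a given key policy would let CloudWatch alarms publish to the encrypted topic. The account id is a constructed placeholder; the check ignores Deny statements and Conditions.

```python
import fnmatch
import json

# Constructed placeholder; replace with the real 12-digit account id.
ACCOUNT_ID = "123456789012"

# The two actions CloudWatch needs on the CMK to publish to an encrypted topic.
REQUIRED_ACTIONS = ("kms:Decrypt", "kms:GenerateDataKey")
CLOUDWATCH_PRINCIPAL = "cloudwatch.amazonaws.com"


def build_key_policy(account_id: str) -> dict:
    """Key policy for the CMK: the account root keeps administration rights,
    CloudWatch gets only what it needs to encrypt alarm notifications."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Without this statement the key would become unmanageable.
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {   # Same statement as in the article.
                "Sid": "Allow_CloudWatch_for_CMK",
                "Effect": "Allow",
                "Principal": {"Service": CLOUDWATCH_PRINCIPAL},
                "Action": ["kms:Decrypt", "kms:GenerateDataKey*"],
                "Resource": "*",
            },
        ],
    }


def _as_list(value):
    # IAM allows a single string or a list in Statement/Action/Service.
    return value if isinstance(value, list) else [value]


def cloudwatch_can_use_key(policy: dict) -> bool:
    """True if Allow statements for the CloudWatch service principal cover every
    required action (wildcards such as kms:GenerateDataKey* or kms:* count).
    Simplification: Deny statements and Conditions are not evaluated."""
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if principal != "*" and CLOUDWATCH_PRINCIPAL not in services:
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            granted.update(a for a in REQUIRED_ACTIONS if fnmatch.fnmatchcase(a, pattern))
    return granted == set(REQUIRED_ACTIONS)


if __name__ == "__main__":
    # Emit the policy document for the key-policy editor or `aws kms put-key-policy`.
    print(json.dumps(build_key_policy(ACCOUNT_ID), indent=2))
```

Run the check against the policy of an existing key (for example the output of `aws kms get-key-policy --policy-name default`) to confirm the CloudWatch statement is really in place before wiring the alarm to the topic.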

2. Create an Encrypted SNS Topic

Since this SNS topic will be used for Spark infrastructure alerts, encryption is required. Follow these steps:

  1. Create the SNS Topic: In the SNS Console, create a topic and enable encryption.
  2. Select the KMS Key: Choose the KMS key created in Step #1 for…
