Why can't an AWS CloudWatch Alarm send notifications to an encrypted SNS topic?

Time: 2019-05-18 13:28:17

Tags: amazon-cloudwatch aws-kms cloudwatch-alarms

I set up an alarm to notify me if my Lambda function's memory usage exceeds 80% of the Lambda memory size. I capture the data points with a custom metric, and I can see the alarm in the CloudWatch console when memory usage crosses the threshold. But when the alarm takes its action of sending a notification to the corresponding SNS topic, the message fails:

{
  "actionState": "Failed",
  "stateUpdateTimestamp": 1558142246126,
  "notificationResource": "arn:aws:sns:us-east-1:5847563209:<myTopic>",
  "publishedMessage": null,
  "error": "null (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Request ID: 6b7806a6-2c16-4582-9ecd-05100161746e)"
}

The SNS topic is encrypted with a KMS key, and I have allowed CloudWatch to use the key in the key policy:

{
  "Sid": "Allow CloudWatch to use the key",
  "Effect": "Allow",
  "Principal": {
      "Service": "cloudwatch.amazonaws.com"
  },
  "Action": [
      "kms:GenerateDataKey",
      "kms:Decrypt"
  ],
  "Resource": "*"
}

But the action still fails. I also tried events.amazonaws.com as the principal, with no luck. Any help is appreciated.
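The following is an added example, not code from the question or from AWS: a small offline checker that reads a KMS key policy document and reports, for a given service principal, whether each action needed to publish to a KMS-encrypted SNS topic (kms:GenerateDataKey and kms:Decrypt) is allowed, explicitly denied, or simply missing. It runs the statement from the question (plus a placeholder account-root statement; the account id 111122223333 is a constructed value) against both principals the question tried. It evaluates simplified IAM semantics only, so "allowed" here means the key policy is not the blocker, not that the publishing service supports encrypted topics.

```python
import fnmatch
import json

# Constructed key policy for this example: the CloudWatch statement from the
# question plus the usual account-root statement. Account id is a placeholder.
SAMPLE_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {
            "Sid": "Allow CloudWatch to use the key",
            "Effect": "Allow",
            "Principal": {"Service": "cloudwatch.amazonaws.com"},
            "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
            "Resource": "*",
        },
    ],
})

# Actions a publisher needs on the CMK that encrypts an SNS topic:
# GenerateDataKey to envelope-encrypt each message, Decrypt to read it back.
REQUIRED_ACTIONS = ("kms:GenerateDataKey", "kms:Decrypt")


def _as_list(value):
    """Policy JSON allows a bare string wherever a list is expected; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statement_covers_principal(statement, service_principal):
    """True if the statement's Principal names the service, or is a wildcard."""
    principal = statement.get("Principal")
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    if "*" in _as_list(principal.get("AWS")):
        return True
    return service_principal in _as_list(principal.get("Service"))


def _statement_covers_action(statement, action):
    """True if any Action pattern matches; IAM action matching is case-insensitive
    and supports '*' (so kms:GenerateDataKey* also covers kms:GenerateDataKey)."""
    patterns = _as_list(statement.get("Action"))
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def evaluate_key_policy(policy_json, service_principal, required_actions=REQUIRED_ACTIONS):
    """Return {action: 'allowed' | 'denied' | 'missing'} for each required action.

    Simplified semantics: an explicit Deny wins; otherwise any matching Allow
    grants. Resource is assumed to be '*' as key policies require, and
    Condition / NotAction / NotPrincipal are not evaluated, so 'allowed' is a
    necessary but not sufficient condition for a real request to succeed.
    """
    statements = _as_list(json.loads(policy_json).get("Statement"))
    result = {}
    for action in required_actions:
        verdict = "missing"
        for stmt in statements:
            if not (_statement_covers_principal(stmt, service_principal)
                    and _statement_covers_action(stmt, action)):
                continue
            if stmt.get("Effect") == "Deny":
                verdict = "denied"
                break
            if stmt.get("Effect") == "Allow":
                verdict = "allowed"
        result[action] = verdict
    return result


def missing_actions(policy_json, service_principal, required_actions=REQUIRED_ACTIONS):
    """Sorted list of required actions the policy does not grant to the principal."""
    verdicts = evaluate_key_policy(policy_json, service_principal, required_actions)
    return sorted(a for a, v in verdicts.items() if v != "allowed")


if __name__ == "__main__":
    # Both principals the question tried; only the first is named in the policy.
    for principal in ("cloudwatch.amazonaws.com", "events.amazonaws.com"):
        print(principal, evaluate_key_policy(SAMPLE_KEY_POLICY, principal))
```

For the policy in the question the checker reports both actions allowed for cloudwatch.amazonaws.com and both missing for events.amazonaws.com, which is the expected reading of that policy. A useful side effect of the wildcard handling is that a policy written with kms:GenerateDataKey* (the form AWS documentation commonly uses) is reported correctly rather than flagged as missing.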

1 answer:

Answer 0 (score: 0)

It looks like it isn't supported yet. From here: https://aws.amazon.com/blogs/compute/encrypting-messages-published-to-amazon-sns-with-aws-kms/

  As of November 2018, Amazon CloudWatch alarms are not yet compatible with Amazon SNS encrypted topics.