I set up alerts to notify me if my lambda function memory usage is more than 80% of the lambda memory size. I'm capturing the data points using custom metrics and I am able to see the alerts in the CloudWatch console when the memory usage is over the threshold. But when the alarm takes the action to send a notification to the corresponding SNS topic, it fails with this message:
{
"actionState": "Failed",
"stateUpdateTimestamp": 1558142246126,
"notificationResource": "arn:aws:sns:us-east-1:5847563209:<myTopic>",
"publishedMessage": null,
"error": "null (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Request ID: 6b7806a6-2c16-4582-9ecd-05100161746e)"
}
The SNS topic is encrypted with KMS key and I allowed cloudwatch to access the key in the key policy:
{
"Sid": "Allow CloudWatch to use the key",
"Effect": "Allow",
"Principal": {
"Service": "cloudwatch.amazonaws.com"
},
"Action": [
"kms:GenerateDataKey",
"kms:Decrypt"
],
"Resource": "*"
}
But the action still fails. I've also tried events.amazonaws.com as the principal, but no luck. I appreciate any help on this.
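The two pieces of evidence in the question, the failed-action record from the alarm history and the key policy statement, can be checked mechanically. The script below is an added example, not code from the question or the answer: it parses the "Service / Status Code / Error Code / Request ID" error string into fields and evaluates a KMS key policy for whether a given service principal is allowed the actions SNS needs to publish to an encrypted topic (assumed here, as in the question's policy, to be kms:Decrypt and kms:GenerateDataKey). The sample record and policy are constructed copies of the question's JSON with a placeholder account ID and request ID. Note the caveat the answer on this page gives: a key policy that passes this check is necessary but was not sufficient at the time, because the alarm-to-encrypted-topic path itself was unsupported.

```python
"""Added example: diagnose a CloudWatch alarm action that failed with a KMS
AccessDeniedException. Assumptions: inputs are JSON strings shaped like the
alarm-history record and key policy in the question; the required actions
are kms:Decrypt and kms:GenerateDataKey."""
import fnmatch
import json
import re

REQUIRED_ACTIONS = ("kms:Decrypt", "kms:GenerateDataKey")

# Shape of the error string in the failed-action record:
# "null (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Request ID: ...)"
_ERROR_RE = re.compile(
    r"Service:\s*(?P<service>[^;]+);\s*Status Code:\s*(?P<status>\d+);\s*"
    r"Error Code:\s*(?P<code>[^;]+);\s*Request ID:\s*(?P<request_id>[^)]+)\)"
)


def parse_action_failure(record_json):
    """Return (service, status, error_code, request_id) for a Failed record,
    or None if the action did not fail or the error string is unrecognised."""
    record = json.loads(record_json)
    if record.get("actionState") != "Failed":
        return None
    m = _ERROR_RE.search(record.get("error") or "")
    if not m:
        return None
    return (m["service"].strip(), int(m["status"]), m["code"].strip(), m["request_id"].strip())


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statement_principals(statement):
    """Service principals a statement names; "*" stands for any principal.
    NotPrincipal is deliberately not handled (it would need negation logic)."""
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("Service")) + (["*"] if principal.get("AWS") == "*" else [])
    return []


def _matches(patterns, action):
    # IAM action names are case-insensitive and may carry a trailing '*'.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def key_policy_grants(policy_json, service_principal, actions=REQUIRED_ACTIONS):
    """Map each action to "allow", "deny", "conditional" or "missing" for the
    service principal. A matching Deny always wins; an Allow with a Condition
    is reported as "conditional" because condition keys are not evaluated;
    Resource is ignored since a key policy only applies to its own key."""
    policy = json.loads(policy_json)
    result = {}
    for action in actions:
        verdict = "missing"
        for st in _as_list(policy.get("Statement")):
            principals = [p.lower() for p in _statement_principals(st)]
            if "*" not in principals and service_principal.lower() not in principals:
                continue
            if not _matches(_as_list(st.get("Action")), action):
                continue
            if st.get("Effect") == "Deny":
                verdict = "deny"
                break
            if st.get("Effect") == "Allow":
                if st.get("Condition"):
                    verdict = "conditional" if verdict == "missing" else verdict
                else:
                    verdict = "allow"
        result[action] = verdict
    return result


# Constructed inputs, copied in shape from the question; the account ID and
# request ID are placeholders, not the question's values.
FAILURE_RECORD = json.dumps({
    "actionState": "Failed",
    "stateUpdateTimestamp": 1558142246126,
    "notificationResource": "arn:aws:sns:us-east-1:111122223333:myTopic",
    "publishedMessage": None,
    "error": "null (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; "
             "Request ID: 00000000-0000-0000-0000-000000000000)",
})
KEY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Allow CloudWatch to use the key",
    "Effect": "Allow",
    "Principal": {"Service": "cloudwatch.amazonaws.com"},
    "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
    "Resource": "*"}]})


def diagnose(record_json, policy_json, service_principal="cloudwatch.amazonaws.com"):
    """Was the failure a KMS AccessDenied, and does the policy grant everything?"""
    failure = parse_action_failure(record_json)
    grants = key_policy_grants(policy_json, service_principal)
    return {
        "kms_access_denied": failure is not None and failure[0] == "AWSKMS"
                             and failure[2] == "AccessDeniedException",
        "policy_grants_all": all(v == "allow" for v in grants.values()),
        "grants": grants,
    }


if __name__ == "__main__":
    print(diagnose(FAILURE_RECORD, KEY_POLICY))
```

Run against the question's own policy the checker reports both actions as "allow" for cloudwatch.amazonaws.com and "missing" for events.amazonaws.com, which is consistent with the poster's observation that the policy looked right and swapping the principal changed nothing. The interesting cases for real-world use are the "deny" and "conditional" verdicts: a Deny statement elsewhere in the policy or an Allow gated on a condition key are the two things that make a policy look correct at a glance while still producing the same AccessDeniedException.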
Looks like it's not yet supported. From here: https://aws.amazon.com/blogs/compute/encrypting-messages-published-to-amazon-sns-with-aws-kms/
As of November 2018, Amazon CloudWatch alarms don’t yet work with Amazon SNS encrypted topics.