[cloudwatch] Alarms don't execute on KMS encrypted SNS

[du291]

Alarms do not seem to execute properly when configured to a Topic with master_key.

Reproduction Steps

topic = aws_sns.Topic(self.stack, 'alarm-topic',
                              display_name='Topic for alarms',
                              master_key=key,
                              topic_name=self.alarms_topic_name)
alarm.add_alarm_action(aws_cloudwatch_actions.SnsAction(alarms_topic))

then trigger the alarm via boto3 set_alarm_state

What did you expect to happen?

Triggering the alarm would send notification to the topic.

What actually happened?

The following error on aws cloudwatch alarm page:

Failed to execute action arn:aws:sns:eu-west-1:461491260158:rivendell-eu-west-1-log-test-pht-alarms-topic. Received error: "null (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Request ID: 4fea0cd9-2182-432e-a0a0-5442996cc605; Proxy: null)"

Environment

CLI Version : 1.70
Framework Version: Python 3.8.5
Node.js Version: v14.11.0
OS : Linux
Language (Version): Python (3.8.5)

Other

---

This is 🐛 Bug Report

[rix0rrr]

I would think that the key needs a permission added to have the CloudWatch service principal be able to encrypt using it.

[S3ky]

Hi @rix0rrr, @jumi-dev,

I saw, that you have the open PR for that issue (#12117), but there are some changes requested. Could you please take a look at it?

Thank ou.

[github-actions]

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.