Permissions for AWS KMS–encrypted Amazon SNS topics

Amazon DevOps Guru is in preview and available in the following AWS Regions: US West (Oregon), US East (N. Virginia), US East (Ohio), Europe (Ireland), and Asia Pacific (Tokyo).

The preview is open to all AWS accounts. You do not need to request access. Features might be added or changed before General Availability is announced. Contact us at amazon-devops-guru-feedback@amazon.com with feedback.

The Amazon SNS topic you specify might be encrypted by AWS Key Management Service. To allow DevOps Guru to work with encrypted topics, you must first create a customer-managed key (CMK) and then add the following statement to the policy of the CMK. For more information, see Encrypting messages published to Amazon SNS with AWS KMS, Key identifiers (KeyId) in the AWS KMS User Guide, and Data encryption in the Amazon Simple Notification Service Developer Guide.


{
    "Version": "2012-10-17",
    "Id": "your-kms-key-policy",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "region-id.devops-guru.amazonaws.com"
            },
            "Action": [
                "kms:GenerateDataKey*",
                "kms:Decrypt"
            ],
            "Resource": "*"
        }
      ]
}

Warning Javascript is disabled or is unavailable in your browser.

To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Permissions for cross account Amazon SNS topics

Troubleshooting