Praba Haran

Reputation: 11

CloudWatch event invocation failed to call SNS topic

I am a beginner to AWS CloudWatch. The event is not getting triggered when I use the AWS Java SDK to create CloudWatch event rules with an SNS topic as the target.

It works fine when the rule is created directly in the AWS Management Console.

Everything remains the same when comparing the Java SDK creation and the Management Console creation.

The only difference is that when a rule created in the AWS Management Console is invoked, two metrics are created (invocation, TriggeredRules), while when a rule created with the Java SDK is invoked, three metrics are created (invocation, TriggeredRules, FailedInvocation).

Upvotes: 1

Views: 3220

Answers (2)

Kibadex

Reputation: 41

If you use a custom KMS key on your SNS topic, you also need to add the following statement to your KMS key policy:

{
  "Sid": "CloudwatchEvents",
  "Effect": "Allow",
  "Principal": {
    "Service": "events.amazonaws.com"
  },
  "Action": [
    "kms:Encrypt*",
    "kms:Decrypt*",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:Describe*"
  ],
  "Resource": "*"
}

Upvotes: 4

macbutch

Reputation: 3291

If you find that it works when created via the console but not if you do it with the API (or something like Terraform) then it is likely that you are not updating the SNS Topic Policy so that it allows events to be published from CloudWatch Events. The console does this for you semi-magically but if you use the APIs you have a bit more work to do.

There is an answer here in the FAQ with the details but the long and short of it is you need to add (not replace) something like this to your SNS Topic Policy:

{
  "Sid" : "CloudWatchEvents",
  "Effect" : "Allow",
  "Resource" : "${aws_sns_topic.events.arn}",
  "Action" : "sns:Publish",
  "Principal" : {
    "Service" : "events.amazonaws.com"
  }
}

Upvotes: 3
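The "add (not replace)" step from the answer above, as an added example that is not part of either answer: it appends the `events.amazonaws.com` statement to an existing topic policy without dropping the statements already there, and checks a policy document for the grant. The topic ARN, account ID, existing policy and function names are constructed for illustration, and the check ignores `Condition`, `Deny` and wildcard principals.

```python
import json
from fnmatch import fnmatchcase

EVENTS = "events.amazonaws.com"
TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:events"  # constructed sample ARN

# Constructed sample: a topic policy that only lets the owning account publish.
EXISTING = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OwnerOnly", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": ["sns:Publish", "sns:Subscribe"],
        "Resource": TOPIC_ARN,
    }],
})

def _as_list(value):
    # Policy fields may hold a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def allows(policy, service, action, resource):
    """True if an Allow statement lets `service` perform `action` on `resource`.
    Simplified: Condition, Deny, NotAction and "*" principals are not evaluated."""
    for st in _as_list(policy.get("Statement", [])):
        principal = st.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if (st.get("Effect") == "Allow" and service in services
                and any(fnmatchcase(action.lower(), a.lower()) for a in actions)
                and any(fnmatchcase(resource, r) for r in resources)):
            return True
    return False

def add_events_publish(policy_json, topic_arn, sid="CloudWatchEvents"):
    """Return the policy JSON with the sns:Publish grant appended.
    Existing statements are kept; a statement with the same Sid is replaced,
    so running this twice does not duplicate the grant."""
    policy = json.loads(policy_json)
    kept = [s for s in _as_list(policy.get("Statement", [])) if s.get("Sid") != sid]
    kept.append({"Sid": sid, "Effect": "Allow",
                 "Principal": {"Service": EVENTS},
                 "Action": "sns:Publish", "Resource": topic_arn})
    policy["Statement"] = kept
    return json.dumps(policy, indent=2)

if __name__ == "__main__":
    print("before:", allows(json.loads(EXISTING), EVENTS, "sns:Publish", TOPIC_ARN))
    updated = add_events_publish(EXISTING, TOPIC_ARN)
    print("after: ", allows(json.loads(updated), EVENTS, "sns:Publish", TOPIC_ARN))
```

The same `allows` check can be pointed at a KMS key policy to confirm the grant from the first answer, for example with the action `kms:GenerateDataKey`.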
