AWS Cloudformation : Does CloudWatch Alarm for RDS needs IAM role?

Time:10-28

I want to get a notification email whenever my RDS instance has available storage space less than a threshold value for example 2GB.

I created an alarm from the AWS console that monitors the FreeStorageSpace metric for the above reason.

Now I want to put this alarm snippet in my existing Cloudformation template to link this alarm to my existing RDS instance. Do I need to create any kind of IAM role for the RDS?

    RDSLowStorageAlarm:   # logical ID added so the snippet is a complete Resources entry; any name works
      Type: AWS::CloudWatch::Alarm
      Properties:
        AlarmName: RDS Low Storage Alarm
        AlarmDescription: This alarm is triggered when RDS storage is lower than or equal to 5GB
        ActionsEnabled: true
        OKActions: []
        AlarmActions:
          - arn:aws:sns:ap-northeast-1:1234567890:stg1-init-AlertTopic-1WPRQT95IHBJZ
        InsufficientDataActions: []
        MetricName: FreeStorageSpace   # reported in bytes
        Namespace: AWS/RDS
        Statistic: Average
        Dimensions:
          - Name: DBInstanceIdentifier
            Value: xxx1blsxxxxel
        Period: 60
        EvaluationPeriods: 1
        DatapointsToAlarm: 1
        Threshold: 5368709120          # 5 GiB in bytes
        ComparisonOperator: LessThanOrEqualToThreshold
        TreatMissingData: missing

I found several articles like this where alarm creation like above is explained. But I found no information about IAM things.

Update: The SNS Alert topic I have created in my main cfn template has the below access policy as a default. In this case, will it be enough just to create the above alarm?

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "SNS:GetTopicAttributes",
        "SNS:SetTopicAttributes",
        "SNS:AddPermission",
        "SNS:RemovePermission",
        "SNS:DeleteTopic",
        "SNS:Subscribe",
        "SNS:ListSubscriptionsByTopic",
        "SNS:Publish",
        "SNS:Receive"
      ],
      "Resource": "arn:aws:sns:ap-northeast-1:333333333333:stg1-init-AlertTopic-1WPRQT95IHBJZ",
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "333333333333"
        }
      }
    }
  ]
}

CodePudding user response:

Do I need to create any kind of IAM role for the RDS?

Not for RDS. But the SQS topic must have a special policy for that. An example is (depending on your setup, the default policy may also be enough):

{
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "SNS:Publish",
            "Resource": "arn:aws:sns:us-east-2:444455556666:MyTopic",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:cloudwatch:us-east-2:111122223333:alarm:*"
                }
            }
        }
    ]
}
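To put the two halves of this thread together, here is a complete CloudFormation template written for this page (it is an added example, not code from the question or the answer). It wires the FreeStorageSpace alarm to an SNS email topic and attaches a topic policy that grants only SNS:Publish, and only to CloudWatch alarms in the same account and region, in place of the wide default policy quoted in the question. The parameter names `DbInstanceIdentifier` and `AlertEmail`, the logical IDs and the alarm name are assumptions; the 2 GB threshold comes from the question text and is expressed in bytes because that is the unit of the metric. No IAM role is attached to RDS anywhere in it.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example: RDS FreeStorageSpace alarm delivering to an SNS email topic
  whose resource policy only lets CloudWatch alarms in this account publish.

Parameters:
  DbInstanceIdentifier:
    Type: String
    Description: >-
      Identifier of the existing RDS instance (assumed parameter; if the
      AWS::RDS::DBInstance lives in this template, use !Ref on it instead).
  AlertEmail:
    Type: String
    Description: Address that receives the notification (the subscription must be confirmed).

Resources:
  AlertTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Endpoint: !Ref AlertEmail
          Protocol: email

  # Replaces the default topic policy (Principal "*" on nine SNS actions,
  # limited only by AWS:SourceOwner) with a single-action statement that is
  # satisfied only when the caller is a CloudWatch alarm from this account
  # and region. aws:SourceArn / aws:SourceAccount are populated when the
  # CloudWatch service publishes on an alarm's behalf.
  AlertTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - !Ref AlertTopic
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowCloudWatchAlarmsToPublish
            Effect: Allow
            Principal:
              AWS: '*'
            Action: SNS:Publish
            Resource: !Ref AlertTopic        # Ref of an SNS topic is its ARN
            Condition:
              ArnLike:
                aws:SourceArn: !Sub 'arn:aws:cloudwatch:${AWS::Region}:${AWS::AccountId}:alarm:*'
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId

  RdsLowStorageAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Sub '${DbInstanceIdentifier}-low-free-storage'
      AlarmDescription: Free storage on the RDS instance is at or below 2 GB
      Namespace: AWS/RDS
      MetricName: FreeStorageSpace          # reported in bytes
      Dimensions:
        - Name: DBInstanceIdentifier
          Value: !Ref DbInstanceIdentifier
      Statistic: Average
      Period: 300
      EvaluationPeriods: 1
      DatapointsToAlarm: 1
      Threshold: 2147483648                 # 2 GB (2 * 1024^3) in bytes
      ComparisonOperator: LessThanOrEqualToThreshold
      TreatMissingData: missing
      ActionsEnabled: true
      AlarmActions:
        - !Ref AlertTopic
      OKActions:
        - !Ref AlertTopic                   # also tell the recipient when space recovers
```

The only authorization that matters here is the SNS topic's resource policy: CloudWatch publishes to the topic as a service, so neither the alarm nor the RDS instance carries an IAM role. The question's default policy would also allow delivery, since its AWS:SourceOwner condition matches same-account callers, but it grants every SNS action to any same-account principal; the statement above narrows that to one action from one service, and both aws:SourceArn and aws:SourceAccount are checked so that an alarm in another account cannot satisfy it.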