src/services/alerts/serverless.yml
service: ${self:custom.project}-alerts
frameworkVersion: "3"
package:
individually: true
plugins:
- serverless-stack-termination-protection
- "@stratiformdigital/serverless-s3-security-helper"
provider:
name: aws
runtime: nodejs18.x
region: ${env:REGION_A}
stackTags:
PROJECT: ${self:custom.project}
SERVICE: ${self:service}
custom:
project: ${env:PROJECT}
serverlessTerminationProtection:
stages: # Apply CloudFormation termination protection for these stages
- master
- val
- production
resources:
Resources:
AlertsTopic:
Type: "AWS::SNS::Topic"
Properties:
TopicName: Alerts-${self:service}-${sls:stage}
KmsMasterKeyId: !Ref KmsKeyForSns
KmsKeyForSns:
Type: AWS::KMS::Key
Properties:
EnableKeyRotation: "true"
KeyPolicy:
Version: "2012-10-17"
Statement:
- Sid: Allow access for Root User
Effect: Allow
Principal:
AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
Action: "kms:*"
Resource: "*"
- Sid: Allow access for Key User (SNS Service Principal)
Effect: Allow
Principal:
Service: "sns.amazonaws.com"
Action:
- "kms:GenerateDataKey"
- "kms:Decrypt"
Resource: "*"
- Sid: Allow CloudWatch events to use the key
Effect: Allow
Principal:
Service: events.amazonaws.com
Action:
- "kms:Decrypt"
- "kms:GenerateDataKey"
Resource: "*"
- Sid: Allow CloudWatch for CMK
Effect: Allow
Principal:
Service:
- cloudwatch.amazonaws.com
Action:
- "kms:Decrypt"
- "kms:GenerateDataKey*"
Resource: "*"
EventBridgeToToSnsPolicy:
Type: AWS::SNS::TopicPolicy
Properties:
PolicyDocument:
Statement:
- Effect: Allow
Principal:
Service:
- events.amazonaws.com
- cloudwatch.amazonaws.com
Action: sns:Publish
Resource: !Ref AlertsTopic
Topics:
- !Ref AlertsTopic
Outputs:
ECSFailureTopicArn:
Description: ECS Failure SNS topic ARN
Value: !Ref AlertsTopic