From e2cd2893949be225f4274366107661962fd651db Mon Sep 17 00:00:00 2001
From: Alexander Amiri
Date: Thu, 12 Mar 2026 12:49:49 +0100
Subject: [PATCH] Remove KMS encryption from SNS alert topics
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

EventBridge cannot publish to SNS topics encrypted with the AWS-managed SNS key (alias/aws/sns) because the key policy doesn't grant events.amazonaws.com the kms:GenerateDataKey permission.

This caused ALL EventBridge → SNS deliveries to fail silently:
- Resource creation alerts: 3/3 failed
- Resource modification alerts: 1/1 failed
- Console login alerts: 5/5 failed

These are internal alert routing topics, not carrying sensitive data.
---
terraform/platform/monitoring/main.tf | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/terraform/platform/monitoring/main.tf b/terraform/platform/monitoring/main.tf
index c9f78db..1b65139 100644
--- a/terraform/platform/monitoring/main.tf
+++ b/terraform/platform/monitoring/main.tf
@@ -3,8 +3,7 @@
 ################################################################################
 
 resource "aws_sns_topic" "alerts" {
- name = "${var.project}-alerts"
- kms_master_key_id = "alias/aws/sns"
+ name = "${var.project}-alerts"
 
 tags = {
 Name = "${var.project}-alerts"
@@ -12,8 +11,7 @@ resource "aws_sns_topic" "alerts" {
 }
 
 resource "aws_sns_topic" "security" {
- name = "${var.project}-security"
- kms_master_key_id = "alias/aws/sns"
+ name = "${var.project}-security"
 
 tags = {
 Name = "${var.project}-security"
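Review bot: Dropping `kms_master_key_id` from both topics (this hunk and the `security` hunk below) removes an at-rest encryption control to work around what the message itself describes as a key-policy gap: the AWS-managed `alias/aws/sns` key policy cannot be edited, but a customer-managed key whose policy grants `events.amazonaws.com` the `kms:GenerateDataKey*` and `kms:Decrypt` actions lets EventBridge publish while the topics stay encrypted. The `security` topic fans out the console-login alerts listed in the message, which presumably carry caller identity and source-address detail, so the "not carrying sensitive data" rationale is worth a second look, and unencrypted topics are also a common finding in baseline configuration checks. If the change stays as is, each resource should carry a comment such as `# No KMS key on purpose: EventBridge cannot use alias/aws/sns (see commit e2cd289); use a CMK with an events.amazonaws.com grant if encryption is required` so the next reader does not re-add the managed key and reintroduce the silent failure. Independently, the deliveries could only fail "silently" because the EventBridge targets have no dead-letter queue or failed-invocation alarm; adding `dead_letter_config` on the `aws_cloudwatch_event_target` resources (outside this hunk, if they live in this module) would surface the next such break. A sketch of the CMK alternative follows; the `tags` blocks of both resources are unchanged.
```terraform
# Customer-managed key for the alert topics. Unlike alias/aws/sns, its policy
# can grant EventBridge the actions it needs to publish to an encrypted topic.
data "aws_iam_policy_document" "sns_kms" {
  statement {
    sid       = "AccountAdmin"
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] # needs a data "aws_caller_identity" "current" block if the module lacks one
    }
  }
  statement {
    sid       = "AllowEventBridgePublish"
    effect    = "Allow"
    actions   = ["kms:GenerateDataKey*", "kms:Decrypt"]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }
  }
}

resource "aws_kms_key" "sns" {
  description         = "${var.project} SNS alert topics"
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.sns_kms.json
}

resource "aws_sns_topic" "alerts" {
  name              = "${var.project}-alerts"
  kms_master_key_id = aws_kms_key.sns.arn
  # … unchanged: tags …

# … unchanged: "security" topic, same kms_master_key_id = aws_kms_key.sns.arn …
```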