This time the notifications come from CloudWatch, so we set the Principal so that the CloudWatch service (`"Service": "cloudwatch.amazonaws.com"`) can use the CMK.

```json
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXXXXXXXXXX:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
```