When a CloudWatch alarm publishes to an encrypted Amazon SNS topic, the topic must be encrypted with a customer-managed AWS Key Management Service (AWS KMS) key. If the topic uses the default AWS-managed key for SNS instead, the alarm action fails: CloudWatch is not permitted to use that key on your behalf, so the notification is never published.
You can create a customer-managed KMS key in the target Region with the AWS CLI or the AWS Management Console. Give the key a meaningful alias so it is easy to identify later.
A customer-managed key is required because the key policy must grant the CloudWatch service principal (cloudwatch.amazonaws.com) the kms:Decrypt and kms:GenerateDataKey* permissions, and the key policy of an AWS-managed key cannot be edited. A customer-managed key is the only kind whose policy you control.
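The following script is an added example, not part of the original text: it builds a key policy that keeps the account root as key administrator and grants cloudwatch.amazonaws.com the kms:Decrypt and kms:GenerateDataKey* permissions, checks that the policy actually contains that grant, and then creates the key and its alias with the AWS CLI. The Region, the alias name `alias/cloudwatch-alarm-sns`, and the function names are assumptions chosen for the illustration; the AWS calls run only when the script is invoked with `--apply`.

```shell
#!/usr/bin/env sh
# Added example: create a customer-managed KMS key whose key policy lets
# CloudWatch use it, so alarm notifications to an SNS topic encrypted with
# this key can be published.
# Assumed values (not from the original text): Region, alias name.

REGION="${AWS_REGION:-us-east-1}"
ALIAS="alias/cloudwatch-alarm-sns"   # assumed alias name

# Emit the key policy JSON. $1 = AWS account ID.
# Statement 1 keeps the account root as key administrator (standard default).
# Statement 2 grants the CloudWatch service principal the two permissions it
# needs to publish to a KMS-encrypted SNS topic: kms:Decrypt and
# kms:GenerateDataKey*. This is the statement an AWS-managed key cannot take.
build_key_policy() {
  account_id="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnableIAMUserPermissions",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${account_id}:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowCloudWatchAlarmsToUseKey",
      "Effect": "Allow",
      "Principal": { "Service": "cloudwatch.amazonaws.com" },
      "Action": [ "kms:Decrypt", "kms:GenerateDataKey*" ],
      "Resource": "*"
    }
  ]
}
EOF
}

# Sanity check before the key is created: the policy must name the
# CloudWatch service principal and both actions. Returns 0 when it does.
policy_grants_cloudwatch() {
  printf '%s' "$1" | grep -q '"cloudwatch.amazonaws.com"' &&
  printf '%s' "$1" | grep -q '"kms:Decrypt"' &&
  printf '%s' "$1" | grep -q '"kms:GenerateDataKey\*"'
}

# Create the key with the policy attached, then give it an alias.
# Requires AWS credentials; prints the new key ID.
create_cloudwatch_sns_key() {
  account_id="$(aws sts get-caller-identity --query Account --output text)"
  policy="$(build_key_policy "$account_id")"
  policy_grants_cloudwatch "$policy" || { echo "policy check failed" >&2; return 1; }
  key_id="$(aws kms create-key --region "$REGION" \
      --description "CMK for CloudWatch alarm SNS notifications" \
      --policy "$policy" \
      --query KeyMetadata.KeyId --output text)"
  aws kms create-alias --region "$REGION" \
      --alias-name "$ALIAS" --target-key-id "$key_id"
  echo "$key_id"
}

# Only touch AWS when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
  create_cloudwatch_sns_key
fi
```

Once the key exists, the SNS topic's KmsMasterKeyId attribute must point at it (the alias or key ID) rather than at the AWS-managed SNS key; otherwise the alarm action still fails for the reason described above.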