diff --git a/cloudformation/alarms.yaml b/cloudformation/alarms.yaml
index bb2df33c..2a5295f2 100644
--- a/cloudformation/alarms.yaml
+++ b/cloudformation/alarms.yaml
@@ -579,6 +579,7 @@ Resources:
 Type: AWS::SNS::Topic
 Properties:
 DisplayName: !Join ['-', [FhirSolution, !Ref Stage, cloudwatch, alarm, topic]]
+ KmsMasterKeyId: !Ref SnsKMSKey
 FhirWorksAlarmSNSTopicPolicy:
 Type: AWS::SNS::TopicPolicy
 DependsOn: FhirWorksAlarmSNSTopic
diff --git a/cloudformation/kms.yaml b/cloudformation/kms.yaml
index f60a32d3..eb569e1a 100644
--- a/cloudformation/kms.yaml
+++ b/cloudformation/kms.yaml
@@ -94,4 +94,40 @@ Resources:
 Condition:
 ArnLike:
 kms:EncryptionContext:aws:logs:arn: !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:*
-
+ SnsAlias:
+ Type: AWS::KMS::Alias
+ Properties:
+ AliasName: !Join ['-', [alias/snsKey, !Ref Stage]]
+ TargetKeyId: !Ref SnsKMSKey
+ SnsKMSKey:
+ Type: AWS::KMS::Key
+ Properties:
+ EnableKeyRotation: true
+ Description: 'KMS CMK for SNS'
+ KeyPolicy:
+ Version: '2012-10-17'
+ Statement:
+ - Sid: 'Enable IAM Root Permissions'
+ Effect: Allow
+ Principal:
+ AWS: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:root'
+ Action: 'kms:*'
+ Resource: '*'
+ - Sid: 'Allow Cloudwatch to use this Key Policy'
+ Effect: Allow
+ Principal:
+ Service: cloudwatch.amazonaws.com
+ Action:
+ - kms:Encrypt
+ - kms:Decrypt
+ - kms:GenerateDataKey*
+ Resource: '*'
+ - Sid: 'Allow SNS to use this Key Policy'
+ Effect: Allow
+ Principal:
+ Service: sns.amazonaws.com
+ Action:
+ - kms:Encrypt
+ - kms:Decrypt
+ - kms:GenerateDataKey*
+ Resource: '*'
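Review bot: `!Ref SnsKMSKey` on the added `KmsMasterKeyId` line names a resource this file does not declare — `SnsKMSKey` is introduced in cloudformation/kms.yaml in the same commit — so the reference only resolves if both files are assembled into one template before deployment; if they are deployed as separate stacks it needs an Export/ImportValue or a parameter instead. A one-line comment at the added line would make that coupling visible, e.g. `# server-side encryption; key is declared in cloudformation/kms.yaml and its policy must let cloudwatch.amazonaws.com use it`. Once the topic is encrypted, every principal that publishes to it (including whoever the FhirWorksAlarmSNSTopicPolicy below authorizes) needs kms:GenerateDataKey and kms:Decrypt on that key, and the new key policy grants those only to the CloudWatch and SNS service principals — worth confirming no other publisher exists. The topic resource this line belongs to starts before the hunk.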
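Review bot: The two new service-principal statements (`Allow Cloudwatch to use this Key Policy` and `Allow SNS to use this Key Policy`) grant `kms:Encrypt`, `kms:Decrypt` and `kms:GenerateDataKey*` on `Resource: '*'` with no `Condition`, whereas the logs statement just above them in this file scopes its grant with an `ArnLike` condition on the encryption context; without a comparable scope, any alarm or topic those services handle on behalf of another account that names this key can use it (confused-deputy exposure). Adding `Condition:` / `StringEquals:` / `aws:SourceAccount: !Ref AWS::AccountId` to both statements pins the grant to resources in this account (`kms:ViaService` is an alternative if the project already uses it; check which condition keys the two services propagate). `kms:Encrypt` also looks surplus here — SNS server-side encryption and CloudWatch alarm delivery use GenerateDataKey and Decrypt — so verify against the current SNS/CloudWatch guidance and drop it if unused. Consider `DeletionPolicy: Retain` and `UpdateReplacePolicy: Retain` on `SnsKMSKey`, since otherwise a stack deletion schedules the key for deletion together with the alarm topic it protects.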