How do I set up customized email notifications using CloudWatch Events with an Amazon SNS topic?

Last updated: 2021-06-22

I want to set up a customized email notification using Amazon CloudWatch Events and an Amazon Simple Notification Service (Amazon SNS) topic.

Short description

The following resolution shows you how to configure a CloudWatch Events rule with an SNS topic as its target. Based on the rule, Amazon SNS sends a notification to the email address or addresses subscribed to the topic when your event occurs. The message is difficult to read because of its formatting. However, you can use an AWS Lambda function to create a customized alert message with improved formatting.

Important: The following resolution uses AWS Security Hub events and a Lambda function for the customization. For more information on associated costs, see AWS Security Hub pricing and AWS Lambda Pricing.

Resolution

Create an SNS topic

1.    Open the Amazon SNS console.

2.    On the navigation pane, choose Topics.

3.    Choose Create topic.

4.    In the Details section, for Type, choose Standard.

5.    For Name, enter the name of your topic.

6.    Choose Create topic.

Create a subscription

1.    From the created topic, choose Create subscription.

2.    For Topic ARN, select the Amazon Resource Name (ARN) of the topic that you created earlier.

Note: The Topic ARN may already be populated with the ARN of the topic that you created earlier.

3.    For Protocol, choose Email.

4.    For Endpoint, enter the email address where you want to receive SNS notifications.

5.    Choose Create subscription.

Important: You must confirm the subscription in the confirmation email sent to the subscriber for the subscription to switch from PendingConfirmation status to Confirmed.

Note: (Optional) You can also create an authenticated subscription that prevents the unsubscribe action on your topic.

Configure the CloudWatch Events rule

1.    Open the CloudWatch console.

2.    In the navigation pane, in the Events section, choose Rules.

3.    Choose Create rule.

4.    For Service Name, choose Security Hub.

5.    For Event Type, choose All Events.

Note: To configure alerts for more specific events, see Types of Security Hub integration with EventBridge.

6.    In the Targets section, choose Add target.

7.    From the target menu, choose SNS topic.

8.    For Topic, choose the topic that you created earlier.

9.    Choose Configure details.

10.    For Name, enter a name for your rule.

11.    Choose Create rule.

Test the rule

1.    Open AWS Security Hub.

2.    On the navigation pane, choose Findings.

3.    From the list of findings, select the check box for the finding that you want to receive an alert for.

4.    Choose Actions, and then choose Send to email.

5.    Check your email inbox to see if you received an AWS notification message from no-reply@sns.amazonaws.com. For example:

{
  "version": "0",
  "id": "91ce02aa-7c08-bacc-cc71-10837f6ef124",
  "detail-type": "Security Hub Findings - Custom Action",
  "source": "aws.securityhub",
  "account": "111122223333",
  "time": "2021-06-17T11:44:13Z",
  "region": "us-east-1",
  "resources": ["arn:aws:securityhub:us-east-1:111122223333:action/custom/SendToEmail"],
  "detail": {
    "actionName": "Send to email",
    "actionDescription": "This Custom Action sends selected findings to email addresses defined in an SNS Topic Subscription.",
    "findings": [{
      "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
      "Types": ["Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"],
      "Description": "The \"root\" account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided.",
      "Compliance": {
        "Status": "FAILED",
        "StatusReasons": [{
          "Description": "Multi region CloudTrail with the required configuration does not exist in the account",
          "ReasonCode": "CLOUDTRAIL_MULTI_REGION_NOT_PRESENT"
        }]
      },
      "ProductName": "Security Hub",
      "FirstObservedAt": "2020-10-22T10:18:10.991Z",
      "CreatedAt": "2020-10-22T10:18:10.991Z",
      "LastObservedAt": "2021-06-17T10:36:41.175Z",
      "CompanyName": "AWS",
      "FindingProviderFields": {
        "Types": ["Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"],
        "Severity": {"Normalized": 30, "Label": "LOW", "Product": 30, "Original": "LOW"}
      },
      "ProductFields": {
        "StandardsGuideArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
        "StandardsGuideSubscriptionArn": "arn:aws:securityhub:us-east-1:111122223333:subscription/cis-aws-foundations-benchmark/v/1.2.0",
        "RuleId": "1.1",
        "RecommendationUrl": "SampleURL",
        "aws/securityhub/CompanyName": "AWS",
        "aws/securityhub/annotation": "Multi region CloudTrail with the required configuration does not exist in the account",
        "Resources:0/Id": "arn:aws:iam::111122223333:root",
        "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:111122223333:subscription/cis-aws-foundations-benchmark/v/1.2.0/1.1/finding/4eccb91a-c940-4e1d-90de-7c046369b89f"
      },
      "Remediation": {
        "Recommendation": {
          "Text": "For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.",
          "Url": "SampleURL"
        }
      },
      "SchemaVersion": "2018-10-08",
      "GeneratorId": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0/rule/1.1",
      "RecordState": "ACTIVE",
      "Title": "1.1 Avoid the use of the \"root\" account",
      "Workflow": {"Status": "NEW"},
      "Severity": {"Normalized": 30, "Label": "LOW", "Product": 30, "Original": "LOW"},
      "UpdatedAt": "2021-06-17T10:36:39.712Z",
      "WorkflowState": "NEW",
      "AwsAccountId": "111122223333",
      "Region": "us-east-1",
      "Id": "arn:aws:securityhub:us-east-1:111122223333:subscription/cis-aws-foundations-benchmark/v/1.2.0/1.1/finding/4eccb91a-c940-4e1d-90de-7c046369b89f",
      "Resources": [{"Partition": "aws", "Type": "AwsAccount", "Region": "us-east-1", "Id": "AWS::::Account:111122223333"}]
    }]
  }
}
--
If you wish to stop receiving notifications from this topic, please click or visit the link below to unsubscribe:
Unsubscribe


Please do not reply directly to this email. If you have any questions or comments regarding this email, please contact us at https://aws.amazon.com/support.

Customize the alert using a Lambda function

Create a Lambda function that extracts the information that you want from the JSON event and publishes it to Amazon SNS.

1.    Open the Lambda console.

2.    On the navigation pane, choose Functions.

3.    Choose Create function.

4.    Choose Author from scratch.

5.    For Function name, enter a name for your function.

6.    For Runtime, choose Python 3.7.

7.    Expand Change default execution role.

8.    For Execution role, select Create a new role from AWS policy templates.

9.    For Role name, enter a name for your role.

10.    For Policy template, choose Amazon SNS publish policy.

11.    Choose Create function.

12.    After the function is created, paste the following code in the Code source section:

import json
import boto3

sns = boto3.client('sns')

def lambda_handler(event, context):
    # The rule delivers the Security Hub event; report the fields of the
    # first finding that it carries.
    finding = event["detail"]["findings"][0]
    findingTime = finding["FirstObservedAt"]
    findingType = finding["Types"][0]
    complianceStatus = finding["Compliance"]["Status"]
    region = event["region"]
    accountId = finding["AwsAccountId"]
    findingDescription = finding["Description"]
    severity = finding["Severity"]["Label"]
    remediation = finding["Remediation"]["Recommendation"]["Text"]
    remediationUrl = finding["Remediation"]["Recommendation"]["Url"]

    # Build the plain-text body that replaces the raw JSON email.
    message = ("AWS SecurityHub alert in %s for account: %s\n\n"
               "Finding regarding: [%s] %s\nSeverity: %s\nDescription: %s\n"
               "First observed at: %s\n%s: %s"
               % (region, accountId, complianceStatus, findingType,
                  severity, findingDescription, findingTime,
                  remediation, remediationUrl))

    # Publish to the topic; replace REGION and ACCOUNT_ID with your values.
    response = sns.publish(
        TopicArn="arn:aws:sns:REGION:ACCOUNT_ID:SendFindingsTopic",
        Message=message
    )
    return {
        'statusCode': 200,
        'body': json.dumps('Success!')
    }

Note: The preceding code customizes and re-formats the alert message. Replace TopicArn ("arn:aws:sns:REGION:ACCOUNT_ID:SendFindingsTopic") with your topic ARN.

13.    To save the function code, choose Deploy.
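As an added example (not the article's own code), the following is a hardened variant of the handler above: it formats every finding in the event instead of only the first, tolerates findings that lack Compliance or Remediation fields, sets an email Subject, and reads the topic ARN from an environment variable named TOPIC_ARN (an assumed name) instead of hard-coding it.

```python
import json
import os

# Added example (not the article's own code): a hardened variant of the handler
# above. It formats every finding, tolerates missing optional fields, sets an
# email Subject and reads the topic ARN from TOPIC_ARN (an assumed env var name).
SUBJECT_LIMIT = 100  # SNS rejects email Subjects longer than 100 ASCII characters
SEVERITY_ORDER = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

def format_finding(finding, region):
    """Render one Security Hub (ASFF) finding as plain text."""
    compliance = finding.get("Compliance", {}).get("Status", "N/A")
    types = finding.get("Types") or ["Unknown type"]
    rec = finding.get("Remediation", {}).get("Recommendation", {})
    lines = [
        "AWS SecurityHub alert in %s for account: %s"
        % (region, finding.get("AwsAccountId", "unknown")),
        "Finding regarding: [%s] %s" % (compliance, types[0]),
        "Severity: %s" % finding.get("Severity", {}).get("Label", "UNKNOWN"),
        "Description: %s" % finding.get("Description", ""),
        "First observed at: %s" % finding.get("FirstObservedAt", "unknown"),
    ]
    if rec:  # Remediation is optional in ASFF; skip the line when it is absent
        lines.append("%s: %s" % (rec.get("Text", ""), rec.get("Url", "")))
    return "\n".join(lines)

def build_message(event):
    """Return (subject, body) covering every finding carried by the event."""
    findings = event.get("detail", {}).get("findings", [])
    labels = [f.get("Severity", {}).get("Label", "") for f in findings]
    top = max(labels, key=lambda l: SEVERITY_ORDER.index(l) if l in SEVERITY_ORDER else -1, default="NONE")
    subject = "Security Hub: %d finding(s), highest severity %s" % (len(findings), top)
    body = "\n\n".join(format_finding(f, event.get("region", "")) for f in findings)
    return subject[:SUBJECT_LIMIT], body

def lambda_handler(event, context):
    import boto3  # deferred so build_message can be unit-tested without the SDK
    subject, body = build_message(event)
    if not body:  # nothing to report; avoid publishing an empty email
        return {"statusCode": 200, "body": json.dumps("No findings in event")}
    boto3.client("sns").publish(TopicArn=os.environ["TOPIC_ARN"], Subject=subject, Message=body)
    return {"statusCode": 200, "body": json.dumps("Success!")}

# Constructed sample event: one finding shaped like the article's, one sparse finding.
SAMPLE_EVENT = {"region": "us-east-1", "detail": {"findings": [
    {"AwsAccountId": "111122223333", "Types": ["Software and Configuration Checks/CIS AWS Foundations Benchmark"],
     "Compliance": {"Status": "FAILED"}, "Severity": {"Label": "LOW"}, "FirstObservedAt": "2020-10-22T10:18:10.991Z",
     "Description": "The \"root\" account has unrestricted access to all resources in the AWS account.",
     "Remediation": {"Recommendation": {"Text": "See the CIS documentation.", "Url": "SampleURL"}}},
    {"AwsAccountId": "111122223333", "Severity": {"Label": "HIGH"}, "Description": "Sparse finding."}]}}
```

Set TOPIC_ARN under the function's environment variables; the execution role still needs the Amazon SNS publish policy chosen in step 10.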

Add EventBridge as a trigger for your Lambda function

1.    In the Function overview section, choose Add trigger.

2.    For Trigger configuration, select EventBridge (CloudWatch Events).

3.    For Rule, select Existing rules.

4.    For Existing rules, select the CloudWatch Events rule that you created earlier.

5.    Choose Add.

Edit the CloudWatch Events rule

1.    Open the CloudWatch console.

2.    On the navigation pane, in the Events section, choose Rules.

3.    From the list of rules, select the CloudWatch Events rule that you created earlier.

4.    Choose Actions, and then choose Edit.

5.    In the Targets section, remove the SNS target for your topic.

6.    Choose Configure details.

7.    Choose Update rule.

When you test the rule, you receive a notification similar to the following:

AWS SecurityHub alert in us-east-1 for account: 111122223333
Finding regarding: [FAILED] Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark
Severity: LOW
Description: The "root" account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided.
First observed at: 2020-10-22T10:18:10.991Z
For directions on how to fix this issue, please consult the AWS Security Hub CIS documentation.: SampleURL
--
If you wish to stop receiving notifications from this topic, please click or visit the link below to unsubscribe:
Unsubscribe


Please do not reply directly to this email. If you have any questions or comments regarding this email, please contact us at https://aws.amazon.com/support.

