Security monitoring is only valuable when you can respond quickly. AWS Security Hub continuously aggregates security findings from AWS services, but manually checking the dashboard isn't scalable.
In this hands-on lab, we'll build a simple event-driven security automation that sends email notifications whenever AWS Security Hub detects a security finding.
By the end of this tutorial, you'll have an automated pipeline like this:
AWS Config → AWS Security Hub → Amazon EventBridge → Amazon SNS → 📧 Email Notification
Step 1: Enable AWS Config
AWS Security Hub depends on AWS Config to evaluate resource compliance.
- Open the AWS Console.
- Search for AWS Config.
- Select 1-click setup.
- Review the configuration.
- Click Confirm.
- Navigate to Settings.
- Verify that the recorder status shows "Recording is on".
AWS Config is now recording the configuration of your AWS resources.
Step 2: Enable AWS Security Hub
- Search for Security Hub.
- Click Go to Security Hub.
- Choose Enable Security Hub.
AWS Security Hub immediately begins aggregating security findings and evaluating your resources against the enabled AWS security standards.
Step 3: Create an SNS Topic
Next, we'll create a notification service that can send emails whenever Security Hub generates a finding.
Navigate to Amazon SNS and create a new topic:
- Topic name: LabAutomation
Leave the default settings and create the topic.
Create an Email Subscription
Inside the topic:
- Click Create subscription.
- Protocol: Email
- Enter your email address.
- Create the subscription.
You'll receive a confirmation email. Click "Confirm subscription" in that email, then return to SNS and refresh until the subscription status changes to "Confirmed". Until it does, SNS will not deliver anything to that address.
Step 4: Create an EventBridge Rule
Now we'll connect Security Hub with SNS.
Navigate to Amazon EventBridge and create a new rule.
Rule details:
- Name: LabAutomation
- Description: LabAutomation
Event pattern:
- Select: AWS Service
- Service: Security Hub
- Event type: Security Hub Findings - Imported
This tells EventBridge to trigger whenever Security Hub imports a new finding.
Target:
- Choose: SNS Topic
- Select: LabAutomation
Leave the remaining settings as default and create the rule.
Your event-driven automation is now complete.
Step 5: Generate a Security Finding
To test the automation, we'll intentionally create an insecure security group.
Create a VPC
Navigate to Amazon VPC and click "Create VPC". Choose "VPC and more", accept the defaults, and create the VPC.
Create an Insecure Security Group
Navigate to EC2 → Security Groups and create a new security group:
- Name: LabAutomation
- Description: LabAutomation
Add the following inbound rule:
| Type | Source |
|---|---|
| SSH | Anywhere-IPv4 (0.0.0.0/0) |
Create the security group.
Why This Generates a Finding
Opening SSH (port 22) to the entire internet (0.0.0.0/0) is a well-known misconfiguration: any host on the internet can reach the SSH service on instances that use this group.
AWS Config records the security group's configuration, and AWS Security Hub evaluates it against the enabled security standards and raises a finding for the open ingress rule.
Once detected:
Security Hub → EventBridge Rule → SNS Topic → Email Notification
Everything happens automatically.
Step 6: Verify the Automation
Within a few minutes, check your email.
You should receive an AWS Notification email containing details about the Security Hub finding.
The email includes information such as:
- Finding title
- Severity
- Resource affected
- Compliance status
- Time detected
This confirms your automation pipeline is functioning correctly.
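To make the Step 4 rule and the Step 6 email concrete, here is an added example (my code, not part of the original lab) that expresses the console's "Security Hub Findings - Imported" selection as the event pattern EventBridge stores, checks it against a constructed Security Hub event with a simplified matcher, and extracts the fields the email is expected to show. The tighter HIGH/CRITICAL pattern is my extension, not something the lab configures; the sample event and its resource ARN are constructed.

```python
# Pattern the console generates for "AWS Service -> Security Hub ->
# Security Hub Findings - Imported" (the rule built in Step 4).
LAB_RULE_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
}

# Tighter pattern (my extension, not in the lab): only FAILED findings
# rated HIGH or CRITICAL, so the mailbox is not flooded by low-severity noise.
HIGH_SEVERITY_PATTERN = {
    **LAB_RULE_PATTERN,
    "detail": {"findings": {
        "Severity": {"Label": ["HIGH", "CRITICAL"]},
        "Compliance": {"Status": ["FAILED"]},
    }},
}

# Constructed sample, trimmed to the ASFF fields used below; a real event
# carries the full finding. Account id is the AWS documentation placeholder.
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [{
        "Title": "Security groups should not allow ingress from 0.0.0.0/0 to port 22",
        "Severity": {"Label": "HIGH"},
        "Compliance": {"Status": "FAILED"},
        "Resources": [{"Type": "AwsEc2SecurityGroup",
                       "Id": "arn:aws:ec2:us-east-1:111122223333:security-group/sg-0123456789abcdef0"}],
        "UpdatedAt": "2024-01-01T00:00:00.000Z",
    }]},
}

def matches(pattern, event):
    """Simplified EventBridge matching: every pattern key must exist, a leaf list
    is OR-ed against the event value, a list in the event matches if any element does."""
    if isinstance(pattern, dict):
        if isinstance(event, list):
            return any(matches(pattern, item) for item in event)
        return isinstance(event, dict) and all(
            key in event and matches(sub, event[key]) for key, sub in pattern.items())
    return event in pattern

def summarize(event):
    """Pull out the fields Step 6 says to look for in the notification email."""
    f = event["detail"]["findings"][0]
    return {"title": f["Title"], "severity": f["Severity"]["Label"],
            "resource": f["Resources"][0]["Id"],
            "compliance": f["Compliance"]["Status"], "time": f["UpdatedAt"]}
```

Real EventBridge matching is somewhat looser with arrays of objects than this matcher, so validate a custom pattern with the EventBridge console's sandbox before relying on it.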
Architecture Overview
AWS Config → AWS Security Hub → (Findings Imported) → Amazon EventBridge → Amazon SNS → 📧 Email Alerts
What We Learned
In this lab, we:
- Enabled AWS Config
- Enabled AWS Security Hub
- Created an SNS topic
- Subscribed an email endpoint
- Built an EventBridge rule
- Generated a Security Hub finding
- Automatically received an email notification
This is a simple yet powerful example of event-driven security automation on AWS.