josepraveen

Automating AWS Security Hub Findings with EventBridge and SNS | Hands-on Lab

Security monitoring is only valuable when you can respond quickly. AWS Security Hub continuously aggregates security findings from AWS services, but manually checking the dashboard isn't scalable.

In this hands-on lab, we'll build a simple event-driven security automation that sends email notifications whenever AWS Security Hub detects a security finding.

By the end of this tutorial, you'll have an automated pipeline like this:

AWS Config
      │
      ▼
AWS Security Hub
      │
      ▼
Amazon EventBridge
      │
      ▼
Amazon SNS
      │
      ▼
📧 Email Notification

Step 1: Enable AWS Config

AWS Security Hub depends on AWS Config to evaluate resource compliance.

  1. Open the AWS Console.
  2. Search for AWS Config.
  3. Select 1-click setup.
  4. Review the configuration.
  5. Click Confirm.
  6. Navigate to Settings.
  7. Verify that the recorder status shows:
Recording is on


AWS Config is now monitoring your AWS resources.


Step 2: Enable AWS Security Hub

  1. Search for Security Hub.
  2. Click Go to Security Hub.
  3. Choose Enable Security Hub.


AWS Security Hub immediately begins aggregating security findings and enables AWS security standards.


Step 3: Create an SNS Topic

Next, we'll create a notification service that can send emails whenever Security Hub generates a finding.

Navigate to Amazon SNS.

Create a new topic:

Topic Name

LabAutomation

Leave the default settings and create the topic.


Create an Email Subscription

Inside the topic:

  1. Click Create subscription.
  2. Protocol: Email
  3. Enter your email address.
  4. Create the subscription.

You'll receive a confirmation email.

Click:

Confirm subscription

Return to SNS and refresh until the subscription status changes to:

Confirmed



Step 4: Create an EventBridge Rule

Now we'll connect Security Hub with SNS.

Navigate to Amazon EventBridge.

Create a new rule.

Rule Details

Name

LabAutomation

Description

LabAutomation



Event Pattern

Select:

AWS Service

Service:

Security Hub

Event Type:

Security Hub Findings - Imported


This tells EventBridge to trigger whenever Security Hub imports a finding. Note that the Findings - Imported event is emitted for updates to existing findings as well as for new ones, so with this pattern every finding update in the account results in an email.


Target

Choose:

SNS Topic

Select:

LabAutomation


Leave the remaining settings as default and create the rule.

Your event-driven automation is now complete.


Step 5: Generate a Security Finding

To test the automation, we'll intentionally create an insecure security group.

Create a VPC

Navigate to Amazon VPC.

Click:

Create VPC

Choose:

VPC and more

Accept the defaults and create the VPC.


Create an Insecure Security Group

Navigate to EC2 → Security Groups.

Create a new security group.

Name:

LabAutomation

Description:

LabAutomation

Add the following inbound rule:

Type    Source
SSH     Anywhere-IPv4 (0.0.0.0/0)


Create the security group.



Why This Generates a Finding

Opening SSH (port 22) to the entire internet (0.0.0.0/0) is considered a security risk: any host on the internet can reach the service and attempt to log in.

AWS Security Hub detects this misconfiguration through AWS Config and AWS security standards.

Once detected:

Security Hub
        │
        ▼
EventBridge Rule
        │
        ▼
SNS Topic
        │
        ▼
Email Notification

Everything happens automatically.


Step 6: Verify the Automation

Within a few minutes, check your email.


You should receive an AWS Notification email containing details about the Security Hub finding.


The email includes information such as:

  • Finding title
  • Severity
  • Resource affected
  • Compliance status
  • Time detected

This confirms your automation pipeline is functioning correctly.
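The rule from Step 4 and the email fields from Step 6, as an added example that is not part of the original lab: the event pattern the console generates for "Security Hub Findings - Imported", a tighter variant (my assumption, not something the lab configures) that only passes active, failed HIGH/CRITICAL findings, a small matcher that evaluates patterns with EventBridge's exact-value semantics, and the summary the email surfaces. The sample finding event and every id in it are constructed placeholders.

```python
# Pattern the console builds for "AWS Service -> Security Hub -> Security Hub Findings - Imported".
LAB_PATTERN = {"source": ["aws.securityhub"], "detail-type": ["Security Hub Findings - Imported"]}

# Tighter variant (assumption: only active, failed HIGH/CRITICAL findings should be mailed).
# Field names are those of the ASFF document carried in detail.findings[].
TRIAGED_PATTERN = dict(LAB_PATTERN, detail={"findings": {
    "Severity": {"Label": ["HIGH", "CRITICAL"]},
    "Compliance": {"Status": ["FAILED"]},
    "RecordState": ["ACTIVE"],
}})

def _leaves(obj, path=()):
    """Flatten JSON into (path, scalar) pairs; list elements share their parent's path."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _leaves(v, path + (k,))
    elif isinstance(obj, list):
        for item in obj:
            yield from _leaves(item, path)
    else:
        yield path, obj

def _rules(pattern, path=()):
    """Flatten a pattern into (path, allowed_values) pairs; a list marks a leaf."""
    for k, v in pattern.items():
        if isinstance(v, dict):
            yield from _rules(v, path + (k,))
        else:
            yield path + (k,), v

def matches(pattern, event):
    """Exact-value matching: every pattern field needs at least one event value in its allowed list.
    Like EventBridge, each field is matched independently across array elements."""
    seen = {}
    for path, val in _leaves(event):
        seen.setdefault(path, set()).add(val)
    return all(seen.get(p, set()) & set(allowed) for p, allowed in _rules(pattern))

def summarize(event):
    """Pull the fields the lab's email shows from the first finding in the event."""
    f = event["detail"]["findings"][0]
    return {"title": f["Title"], "severity": f["Severity"]["Label"], "resource": f["Resources"][0]["Id"],
            "compliance": f["Compliance"]["Status"], "detected": f["CreatedAt"]}

# Constructed sample event shaped like the lab's SSH-open-to-the-world finding; ids are placeholders.
SAMPLE_EVENT = {"source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [{"Title": "Security groups should not allow ingress from 0.0.0.0/0 to port 22",
        "Severity": {"Label": "HIGH", "Normalized": 70}, "Compliance": {"Status": "FAILED"},
        "RecordState": "ACTIVE", "CreatedAt": "2024-01-01T00:00:00.000Z",
        "Resources": [{"Type": "AwsEc2SecurityGroup", "Id": "arn:aws:ec2:us-east-1:111122223333:security-group/sg-0123456789abcdef0"}]}]}}
```

Run matches(TRIAGED_PATTERN, SAMPLE_EVENT) to confirm the lab's finding would still be mailed under the tighter pattern, then try a LOW finding to see it filtered out.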



Architecture Overview

                +------------------+
                |    AWS Config    |
                +--------+---------+
                         |
                         v
                +------------------+
                | AWS Security Hub |
                +--------+---------+
                         |
                 Findings Imported
                         |
                         v
                +------------------+
                |Amazon EventBridge|
                +--------+---------+
                         |
                         v
                +------------------+
                |    Amazon SNS    |
                +--------+---------+
                         |
                         v
                  📧 Email Alerts

What We Learned

In this lab, we:

  • Enabled AWS Config
  • Enabled AWS Security Hub
  • Created an SNS topic
  • Subscribed an email endpoint
  • Built an EventBridge rule
  • Generated a Security Hub finding
  • Automatically received an email notification

This is a simple yet powerful example of event-driven security automation on AWS.
