Email notification via SNS of AWS Config data matching EventBridge rules

Email notification of only those AWS Config resource change history data that match EventBridge rules via SNS

The following page shows how to email AWS Config resource change history data via SNS.

However, with the configuration on the above page, you will receive an email every time a change occurs to a resource.

In this article, we will use EventBridge rules to create a configuration that sends email notifications only when a specific event occurs.


Diagram of email notification via SNS of AWS Config data matching EventBridge rules

The configuration is generally similar to the page introduced at the beginning of this article.
The only difference is that we will put EventBridge between AWS Config and SNS.

The EventBridge rule is configured to send an email notification when an event occurs that disables the SSE settings in the S3 bucket.

CloudFormation template files

The above configuration is built using CloudFormation.
The CloudFormation templates are located at the following URL

awstut-fa/103 at main · awstut-an-r/awstut-fa

Explanation of key points of the template files

The templates are basically the same as those on the page introduced at the beginning of this article.

On this page, AWS Config data is received by EventBridge, and email notifications are sent via SNS.

SNS Topic

  Topic:  # logical ID assumed; not shown in the excerpt
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Endpoint: !Ref MailAddress
          Protocol: email
      TopicName: !Ref Prefix

Create an SNS topic and specify your email address as the subscriber.

For more information, please see the following page

AWS Config

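  DeliveryChannel:  # logical ID assumed; not shown in the excerpt
    Type: AWS::Config::DeliveryChannel
    Properties:
      Name: !Sub "${Prefix}-DeliveryChannel"
      S3BucketName: !Ref ConfigBucket
  ConfigurationRecorder:  # logical ID assumed; not shown in the excerpt
    Type: AWS::Config::ConfigurationRecorder
    Properties:
      Name: !Sub "${Prefix}-ConfigurationRecorder"
      RecordingGroup:
        AllSupported: false
        IncludeGlobalResourceTypes: false
        ResourceTypes:  # record S3 buckets only
          - AWS::S3::Bucket
      RoleARN: !Sub "arn:aws:iam::${AWS::AccountId}:role/aws-service-role/${AWSServiceRoleForConfig}"
  AWSServiceRoleForConfig:  # referenced by the !Sub in RoleARN above
    Type: AWS::IAM::ServiceLinkedRole
    DeletionPolicy: Delete
    Properties:
      AWSServiceName: config.amazonaws.com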

No special configuration is required to deliver AWS Config data to EventBridge.

For basic information on AWS Config, please see the following page

In this case, we will configure it to collect data about S3 buckets.

EventBridge Rules

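  EventsRule:  # logical ID assumed; not shown in the excerpt
    Type: AWS::Events::Rule
    Properties:
      EventBusName: !Ref EventBusName
      EventPattern:
        source:
          - aws.config
        detail-type:
          - Config Configuration Item Change
        detail:
          messageType:
            - ConfigurationItemChangeNotification
          configurationItem:
            resourceType:
              - AWS::S3::Bucket
          configurationItemDiff:
            changedProperties:
              SupplementaryConfiguration.ServerSideEncryptionConfiguration:  # one key; the dot is part of its name
                changeType:
                  - DELETE
      Name: !Sub "${Prefix}-EventsRule"
      State: ENABLED
      Targets:
        - Arn: !Ref TopicArn
          Id: !Ref TopicName
          InputTransformer:
            InputPathsMap:
              "awsRegion": "$.detail.configurationItem.awsRegion"
              "awsAccountId": "$.detail.configurationItem.awsAccountId"
              "resource_ID": "$.detail.configurationItem.resourceId"
              "configurationItemCaptureTime": "$.detail.configurationItem.configurationItemCaptureTime"
            InputTemplate: |
              "On <configurationItemCaptureTime> S3 Bucket <resource_ID> recorded a deletion of ServerSideEncryptionConfiguration in the account <awsAccountId> region <awsRegion>."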

When handling AWS Config data with EventBridge rules, two properties are key.

The first is the EventPattern property.
Refer to the following page to specify the various parameters of the data to be received.

Receive custom email notifications when a resource is created with AWS Config

The values for “source,” “detail-type,” and “messageType” are identical to those on the above page.
For “configurationItemDiff,” we used the event data generated when the SSE setting is disabled as a reference.
The following is an excerpt of the relevant section.

  "detail": {
    "recordVersion": "1.3",
    "messageType": "ConfigurationItemChangeNotification",
    "configurationItemDiff": {
      "changedProperties": {
        "SupplementaryConfiguration.ServerSideEncryptionConfiguration": {
          "previousValue": {
            "rules": [
              {
                "applyServerSideEncryptionByDefault": {
                  "sseAlgorithm": "AES256"
                },
                "bucketKeyEnabled": false
              }
            ]
          },
          "changeType": "DELETE"
        }
      },
      "changeType": "UPDATE"
    }
  }

In other words, in addition to matching source, detail-type, and so on, an event satisfies the condition when configurationItemDiff.changedProperties contains the item SupplementaryConfiguration.ServerSideEncryptionConfiguration and that item's changeType is “DELETE”.
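To check the pattern and the input transformer before deploying, the following added example (not part of the original article or its repository) evaluates the rule's event pattern against constructed sample events and renders the email text. `matches`, `render` and `sample_event` are hypothetical helpers, `matches` covers only the exact-value subset of EventBridge matching that this rule uses, and the bucket name, account ID, region and timestamp are made-up sample values.

```python
SSE_KEY = "SupplementaryConfiguration.ServerSideEncryptionConfiguration"  # one literal key
PATTERN = {  # the rule's EventPattern in the JSON form EventBridge evaluates
    "source": ["aws.config"],
    "detail-type": ["Config Configuration Item Change"],
    "detail": {
        "messageType": ["ConfigurationItemChangeNotification"],
        "configurationItem": {"resourceType": ["AWS::S3::Bucket"]},
        "configurationItemDiff": {"changedProperties": {SSE_KEY: {"changeType": ["DELETE"]}}},
    },
}
ITEM = "$.detail.configurationItem."
INPUT_PATHS = {  # InputPathsMap of the rule's target
    "awsRegion": ITEM + "awsRegion",
    "awsAccountId": ITEM + "awsAccountId",
    "resource_ID": ITEM + "resourceId",
    "configurationItemCaptureTime": ITEM + "configurationItemCaptureTime",
}
TEMPLATE = ("On <configurationItemCaptureTime> S3 Bucket <resource_ID> recorded a deletion of "
            "ServerSideEncryptionConfiguration in the account <awsAccountId> region <awsRegion>.")

def matches(pattern, event):
    """A list means "equals any of", a dict recurses, a missing key never matches."""
    for key, want in pattern.items():
        if not isinstance(event, dict) or key not in event:
            return False
        got = event[key]
        if not (matches(want, got) if isinstance(want, dict) else got in want):
            return False
    return True

def render(event):
    """Apply the input transformer: resolve each path, then fill the template."""
    text = TEMPLATE
    for name, path in INPUT_PATHS.items():
        value = event
        for part in path[2:].split("."):  # drop the leading "$."
            value = value[part]
        text = text.replace(f"<{name}>", str(value))
    return text

def sample_event(resource_type, changed_property, change_type):
    """Constructed Config event holding only the fields the rule reads."""
    item = {"resourceType": resource_type, "resourceId": "example-bucket",
            "awsRegion": "us-east-1", "awsAccountId": "123456789012",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z"}
    diff = {"changedProperties": {changed_property: {"changeType": change_type}}}
    return {"source": "aws.config", "detail-type": "Config Configuration Item Change",
            "detail": {"messageType": "ConfigurationItemChangeNotification",
                       "configurationItem": item, "configurationItemDiff": diff}}
```

An event whose changedProperties nests `ServerSideEncryptionConfiguration` under a separate `SupplementaryConfiguration` object does not match, because the pattern expects the dotted name as a single key. Against a real account, `aws events test-event-pattern` runs the same check with EventBridge's own matcher.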

In order to link EventBridge with SNS, it is necessary to give EventBridge permission to publish messages to SNS.

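  TopicPolicy:  # logical ID assumed; not shown in the excerpt
    Type: AWS::SNS::TopicPolicy
    Properties:
      PolicyDocument:
        Statement:
          - Principal:
              Service: events.amazonaws.com  # EventBridge service principal
            Action: sns:Publish
            Effect: Allow
            Resource: !Ref TopicArn
      Topics:
        - !Ref TopicArn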

Resource-based policies are used to grant SNS-related access privileges to EventBridge.

For more information, please refer to the following page.

(Reference) S3 bucket

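  Bucket:  # logical ID assumed; not shown in the excerpt
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub "${Prefix}-encryption-enabled"
      AccessControl: Private
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256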

Prepare an S3 bucket as a verification resource.
Enable SSE.


Use CloudFormation to build this environment and verify actual behavior.

Create CloudFormation stacks and verify resources in stacks

Create CloudFormation stacks.
For information on how to create stacks and check each stack, please refer to the following page

After checking the resources in each stack, information on the main resources created this time is as follows

  • SNS topic: fa-103
  • EventBridge rule: fa-103-EventRule
  • Bucket for verification: fa-103-encryption-enabled

Authentication of email address

If an email address is specified as a subscriber to an SNS topic, the email address must be authenticated.
The following authentication email will be sent to the specified email address.

Detail of SNS 1.

Click “Confirm subscription” to proceed with the authentication.

Detail of SNS 2.

The above page will appear, indicating that the authentication has been completed.

Resource Confirmation

Check each resource from the AWS Management Console.
First, check the SNS topic.

Detail of SNS 3.
Detail of SNS 4.
Detail of SNS 5.

You can see that the SNS topic has been successfully created.

In addition, you can see that the email address you registered as a subscriber is registered.
The Status value of the email address is “Confirmed,” indicating that the authentication has been completed.

The access policy shows that EventBridge is allowed to publish messages to this topic.

Check the AWS Config settings.

Detail of AWS Config 1.

We can see that AWS Config is working properly and that data collection has started.

Looking at the item related to SNS in Delivery method, we see that no settings have been made.
This indicates that there is no direct integration between AWS Config and SNS.

Check EventBridge.

Detail of EventBridge 1.
Detail of EventBridge 2.
Detail of EventBridge 3.
Detail of EventBridge 4.

We see that the EventBridge rule has been successfully created.

Looking at the Event Pattern, we see that the pattern is defined as per the CloudFormation template.
This means that if AWS Config sends event data regarding the deletion of the SSE settings of the S3 bucket, the condition is satisfied.

Looking at Target, we can see that the SNS topic mentioned earlier is specified.
This means that if event data that satisfies the aforementioned pattern is sent, it will be notified by e-mail via SNS.

Looking at the Input transformer, a template for the string to be sent by email and the parameters to be embedded are defined.

Check the S3 bucket for verification.

Detail of S3 1.

You can see that the SSE setting is indeed enabled.

Checking Operation

Now that everything is ready, let’s check the operation.

Disable the SSE setting for the S3 bucket.

Detail of S3 2.

After waiting for a while, the following e-mail arrives.

Detail of SNS 6.

The body of the email is indeed a string with various parameters embedded in the template as specified in the Input Transformer.

The event data has been generated by AWS Config following the deactivation of the SSE setting in the S3 bucket.
This event data met the requirements of the EventBridge rule, so the event data was forwarded to the target SNS topic.
A message was created using a portion of the event data, and the message was sent to the email address of the SNS subscriber.


We have shown how to use EventBridge rules to configure email notifications only when a specific event occurs.