Email notification via SNS when Nocompliant resources are detected by AWS Config

Email notification via SNS when Nocompliant resources are detected by AWS Config AWS_EN

Email notification via SNS when Nocompliant resources are detected by AWS Config

The following page covers how EventBridge receives event data sent out from AWS Config and only those that match the rules are notified via email by SNS.

A similar configuration can be used to send email notifications via SNS when a resource is detected in an AWS Config audit that does not comply with the rules.

Specifically, the following official AWS page covers how to set this up

Receive notifications for a non-compliant AWS resource using AWS Config

This time, the above configuration will be built using CloudFormation.
Specifically, we will set up rules regarding SSE for S3 buckets in AWS Config, and configure the system to send an email notification when a bucket that does not conform to these rules is detected.


Diagram of email notification via SNS when Nocompliant resources are detected by AWS Config

The configuration is generally the same as in the page introduced at the beginning of this page.

Create rules for SSE for S3 buckets in AWS Config.
When an S3 bucket with SSE disabled is detected, event data will be generated as a non-compliant resource.

If the EventBridge rule receives data that satisfies the above, it sends the data to the SNS topic.

Specify an email address as a subscriber to the SNS topic and email notification will be sent.

CloudFormation Template Files

The above configuration is built with CloudFormation.
The CloudFormation templates are located at the following URL

awstut-fa/104 at main · awstut-an-r/awstut-fa
Contribute to awstut-an-r/awstut-fa development by creating an account on GitHub.

Explanation of key points of the template files

Basically, it is the same as the page introduced at the beginning of this document, so only the different parts will be covered.

AWS Config Rules

    Type: AWS::Config::ConfigRule
      - ConfigurationRecorder
      ConfigRuleName: !Sub "${Prefix}-S3-Bucket-SSE-Enabled"
          - AWS::S3::Bucket
        Owner: AWS
Code language: YAML (yaml)

Configure the rules regarding SSE for the S3 bucket.
In this case, we will use the managed rule “s3-bucket-server-side-encryption-enabled”.

s3-bucket-server-side-encryption-enabled - AWS Config
Checks that your Amazon S3 bucket either has S3 default encryption enabled or that the S3 bucket policy explicitly denies put-object requests without server sid...

Specify this rule in the Source property.

For more information about AWS Config rules, please also check the following page

EventBridge Rules

    Type: AWS::Events::Rule
      EventBusName: !Ref EventBusName
          - aws.config
          - Config Rules Compliance Change
            - ComplianceChangeNotification
            - !Ref S3BucketSSEEnabledConfigRule
            - AWS::S3::Bucket
              - NON_COMPLIANT
      Name: !Sub "${Prefix}-EventsRule"
      State: ENABLED
        - Arn: !Ref TopicArn
          Id: !Ref TopicName
              "awsRegion": "$.detail.awsRegion"
              "resourceId": "$.detail.resourceId"
              "awsAccountId": "$.detail.awsAccountId"
              "compliance": "$.detail.newEvaluationResult.complianceType"
              "rule": "$.detail.configRuleName"
              "time": "$.detail.newEvaluationResult.resultRecordedTime"
              "resourceType": "$.detail.resourceType"
            InputTemplate: |
              "On <time> AWS Config rule <rule> evaluated the <resourceType> with Id <resourceId> in the account <awsAccountId> region <awsRegion> as <compliance> For more details open the AWS Config console at<awsRegion>#/timeline/<resourceType>/<resourceId>/configuration"
Code language: YAML (yaml)

When a resource is determined to be non-compliant by an AWS Config rule, data is sent to EventBridge.
Create an EventBridge rule for SSE in the S3 bucket and configure it to send a message to the SNS topic when the event is received.

There are two points.

The first is the EventPattern property.
Specify the data pattern that will be generated when the S3 bucket is judged as non-compliant with the rules regarding SSE.
Set as described in the official AWS page.

Receive notifications for a non-compliant AWS resource using AWS Config

The following is a sample of data.

  "version": "0",
  "id": "e1127974-86dd-69bb-649a-1416eaa3a14a",
  "detail-type": "Config Rules Compliance Change",
  "source": "aws.config",
  "account": "[account-id]",
  "time": "2022-12-02T14:39:46Z",
  "region": "ap-northeast-1",
  "resources": [],
  "detail": {
    "resourceId": "fa-104-encryption-enabled",
    "awsRegion": "ap-northeast-1",
    "awsAccountId": "[account-id]",
    "configRuleName": "fa-104-S3-Bucket-SSE-Enabled",
    "recordVersion": "1.0",
    "configRuleARN": "arn:aws:config:ap-northeast-1:[account-id]:config-rule/config-rule-yt5uxw",
    "messageType": "ComplianceChangeNotification",
    "newEvaluationResult": {
      "evaluationResultIdentifier": {
        "evaluationResultQualifier": {
          "configRuleName": "fa-104-S3-Bucket-SSE-Enabled",
          "resourceType": "AWS::S3::Bucket",
          "resourceId": "fa-104-encryption-enabled"
        "orderingTimestamp": "2022-12-02T14:39:32.966Z"
      "complianceType": "NON_COMPLIANT",
      "resultRecordedTime": "2022-12-02T14:39:45.721Z",
      "configRuleInvokedTime": "2022-12-02T14:39:45.437Z"
    "oldEvaluationResult": {
      "evaluationResultIdentifier": {
        "evaluationResultQualifier": {
          "configRuleName": "fa-104-S3-Bucket-SSE-Enabled",
          "resourceType": "AWS::S3::Bucket",
          "resourceId": "fa-104-encryption-enabled"
        "orderingTimestamp": "2022-12-02T14:33:12.486Z"
      "complianceType": "COMPLIANT",
      "resultRecordedTime": "2022-12-02T14:38:39.897Z",
      "configRuleInvokedTime": "2022-12-02T14:38:29.554Z"
    "notificationCreationTime": "2022-12-02T14:39:46.796Z",
    "resourceType": "AWS::S3::Bucket"
Code language: JSON / JSON with Comments (json)

The second point is the Targets property.
This specifies the SNS topic.
By default, the message to be published to the SNS topic is the JSON data shown above.
The message can be specified by setting the InputTransformer property.
This is also set as described on the official AWS page.


Using CloudFormation, build this environment and check the actual behavior.

Create CloudFormation stacks and check resources in stacks

Create CloudFormation stacks.
For information on how to create stacks and check each stack, please refer to the following page

After checking the resources in each stack, information on the main resources created this time is as follows

  • SNS topic: fa-104
  • AWS Config rule: fa-104-S3-Bucket-SSE-Enabled
  • EventBridge rule: fa-104-EventRule
  • Validation bucket: fa-104-encryption-enabled

Authentication of email addresses

If an email address is specified as a subscriber to an SNS topic, the email address must be authenticated.
The following authentication email will be sent to the specified email address.

Detail of SNS 1.

Click “Confirm subscription” to proceed with the authentication.

Detail of SNS 2.

The above page will appear, indicating that the authentication is complete.

Resource Confirmation

Check each resource from the AWS Management Console.
First, check the SNS topic.

Detail of SNS 3.
Detail of SNS 4.
Detail of SNS 5.

You can see that the SNS topic has been successfully created.

In addition, you can see that the email address you registered as a subscriber is registered.
The Status value of the email address is “Confirmed,” indicating that the authentication has been completed.

The access policy shows that EventBridge is allowed to publish messages to this topic.

Check the S3 bucket for verification.

Detail of S3 1.

We see that SSE is indeed enabled.

Check the AWS Config settings.

Detail of AWS Config 1.

We can see that AWS Config is acting correctly and has started collecting data.

Check the AWS Config rules.

Detail of AWS Config 2.

We can see that the rules for SSE have been created.
And if we look at the S3 bucket mentioned above, we see that it is “Compliant”, so we know that it is now compliant.

Check the EventBridge rule.

Detail of EventBridge 1.
Detail of EventBridge 2.
Detail of EventBridge 3.

We can see that the EventBridge rule has been successfully created.

Looking at Target, we can see that the SNS topic mentioned earlier is specified.
This means that when event data that satisfies the pattern is sent, it will be notified via email by SNS.

The Event Pattern shows that the pattern is defined as per the CloudFormation template.
This means that if a resource is detected that does not conform to the AWS Config rules for SSE configuration of S3 buckets, it will satisfy the condition.

Looking at the Input transformer, we see that a template for the string to be sent by email and the parameters to be embedded are defined.

Checking Action

Now that everything is ready, let’s check the Operation.

Disable the SSE settings for the S3 bucket.

Detail of S3 2.

After disabling, re-evaluate the rules on the AWS Config side.

Detail of AWS Config 3.

The rules are re-evaluated and the bucket for verification is now “Nocompliant.

Detail of AWS Config 4.

After waiting for a while, the following email was received.

Detail of SNS 6.

The body of the email is indeed a string with various parameters embedded in the template specified in the Input Transformer.

By configuring the EventBridge rule in this way, we were able to send an email notification via SNS when a resource that does not conform to AWS Config rules is detected.


We have introduced a method to send email notifications via SNS when a non-compliant resource is detected in an AWS Config audit.