
How can I use AWS Config to notify me when an AWS resource is non-compliant?


I want to create an Amazon EventBridge rule that sends a custom email notification to me when AWS resources are non-compliant.

Short description

To be notified when an AWS Config rule evaluates a resource as NON_COMPLIANT, first create an EventBridge rule with a custom event pattern that matches the Config compliance-change event, and an input transformer that formats the message. Then, route the transformed event from EventBridge to an Amazon Simple Notification Service (Amazon SNS) topic.

Resolution

In the following example, EventBridge sends Amazon SNS notifications when the ec2-security-group-attached-to-eni managed rule reports AWS resources as NON_COMPLIANT. The non-compliant resource is an Amazon Elastic Compute Cloud (Amazon EC2) security group.

Note: You can replace the resourceType and configRuleName fields with the actual values from the Config rule that you use.

Complete the following steps:

  1. Create an Amazon SNS topic. If you have an existing Amazon SNS topic, then continue to the next step. Important: The Amazon SNS topic must be in the same AWS Region as your AWS Config service.

  2. Open the EventBridge console.

  3. Select EventBridge Rule with event pattern, and then choose Create rule.

  4. Select Visual rule builder opt in, and then enter the following information:
    For Name, enter a name for your rule.
    (Optional) For Description, enter a description of the rule.
    Then, choose Next.

  5. For Event source, choose AWS events or EventBridge partner events.

  6. Under Creation method, choose Custom pattern (JSON editor), and then enter the following example event pattern:

    { 
      "source": [ 
        "aws.config" 
      ], 
      "detail-type": [ 
        "Config Rules Compliance Change" 
      ], 
      "detail": { 
        "messageType": [ 
          "ComplianceChangeNotification" 
        ], 
        "configRuleName": [ 
          "ec2-security-group-attached-to-eni" 
        ], 
        "resourceType": [ 
          "AWS::EC2::SecurityGroup" 
        ], 
        "newEvaluationResult": { 
          "complianceType": [ 
            "NON_COMPLIANT" 
          ] 
        } 
      } 
    }  
  7. Choose Next.

  8. On the Select target(s) screen, enter the following information:
    For Target types, choose AWS service.
    For Select a target, choose SNS topic.
    For Topic, choose your SNS topic.
    Note: When you add an SNS topic as a target in the console, EventBridge adds a statement to the topic's access policy that allows the events.amazonaws.com service principal to publish to the topic. If a policy in your account denies sns:SetTopicAttributes on the topic, rule creation fails at this step.
    Under Additional settings, for Configure target input, choose Input transformer. Choose Configure input transformer.
    Under Target input transformer, for the Input Path text box, enter the following example path:

    { 
      "awsRegion": "$.detail.awsRegion", 
      "resourceId": "$.detail.resourceId", 
      "awsAccountId": "$.detail.awsAccountId", 
      "compliance": "$.detail.newEvaluationResult.complianceType", 
      "rule": "$.detail.configRuleName", 
      "time": "$.detail.newEvaluationResult.resultRecordedTime", 
      "resourceType": "$.detail.resourceType" 
    }  

    For Template, enter the following example template. Each <name> placeholder must match a key that you defined in the Input Path:
    "On <time> AWS Config rule <rule> evaluated the <resourceType> with Id <resourceId> in the account <awsAccountId> in the Region <awsRegion> as <compliance>. For more details open the AWS Config console at https://console.aws.amazon.com/config/home?region=<awsRegion>#/timeline/<resourceType>/<resourceId>/configuration"

  9. Choose Confirm.

  10. Choose Next, and then choose Next.

  11. Choose Create rule.

After AWS Config reports a matching resource as NON_COMPLIANT, subscribers to the topic receive an SNS email notification with the custom fields populated.

Example:

"On ExampleTime AWS Config rule ExampleRuleName evaluated the ExampleResourceType with Id ExampleResource_ID in the account ExampleAccount_ID in the Region ExampleRegion as ExampleComplianceType. For more details open the AWS Config console at https://console.aws.amazon.com/config/home?region=ExampleRegion#/timeline/ExampleResourceType/ExampleResource_ID/configuration"
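To check the pattern and the input transformer before you create the rule, the following added example (not part of the original article and not AWS tooling) replays constructed compliance-change events through a local matcher and renders the step 8 template. It reimplements only the exact-value subset of EventBridge pattern matching that this pattern uses; the four events, the account ID, the security group ID and the timestamp are constructed for the example.

```python
"""Local dry run of the EventBridge rule above (added example, not AWS code).

`matches` covers only the exact-value subset of EventBridge pattern semantics
this pattern needs: every pattern key must exist in the event, a leaf list
means "the event value must be one of these", nested objects recurse.
Content filters such as "prefix" or "anything-but" are not implemented.
"""
import re

EVENT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "messageType": ["ComplianceChangeNotification"],
        "configRuleName": ["ec2-security-group-attached-to-eni"],
        "resourceType": ["AWS::EC2::SecurityGroup"],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}

# Input transformer from step 8: path map plus the template it feeds.
INPUT_PATHS = {
    "awsRegion": "$.detail.awsRegion",
    "resourceId": "$.detail.resourceId",
    "awsAccountId": "$.detail.awsAccountId",
    "compliance": "$.detail.newEvaluationResult.complianceType",
    "rule": "$.detail.configRuleName",
    "time": "$.detail.newEvaluationResult.resultRecordedTime",
    "resourceType": "$.detail.resourceType",
}
INPUT_TEMPLATE = (
    "On <time> AWS Config rule <rule> evaluated the <resourceType> with Id "
    "<resourceId> in the account <awsAccountId> in the Region <awsRegion> as "
    "<compliance>. For more details open the AWS Config console at "
    "https://console.aws.amazon.com/config/home?region=<awsRegion>"
    "#/timeline/<resourceType>/<resourceId>/configuration"
)


def matches(pattern, event):
    """True if `event` satisfies every key of `pattern` (exact-match subset)."""
    for key, allowed in pattern.items():
        if not isinstance(event, dict) or key not in event:
            return False  # a missing field never matches; it does not raise
        value = event[key]
        if isinstance(allowed, dict):
            if not matches(allowed, value):
                return False
        else:
            # the event field may itself be a list; any overlap matches
            candidates = value if isinstance(value, list) else [value]
            if not any(c in allowed for c in candidates):
                return False
    return True


def resolve(path, event):
    """Resolve a dotted "$.a.b" input path against the event; None if absent."""
    node = event
    for part in path.lstrip("$.").split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def render(event):
    """Return the notification text for a matching event, else None."""
    if not matches(EVENT_PATTERN, event):
        return None
    values = {name: resolve(path, event) for name, path in INPUT_PATHS.items()}
    return re.sub(r"<(\w+)>", lambda m: str(values.get(m.group(1), "")), INPUT_TEMPLATE)


def make_event(rule, resource_type, compliance):
    """Constructed Config compliance-change event (shape only, not a capture)."""
    detail = {"messageType": "ComplianceChangeNotification", "configRuleName": rule,
              "resourceType": resource_type, "resourceId": "sg-0123456789abcdef0",
              "awsRegion": "us-east-1", "awsAccountId": "111122223333"}
    if compliance is not None:  # None simulates an event with no evaluation result
        detail["newEvaluationResult"] = {"complianceType": compliance,
                                         "resultRecordedTime": "2024-01-15T10:30:00.000Z"}
    return {"version": "0", "source": "aws.config",
            "detail-type": "Config Rules Compliance Change", "detail": detail}


SG = "AWS::EC2::SecurityGroup"
SAMPLE_EVENTS = {
    "non_compliant": make_event("ec2-security-group-attached-to-eni", SG, "NON_COMPLIANT"),
    "back_to_compliant": make_event("ec2-security-group-attached-to-eni", SG, "COMPLIANT"),
    "other_rule": make_event("some-other-config-rule", SG, "NON_COMPLIANT"),
    "no_evaluation_result": make_event("ec2-security-group-attached-to-eni", SG, None),
}

if __name__ == "__main__":
    for name, event in SAMPLE_EVENTS.items():
        print(f"{name}: {render(event) or 'no notification (pattern did not match)'}")
```

Run the file directly to see that only the NON_COMPLIANT event for the named rule produces a message; the COMPLIANT, other-rule and missing-newEvaluationResult events are dropped, which is what you want to confirm before an inbox is subscribed to the topic. Replace the configRuleName and resourceType values, as the note above describes, and rerun to verify the pattern for a different rule.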

Related information

How do I get notifications when changes happen to my Route 53 hosted zone records?

How do I set up custom email notifications when AWS Config detects new resources?

How do I configure EventBridge rules for GuardDuty to send custom SNS notifications for specific service finding types?

AWS OFFICIAL
Updated 2 months ago
2 Comments

This doesn't work when you use Control Tower. When you try to create the filter, you get the error:

User: arn:aws:sts::0123456789:assumed-role/AWSReservedSSO_AWSAdministratorAccess_0123456789/user is not authorized to perform: SNS:SetTopicAttributes on resource: arn:aws:sns:us-west-2:0123456789:aws-controltower-AggregateSecurityNotifications with an explicit deny in a service control policy

The workaround of using a Lambda also doesn't work for the same reason. See also: https://repost.aws/questions/QUyHJeFC9vRVqRLd_ep7-OeQ/conflicts-between-control-tower-and-security-controls

replied 2 years ago

This article was reviewed and updated on 2026-04-23.

AWS EXPERT

replied 2 months ago