Amazon Web Services – Receive Customized Notification for a Specific AWS Service Event Types Trigger

Sometimes users need to receive an email response with a custom notification for a specific AWS service event type trigger. In this article we are going to look into how can you receive customized notifications using an input transformer in AWS CloudWatch.

To do so follow the below steps:

Step 1: After logging into the AWS management console navigate to the Amazon CloudWatch Console.

Step 2: In the navigation pane choose Rules and then choose Create rule. 

Step 3: From the service name menu choose GuardDuty from the event type menu, choose GuardDuty finding.

In this article, we are configuring the trigger for unauthorized access EC2 TorIPCallar finding type as an example. 

Step 4: For this, we need to edit the event pattern as shown below:

Step 5: In Targets choose to Add target and in select target choose SNS topic. 

Step 6: Then in Topic choose your SNS topic. Here we have an SNS topic pre-configured so we are choosing the same. The expand Configure input and then choose Input Transformer.

Step 7: Copy the below code and then paste it into input path. 

{
    "severity": "$.detail.severity",
    "Account_ID": "$.detail.accountId",
    "Finding_ID": "$.detail.id",
    "Finding_Type": "$.detail.type",
    "region": "$.region",
    "Finding_description": "$.detail.description"
}                            

Step 8: Further copy the below code and then paste it into input template.

"AWS <Account_ID> has a severity <severity> GuardDuty finding type <Finding_Type>.
 in the <region> region."
"Finding Description:"
"<Finding_description>. "
"For more details open the GuardDuty console at
https://console.aws.amazon.com/guardduty/home?region=<region>#/findings?search=id=<Finding_ID>"
                            

Step 9: Then choose Configure details. In configure rule details enter a Name and Description for the rule and then choose Create rule.

From now on you will receive an Amazon Simple Notification Service email notification with the custom fields populated from what you configured in input template earlier for the unauthorized access EC2 TorIPCaller type guardian findings.