HOW TO SEND GUARD DUTY ALERTS TO EMAIL

Published: August 22, 2024 (Updated: Aug 22, 2024)


Stop Missing Critical Threats: How to Send AWS GuardDuty Alerts Directly to Your Email

Hey guys, Darren from Darren’s Tech Tutorials here!

If you’ve ever tried to set up automated email notifications for AWS GuardDuty, you’ve likely experienced the frustration. You would think that a critical security service would have a simple “Enter Email Here” box, right? Unfortunately, this is AWS, and the solution is a bit convoluted, requiring a strategic detour through the Simple Notification Service (SNS) and CloudWatch.

But don’t worry! I’ve cracked the code. By the end of this tutorial, you will have a robust system ensuring that every critical security finding from GuardDuty fires straight to your inbox, allowing you to respond in minutes, not hours.

Let’s dive into the required steps!


Step 1: Set Up the Email Destination using SNS

The first step is to create a channel that AWS can use to send the notification payload. We will use the Simple Notification Service (SNS) for this.

1. Create an SNS Topic

  1. Navigate to the Simple Notification Service (SNS) in the AWS Console.
  2. Click Create Topic.
  3. Select the Standard type.
  4. Name the topic something clear, like GuardDuty-Email-Alerts.
  5. Click Create Topic.

2. Subscribe Your Email Address

Now we need to link your email address to this new topic.

  1. Select the topic you just created (GuardDuty-Email-Alerts).
  2. Click Create Subscription.
  3. For Protocol, select Email.
  4. In the Endpoint field, enter the email address where you want to receive the alerts.
  5. Click Create Subscription.

🚨 IMPORTANT: AWS will send a confirmation email immediately. You must go to your inbox and click the confirmation link to activate the subscription before proceeding to the next steps.


Step 2: Creating the CloudWatch Event Rule

Since GuardDuty doesn’t talk directly to email, we use Amazon CloudWatch Events (now Amazon EventBridge; both names refer to the same rule engine, and the rule shows up in both consoles) to act as the traffic cop. This rule watches for new GuardDuty findings and, when one appears, triggers the SNS notification we set up in Step 1.

  1. Navigate to Amazon CloudWatch in the AWS Console.
  2. In the left-hand navigation pane, look for Events and click on Rules (or navigate to EventBridge Rules).
  3. Click Create Rule.
  4. Give the rule a descriptive name, such as GuardDuty-Email-Rule.

Step 3: Configuring the Event Pattern (The JSON Magic)

This is the most critical part of the setup. We need to tell the CloudWatch rule exactly what kind of event to listen for—specifically, GuardDuty findings. We do this using a JSON event pattern.

  1. Under Event Source, select Event Pattern.
  2. Choose the Edit option to customize the JSON pattern.
  3. Paste the following JSON structure. This pattern matches every finding event that the GuardDuty service publishes:
{
  "source": [
    "aws.guardduty"
  ],
  "detail-type": [
    "GuardDuty Finding"
  ]
}

This ensures the rule only fires when a GuardDuty finding is generated. If you want more details on the structure, check the official documentation link I followed: AWS GuardDuty Findings CloudWatch Documentation

  4. Click Next.

Define the Target Action

Now we link the monitoring rule to the notification service.

  1. In the Select targets section, choose AWS Service.
  2. For the Target type, select SNS Topic.
  3. In the Topic dropdown, select the topic you created earlier (e.g., GuardDuty-Email-Alerts).
  4. Click Next twice to review the settings.
  5. Finally, click Create Rule.

Your GuardDuty alerts now have a clear path to your email!
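Before you click Create Rule it is worth confirming that the Step 3 pattern actually matches a finding event, and seeing how the same pattern can be narrowed. The Python below is an added example, not code from this tutorial or from AWS: it implements the small subset of EventBridge pattern semantics the rule relies on (exact-match lists, nested keys and the numeric content filter) and checks the tutorial's pattern, plus a hypothetical high-severity variant, against a constructed sample finding event.

```python
import operator

# Added example (not from the tutorial or AWS): a minimal offline checker for
# EventBridge patterns covering exact-match lists, nested keys and "numeric".
_NUMERIC_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
                "<=": operator.le, "=": operator.eq}

# The tutorial's Step 3 pattern: fire on every GuardDuty finding.
ALL_FINDINGS_PATTERN = {"source": ["aws.guardduty"],
                        "detail-type": ["GuardDuty Finding"]}

# Hypothetical stricter variant: only severity >= 7.0 (GuardDuty's High band and above).
HIGH_SEVERITY_PATTERN = {**ALL_FINDINGS_PATTERN,
                         "detail": {"severity": [{"numeric": [">=", 7]}]}}

def _leaf_matches(candidates, value):
    """True if value satisfies any entry of a pattern's candidate list."""
    for cand in candidates:
        if isinstance(cand, dict) and "numeric" in cand:
            # Numeric filter: ["op", threshold] or ["op", t1, "op", t2].
            if isinstance(value, bool) or not isinstance(value, (int, float)):
                continue
            ops = cand["numeric"]
            if all(_NUMERIC_OPS[o](value, t) for o, t in zip(ops[0::2], ops[1::2])):
                return True
        elif cand == value:
            return True
    return False

def matches(pattern, event):
    """True if every key in pattern is present in event and matches it."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        else:
            # An event field may itself be a list; any element may match.
            values = actual if isinstance(actual, list) else [actual]
            if not any(_leaf_matches(expected, v) for v in values):
                return False
    return True

# Constructed, abridged sample event (values made up) in the shape EventBridge delivers.
SAMPLE_FINDING = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
                  "account": "111122223333", "region": "us-east-1",
                  "detail": {"type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2.0}}
```

The AWS CLI's aws events test-event-pattern command performs the same check against a complete event using the service's own matcher, which is the authoritative test before deploying the rule.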


Step 4: Testing and Validating the Alerts

To make sure everything is working perfectly, we need to generate a test alert and confirm it lands in your inbox.

  1. Navigate back to the GuardDuty console.
  2. Click on Settings in the left navigation menu.
  3. (Optional but recommended) Change the Finding update frequency to 15 minutes during testing, so that findings are processed and routed as quickly as possible.
  4. Scroll down to the bottom and click on Generate Sample Findings. This action creates several dummy findings (like unexpected API calls) which should trigger your CloudWatch rule.

Troubleshooting Tip

If you generate the findings and the email doesn’t arrive within 2 minutes:

  • Check your SNS subscription status. Make sure it still says “Confirmed.”
  • Wait a few more minutes. Sometimes, the initial propagation takes slightly longer.
  • Generate the sample findings again. As I saw during the video tutorial, sometimes just regenerating them after a short pause gets the mechanism firing.

Once you see the detailed finding notification email come through, you know the entire pipeline is configured successfully!


Conclusion

It’s true—setting up AWS GuardDuty alerts to email is far from intuitive. You have to thread the needle by connecting GuardDuty to CloudWatch, and then CloudWatch to SNS, and finally SNS to your inbox.

But by completing these steps, you’ve given yourself the incredible advantage of real-time security alerts. No more sifting through logs! You can now rest easier, knowing that if something critical happens in your AWS environment, you can respond instantly. That peace of mind is invaluable.

If this guide helped you conquer the complexities of AWS security notifications, please let me know in the comments below! And, as always, don’t forget to Like this post and Subscribe to Darren’s Tech Tutorials for more clear, accessible technology guides.

Thanks for watching!