Tuesday, September 30, 2025

AWS Config Rules Notifications 🔔 | Overview.

Scope:

  • Intro,
  • Primary Notification Methods,
  • Types of Notifications,
  • Common Use Cases,
  • Links to official documentation,
  • The Concept of Config Notifications (deep dive),
  • Types of Notifications (deep dive),
  • Notification Delivery Mechanisms,
  • Architecture,
  • Notification Lifecycle (flow),
  • Sample Notification Use Cases,
  • Best Practices.

Intro:

    • AWS Config provides several ways to receive notifications when resources change or when they are evaluated against your compliance rules.
    • These notifications are primarily delivered through Amazon Simple Notification Service (SNS) or Amazon EventBridge.

Primary Notification Methods

    • Amazon SNS (Native Delivery): twtech can configure a "Delivery Channel" in AWS Config to send all configuration changes and compliance notifications directly to an Amazon SNS topic.
    • Amazon EventBridge: This is the recommended method for targeted alerting. twtech can create EventBridge rules to filter for specific events, such as when a resource becomes "NON_COMPLIANT".
    • AWS User Notifications: A centralized service to view and manage notifications across AWS accounts. AWS User Notifications allows twtech to set up pattern matching to fine-tune alerts sent to email, Slack, or mobile apps.

Types of Notifications

    • Compliance Change Notification: Sent whenever a rule evaluation result changes (e.g., from COMPLIANT to NON_COMPLIANT).
    • Configuration Item (CI) Change: Triggered when the configuration of a tracked resource is created, updated, or deleted.
    • Evaluation Started Notification: Indicates that a rule evaluation has begun.
    • Oversized Notification: Sent when a configuration change exceeds the Amazon SNS message size limit.

Common Use Cases

    1. Immediate Security Alerts: Use Amazon EventBridge to trigger an SNS email immediately when a security group rule is added that allows public access.
    2. Automated Remediation: Trigger an AWS Lambda function via EventBridge to automatically fix a non-compliant resource as soon as the notification is received.
    3. Chat Integration: Use AWS Chatbot to send Config rule compliance updates directly to Slack or Microsoft Teams channels.

Links to official documentation

https://docs.aws.amazon.com/config/latest/developerguide/notifications-for-AWS-Config.html

https://docs.aws.amazon.com/config/latest/developerguide/oversized-notification-example.html

https://docs.aws.amazon.com/chatbot/latest/adminguide/custom-notifs.html

1. The Concept of Config Notifications (deep dive)

  • AWS Config doesn’t only evaluate resources.
  • AWS Config also notifies stakeholders when:

    • A resource changes state,
    • A rule evaluation occurs,
    • A compliance state changes,
    • Remediation is triggered.

NB:

  • Notifications ensure visibility.
  • Notifications help connect Config with monitoring, alerting, and workflows.

2. Types of Notifications (deep dive)

a) Configuration Item Change Notifications

  • Generated when the Config Recorder captures resource changes.
  • Example: An S3 bucket policy is updated.
  • Sent via SNS topics.

b) Compliance Change Notifications

  • Triggered when the compliance state changes:
    • COMPLIANT → NON_COMPLIANT
    • NON_COMPLIANT → COMPLIANT
  • Example: A security group rule is added that violates a Config Rule.

c) Rule Evaluation Notifications

  • Sent after a Config Rule runs (periodic or event-based).
  • Includes compliance results.

d) Remediation Notifications

  • Sent when a remediation execution starts or fails.
  • Typically integrated with EventBridge for automation.

3. Notification Delivery Mechanisms

Amazon SNS

    • Push notifications (email, SMS, Lambda, HTTP endpoints).
    • Classic approach for alerts to humans or ticketing systems.

Amazon EventBridge

    • Rich event patterns.
    • Enables automation workflows (e.g., invoke Step Functions, Lambda, SSM Automation).
    • Allows filtering: “Send only NON_COMPLIANT events for EC2.”

CloudWatch Alarms + Logs

    • Track repeated NON_COMPLIANT events.
    • Escalate persistent drift.

Security Hub

    • Aggregates Config compliance findings.
    • Standardized format (AWS Security Finding Format).

Architecture

4. Notification Lifecycle (flow):

1. Resource Change

    • Config Recorder captures the configuration item.
    • Event logged + evaluated.

2. Rule Evaluation

    • Config Rule triggered.
    • Compliance results generated.

3. Notification Trigger

    • Event type identified (change, compliance, remediation).

4. Routing

    • Event delivered via SNS or EventBridge.

5. Consumption

    • Humans (email/SMS via SNS).
    • Systems (Lambda, Step Functions, ticketing via EventBridge).
    • Security Hub (centralized compliance).

6. Audit

    • Events stored in CloudTrail for traceability.

5. Sample Notification Use Cases

Real-time Alerts

    • Send an email when a rule fails (SNS).

Automated Remediation Trigger

    • EventBridge rule invokes an SSM Document when an EBS volume is not encrypted.

Compliance Dashboarding

    • Stream compliance events into Security Hub or a SIEM.

Multi-Account Ops

    • Aggregate compliance + notifications across accounts via AWS Config Aggregator + Org-level EventBridge.

6. Best Practices

    • Use EventBridge over SNS for fine-grained routing and automation.
    • Apply filtering at EventBridge to reduce noise.
    • Separate human alerts (SNS) from automation (EventBridge).
    • Enrich notifications with tags, account IDs, and resource IDs.
    • Integrate into SIEM/SOAR platforms for enterprise visibility.
    • Test notification remediation loops before production.
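The EventBridge filtering from section 3 (“Send only NON_COMPLIANT events for EC2”) and the enrichment best practice above, as an added Python example that is not part of the original post: the event pattern in EventBridge syntax, a simplified matcher that implements only EventBridge's exact-value and prefix semantics (a subset of the real service), and a Lambda-style handler that builds the enriched alert. The sample event, account number, rule name and resource IDs are constructed placeholders; the field names follow the documented "Config Rules Compliance Change" event shape.

```python
# EventBridge pattern syntax: a leaf is a list of alternatives (exact value or
# {"prefix": ...}); every key present in the pattern must match (logical AND).
NON_COMPLIANT_EC2_PATTERN = {
    "source": ["aws.config"], "detail-type": ["Config Rules Compliance Change"],
    "detail": {"messageType": ["ComplianceChangeNotification"],
               "resourceType": [{"prefix": "AWS::EC2::"}],
               "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]}},
}

def _leaf_ok(alt, value):
    if isinstance(alt, dict) and "prefix" in alt:
        return isinstance(value, str) and value.startswith(alt["prefix"])
    return alt == value

def matches(pattern, event):
    # Subset of EventBridge matching: nested objects, exact values, prefix.
    for key, rule in pattern.items():
        if key not in event:
            return False
        if isinstance(rule, dict):
            if not isinstance(event[key], dict) or not matches(rule, event[key]):
                return False
        elif not any(_leaf_ok(alt, event[key]) for alt in rule):
            return False
    return True

def sample_event(resource_type, resource_id, old, new):
    # Constructed event in the shape EventBridge delivers for Config compliance
    # changes (placeholder account/IDs); old=None models a first-ever evaluation.
    return {"source": "aws.config", "detail-type": "Config Rules Compliance Change",
            "detail": {"messageType": "ComplianceChangeNotification",
                       "awsAccountId": "111122223333", "awsRegion": "us-east-1",
                       "configRuleName": "restricted-ssh",
                       "resourceType": resource_type, "resourceId": resource_id,
                       "oldEvaluationResult": None if old is None else {"complianceType": old},
                       "newEvaluationResult": {"complianceType": new}}}

def handler(event, context=None):
    """Lambda-style target: enriched alert for a match, None when filtered out."""
    if not matches(NON_COMPLIANT_EC2_PATTERN, event):
        return None
    d = event["detail"]
    old = (d.get("oldEvaluationResult") or {}).get("complianceType", "NOT_EVALUATED")
    return {"account": d["awsAccountId"], "region": d["awsRegion"],
            "rule": d["configRuleName"], "resource": f'{d["resourceType"]}/{d["resourceId"]}',
            "change": f'{old} -> {d["newEvaluationResult"]["complianceType"]}'}
```

The same pattern dictionary can be pasted as the event pattern of a real EventBridge rule; the matcher here only lets you check candidate events offline before deploying it.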


