HOW TO SEND GUARD DUTY ALERTS TO EMAIL
Stop Missing Threats: How to Set Up AWS GuardDuty Email Alerts the Right Way
Hey guys, Darren here from Darren’s Tech Tutorials!
If you’re running workloads on AWS, GuardDuty is an absolutely essential service for proactive threat detection. But if you’ve tried to configure email alerts, you’ve probably run into a wall. You’d think that sending a security alert to your inbox would be as simple as typing in your email address—but this is AWS, so of course, the process is a little convoluted!
We need to build a chain reaction: GuardDuty findings fire -> CloudWatch captures them -> Simple Notification Service (SNS) pushes them to email.
Don’t worry! While the setup isn’t straightforward, by the time you finish this guide, you will have instant email notifications for all your critical GuardDuty findings. This gives you the speed you need to respond to threats immediately, giving you that valuable peace of mind.
Let’s dive in!
Step 1: Create the Simple Notification Service (SNS) Topic
The first thing we need is a reliable destination for our alerts. We will use AWS Simple Notification Service (SNS) as the hub that receives the security alerts and distributes them to your email address.
- Navigate to the Simple Notification Service (SNS) console in AWS.
- Click Create Topic.
- Select the Standard type.
- Name the topic something clear, like GuardDuty-Alerts.
- You can leave all other settings at their defaults. Click Create topic.
Step 2: Set Up and Confirm the Email Subscription
Now that we have the Topic, we need to subscribe your email address to it. This is a crucial security step that requires confirmation.
- In the details page of your new GuardDuty-Alerts topic, click Create subscription.
- For Protocol, select Email.
- In the Endpoint field, enter the email address where you want to receive the alerts.
- Click Create subscription.
Crucial Action Required! AWS will immediately send a confirmation email to that address. You must open that email and click the confirmation link to activate the subscription. Until you confirm, the alerts will not send!
Once confirmed, the status will change to “Confirmed.” Great, the destination is ready!
Step 3: Configure the CloudWatch Rule (The Router)
This is the key step where we tell AWS to listen specifically for GuardDuty events and send them to our newly created SNS topic. We do this using Amazon CloudWatch Events rules (the same feature is now called Amazon EventBridge).
3a. Create the Rule
- Navigate to the CloudWatch console.
- In the left sidebar, click Events then Rules.
- Click Create rule.
- Give the rule a name, such as GuardDuty-Email-Rule.
3b. Define the Event Pattern
We need to filter for GuardDuty findings specifically.
- Under Event source, select Event pattern.
- From the dropdowns, select:
- Service Name: GuardDuty
- Event Type: GuardDuty Findings
- Next, switch the Edit view from “Form” to “Edit in JSON”.
We need to use a specific JSON pattern to ensure we capture all relevant finding types. This is the link to the AWS documentation page for the required JSON: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings_cloudwatch.html
Copy the necessary JSON pattern (it specifies the source as aws.guardduty and the detail-type as GuardDuty Finding) and paste it into the editor:
    {
      "source": [
        "aws.guardduty"
      ],
      "detail-type": [
        "GuardDuty Finding"
      ]
    }
- Click Next.
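Before deploying a pattern it helps to check exactly which events it will forward. The following is an added example (not from the tutorial or AWS) that re-implements the small subset of EventBridge pattern matching the rule above relies on (lists of exact values, plus the numeric comparison) and runs the tutorial's pattern, and an assumed stricter high-severity variant, against constructed GuardDuty finding events.

```python
"""Check what an EventBridge pattern forwards before wiring it to SNS.

Only the pattern features used here are implemented: a list of allowed
exact values, nested objects, and {"numeric": [op, value, ...]}.
Sample events below are constructed, not real findings.
"""
import operator

OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
       "<=": operator.le, "=": operator.eq}

# The pattern from the tutorial: every GuardDuty finding, any severity.
ALL_FINDINGS = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
}

# Assumed extension (not in the tutorial): only forward findings with
# severity 7 or above, which GuardDuty labels High or Critical.
HIGH_ONLY = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}


def _value_matches(actual, allowed):
    """One event field against a list of matchers (any one may match)."""
    for cond in allowed:
        if isinstance(cond, dict) and "numeric" in cond:
            nums = cond["numeric"]  # e.g. [">=", 7] or [">", 0, "<", 5]
            pairs = zip(nums[0::2], nums[1::2])
            if isinstance(actual, (int, float)) and \
                    all(OPS[op](actual, val) for op, val in pairs):
                return True
        elif actual == cond:
            return True
    return False


def matches(pattern, event):
    """True if every key in the pattern is satisfied by the event."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):  # nested object, e.g. "detail"
            if not isinstance(event[key], dict) or \
                    not matches(expected, event[key]):
                return False
        elif not _value_matches(event[key], expected):
            return False
    return True


def guardduty_event(finding_type, severity):
    """Constructed, abridged GuardDuty finding event for testing."""
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "detail": {"type": finding_type, "severity": severity}}
```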
3c. Set the Target
- Under Target types, ensure AWS service is selected.
- From the dropdown, select SNS topic.
- For Topic, select the SNS topic we created earlier: GuardDuty-Alerts.
- Click Next through the optional configuration screens, and then click Create rule.
Fantastic! The chain is now linked: GuardDuty findings are routed through the CloudWatch rule directly to your SNS topic, which sends them to your email.
Step 4: Test Your New Alert System
To ensure everything is working, let’s generate some temporary findings and confirm they land in your inbox.
- Navigate back to the GuardDuty console.
- In the sidebar, click Settings.
- (Optional but Recommended): While here, check your Finding export frequency. I highly recommend setting this to Every 15 minutes if you want fast updates, rather than the default of 6 hours.
- Scroll down to the Sample Findings section.
- Click Generate sample findings.
This action will simulate several high-severity security events. Give the system a couple of minutes to process the findings, route them through CloudWatch, and push the notifications via SNS.
Troubleshooting Tip: If you don’t receive the alerts immediately (sometimes AWS just needs a minute to catch up), wait 60 seconds and click Generate sample findings again.
You should see multiple new emails in your inbox, each detailing a specific GuardDuty finding (e.g., “Backdoor:EC2/Spambot”). Success!
Conclusion: Respond Faster, Sleep Easier
It’s frustrating that such a crucial security feature requires three separate services, but now you have it set up. You’ve bypassed the typical complexity and created a robust system for immediate threat response. That’s how you give yourself that little bit of extra comfort—knowing that if something happens in your AWS environment, you’ll know instantly and can respond quickly!
I hope this tutorial was helpful! If you ran into any issues, drop a comment below and I’ll certainly help if I can.
Don’t forget to like this post and subscribe to the Darren’s Tech Tutorials channel for more clear, actionable tech guides! Thanks for watching!