Triage AWS Security Misconfigurations with GPT-4.1 Mini and Send Alerts to Gmail
What this workflow does
Automatically triages risky AWS misconfigurations and alerts your team.
Pipeline: Security Hub or AWS Config -> EventBridge rules -> SNS (HTTP) -> n8n Webhook -> Normalize -> AI Prioritizer -> Airtable (log) -> Gmail (email)
Normalizes incoming findings (S3 / Security Groups / IAM / RDS) into a consistent JSON.
Uses an LLM to assign a priority (P0–P3) with rationale and remediation steps.
Upserts the finding into Airtable (avoids duplicates).
Emails a compact incident summary to your inbox. This can be swapped for Microsoft Teams or Slack, etc.
Category: Security / Cloud / Alerting
Time to set up: ~10–15 minutes
Difficulty: Beginner–Intermediate
Cost: Mostly free (n8n CE + AWS SNS/EventBridge; OpenAI + Airtable/Gmail as used)
What you’ll need
An n8n instance reachable over HTTP.
AWS account (one region) with permissions to create SNS topics and EventBridge rules.
Security Hub enabled (or AWS Config rules that emit compliance events).
n8n credentials: OpenAI, Airtable, Gmail.
Nodes used
Webhook (POST /aws-misconfig)
Code: SNS Handler (token check, confirm/unwrap)
IF: route mode === "confirm" vs notification
HTTP Request: SNS SubscriptionConfirmation (GET)
Code: Normalize Finding
Message a model: AI Prioritizer (JSON out)
Airtable: Create/Upsert
Gmail: Send message
Edit Fields: final JSON response
Setup steps
Import and activate the workflow in n8n.
Webhook Respond: When Last Node Finishes -> First Entry JSON.
Append a shared secret to the URL, e.g. ?token=MY_SUPER_TOKEN, and keep the check in the SNS Handler code node.
Create an SNS topic (e.g., misconfig-events) in the same region as your EventBridge rules.
Create EventBridge rules targeting the SNS topic:
Rule A (Security Hub): source = aws.securityhub, detail-type = Security Hub Findings - Imported
Rule B (AWS Config): source = aws.config, detail-type = Config Rules Compliance Change
Create an SNS subscription with Protocol = HTTP and Endpoint = your production webhook URL:
http://YOUR_HOST:5678/webhook/aws-misconfig?token=MY_SUPER_TOKEN
(The workflow auto-confirms the subscription on first POST.)
Configure Airtable (Upsert on Finding ID) and Gmail recipients.
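The token check and confirm/unwrap logic that the SNS Handler step describes, as an added example in JavaScript (the language of n8n Code nodes); this is not the template's own node code. The function names, the `reject` mode and the SubscribeURL host check are assumptions, and the sample message is constructed.

```javascript
// Added example, not the template's own node code. Names and the 'reject' mode are assumptions.
const EXPECTED_TOKEN = 'MY_SUPER_TOKEN'; // placeholder value from the setup steps

// Compare the whole string instead of returning at the first differing character.
function safeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || b.length === 0) return false;
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i % b.length);
  return diff === 0;
}

// Only follow confirmation links that point at an AWS SNS endpoint over HTTPS.
function isSnsUrl(raw) {
  try {
    const u = new URL(raw);
    return u.protocol === 'https:' && /^sns\.[a-z0-9-]+\.amazonaws\.com(\.cn)?$/.test(u.hostname);
  } catch (e) { return false; }
}

function parseJson(v) {
  try { return typeof v === 'string' ? JSON.parse(v) : v; } catch (e) { return null; }
}

function handleSns(query, body) {
  if (!safeEqual(query && query.token, EXPECTED_TOKEN)) return { mode: 'reject', reason: 'bad token' };
  const msg = parseJson(body); // SNS posts JSON as text/plain, so the body may be a string
  if (!msg || typeof msg !== 'object') return { mode: 'reject', reason: 'body is not JSON' };
  if (msg.Type === 'SubscriptionConfirmation') {
    return isSnsUrl(msg.SubscribeURL)
      ? { mode: 'confirm', subscribeUrl: msg.SubscribeURL }
      : { mode: 'reject', reason: 'untrusted SubscribeURL' };
  }
  if (msg.Type === 'Notification') {
    const event = parseJson(msg.Message); // the EventBridge event is a JSON string inside Message
    return event && typeof event === 'object'
      ? { mode: 'notification', event }
      : { mode: 'reject', reason: 'Message is not JSON' };
  }
  return { mode: 'reject', reason: 'unsupported Type' };
}

// Constructed sample: an SNS Notification wrapping an EventBridge Security Hub event.
const sampleBody = JSON.stringify({
  Type: 'Notification',
  Message: JSON.stringify({ source: 'aws.securityhub', 'detail-type': 'Security Hub Findings - Imported', detail: {} }),
});
console.log(handleSns({ token: 'MY_SUPER_TOKEN' }, sampleBody).mode);
```

This sketch does not verify the SNS message signature, so the shared token is the only sender check. Over plain `http://` that token is readable in transit; SNS also supports HTTPS endpoints.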