January 22, 2026

AWS to Airtable, prioritized alerts sent via Gmail

Q: Can I modify this AWS alert automation workflow for different use cases?

Yes, and you probably should. You can swap the Dispatch Email Alert step for Slack or Teams, adjust the AI Severity Triage prompt to match your risk policy, and extend Standardize Finding Data to include your own tags like environment, account owner, or runbook links.

AWS to Airtable, prioritized alerts sent via Gmail - n8n workflow automation template

Lisa Granqvist Partner Workflow Automation Expert

Get a free AI assessment → ⬇️ Use template

AWS alerting gets noisy fast. One small misconfiguration can create a flood of “findings,” and the important ones get buried under the “probably fine” ones.

Security leads feel this when the inbox turns into a backlog. Ops managers end up context-switching all day. And consultants supporting multiple client accounts need AWS alert automation that stays readable and consistent.

This workflow takes Security Hub or AWS Config events, normalizes them, uses AI to assign a clear priority (P0–P3), logs the result in Airtable without duplicates, and emails a compact summary through Gmail. You’ll see how it works, what you need, and how to customize it for your team.

How This Automation Works

Here’s the complete workflow you’ll be setting up:

n8n Workflow Template: AWS to Airtable, prioritized alerts sent via Gmail

Click to explore

flowchart LR

    subgraph sg0["AI Prioritizer Flow"]
        direction LR
        n0["<div style='background:#f5f5f5;padding:10px;border-radius:8px;display:inline-block;border:1px solid #e0e0e0'><img src='https://flowpast.com/wp-content/uploads/n8n-workflow-icons/webhook.dark.svg' width='40' height='40' /></div><br/>Webhook"]
        n1["<div style='background:#f5f5f5;padding:10px;border-radius:8px;display:inline-block;border:1px solid #e0e0e0'><img src='https://flowpast.com/wp-content/uploads/n8n-workflow-icons/code.svg' width='40' height='40' /></div><br/>Normalize Finding"]
        n2@{ icon: "mdi:message-outline", form: "rounded", label: "Send a message", pos: "b", h: 48 }
        n3@{ icon: "mdi:robot", form: "rounded", label: "AI Prioritizer", pos: "b", h: 48 }
        n4["<div style='background:#f5f5f5;padding:10px;border-radius:8px;display:inline-block;border:1px solid #e0e0e0'><img src='https://flowpast.com/wp-content/uploads/n8n-workflow-icons/airtable.svg' width='40' height='40' /></div><br/>Airtable - Create Record"]
        n5@{ icon: "mdi:swap-vertical", form: "rounded", label: "Edit Fields", pos: "b", h: 48 }
        n6["<div style='background:#f5f5f5;padding:10px;border-radius:8px;display:inline-block;border:1px solid #e0e0e0'><img src='https://flowpast.com/wp-content/uploads/n8n-workflow-icons/code.svg' width='40' height='40' /></div><br/>SNS Handler"]
        n7@{ icon: "mdi:swap-horizontal", form: "rounded", label: "If", pos: "b", h: 48 }
        n8["<div style='background:#f5f5f5;padding:10px;border-radius:8px;display:inline-block;border:1px solid #e0e0e0'><img src='https://flowpast.com/wp-content/uploads/n8n-workflow-icons/httprequest.dark.svg' width='40' height='40' /></div><br/>SNS Confirm"]
        n9@{ icon: "mdi:swap-vertical", form: "rounded", label: "Edit Fields1", pos: "b", h: 48 }
        n7 --> n8
        n7 --> n1
        n0 --> n6
        n8 --> n9
        n6 --> n7
        n3 --> n4
        n2 --> n5
        n1 --> n3
        n4 --> n2
    end

    %% Styling
    classDef trigger fill:#e8f5e9,stroke:#388e3c,stroke-width:2px
    classDef ai fill:#e3f2fd,stroke:#1976d2,stroke-width:2px
    classDef aiModel fill:#e8eaf6,stroke:#3f51b5,stroke-width:2px
    classDef decision fill:#fff8e1,stroke:#f9a825,stroke-width:2px
    classDef database fill:#fce4ec,stroke:#c2185b,stroke-width:2px
    classDef api fill:#fff3e0,stroke:#e65100,stroke-width:2px
    classDef code fill:#f3e5f5,stroke:#7b1fa2,stroke-width:2px
    classDef disabled stroke-dasharray: 5 5,opacity: 0.5
    class n3 ai
    class n7 decision
    class n4 database
    class n0,n8 api
    class n1,n6 code
    classDef customIcon fill:none,stroke:none
    class n0,n1,n4,n6,n8 customIcon

Why This Matters: AWS Findings That Don’t Tell You What to Do

Security Hub and AWS Config are great at detecting issues, but they’re not great at helping humans respond quickly. Findings arrive with inconsistent structure, different severity systems, and wildly different levels of context depending on the service (S3 vs IAM vs Security Groups). Then the real problem starts: triaging in the inbox. Someone has to decide “Is this urgent?”, “Is it a duplicate?”, “Do we already have a ticket?”, and “What’s the fix?” That’s time you don’t get back, and it usually steals attention from work that actually reduces risk.

The friction compounds. Here’s where it breaks down in real teams.

Important misconfigurations show up mixed with low-value alerts, so you end up scanning everything “just in case.”
Two services can report the same underlying issue, and your team handles it twice because there’s no simple dedupe.
Findings aren’t normalized, which means your “process” is basically re-reading JSON and guessing impact.
When alerts live only in email, you lose history, ownership, and the ability to spot repeat offenders.

What You’ll Build: AWS → AI Priority → Airtable Log → Gmail Summary

This workflow turns raw AWS events into an actionable incident-style brief your team can actually use. It starts when AWS sends a Security Hub finding or an AWS Config compliance change through EventBridge and SNS, which then posts into an n8n webhook. The workflow validates the message (including SNS subscription confirmation), unwraps the payload, and converts each service’s “shape” into one consistent JSON format. Next, an AI step reviews the normalized finding and assigns a priority from P0 to P3, plus a short rationale and concrete remediation steps. Finally, the workflow upserts the finding into Airtable by Finding ID to prevent duplicates, then sends a clean Gmail summary to the right recipients.

The workflow begins with an HTTP webhook that receives SNS messages. It then standardizes the finding, runs AI severity triage, writes the final record to Airtable, and emails a compact alert your team can act on. No hunting through AWS consoles to understand what just happened.

What You’re Building

What Gets Automated

What You’ll Achieve

AWS Security Hub and AWS Config findings are accepted through a single webhook endpoint.
SNS confirmation messages are handled automatically so subscriptions don’t stall.
Findings are normalized into consistent fields before any triage happens.
Airtable upserts by Finding ID so duplicates don’t spam your team.

Cut triage from “read everything” to a 30-second skim per alert.
Get a P0–P3 priority that’s consistent across S3, IAM, RDS, and Security Groups.
Build an audit trail in Airtable you can filter, assign, and review later.
Reduce repeat handling because the same finding updates instead of re-creating noise.
Send a readable incident brief via Gmail that a non-specialist can still follow.

Expected Results

Say your account generates about 20 findings a day across Security Hub and AWS Config. Manually, if you spend roughly 6 minutes opening the alert, figuring out severity, checking if it’s already known, and writing a short note, that’s about 2 hours a day. With this workflow, the “human time” becomes: glance at a prioritized Gmail brief (maybe 30 seconds each) and act on only the P0/P1 items. The workflow runs in the background after the initial 10–15 minute setup.

Before You Start

n8n instance (try n8n Cloud free)
Self-hosting option if you prefer (Hostinger works well)
AWS (Security Hub or AWS Config) to generate findings via EventBridge.
Airtable for deduping and logging findings.
OpenAI API key (get it from the OpenAI API dashboard)
Gmail account to deliver readable incident summaries.

Skill level: Beginner–Intermediate. You’ll paste in a webhook URL, connect credentials, and make one small AWS configuration (SNS + EventBridge).

Want someone to build this for you? Talk to an automation expert (free 15-minute consultation).

Step by Step

AWS pushes an event to your webhook. EventBridge rules send Security Hub findings or AWS Config compliance events to an SNS topic, and SNS posts that message to your n8n webhook endpoint.

The workflow validates and unwraps the SNS payload. It checks the shared token in the URL, then detects whether the incoming message is a one-time SNS subscription confirmation or a real notification that contains a finding.

The finding is standardized and prioritized. A code step converts messy, service-specific fields into one consistent JSON. Then the AI prioritizer assigns P0–P3 and produces a short rationale plus remediation steps that you can hand to an engineer without rewriting.

Airtable becomes your source of truth, and Gmail becomes your delivery layer. The workflow upserts the record by Finding ID (so repeats update instead of duplicating), then emails a compact summary that’s readable on mobile.

You can easily modify Gmail recipients to send to a shared mailbox, or swap the email step for Slack or Microsoft Teams based on your needs. See the full implementation guide below for customization options.

Step-by-Step Implementation Guide

Step 1: Configure the Webhook Trigger

Set up the inbound webhook that receives AWS SNS notifications and drives the rest of the workflow.

Add and open Incoming Webhook Trigger.
Set Path to aws-misconfig.
Set HTTP Method to POST.
Set Response Mode to lastNode so the workflow replies with the final status payload.

Make sure your AWS SNS subscription points to the full webhook URL shown in Incoming Webhook Trigger.

Step 2: Parse and Route Incoming SNS Events

Normalize SNS payloads and route subscription confirmations versus actual notifications.

Open SNS Event Parser and update the token check to your secret by replacing [CONFIGURE_YOUR_TOKEN] inside the code.
Verify the parser returns mode as either confirm or notify depending on the SNS event type.
Open Branch Logic and confirm the condition uses =={{ $json.mode === 'confirm' }} to branch confirmations from notifications.

⚠️ Common Pitfall: Forgetting to update [CONFIGURE_YOUR_TOKEN] will cause all requests to fail with an unauthorized error.

Step 3: Handle SNS Subscription Confirmation

Confirm SNS subscriptions automatically when AWS sends a subscription confirmation event.

Open Confirm SNS Subscription and set URL to =={{ $json.subscribeUrl }}.
Open Compose Confirmation Response and ensure the response is assigned with =resp = { status: "subscribed", statusCode: $json.statusCode || 200 }.

This branch only runs when Branch Logic evaluates the confirmation path.

Step 4: Normalize Findings and Run AI Severity Triage

Standardize security findings and classify priority using AI before storing and notifying.

Open Standardize Finding Data and keep Mode as runOnceForEachItem.
Confirm the code returns a single object with fields like finding_id, title, severity, and service.
Open AI Severity Triage and confirm the prompt includes {{ JSON.stringify($json, null, 2) }} for the normalized finding input.
Credential Required: Connect your openAiApi credentials in AI Severity Triage.

Use the AI Severity Triage model gpt-4.1-mini as configured to keep costs low while maintaining quality.

Step 5: Store Findings in Airtable

Upsert each triaged finding into Airtable for tracking and reporting.

Open Airtable Upsert Record and select your Base and Table.
Keep Operation set to upsert and map fields using the existing expressions, such as ={{ $('Standardize Finding Data').item.json.finding_id }} for the record ID.
Verify tags and remediation concatenation fields use the expressions shown in the node, for example ={{ $json.message.content.tags[0] }}{{ $json.message.content.tags[1] }}{{ $json.message.content.tags[2] }}{{ $json.message.content.tags[3] }}{{ $json.message.content.tags[4] }}.
Credential Required: Connect your airtableTokenApi credentials in Airtable Upsert Record.

Step 6: Configure Email Alerts and Webhook Reply

Send the triage summary to email and return a structured webhook response.

Open Dispatch Email Alert and set Send To to your recipient address (replace [YOUR_EMAIL]).
Confirm Subject uses =={{ `[${JSON.parse($node["AI Severity Triage"].json.message.content).priority}] ${$node["Standardize Finding Data"].json.title} — ${$node["Standardize Finding Data"].json.resource_id} (${ $node["Standardize Finding Data"].json.service })` }}.
Confirm Message uses the HTML template with AI remediation steps and embedded raw finding data: =={{ (() => { const nf = $node["Standardize Finding Data"].json; const ai = typeof $node["AI Severity Triage"].json.message.content === 'string' ? JSON.parse($node["AI Severity Triage"].json.message.content) : $node["AI Severity Triage"].json.message.content; const steps = (ai.remediation || []).map(s => `
${s}

`).join('');  const tags  = (ai.tags || []).join(', ');  const airtableId = $node["Airtable Upsert Record"].json?.id || '';  const airtableLine = airtableId ? `Airtable Record ID: ${airtableId}
` : '';  return `    AWS Misconfig Alert
    Priority: ${ai.priority}   Severity: ${nf.severity}
    Title: ${nf.title}
    Service: ${nf.service}   Resource: ${nf.resource_id}
    Account: ${nf.account}   Region: ${nf.region}
    Why: ${ai.rationale}
    Remediation:
    ${steps}
    Tags: ${tags || '—'}
    ${airtableLine}    Raw finding
      ${JSON.stringify(nf.raw || nf, null, 2)}
    
  `;})() }}

Credential Required: Connect your gmailOAuth2 credentials in Dispatch Email Alert.
Open Build Webhook Reply and confirm Mode is raw with JSON Output set to ={{ { resp: { status: "processed", priority: $node["Airtable Upsert Record"].json.fields.Priority, finding_id: $node["Standardize Finding Data"].json.finding_id } } }}.

Step 7: Test and Activate Your Workflow

Validate end-to-end behavior before enabling production execution.

Click Execute Workflow and send a sample SNS notification payload to the Incoming Webhook Trigger URL.
Confirm that SNS Event Parser passes to Branch Logic, then to Standardize Finding Data for notification events.
Verify AI Severity Triage returns structured JSON and Airtable Upsert Record creates/updates a row.
Check that Dispatch Email Alert sends an email with the formatted summary and Build Webhook Reply returns a processed response.
Turn the workflow Active to start processing live SNS events.

A successful execution ends with Build Webhook Reply responding with the priority and finding ID.

🔒

Unlock Full Step-by-Step Guide

Get the complete implementation guide + downloadable template

Troubleshooting Tips

Airtable credentials can expire or the base/table permissions might be too limited. If upserts fail, check the connected account access and the “Finding ID” field type first.
If you’re using Wait nodes or external rendering, processing times vary. Bump up the wait duration if downstream nodes fail on empty responses.
Default prompts in AI nodes are generic. Add your brand voice early or you’ll be editing outputs forever.
AWS SNS confirmations can get stuck if the webhook URL is wrong or blocked. Check the SNS subscription status in the AWS console and confirm your n8n instance is reachable over HTTP.
Gmail can fail quietly when the sender account needs re-authentication. If emails stop, re-connect the Gmail credential in n8n and verify sending limits on that mailbox.

Quick Answers

What’s the setup time for this AWS alert automation automation?

About 10–15 minutes if your AWS pieces are ready.

Is coding required for this alert automation?

No. You’ll import the workflow, connect accounts, and copy a webhook URL into AWS. There is a code node inside the workflow, but you typically don’t need to edit it unless you want custom parsing or extra validation.

Is n8n free to use for this AWS alert automation workflow?

Yes. n8n has a free self-hosted option and a free trial on n8n Cloud. Cloud plans start at $20/month for higher volume. You’ll also need to factor in OpenAI API usage (usually pennies per alert) and any Airtable plan limits based on how many findings you log.

Where can I host n8n to run this automation?

Two options: n8n Cloud (managed, easiest setup) or self-hosting on a VPS. For self-hosting, Hostinger VPS is affordable and handles n8n well. Self-hosting gives you unlimited executions but requires basic server management.

Can I modify this AWS alert automation workflow for different use cases?

Yes, and you probably should. You can swap the Dispatch Email Alert step for Slack or Teams, adjust the AI Severity Triage prompt to match your risk policy, and extend Standardize Finding Data to include your own tags like environment, account owner, or runbook links.

Why is my Airtable connection failing in this workflow?

Usually it’s permissions or a mismatched field. Confirm the connected Airtable account can edit the target base, then verify the workflow is upserting into the right table and that “Finding ID” is present and consistent (blank IDs cause ugly duplicates and failed updates). If it suddenly stopped working, re-authenticate the Airtable credential in n8n.

What volume can this AWS alert automation workflow process?

For most small teams, hundreds of findings a day is fine as long as your n8n instance stays online and your AI/Airtable limits aren’t hit. On n8n Cloud, capacity depends on plan and execution limits; on self-hosted n8n there’s no hard execution cap, but your server size becomes the bottleneck. If you expect bursts (for example, after enabling Security Hub controls), consider routing only specific severities through EventBridge first, then widening coverage once you’re confident.

Is this AWS alert automation automation better than using Zapier or Make?

Often, yes. This workflow needs branching (SNS confirm vs notification), data normalization, and structured AI output, and n8n handles that without turning every extra step into a pricing problem. It also gives you self-hosting, which is useful when you want the webhook endpoint under your control. Zapier or Make can still work if your setup is simpler, but SNS confirmation handling and JSON parsing get awkward fast. Talk to an automation expert if you want a quick recommendation for your exact stack.

Once this is live, your team stops reacting to “an alert” and starts responding to a prioritized, deduped queue with clear next actions. Set it up once, and the workflow does the repetitive part from then on.

Need Help Setting This Up?

Our automation experts can build and customize this workflow for your specific needs. Free 15-minute consultation—no commitment required.

Lisa Granqvist

Workflow Automation Expert

Expert in workflow automation and no-code tools.

{
"id": null,
"meta": {
"instanceId": "6ffa0b9425e5bdbbe92d21669ab4f190b49529a16480551019f846d3b2d25d7c",
"templateId": null,
"templateCredsSetupCompleted": null
},
"name": "Automated Security Alert Triage",
"tags": [],
"nodes": [
{
"id": "flowpast-topbar-7202",
"name": "Flowpast Branding",
"type": "n8n-nodes-base.stickyNote",
"position": [
0,
20
],
"parameters": {
"color": 7,
"width": 1050,
"height": 80,
"content": "## Flowpast.com | Automation Workflow Library\n**\ud83d\udcd6 Full tutorial & setup guide:** flowpast.com"
},
"typeVersion": 1
},
{
"id": "7be0eeba-8700-4b51-a40f-db84c7c533b1",
"name": "Incoming Webhook Trigger",
"type": "n8n-nodes-base.webhook",
"position": [
700,
125
],
"webhookId": "bebea408-3564-49c8-9407-14a4102fe0cf",
"parameters": {
"path": "aws-misconfig",
"options": [],
"httpMethod": "POST",
"responseMode": "lastNode"
},
"typeVersion": 2
},
{
"id": "fbb5d2af-7eb2-414f-b79e-2a51ddb9b21f",
"name": "SNS Event Parser",
"type": "n8n-nodes-base.code",
"position": [
420,
155
],
"parameters": {
"jsCode": "const b = $json.body ?? $json;\nconst token = $json.query?.token ?? b.token;\nif (token !== '[CONFIGURE_YOUR_TOKEN]') throw new Error('unauthorized');\n\nif (b.Type === 'SubscriptionConfirmation' && b.SubscribeURL) {\n  return { mode: 'confirm', subscribeUrl: b.SubscribeURL };\n}\n\nlet event = b;\nif (b.Type === 'Notification' && b.Message) {\n  try { event = JSON.parse(b.Message); } catch {}\n}\nreturn { mode: 'notify', event };\n"
},
"typeVersion": 2
},
{
"id": "b61e5e70-697d-4fe4-9897-9a116aa5aff1",
"name": "Branch Logic",
"type": "n8n-nodes-base.if",
"position": [
170,
120
],
"parameters": {
"options": [],
"conditions": {
"options": {
"version": 2,
"leftValue": "",
"caseSensitive": true,
"typeValidation": "strict"
},
"combinator": "and",
"conditions": [
{
"id": "d192995f-8809-4b60-8f6a-b7bd2e3e47b0",
"operator": {
"name": "filter.operator.equals",
"type": "string",
"operation": "equals"
},
"leftValue": "=={{ $json.mode === 'confirm' }}",
"rightValue": ""
}
]
}
},
"typeVersion": 2.2
},
{
"id": "5c1145c7-6dd6-47e3-9fee-e1fb15318a22",
"name": "Confirm SNS Subscription",
"type": "n8n-nodes-base.httpRequest",
"position": [
390,
325
],
"parameters": {
"url": "=={{ $json.subscribeUrl }}",
"options": {
"timeout": 15000,
"response": {
"response": {
"fullResponse": true,
"responseFormat": "json"
}
}
}
},
"typeVersion": 4.2
},
{
"id": "831507c3-b00f-44ec-8506-c0310904eb6e",
"name": "Compose Confirmation Response",
"type": "n8n-nodes-base.set",
"position": [
140,
370
],
"parameters": {
"options": [],
"assignments": {
"assignments": [
{
"id": "346708e7-629e-4d8a-8a98-994b9526b55d",
"name": "resp",
"type": "object",
"value": "=resp = { status: \"subscribed\", statusCode: $json.statusCode || 200 }"
}
]
}
},
"typeVersion": 3.4
},
{
"id": "ac0b1a8d-14a0-4e6d-be3a-779a57603869",
"name": "Standardize Finding Data",
"type": "n8n-nodes-base.code",
"position": [
0,
495
],
"parameters": {
"mode": "runOnceForEachItem",
"jsCode": "// n8n Code node (Run Once for Each Item)\n// Normalizes Security Hub / AWS Config events whether they arrive at root or under body\nconst evt = $json.body ?? $json;\n\n// Security Hub finding (EventBridge or raw)\nconst sh = evt?.detail?.findings?.[0] || (Array.isArray(evt.findings) ? evt.findings[0] : null);\n// AWS Config notification\nconst cfg = evt?.detail?.configRuleName ? evt.detail : null;\n// Raw Security Hub finding at root\nconst rawSh = (!sh && evt?.ProductArn) ? evt : null;\n\nconst f = sh || rawSh || {};\n\nconst sev   = f?.Severity?.Label || (cfg ? \"MEDIUM\" : \"UNKNOWN\");\nconst title = f?.Title || cfg?.configRuleName || \"Finding\";\nconst desc  = f?.Description || cfg?.newEvaluationResult?.annotation || \"\u2014\";\nconst id    = f?.Id\n  || cfg?.newEvaluationResult?.evaluationResultIdentifier?.evaluationResultQualifier?.configRuleName\n  || String(Date.now());\nconst res   = f?.Resources?.[0]?.Id || cfg?.resourceId || \"unknown\";\nconst types = f?.Types || [];\nconst account = evt?.account || f?.AwsAccountId || \"unknown\";\nconst region  = evt?.region  || f?.Region       || \"unknown\";\n\n// Derive service + hints\nlet service = \"UNKNOWN\";\nif (/^arn:aws:s3:::/.test(res) || types.some(t => t.includes(\"S3\"))) service = \"S3\";\nelse if (types.some(t => /SecurityGroup/i.test(t)) || /sg-/.test(res)) service = \"EC2-SG\";\nelse if (types.some(t => /IAM/i.test(t))) service = \"IAM\";\nelse if (types.some(t => /RDS|SQL|DB/i.test(t))) service = \"RDS\";\nelse if (f?.ProductArn) service = (f.ProductArn.split(\":\")[5] || \"UNKNOWN\");\n\nconst misconfig_hints = [];\nif (service === \"S3\") misconfig_hints.push(\"s3\");\nif (/0\\.0\\.0\\.0\\/0|Public|Open|world/i.test(desc)) misconfig_hints.push(\"public\");\nif (service === \"EC2-SG\") misconfig_hints.push(\"sg\");\nif (service === \"IAM\")    misconfig_hints.push(\"iam\");\nif (service === \"RDS\")    misconfig_hints.push(\"db\");\n\n// IMPORTANT: return a SINGLE object (not an array) in this mode\nreturn {\n  finding_id: id,\n  title,\n  description: desc,\n  severity: sev,\n  resource_id: res,\n  service,\n  account,\n  region,\n  product_types: types,\n  misconfig_hints,\n  raw: evt,\n};"
},
"typeVersion": 2
},
{
"id": "c0fb42e3-e670-44f9-a3fa-0b2c3dec2ae1",
"name": "AI Severity Triage",
"type": "@n8n/n8n-nodes-langchain.openAi",
"position": [
240,
530
],
"parameters": {
"modelId": {
"__rl": true,
"mode": "list",
"value": "gpt-4.1-mini",
"cachedResultName": "GPT-4.1-MINI"
},
"options": [],
"messages": {
"values": [
{
"content": "=You are a cloud SecOps triage assistant. Given a normalized AWS finding JSON, return a STRICT JSON object:\n\n{\n  \"priority\": \"P0|P1|P2|P3\",\n  \"rationale\": \"one-paragraph reason referencing severity, resource, and exposure\",\n  \"remediation\": [\"step 1\", \"step 2\", \"...\"],\n  \"tags\": [\"s3\",\"iam\",\"public\", \"...\"]\n}\n\nMapping guidance:\n- Treat publicly accessible data (e.g., public S3 buckets, 0.0.0.0/0 on admin ports, open RDS) as P0 or P1 depending on blast radius.\n- Internal-only or low impact \u2192 P2/P3.\n- If severity label is CRITICAL/HIGH, bias to P0/P1.\n\nFinding:\n{{ JSON.stringify($json, null, 2) }}\n"
}
]
},
"jsonOutput": true
},
"credentials": {
"openAiApi": {
"id": "credential-id",
"name": ""
}
},
"typeVersion": 1.8
},
{
"id": "42721c67-8c6d-4063-826b-b59e01a3d8ca",
"name": "Airtable Upsert Record",
"type": "n8n-nodes-base.airtable",
"position": [
480,
490
],
"parameters": {
"base": {
"__rl": true,
"mode": "list",
"value": "[YOUR_ID]",
"cachedResultUrl": "",
"cachedResultName": "misconfigs"
},
"table": {
"__rl": true,
"mode": "list",
"value": "[YOUR_ID]",
"cachedResultUrl": "",
"cachedResultName": "finding_table"
},
"columns": {
"value": {
"id": "={{ $('Standardize Finding Data').item.json.finding_id }}",
"Tags": "={{ $json.message.content.tags[0] }}{{ $json.message.content.tags[1] }}{{ $json.message.content.tags[2] }}{{ $json.message.content.tags[3] }}{{ $json.message.content.tags[4] }}",
"Title": "={{ $('Standardize Finding Data').item.json.title }}",
"Region": "={{ $('Standardize Finding Data').item.json.region }}",
"Account": "={{ $('Standardize Finding Data').item.json.account }}",
"Service": "={{ $('Standardize Finding Data').item.json.service }}",
"Priority": "={{ $json.message.content.priority }}",
"Resource": "={{ $('Standardize Finding Data').item.json.raw.detail.findings[0].Resources[0].Id }}",
"Severity": "={{ $('Standardize Finding Data').item.json.severity }}",
"Rationale": "={{ $json.message.content.rationale }}",
"Finding ID": "={{ $('Standardize Finding Data').item.json.raw.detail.findings[0].Id }}",
"Remediation": "={{ $json.message.content.remediation[0] }}{{ $json.message.content.remediation[1] }}{{ $json.message.content.remediation[2] }}{{ $json.message.content.remediation[3] }}"
},
"schema": [
{
"id": "id",
"type": "string",
"display": true,
"removed": false,
"readOnly": true,
"required": false,
"displayName": "id",
"defaultMatch": true
},
{
"id": "Finding ID",
"type": "string",
"display": true,
"removed": false,
"readOnly": false,
"required": false,
"displayName": "Finding ID",
"defaultMatch": false,
"canBeUsedToMatch": true
},
{
"id": "Title",
"type": "string",
"display": true,
"removed": false,
"readOnly": false,
"required": false,
"displayName": "Title",
"defaultMatch": false,
"canBeUsedToMatch": true
},
{
"id": "Severity",
"type": "string",
"display": true,
"removed": false,
"readOnly": false,
"required": false,
"displayName": "Severity",
"defaultMatch": false,
"canBeUsedToMatch": true
},
{
"id": "Priority",
"type": "string",
"display": true,
"removed": false,
"readOnly": false,
"required": false,
"displayName": "Priority",
"defaultMatch": false,
"canBeUsedToMatch": true
},
{
"id": "Resource",
"type": "string",
"display": true,
"removed": false,
"readOnly": false,
"required": false,
"displayName": "Resource",
"defaultMatch": false,
"canBeUsedToMatch": true
},
{
"id": "Service",
"type": "string",
"display": true,
"removed": false,
"readOnly": false,
"required": false,
"displayName": "Service",
"defaultMatch": false,
"canBeUsedToMatch": true
},
{
"id": "Account",
"type": "string",
"display": true,
"removed": false,
"readOnly": false,
"required": false,
"displayName": "Account",
"defaultMatch": false,
"canBeUsedToMatch": true
},
{
"id": "Region",
"type": "string",
"display": true,
"removed": false,
"readOnly": false,
"required": false,
"displayName": "Region",
"defaultMatch": false,
"canBeUsedToMatch": true
},
{
"id": "Tags",
"type": "string",
"display": true,
"removed": false,
"readOnly": false,
"required": false,
"displayName": "Tags",
"defaultMatch": false,
"canBeUsedToMatch": true
},
{
"id": "Rationale",
"type": "string",
"display": true,
"removed": false,
"readOnly": false,
"required": false,
"displayName": "Rationale",
"defaultMatch": false,
"canBeUsedToMatch": true
},
{
"id": "Remediation",
"type": "string",
"display": true,
"removed": false,
"readOnly": false,
"required": false,
"displayName": "Remediation",
"defaultMatch": false,
"canBeUsedToMatch": true
}
],
"mappingMode": "defineBelow",
"matchingColumns": [
"id"
],
"attemptToConvertTypes": false,
"convertFieldsToString": false
},
"options": [],
"operation": "upsert"
},
"credentials": {
"airtableTokenApi": {
"id": "credential-id",
"name": ""
}
},
"typeVersion": 2.1
},
{
"id": "be7fa618-9c8c-4418-a405-a4f2787faaf5",
"name": "Dispatch Email Alert",
"type": "n8n-nodes-base.gmail",
"position": [
710,
530
],
"webhookId": "cfac9d61-e17a-467c-a742-7cb9da960a7f",
"parameters": {
"sendTo": "[YOUR_EMAIL]",
"message": "=={{ (() => {  const nf = $node[\"Standardize Finding Data\"].json;  const ai = typeof $node[\"AI Severity Triage\"].json.message.content === 'string'    ? JSON.parse($node[\"AI Severity Triage\"].json.message.content)    : $node[\"AI Severity Triage\"].json.message.content;  const steps = (ai.remediation || []).map(s => `<li>${s}</li>`).join('');  const tags  = (ai.tags || []).join(', ');  const airtableId = $node[\"Airtable Upsert Record\"].json?.id || '';  const airtableLine = airtableId ? `<p><b>Airtable Record ID:</b> ${airtableId}</p>` : '';  return `    <h2>AWS Misconfig Alert</h2>    <p><b>Priority:</b> ${ai.priority}   <b>Severity:</b> ${nf.severity}</p>    <p><b>Title:</b> ${nf.title}</p>    <p><b>Service:</b> ${nf.service}   <b>Resource:</b> ${nf.resource_id}</p>    <p><b>Account:</b> ${nf.account}   <b>Region:</b> ${nf.region}</p>    <p><b>Why:</b> ${ai.rationale}</p>    <p><b>Remediation:</b></p>    <ol>${steps}</ol>    <p><b>Tags:</b> ${tags || '\u2014'}</p>    ${airtableLine}    <details><summary>Raw finding</summary>      <pre style=\"background:#f6f8fa;padding:12px;border-radius:6px;white-space:pre-wrap\">${JSON.stringify(nf.raw || nf, null, 2)}</pre>    </details>  `;})() }}",
"options": [],
"subject": "=={{ `[${JSON.parse($node[\"AI Severity Triage\"].json.message.content).priority}] ${$node[\"Standardize Finding Data\"].json.title} \u2014 ${$node[\"Standardize Finding Data\"].json.resource_id} (${ $node[\"Standardize Finding Data\"].json.service })` }}"
},
"credentials": {
"gmailOAuth2": {
"id": "credential-id",
"name": ""
}
},
"typeVersion": 2.1
},
{
"id": "6f9bf9c6-61ee-4b25-844c-5f03c9979f9e",
"name": "Build Webhook Reply",
"type": "n8n-nodes-base.set",
"position": [
950,
490
],
"parameters": {
"mode": "raw",
"options": [],
"jsonOutput": "={{\n  {\n    resp: {\n      status: \"processed\",\n      priority: $node[\"Airtable Upsert Record\"].json.fields.Priority,\n      finding_id: $node[\"Standardize Finding Data\"].json.finding_id\n    }\n  }\n}}\n"
},
"typeVersion": 3.4
}
],
"active": true,
"pinData": [],
"settings": {
"executionOrder": "v1"
},
"versionId": null,
"connections": {
"Branch Logic": {
"main": [
[
{
"node": "Confirm SNS Subscription",
"type": "main",
"index": 0
}
],
[
{
"node": "Standardize Finding Data",
"type": "main",
"index": 0
}
]
]
},
"Incoming Webhook Trigger": {
"main": [
[
{
"node": "SNS Event Parser",
"type": "main",
"index": 0
}
]
]
},
"Confirm SNS Subscription": {
"main": [
[
{
"node": "Compose Confirmation Response",
"type": "main",
"index": 0
}
]
]
},
"SNS Event Parser": {
"main": [
[
{
"node": "Branch Logic",
"type": "main",
"index": 0
}
]
]
},
"Compose Confirmation Response": {
"main": [
[]
]
},
"AI Severity Triage": {
"main": [
[
{
"node": "Airtable Upsert Record",
"type": "main",
"index": 0
}
]
]
},
"Dispatch Email Alert": {
"main": [
[
{
"node": "Build Webhook Reply",
"type": "main",
"index": 0
}
]
]
},
"Standardize Finding Data": {
"main": [
[
{
"node": "AI Severity Triage",
"type": "main",
"index": 0
}
]
]
},
"Airtable Upsert Record": {
"main": [
[
{
"node": "Dispatch Email Alert",
"type": "main",
"index": 0
}
]
]
}
}
}