coingraham · February 5, 2020 19:51 · Feb 5, 2020
diff --git a/guard-duty-custodian.yaml b/guard-duty-custodian.yaml
@@ -0,0 +1,28 @@
+policies:
+
+ - name: ec2-guard-remediate
+   resource: ec2
+   mode:
+     role: arn:aws:iam::{account_id}:role/CustodianPolicyExecution
+     type: guard-duty
+   filters:
+     # Filter for medium and high severity events
+     - type: event
+       key: detail.severity
+       op: gte
+       value: 4.5
+   actions:
+     - stop
+
+ - name: iam-guard-remediate
+   resource: iam-user
+   mode:
+     role: arn:aws:iam::{account_id}:role/CustodianPolicyExecution
+     type: guard-duty
+   filters:
+     # Only a particular type of event, go ahead and remove keys
+     - type: event
+       key: detail.type
+       value: "UnauthorizedAccess:IAMUser/TorIPCaller"
+   actions:
+     - remove-keys