Example alert:

Access denied on event CreateNetworkInterface occured in account 123456789012 by <N/A>
Event source: ec2.amazonaws.com
Source agent: 1.2.3.4
Useragent: aws-internal/3 aws-sdk-java/1.11.526n

Hello, I have a solution that takes incidents in GuardDuty, fed into CloudWatch Events and using an Event Rule, triggers an SNS notification and fires a Lambda function that drops a ring fence security group around the instance and tags it as quarantined. This is based on a session that I have been running with AWS customers in ANZ and the feedback has been positive. I use the session to highlight some other nice features in CloudWatch Events, such as applying transforms and customizing SNS messages based on the JSON input received in the event and filtering options when creating CloudWatch Events rules for GuardDuty events.

I've been working with a colleague who has packaged this up into a CloudFormation template, and we've also incorporated the high-level design schematic that I use in the aforementioned presentation.

We'd like to contribute this solution to this repository, as it seems like the most logical home for it.

Please let me know if you need additional information, files, etc.

I am having trouble understanding the pre-requisite item:
"Edit the run commands in runForensicAnalysis.py - Update the S3 bucket details where EC2 instance launched is access"

Can you point to the exact line number in the lambda function that needs to be updated?

python version is deprecated for https://github.com/awslabs/aws-security-automation/tree/master/IAM%20Access%20Denied%20Responder

EC2 Auto Clean Room Forensics package docs indicate forensics AMI creation process will be documented, but said documentation has not been added yet.