⚙️ Configurations
The behavior of the GuardDuty-SOAR application is controlled by the gd.cfg file, which uses a standard INI format. This file serves as the central point for customizing playbook actions and notification settings without modifying the source code. The configuration is loaded once when the Lambda function starts.
General
This section contains application-wide settings for logging and core functionality.
| Setting | Description | Options |
|---|---|---|
| log_level | Sets the logging verbosity for the main application. DEBUG is highly verbose for development, while INFO is recommended for production. | DEBUG, INFO, WARNING, ERROR, CRITICAL |
| boto_log_level | Controls the logging verbosity for the underlying AWS SDK (Boto3). Use DEBUG only when diagnosing issues with AWS API calls. | DEBUG, INFO, WARNING, ERROR, CRITICAL |
| ignored_findings | A multiline list of GuardDuty finding types that the application should ignore entirely. Each finding type must be on a new, indented line. | A list of GuardDuty finding types |
EC2
These parameters control the behavior of playbooks and actions that target Amazon EC2 resources.
| Setting | Description |
|---|---|
| snapshot_description_prefix | A string prefix used for the descriptions of EBS snapshots created during forensic procedures (e.g., GD-SOAR-Snapshot-). |
| allow_terminate | (Destructive) If True, allows playbooks to terminate compromised EC2 instances. Use with caution. |
| allow_remove_public_access | If True, allows playbooks to remove rules that grant public access (e.g., 0.0.0.0/0) from an instance's security group. Disable this if your instances are intentionally public-facing (e.g., web servers). |
IAM
These parameters control the behavior of playbooks that target IAM principals.
| Setting | Description |
|---|---|
| cloudtrail_history_max_results | The maximum number of recent CloudTrail events to retrieve for an IAM principal involved in a finding. (Min: 1, Max: 50, Default: 25) |
| analyze_iam_permissions | If True, enables the analysis of a principal's attached and inline policies to identify overly permissive rules. |
| allow_iam_quarantine | If True, enables the attachment of a quarantine IAM policy to the identity from a finding. Not used by the IAM playbooks, but used by the S3 playbooks. |
| iam_deny_all_policy_arn | The ARN of the IAM policy attached to quarantine IAM principals (a deny-all policy). By default the AWS managed AWSDenyAll policy is used. |
S3
| Setting | Description |
|---|---|
| allow_s3_public_block | If True, enables S3AttachPublicAccessBlockAction to attach a public access block policy to an S3 bucket. Used by S3BucketExposurePlaybook. |
Notifications
Configure one or more channels to receive alerts about findings and remediation actions. For each channel enabled (e.g., allow_ses = True), the corresponding parameters are required.
| Setting | Description |
|---|---|
| allow_ses | If True, enables notifications via Amazon Simple Email Service (SES). |
| registered_email_address | The destination email address for alerts. This address must be verified within Amazon SES. |
| allow_sns | If True, enables notifications via Amazon Simple Notification Service (SNS). |
| sns_topic_arn | The ARN of the SNS topic where notification messages will be published. |
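The following is an added example, not the project's own loader, showing how a gd.cfg in this INI layout can be parsed and validated with Python's standard configparser: the multiline ignored_findings list from General becomes one entry per indented line, cloudtrail_history_max_results is checked against the documented 1..50 range, and an enabled notification channel is required to carry its parameter. The INI section names ([General], [EC2], [IAM], [S3], [Notifications]) are assumed to match the headings above, the sample file and its finding types are constructed, and the fallback values (destructive actions off unless set) are this example's own choice.

```python
import configparser
from dataclasses import dataclass

# Constructed sample gd.cfg (not shipped with the project). Section names are
# assumed to match the documentation headings; the keys are the documented
# settings. The finding types under ignored_findings are sample values.
SAMPLE_GD_CFG = """\
[General]
log_level = INFO
boto_log_level = WARNING
ignored_findings =
    Recon:EC2/PortProbeUnprotectedPort
    UnauthorizedAccess:EC2/TorClient
[EC2]
snapshot_description_prefix = GD-SOAR-Snapshot-
allow_terminate = False
allow_remove_public_access = True
[IAM]
cloudtrail_history_max_results = 25
analyze_iam_permissions = True
allow_iam_quarantine = False
iam_deny_all_policy_arn = arn:aws:iam::aws:policy/AWSDenyAll
[S3]
allow_s3_public_block = True
[Notifications]
allow_ses = True
registered_email_address = secops@example.com
allow_sns = False
sns_topic_arn =
"""

VALID_LOG_LEVELS = {"DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL"}


@dataclass
class SoarConfig:
    log_level: str
    boto_log_level: str
    ignored_findings: list
    snapshot_description_prefix: str
    allow_terminate: bool
    allow_remove_public_access: bool
    cloudtrail_history_max_results: int
    analyze_iam_permissions: bool
    allow_iam_quarantine: bool
    iam_deny_all_policy_arn: str
    allow_s3_public_block: bool
    allow_ses: bool
    registered_email_address: str
    allow_sns: bool
    sns_topic_arn: str


def load_config(text: str) -> SoarConfig:
    """Parse gd.cfg text and enforce the constraints documented above."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    general, ec2, iam, s3, notif = (
        parser[s] for s in ("General", "EC2", "IAM", "S3", "Notifications"))

    # Only the documented logging levels are accepted (case-insensitive).
    for key in ("log_level", "boto_log_level"):
        if general.get(key, "INFO").strip().upper() not in VALID_LOG_LEVELS:
            raise ValueError(f"{key}: invalid log level {general[key]!r}")

    # configparser joins indented continuation lines with newlines, so the
    # multiline ignored_findings value yields one list entry per line.
    ignored = [ln.strip() for ln in general.get("ignored_findings", "").splitlines() if ln.strip()]

    max_results = iam.getint("cloudtrail_history_max_results", fallback=25)
    if not 1 <= max_results <= 50:
        raise ValueError(f"cloudtrail_history_max_results must be 1..50, got {max_results}")

    # Fallbacks are this example's choice: destructive actions stay off unless enabled.
    cfg = SoarConfig(
        log_level=general.get("log_level", "INFO").strip().upper(),
        boto_log_level=general.get("boto_log_level", "INFO").strip().upper(),
        ignored_findings=ignored,
        snapshot_description_prefix=ec2.get("snapshot_description_prefix", "GD-SOAR-Snapshot-"),
        allow_terminate=ec2.getboolean("allow_terminate", fallback=False),
        allow_remove_public_access=ec2.getboolean("allow_remove_public_access", fallback=False),
        cloudtrail_history_max_results=max_results,
        analyze_iam_permissions=iam.getboolean("analyze_iam_permissions", fallback=False),
        allow_iam_quarantine=iam.getboolean("allow_iam_quarantine", fallback=False),
        iam_deny_all_policy_arn=iam.get("iam_deny_all_policy_arn", "arn:aws:iam::aws:policy/AWSDenyAll"),
        allow_s3_public_block=s3.getboolean("allow_s3_public_block", fallback=False),
        allow_ses=notif.getboolean("allow_ses", fallback=False),
        registered_email_address=notif.get("registered_email_address", "").strip(),
        allow_sns=notif.getboolean("allow_sns", fallback=False),
        sns_topic_arn=notif.get("sns_topic_arn", "").strip(),
    )

    # An enabled channel must carry its corresponding parameter.
    if cfg.allow_ses and not cfg.registered_email_address:
        raise ValueError("allow_ses is True but registered_email_address is empty")
    if cfg.allow_sns and not cfg.sns_topic_arn:
        raise ValueError("allow_sns is True but sns_topic_arn is empty")
    return cfg


def is_ignored(cfg: SoarConfig, finding_type: str) -> bool:
    """True when the GuardDuty finding type is listed under ignored_findings."""
    return finding_type in cfg.ignored_findings


if __name__ == "__main__":
    loaded = load_config(SAMPLE_GD_CFG)
    print(loaded.ignored_findings, loaded.cloudtrail_history_max_results)
```

Failing fast at load time, rather than when a playbook first reads a setting, means a typo such as an out-of-range CloudTrail limit or an SNS channel enabled without a topic ARN surfaces on the first Lambda invocation instead of silently dropping a remediation or notification.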