@reza
Created January 23, 2018 12:49
I have used a Lambda function to automatically deactivate any access key associated with a high-severity GuardDuty alert.
#!/usr/bin/env python3
# developed for blog post at http://www.cloudten.com.au/aws-guardduty-intelligent-threat-detection/
#
# Triggered by a CloudWatch Events rule on "GuardDuty Finding". The finding
# itself is under event['detail']; the top level is the CloudWatch envelope,
# so every finding field below is read from `detail`.
import json

import boto3


def lambda_handler(event, context):
    print("Received event: " + json.dumps(event))
    try:
        detail = event['detail']
        if (detail['service']['serviceName'] == 'guardduty'
                and detail['resource']['resourceType'] == "AccessKey"
                # resourceRole (TARGET/ACTOR) lives under service, not resource
                and detail['service']['resourceRole'] == "TARGET"
                # GuardDuty severity bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9
                and detail['severity'] >= 5):
            iam = boto3.resource('iam')
            access_details = detail['resource']['accessKeyDetails']
            access_key = iam.AccessKey(access_details['userName'],
                                       access_details['accessKeyId'])
            # Calls UpdateAccessKey with Status=Inactive; the execution role
            # needs iam:UpdateAccessKey on the affected user.
            response_status = access_key.deactivate()
            status_code = response_status['ResponseMetadata']['HTTPStatusCode']
            if status_code == 200:
                print("Key Disabled Successfully")
            else:
                print("Key deactivation failed")
            return detail['title']
    except KeyError as err:
        # The finding did not carry the fields we expect (e.g. not an AccessKey finding)
        print("Missing field in event: {}".format(err))
    return 'AccessKey not found'
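As an added example (not part of the gist or the linked blog post), the same triage written as a pure function with the IAM client injected, so the decision logic can be exercised offline against constructed findings before it is wired to a real Lambda. It adds two checks a practitioner would want: the GuardDuty severity bands are Low 1.0-3.9, Medium 4.0-6.9 and High 7.0-8.9, so the threshold is explicit (default 7.0, pass 5 to reproduce the gist's rule), and findings whose `accessKeyDetails.userType` is not `IAMUser` are skipped, because temporary STS credentials are not IAM user keys and `UpdateAccessKey` cannot deactivate them. The sample events, key id and user name are constructed; `FakeIam` stands in for `boto3.client("iam")`.

```python
"""Triage GuardDuty findings delivered via CloudWatch Events and deactivate
the targeted IAM access key.  Added example, not the gist's code.  The IAM
client is injected so the logic runs offline against a fake."""
from dataclasses import dataclass
from typing import Optional

# GuardDuty severity bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9.
HIGH_SEVERITY = 7.0


@dataclass
class Decision:
    action: str                     # "deactivate" or "skip"
    reason: str
    user_name: Optional[str] = None
    access_key_id: Optional[str] = None


def triage(event: dict, threshold: float = HIGH_SEVERITY) -> Decision:
    """Decide whether a CloudWatch 'GuardDuty Finding' event warrants
    deactivating an access key.  Never raises on a malformed event."""
    detail = event.get("detail") or {}
    service = detail.get("service") or {}
    resource = detail.get("resource") or {}
    if event.get("source") != "aws.guardduty" or service.get("serviceName") != "guardduty":
        return Decision("skip", "not a GuardDuty finding")
    if resource.get("resourceType") != "AccessKey":
        return Decision("skip", "resource is %s, not an access key" % resource.get("resourceType"))
    # TARGET: the key is what was attacked.  ACTOR: the key did the attacking.
    # This example keeps the gist's TARGET-only rule.
    if service.get("resourceRole") != "TARGET":
        return Decision("skip", "resourceRole is %s" % service.get("resourceRole"))
    severity = float(detail.get("severity", 0))
    if severity < threshold:
        return Decision("skip", "severity %.1f below threshold %.1f" % (severity, threshold))
    key = resource.get("accessKeyDetails") or {}
    # Temporary STS credentials (userType AssumedRole etc.) are not IAM user
    # keys; UpdateAccessKey cannot deactivate them.
    if key.get("userType") != "IAMUser":
        return Decision("skip", "userType %s is not an IAM user key" % key.get("userType"))
    if not key.get("userName") or not key.get("accessKeyId"):
        return Decision("skip", "accessKeyDetails missing userName/accessKeyId")
    return Decision("deactivate", "finding above threshold targeting an IAM user key",
                    key["userName"], key["accessKeyId"])


def remediate(event: dict, iam_client, threshold: float = HIGH_SEVERITY) -> Decision:
    """Apply the decision.  iam_client must expose boto3's IAM client method
    update_access_key; pass boto3.client("iam") in production."""
    decision = triage(event, threshold)
    if decision.action == "deactivate":
        iam_client.update_access_key(UserName=decision.user_name,
                                     AccessKeyId=decision.access_key_id,
                                     Status="Inactive")
    return decision


class FakeIam:
    """Records UpdateAccessKey calls instead of touching AWS (test double)."""
    def __init__(self):
        self.calls = []

    def update_access_key(self, **kwargs):
        self.calls.append(kwargs)
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


def make_event(severity, resource_type="AccessKey", role="TARGET", user_type="IAMUser"):
    """Constructed CloudWatch Events envelope around a GuardDuty finding.
    Key id, principal id and user name are sample values, not real ones."""
    return {
        "version": "0", "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
        "detail": {
            "severity": severity,
            "title": "constructed sample finding",
            "resource": {
                "resourceType": resource_type,
                "accessKeyDetails": {
                    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                    "principalId": "AIDAEXAMPLEPRINCIPAL",
                    "userName": "ci-deploy",
                    "userType": user_type,
                },
            },
            "service": {"serviceName": "guardduty", "resourceRole": role},
        },
    }


if __name__ == "__main__":
    iam = FakeIam()
    for ev in (make_event(8.0), make_event(2.0), make_event(8.0, role="ACTOR"),
               make_event(8.0, user_type="AssumedRole"), make_event(8.0, resource_type="Instance")):
        d = remediate(ev, iam)
        print(d.action, "-", d.reason)
    print(len(iam.calls), "key(s) deactivated")
```

Only the first constructed event leads to an `UpdateAccessKey` call; the others are logged with the reason they were skipped, which is the trace you want from an auto-remediation function when it decides not to act.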