in src/securityhub_enabler.py [0:0]
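def _disable_member(member_client, member, region):
    """Disassociate one member from its administrator and disable Security Hub there.

    Both calls are best-effort: a failure is logged with its reason and the
    caller continues with the next member, so a member may be left enabled.
    Check the warning log lines after a run.

    Args:
        member_client: Security Hub client already bound to the member account.
        member: member account id, used only in log lines.
        region: region name, used only in log lines.
    """
    try:
        member_client.disassociate_from_administrator_account()
    except Exception as e:
        # Log the reason; the original message dropped it, which made failed
        # runs hard to diagnose from the logs alone.
        LOGGER.warning(
            f"Dissassociating member {member} from Security Hub Admin "
            f"in {region} failed: {e}"
        )
    try:
        member_client.disable_security_hub()
        LOGGER.info(f"Disabled SecurityHub in member account {member} in {region}")
    except Exception as e:
        LOGGER.warning(
            f"Failed to disable SecurityHub in member account {member} "
            f"in {region}: {e}"
        )


def disable_admin(admin_session, role, securityhub_regions, partition):
    """Disable Security Hub in all member accounts, then in the admin account, per region.

    For each region in ``securityhub_regions`` this:
      1. looks up the member accounts registered with the admin account
         (``get_admin_members``),
      2. assumes ``role`` in each member, disassociates it from the
         administrator account and disables Security Hub there,
      3. disassociates and deletes those members from the admin account,
      4. disables Security Hub in the admin account itself.

    Args:
        admin_session: boto3 session for the Security Hub admin account.
        role: role name to assume in each member account (passed to ``assume_role``).
        securityhub_regions: iterable of region names to process.
        partition: AWS partition name. NOTE(review): accepted but not used;
            the endpoint below is hard-coded to the ``amazonaws.com`` DNS
            suffix, so non-commercial partitions would need a different
            endpoint — confirm before relying on this argument.

    Returns:
        None.

    Raises:
        Whatever ``assume_role`` raises: an unassumable member role aborts the
        current region (its admin-side cleanup is skipped) and every region
        after it. Failures inside a member are only logged.
    """
    for region in securityhub_regions:
        endpoint = f"https://securityhub.{region}.amazonaws.com"
        sh_admin_client = admin_session.client(
            'securityhub',
            endpoint_url=endpoint,
            region_name=region,
        )
        # Snapshot the member list up front so the admin-side cleanup below
        # operates on exactly the accounts we attempted to disable.
        member_accounts = list(get_admin_members(admin_session, region))
        for member in member_accounts:
            member_session = assume_role(member, role)
            member_client = member_session.client(
                'securityhub',
                endpoint_url=endpoint,
                region_name=region,
            )
            _disable_member(member_client, member, region)

        # Skip the admin-side API calls when there is nothing to remove; this
        # also avoids a misleading "Disassociated Member Accounts []" log line.
        if member_accounts:
            sh_admin_client.disassociate_members(AccountIds=member_accounts)
            LOGGER.info(
                f"Disassociated Member Accounts {member_accounts} "
                f"from the Admin Account in {region}"
            )
            sh_admin_client.delete_members(AccountIds=member_accounts)
            LOGGER.info(
                f"Deleted Member Accounts {member_accounts} "
                f"from the Admin Account in {region}"
            )
        else:
            LOGGER.info(f"No Member Accounts to remove from the Admin Account in {region}")

        try:
            sh_admin_client.disable_security_hub()
            LOGGER.info(f"Disabled SecurityHub in Admin Account in {region}")
        except Exception as e:
            # Any error here is treated as "already disabled"; the reason is
            # kept in the log so a real failure is still visible afterwards.
            LOGGER.info(
                f"SecurityHub already Disabled in Admin Account "
                f"in {region}: {e}"
            )
    return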