in UpdateMembers/src/UpdateMember/index.py [0:0]
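def lambda_handler(event, context):
    """Align one member account's Security Hub standards and controls with the administrator's.

    The administrator account is the one this function runs in (taken from the
    invoked function ARN). The member account is reached by assuming the role
    named in the ``MemberRole`` environment variable, with ``<accountId>``
    replaced by the member id.

    Args:
        event: Invocation payload. ``event["account"]`` is the 12-digit id of the
            member account to update; ``get_exceptions(event)`` reads whatever
            further keys it needs (its schema lives with that helper, not here).
        context: Lambda context object; only ``invoked_function_arn`` is read.

    Returns:
        ``{"statusCode": 200, "account": member_id}`` on success, or
        ``{"statusCode": 500, "account": member_id, "error": text}`` when an AWS
        API call fails with ``botocore.exceptions.ClientError``.

    Raises:
        KeyError: if ``event["account"]`` or the ``MemberRole`` environment
            variable is absent.
        ValueError: if ``event["account"]`` is not a 12-digit account id; this is
            checked before the id is substituted into the role ARN.
    """
    logger.info(event)
    # Standard retry mode; the attempt budget is the project's original setting.
    config = Config(retries={"max_attempts": 23, "mode": "standard"})
    administrator_account_id = context.invoked_function_arn.split(":")[4]
    # Validate before the id is spliced into a role ARN; a KeyError here
    # propagates exactly as it did when the lookup sat inside the try block.
    member_account_id = _validated_account_id(event["account"])
    try:
        member_client = _member_security_hub_client(member_account_id, config)
        admin_client = _administrator_security_hub_client(config)

        # One describe_standards() listing serves both sides.
        standards = admin_client.describe_standards()
        administrator_enabled_standards = get_enabled_standard_subscriptions(
            standards, administrator_account_id, admin_client
        )
        member_enabled_standards = get_enabled_standard_subscriptions(
            standards, member_account_id, member_client
        )

        logger.info("Update Account %s", member_account_id)
        # Bring the member's standard subscriptions in line with the administrator's.
        standards_updated = update_standard_subscription(
            administrator_enabled_standards, member_enabled_standards, member_client
        )
        if standards_updated:
            # The member's subscription set changed, so the controls below must be
            # read from the fresh subscription list rather than the stale one.
            logger.info("Fetch enabled standards again.")
            member_enabled_standards = get_enabled_standard_subscriptions(
                standards, member_account_id, member_client
            )

        admin_controls = get_controls(administrator_enabled_standards, admin_client)
        member_controls = get_controls(member_enabled_standards, member_client)

        exceptions = get_exceptions(event)
        logger.debug("Exceptions: %s", str(exceptions))
        # Disable/enable controls in the member account, honouring the exceptions.
        update_member(admin_controls, member_controls, member_client, exceptions)
    except botocore.exceptions.ClientError as error:
        logger.error("Update of account %s failed: %s", member_account_id, error)
        return {"statusCode": 500, "account": member_account_id, "error": str(error)}
    return {"statusCode": 200, "account": member_account_id}


def _validated_account_id(value):
    """Return *value* unchanged if it is a plain 12-digit AWS account id.

    Raises:
        ValueError: otherwise. The id is substituted into a role ARN, so anything
            other than twelve ASCII digits is rejected up front.
    """
    well_formed = (
        isinstance(value, str)
        and len(value) == 12
        and all(c in "0123456789" for c in value)
    )
    if not well_formed:
        raise ValueError("event['account'] must be a 12-digit AWS account id")
    return value


def _member_security_hub_client(member_account_id, config):
    """Assume the member role and return a Security Hub client for that account.

    Args:
        member_account_id: Already-validated 12-digit id of the member account.
        config: botocore ``Config`` applied to the Security Hub client (the STS
            client is created without it, as in the original).

    The STS client is cached in the module-level ``sts_client`` global so warm
    invocations reuse it. The assumed-role credentials are handed straight to
    the client and are not logged or kept anywhere else.
    """
    role_arn = os.environ["MemberRole"].replace("<accountId>", member_account_id)
    global sts_client
    if not sts_client:
        sts_client = boto3.client("sts")
    credentials = sts_client.assume_role(
        RoleArn=role_arn, RoleSessionName="SecurityHubUpdater"
    )["Credentials"]
    return boto3.client(
        "securityhub",
        aws_access_key_id=credentials["AccessKeyId"],
        aws_secret_access_key=credentials["SecretAccessKey"],
        aws_session_token=credentials["SessionToken"],
        config=config,
    )


def _administrator_security_hub_client(config):
    """Return the administrator-account Security Hub client, creating it once.

    Cached in the module-level ``administrator_security_hub_client`` global so
    warm invocations of this Lambda function do not rebuild it.
    """
    global administrator_security_hub_client
    if not administrator_security_hub_client:
        administrator_security_hub_client = boto3.client("securityhub", config=config)
    return administrator_security_hub_client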