in aws_sra_examples/solutions/securityhub/securityhub_enabler_acct/lambda/src/app.py [0:0]
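def disable_mgmt(mgmt_session, role, securityhub_regions):
    """
    Disable SecurityHub in the Management Account and in its member accounts.

    For each region, in this order:
      1. the member accounts returned by get_mgmt_members are disassociated
         and then deleted from the Management Account;
      2. SecurityHub is disabled in each member account through a session
         obtained with assume_role;
      3. SecurityHub is disabled in the Management Account itself.

    :param mgmt_session: Management account session
    :param role: Role to assume in each member account
    :param securityhub_regions: regions in which to disable SecurityHub
    :return: None
    """
    for region in securityhub_regions:
        sh_mgmt_client = mgmt_session.client("securityhub", region_name=region)
        # Materialise once so the same account list drives both the
        # disassociate/delete calls and the per-member disable loop.
        member_accounts = list(get_mgmt_members(mgmt_session, region))

        if member_accounts:
            sh_mgmt_client.disassociate_members(AccountIds=member_accounts)
            logger.info(
                f"Disassociated Member Accounts {member_accounts} "
                f"from the Management Account in {region}"
            )
            sh_mgmt_client.delete_members(AccountIds=member_accounts)
            logger.info(
                f"Deleted Member Accounts {member_accounts} "
                f"from the Management Account in {region}"
            )

        for member in member_accounts:
            # NOTE(review): no error handling here, so a failure in
            # assume_role or disable_security_hub for one member propagates
            # and skips the remaining members and regions. Confirm the
            # caller reports that partial state.
            member_session = assume_role(member, role)
            member_client = member_session.client("securityhub", region_name=region)
            member_client.disable_security_hub()
            logger.info(
                f"Disabled SecurityHub in member Account {member} " f"in {region}"
            )

        try:
            sh_mgmt_client.disable_security_hub()
            logger.info(f"Disabled SecurityHub in Management Account in {region}")
        except ClientError as error:
            # Still best-effort: the remaining regions are processed.
            # ClientError also covers authorization and throttling failures,
            # so log the service error code instead of asserting that
            # SecurityHub was already disabled. Otherwise a region where the
            # call was rejected looks the same in the logs as a clean one.
            error_code = error.response.get("Error", {}).get("Code", "Unknown")
            logger.warning(
                f"SecurityHub was not disabled in Management Account in {region} "
                f"(error code: {error_code}); it may already be disabled"
            )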