in security/guardduty/index.py [0:0]
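def handler(event, context):
    """Lambda entry point: enable (or disable) GuardDuty in every region.

    The function is driven by ``event['RequestType']`` when invoked as a
    CloudFormation custom resource (Create / Update / Delete). Any other
    invocation, or an unrecognised RequestType, is treated as "Update".

    For Create/Update a publishing destination is created in the GuardDuty
    master account and then, per region, the master is enabled and members
    are added; for Delete the master is disabled per region. Each region is
    processed best-effort: an exception in one region is logged and the loop
    moves on to the next one.

    Args:
        event: Lambda event. Only ``event['RequestType']`` is read here; the
            whole event is forwarded to ``cfnresponse``.
        context: Lambda context object, forwarded to ``cfnresponse``.

    Returns:
        None. The result is reported to CloudFormation via ``cfnresponse`` and
        per-region / per-member failures are logged from the module-level
        ``failed_regions``, ``failed_members`` and ``failed_s3_members``.
    """
    logger.debug(f'boto3 version: {boto3.__version__}')
    logger.debug(f'botocore version: {botocore.__version__}')
    guardduty_regions = session.get_available_regions('guardduty')
    gdmaster_account_session = assume_role(
        gdmaster_account_number,
        role_to_assume
    )
    accounts = get_all_accounts()

    # handle Custom Resource Call: only the three CloudFormation request
    # types are honoured; anything else (including a direct invocation with
    # no RequestType at all) falls back to "Update".
    if 'RequestType' in event and event['RequestType'] in (
            "Create", "Update", "Delete"):
        action = event['RequestType']
    else:
        action = "Update"
    enabling = action in ("Create", "Update")

    # The S3 destination is only needed when enabling; on Delete it stays None
    # and is never read.
    destination = None
    if enabling:
        destination = create_s3_destination(gdmaster_account_session)

    for region in guardduty_regions:
        try:
            if enabling:
                logger.info(f'region is {region}')
                # enable_gd_master returns a truthy "skip this region" flag;
                # members are only added where the master was enabled.
                if enable_gd_master(region):
                    continue
                enable_gd_member(
                    gdmaster_account_session, region, destination, accounts)
                logger.debug(f'properties is {destination}')
            elif action == "Delete":
                disable_gd_master(region)
        except Exception as e:
            # Best-effort per region: log with traceback and keep going so one
            # failing region does not block the others.
            logger.error(
                f'Error enabling master or member in region {region}: {e}',
                exc_info=True
            )

    # NOTE(review): SUCCESS is reported regardless of per-region failures, so
    # the stack status does not reflect actual GuardDuty coverage -- the
    # failed_* logs below are the only signal. cfnresponse is also called for
    # non-CloudFormation invocations; presumably it tolerates a missing
    # ResponseURL -- confirm.
    responseData = {'Data': 120}
    cfnresponse(event, context, 'SUCCESS', responseData)

    # log unprocessed accounts only when they are not empty
    if failed_regions:
        logger.info('Failed to enable GuardDuty master: ')
        logger.info(json.dumps(failed_regions, indent=2))
    if failed_members:
        logger.info('Failed to enable GuardDuty members: ')
        logger.info(json.dumps(failed_members, indent=2))
    if failed_s3_members:
        logger.info('Failed to enable GuardDuty for S3: ')
        logger.info(json.dumps(failed_s3_members, indent=2))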