in security/guardduty/index.py [0:0]
def enable_gd_member(session, region, properties, accounts):
"""
Enable the delegated admin account from the AWS Organization root
account for testing purpose only
:param session: STS sesion of the GuardDuty master account
:param region: the region wherre GuardDuty master to be enabled
:param properties: properties for the GuardDuty publishing destination
"""
delegated_admin_client = session.client('guardduty', region_name=region)
try:
detector_ids = delegated_admin_client.list_detectors()
except Exception as ex:
logger.debug(f'Unable to list detectors in region {region}')
return
logger.debug(f'detector ids is {detector_ids}')
detector_id = detector_ids['DetectorIds'][0]
logger.debug(f'detector id is {detector_id}')
publishing_destinations = delegated_admin_client.list_publishing_destinations(
DetectorId=detector_id
)
logger.debug(f'publishing destinations response: {publishing_destinations}')
try:
if not publishing_destinations['Destinations']:
delegated_admin_client.create_publishing_destination(
DetectorId=detector_id,
DestinationType='S3',
DestinationProperties=properties,
ClientToken=detector_id
)
logger.info(f'Set GuardDuty GuardDuty destination for region {region}.')
else:
delegated_admin_client.update_publishing_destination(
DetectorId=detector_id,
DestinationId=publishing_destinations['Destinations'][0]['DestinationId'],
DestinationProperties=properties
)
logger.info(f'Updated GuardDuty GuardDuty destination for region {region}.')
except Exception as e:
logger.error(f'Error creating or updating destination: {e}')
details = []
failed_accounts = []
s3_failed_accounts = []
all_account_ids = []
for account in accounts:
if (account['Id'] != gdmaster_account_number):
details.append(
{
'AccountId': account['Id'],
'Email': account['Email']
}
)
all_account_ids.append(account['Id'])
details_batch = chunks(details, 50)
ids_batch = chunks(all_account_ids, 50)
try:
for b in details_batch:
unprocessed_accounts = delegated_admin_client.create_members(
DetectorId=detector_id,
AccountDetails=details
)['UnprocessedAccounts']
if (len(unprocessed_accounts) > 0):
failed_accounts.append(unprocessed_accounts)
delegated_admin_client.update_organization_configuration(
DetectorId=detector_id,
AutoEnable=True,
DataSources={
'S3Logs': {
'AutoEnable': True
}
}
)
logger.info(f'Enabled AutoEnable S3 in region {region}')
# Enable S3Log in all accounts, not including admin account
try:
for i in ids_batch:
s3_unprocessed_accounts = delegated_admin_client.update_member_detectors(
DetectorId=detector_id,
AccountIds=i,
DataSources={
'S3Logs': {
'Enable': True
}
}
)['UnprocessedAccounts']
logger.info(f'enabled S3Logging for {i} in {region}')
if (len(s3_unprocessed_accounts)>0):
s3_failed_accounts.extend( s3_unprocessed_accounts )
except ClientError as s3_excpetion:
logger.error(f'Error enabling S3Log in Account : {account} Region: {region}')
s3_failed_accounts.append({
account: repr(s3_excpetion)
})
except ClientError as e:
logger.debug(f'Error Processing Account {account}')
failed_accounts.append({account: repr(e)})
logger.debug(f'region is {region}')
if bool(failed_accounts):
failed_members.update(region=failed_accounts)
if bool(s3_failed_accounts):
failed_s3_members.update(region=failed_accounts)