in security/guardduty/index.py [0:0]
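def enable_gd_master(region):
    """
    Enable GuardDuty in the Organization management account for one region
    and make ``gdmaster_account_number`` the delegated GuardDuty administrator.

    :param region: the region where GuardDuty master is to be enabled
    :return: True when the region was skipped because the account is not
        enabled there (the API rejects the security token), False when the
        region was processed; None when delegation itself raised (logged)
    """
    logger.info(f'Enabling GuardDuty in Management account for region {region}')
    master = session.client('guardduty', region_name=region)
    skipregion = False
    # Stays None if the lookups below fail, so the delegation step can tell
    # "lookup failed" apart from "no delegated admin yet".
    delegatedadmin = None
    try:
        detectors = master.list_detectors()
        delegatedadmin = master.list_organization_admin_accounts()
        if detectors['DetectorIds']:
            logger.info(f'GuardDuty already enabled in Management Account in region: {region}. Skipping.')
            logger.debug('Detectors: {}'.format(detectors['DetectorIds']))
        else:
            # detector not found, creating detector to force enable of GuardDuty
            logger.info(f'Creating detector in Management Account in {region}')
            newdetector = master.create_detector(Enable=True)
            logger.info('Created detector in Management Account in {0}: {1}'.format(region, newdetector['DetectorId']))
    except Exception as e:
        # A region the account is not opted in to rejects the request token.
        # Matching on the message text is brittle; NOTE(review): the error
        # code on the botocore ClientError would be a more stable signal —
        # confirm which code this setup returns before switching to it.
        if "security token included in the request is invalid" in str(e):
            skipregion = True
            logger.warning(f'Region {region} is likely not enabled. Skipping {region}. Error: {e}')
        else:
            # use the module logger, not the root logger, for consistent routing
            logger.error(f'Error connecting to GuardDuty service in management account in region {region}. Error: {e}')
    if skipregion:
        return skipregion
    if delegatedadmin is None:
        # Lookup failed for a reason other than a disabled region; the
        # delegated admin can be neither verified nor set in this run.
        logger.error(f'Could not determine GuardDuty delegated admin in region {region}. Delegation not attempted.')
        return skipregion
    try:
        admins = delegatedadmin['AdminAccounts']
        if admins and admins[0]['AdminAccountId'] == gdmaster_account_number:
            logger.info(f'{gdmaster_account_number} is GuardDuty delegated admin.')
        else:
            # If a different account is already the delegated admin this call is
            # expected to be rejected by the service and is logged below rather
            # than silently re-pointing delegation.
            logger.info(f'Delegating GuardDuty admin to account: {gdmaster_account_number}')
            master.enable_organization_admin_account(
                AdminAccountId=gdmaster_account_number
            )
        return skipregion
    except Exception as e:
        logger.error(e)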