@cdelashmutt-pivotal
Last active June 8, 2023 21:57
Disable GuardDuty in all regions
#!/bin/bash
# Borrowed heavily from https://gist.github.com/tomofuminijo/ac321d7b6423bab7f175c8795546bd9a
# Requires the AWS CLI and jq.
for region in $(aws ec2 describe-regions --query "Regions[].RegionName" --output json | jq -r '.[]' | tr '\n' ' '); do
  echo "Checking for detectors in $region"
  detector_id=$(aws guardduty list-detectors --region "$region" --query "DetectorIds[0]" --output text)

  # If no detector exists in this region (or the call returned nothing), skip it
  if [ -z "$detector_id" ] || [ "$detector_id" = "None" ]; then
    continue
  fi

  # Disassociate any member accounts that are still associated with this detector
  echo "+ Found $detector_id. Checking for associated accounts."
  associated_account_ids=$(aws guardduty list-members --detector-id "$detector_id" --only-associated true --query "Members[].AccountId" --output text --region "$region")
  if [ -n "$associated_account_ids" ]; then
    echo "+ Disassociating accounts $associated_account_ids from detector $detector_id"
    # Account IDs are left unquoted on purpose so each one is passed as a separate argument
    aws guardduty disassociate-members --detector-id "$detector_id" --account-ids $associated_account_ids --region "$region"
  fi

  # Delete the remaining (now disassociated) member accounts
  member_account_ids=$(aws guardduty list-members --detector-id "$detector_id" --only-associated false --query "Members[].AccountId" --output text --region "$region")
  if [ -n "$member_account_ids" ]; then
    echo "+ Deleting members $member_account_ids from detector $detector_id"
    aws guardduty delete-members --detector-id "$detector_id" --account-ids $member_account_ids --region "$region"
  fi

  # Finally, delete the detector itself, which disables GuardDuty in this region
  echo "+ Deleting detector $detector_id"
  aws guardduty delete-detector --detector-id "$detector_id" --region "$region"
done