Sample script to delete a GuardDuty master and its members' configuration in all regions
#!/bin/bash
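# Region used only for the describe-regions call that enumerates all regions.
readonly OPERATION_REGION=us-east-1
# Role assumed in each member account; it must exist there and trust the
# account whose credentials run this script.
readonly ROLE_NAME=OrganizationAccountAccessRole
# Change your master account id.
# NOTE(review): this value is not referenced anywhere else in the script; it is
# kept (quoted, so the placeholder no longer parses as a redirection) for
# compatibility.
MASTAR_ACCOUNT_ID="<YOUR_MASTER_ACCOUNT_ID>"
# Tab-separated list of region names on one line; the loops below let the shell
# word-split it. Abort early if the CLI call fails, otherwise every later loop
# would silently run over an empty list.
regions=$(aws ec2 describe-regions --query "Regions[].RegionName" --region "$OPERATION_REGION" --output text) || {
  echo "Failed to list regions in $OPERATION_REGION" >&2
  exit 1
}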
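#######################################
# Delete the GuardDuty detector in one region, first disassociating and
# deleting any member accounts attached to it.
# Globals:   none
# Arguments: $1 - region name
#            $2 - optional AWS CLI profile to run under; omit to use the
#                 credentials of the current environment
# Outputs:   AWS CLI output on stdout, errors on stderr
# Returns:   0 when no detector exists or it was deleted, non-zero if an
#            AWS CLI call failed
#######################################
delete_detector() {
  local region=$1
  # Kept as an array so the option is passed only when a profile was given.
  # A plain global string is never reset, so it would leak into later calls
  # made without a profile.
  local -a profile_arg=()
  if [[ -n "${2:-}" ]]; then
    profile_arg=(--profile "$2")
  fi
  # Get detector Id (a region holds at most one detector).
  local detector_id
  detector_id=$(aws guardduty list-detectors --query "DetectorIds[0]" --output text --region "$region" "${profile_arg[@]}") || return 1
  # No detector: nothing to do. This is a function body, not a loop, so
  # `return` is the correct way to skip, not `continue`.
  if [[ -z "$detector_id" || "$detector_id" == "None" ]]; then
    return 0
  fi
  # Disassociate members currently attached to this master. The text output
  # is one tab-separated line; read it into an array instead of relying on
  # unquoted word-splitting.
  local members_text
  local -a associated_account_ids=()
  members_text=$(aws guardduty list-members --detector-id "$detector_id" --only-associated true --query "Members[].AccountId" --output text --region "$region" "${profile_arg[@]}") || return 1
  read -r -a associated_account_ids <<<"$members_text"
  if (( ${#associated_account_ids[@]} > 0 )); then
    aws guardduty disassociate-members --detector-id "$detector_id" --account-ids "${associated_account_ids[@]}" --region "$region" "${profile_arg[@]}" || return 1
  fi
  # Delete every member record (associated or not) so the detector can go.
  local -a member_account_ids=()
  members_text=$(aws guardduty list-members --detector-id "$detector_id" --only-associated false --query "Members[].AccountId" --output text --region "$region" "${profile_arg[@]}") || return 1
  read -r -a member_account_ids <<<"$members_text"
  if (( ${#member_account_ids[@]} > 0 )); then
    aws guardduty delete-members --detector-id "$detector_id" --account-ids "${member_account_ids[@]}" --region "$region" "${profile_arg[@]}" || return 1
  fi
  aws guardduty delete-detector --detector-id "$detector_id" --region "$region" "${profile_arg[@]}"
}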
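#######################################
# Assume ROLE_NAME in a member account and store the temporary credentials
# under a named AWS CLI profile.
# Globals:   ROLE_NAME (read)
# Arguments: $1 - member account id
#            $2 - AWS CLI profile name to write the credentials into
# Outputs:   diagnostics on stderr
# Returns:   0 on success, 1 if the role could not be assumed or its output
#            could not be parsed
# Note:      `aws configure set` persists the session credentials in the CLI's
#            shared credentials file. The non-zero return on failure matters:
#            the profile then still holds the previous account's credentials,
#            so callers must not continue as if the switch succeeded.
#######################################
switch_role() {
  local account_id=$1
  local profile=$2
  local credentials
  credentials=$(aws sts assume-role --role-session-name devdemo \
    --role-arn "arn:aws:iam::${account_id}:role/${ROLE_NAME}" \
    --query "Credentials.[AccessKeyId, SecretAccessKey,SessionToken]" \
    --output text) || return 1
  # Text output is a single tab-separated line; `read` splits it on whitespace
  # without the unquoted-echo round trip the previous `cut` pipeline relied on.
  local access_key_id secret_access_key session_token
  read -r access_key_id secret_access_key session_token <<<"$credentials"
  if [[ -z "$session_token" ]]; then
    printf 'switch_role: unexpected assume-role output for account %s\n' "$account_id" >&2
    return 1
  fi
  aws configure set "profile.${profile}.aws_access_key_id" "$access_key_id" &&
    aws configure set "profile.${profile}.aws_secret_access_key" "$secret_access_key" &&
    aws configure set "profile.${profile}.aws_session_token" "$session_token"
}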
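# Delete the detector in every region for the master account (the credentials
# of the current environment; no profile is passed).
# shellcheck disable=SC2086 -- regions is tab-separated text, split on purpose
for region in $regions; do
  echo "Delete detector for master account: " "$region"
  delete_detector "$region"
done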
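# Delete each member account's detectors. accounts.csv holds one member per
# line with the account id in the first column; blank lines are skipped.
# `|| [[ -n "$account" ]]` still processes a last line without a newline.
while read -r account || [[ -n "$account" ]]; do
  if [[ -z "$account" ]]; then
    continue
  fi
  # First CSV column, with a trailing CR stripped in case the file is CRLF.
  account_id=${account%%,*}
  account_id=${account_id%$'\r'}
  profile="tmp"
  # Switch Role to the member account. If that fails the profile may still
  # hold the previous account's credentials, so skip this account rather than
  # run the deletes under the wrong identity.
  echo "Switch Role to the account " "$account_id"
  if ! switch_role "$account_id" "$profile"; then
    echo "Skipping account $account_id: switch_role failed" >&2
    continue
  fi
  # shellcheck disable=SC2086 -- regions is tab-separated text, split on purpose
  for region in $regions; do
    echo "Delete detector for the account: " "$account_id" "$region"
    delete_detector "$region" "$profile"
  done
done < accounts.csv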