Sample script to delete a GuardDuty master's and some members' configuration in all regions
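#!/bin/bash
# Delete the GuardDuty detector (and its member configuration) in every region:
# first for the master account (default credentials), then for each member
# account listed in accounts.csv (account id in the first column), reached by
# assuming ROLE_NAME in that account.
OPERATION_REGION=us-east-1
ROLE_NAME=OrganizationAccountAccessRole
#Change your master account id
# Quoted: an unquoted <...> placeholder is parsed by bash as a redirection and
# makes the whole script fail to parse.
MASTAR_ACCOUNT_ID="<YOUR_MASTER_ACCOUNT_ID>"
# Safety guard: this script removes security monitoring for the whole
# organization, so refuse to run unless the current credentials actually belong
# to the configured master account.
caller_account_id=$(aws sts get-caller-identity --query "Account" --output text)
if [ -z "$caller_account_id" ] || [ "$caller_account_id" != "$MASTAR_ACCOUNT_ID" ]; then
  echo "Current credentials belong to account '${caller_account_id}', expected master account '${MASTAR_ACCOUNT_ID}'; aborting" >&2
  exit 1
fi
# Region list as a bash array; the text output is one whitespace-separated line.
# Abort if the lookup fails, otherwise the loops below would silently do nothing.
regions_text=$(aws ec2 describe-regions --query "Regions[].RegionName" --region "$OPERATION_REGION" --output text) || exit 1
read -r -a regions <<<"$regions_text"
if [ "${#regions[@]}" -eq 0 ]; then
  echo "describe-regions returned no regions; aborting" >&2
  exit 1
fi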
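function delete_detector () {
  #######################################
  # Remove the GuardDuty detector in one region, after disassociating and
  # deleting any member accounts attached to it.
  # Globals:   none written (all state is local)
  # Arguments: $1 - region name
  #            $2 - optional AWS CLI profile; when empty the default
  #                 credentials are used
  # Returns:   0 when there was nothing to delete or deletion was attempted;
  #            non-zero if the detector lookup itself failed
  #######################################
  local region=$1
  # Pass the profile as an array so an absent profile adds no arguments at all
  # (the original kept a global string that was never reset between calls).
  local -a profile_arg=()
  if [ -n "$2" ]; then
    profile_arg=(--profile "$2")
  fi
  # Get detector Id (GuardDuty allows one detector per account and region)
  local detector_id
  detector_id=$(aws guardduty list-detectors --region "$region" \
    --query "DetectorIds[0]" --output text "${profile_arg[@]}") || return 1
  # If no detector exists, there is nothing to do. `return` replaces the
  # original `continue`, which was not inside any loop of this function.
  # The -z check also covers a lookup that printed nothing.
  if [ -z "$detector_id" ] || [ "$detector_id" = "None" ]; then
    return 0
  fi
  # Disassociate members that are still associated with this detector
  local -a ids=()
  local associated_account_ids
  associated_account_ids=$(aws guardduty list-members --detector-id "$detector_id" \
    --only-associated true --query "Members[].AccountId" --output text \
    --region "$region" "${profile_arg[@]}")
  if [ -n "$associated_account_ids" ]; then
    # Split the whitespace-separated id list into an array instead of relying
    # on unquoted word splitting; `|| true` because read -d '' hits EOF.
    read -r -d '' -a ids <<<"$associated_account_ids" || true
    aws guardduty disassociate-members --detector-id "$detector_id" \
      --account-ids "${ids[@]}" --region "$region" "${profile_arg[@]}"
  fi
  # Delete all members (associated or not) before removing the detector
  local member_account_ids
  member_account_ids=$(aws guardduty list-members --detector-id "$detector_id" \
    --only-associated false --query "Members[].AccountId" --output text \
    --region "$region" "${profile_arg[@]}")
  if [ -n "$member_account_ids" ]; then
    read -r -d '' -a ids <<<"$member_account_ids" || true
    aws guardduty delete-members --detector-id "$detector_id" \
      --account-ids "${ids[@]}" --region "$region" "${profile_arg[@]}"
  fi
  aws guardduty delete-detector --detector-id "$detector_id" \
    --region "$region" "${profile_arg[@]}"
}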
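function switch_role () {
  #######################################
  # Assume ROLE_NAME in the given account and store the temporary credentials
  # under a named profile in the shared AWS CLI configuration, so later
  # commands can select them with --profile.
  # Globals:   ROLE_NAME (read)
  # Arguments: $1 - member account id
  #            $2 - profile name to write
  # Returns:   0 on success; non-zero if assume-role failed or returned no
  #            credentials, so the caller can skip the account instead of
  #            continuing with whatever the profile held before
  #######################################
  local account_id=$1
  local profile=$2
  local credentials
  credentials=$(aws sts assume-role --role-session-name devdemo \
    --role-arn "arn:aws:iam::${account_id}:role/${ROLE_NAME}" \
    --query "Credentials.[AccessKeyId, SecretAccessKey,SessionToken]" \
    --output text) || return 1
  # The three values come back on one whitespace-separated line; read them
  # directly instead of echo | cut, which depended on echo collapsing tabs.
  local access_key_id secret_access_key session_token
  read -r access_key_id secret_access_key session_token <<<"$credentials"
  if [ -z "$session_token" ]; then
    echo "assume-role for account ${account_id} returned no credentials" >&2
    return 1
  fi
  # NOTE: these short-lived credentials are written to the shared AWS CLI
  # credentials file under profile "$profile" and are not removed when the
  # script exits; clear the profile afterwards if that matters in your setup.
  aws configure set "profile.${profile}.aws_access_key_id" "$access_key_id"
  aws configure set "profile.${profile}.aws_secret_access_key" "$secret_access_key"
  aws configure set "profile.${profile}.aws_session_token" "$session_token"
}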
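# Delete all region's detector for Master Account (default credentials)
# shellcheck disable=SC2068 — regions is a whitespace-separated list from
# describe-regions; word splitting is intentional.
for region in ${regions[@]}; do
  echo "Delete detector for master account: ${region}"
  delete_detector "$region"
done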
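# Delete member's detector
# accounts.csv: one member account per line, account id in the first column.
# `|| [ -n "$account" ]` still processes a last line without a trailing newline.
while IFS= read -r account || [ -n "$account" ]; do
  # skip blank lines
  if [ -z "$account" ]; then
    continue
  fi
  # first CSV field (equivalent to cut -d ',' -f 1, without a subshell)
  account_id=${account%%,*}
  profile="tmp"
  # Switch Role to the member account. If that fails, skip the account rather
  # than running deletions with whatever credentials the profile held before.
  echo "Switch Role to the account ${account_id}"
  if ! switch_role "$account_id" "$profile"; then
    echo "Could not assume ${ROLE_NAME} in account ${account_id}; skipping" >&2
    continue
  fi
  # shellcheck disable=SC2068 — regions is a whitespace-separated list; splitting is intentional
  for region in ${regions[@]}; do
    echo "Delete detector for the account: ${account_id} ${region}"
    delete_detector "$region" "$profile"
  done
done < accounts.csv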