aws-samples / amazon-guardduty-multiaccount-scripts

This script automates the process of running the GuardDuty multi-account workflow across a group of accounts that are in your control
Apache License 2.0
130 stars, 71 forks

Issues with enabledguardduty script #16

Closed shreyasdamle closed 6 years ago

shreyasdamle commented 6 years ago

Script stuck in ap-northeast-1 region:

Assumed session for XXXXXXXXXXXX.
Beginning XXXXXXXXXXXX in ap-northeast-1
Found existing detector 26a6a6a6a6a6a6a7a451 in ap-northeast-1 for XXXXXXXXXXXX
Account XXXXXXXXXXXX is already a member of YYYYYYYYYYY in region ap-northeast-1

But, did not get any problem with disabledguardduty script (enabled GuardDuty manually). Any reason it is failing while enabling GuardDuty?

ryanholland commented 6 years ago

Damle, the reason is that the account was already a member account, and an account can only be a member of 1 account. The disable script would have removed that membership, so if you now run the enable script again it should work without issue. I will make an update to better handle this condition. Thanks, Ryan

shreyasdamle commented 6 years ago

Thanks Ryan.

I removed the existing membership and ran the enable script again. However, it is still stuck at the ap-northeast-1 region. Does it take time? I waited for like 30 mins:

Assumed session for XXXXXXXXXXXX.
Beginning XXXXXXXXXXXX in ap-northeast-1
Created detector 26a6a6a6a6a6a6a7a4517d38093 in ap-northeast-1 for XXXXXXXXXXXX
Added Account XXXXXXXXXXXX to member list in GuardDuty master account YYYYYYYYYYY for region ap-northeast-1
Invited Account XXXXXXXXXXXX to GuardDuty master account YYYYYYYYYYY in region ap-northeast-1

Also, I checked in the console, GuardDuty is enabled in ap-northeast-1 region. However, there is no invitation from the Master account.

I'm certain that I am using the correct root account email address. It works when I send an invite through the console. An invitation does appear in the Accounts tab.

ryanholland commented 6 years ago

It should not take more than a few seconds. On the Master account, can you check the Accounts page to see the status? If there was a mismatch on the email it would show there.

shreyasdamle commented 6 years ago

I checked the Master account; Status says "Verification failed" for the XXXXXXXXXXXX account. However, for the same AccountId and EmailAddress, Status is "Enabled" if I go through the console.

ryanholland commented 6 years ago

Verification fails only if the email address is not correct. Can you check that there are no extra characters or escape characters in the CSV file, and that it's formatted as AccountID,EmailAddress?

shreyasdamle commented 6 years ago

Thanks Ryan! It is working now. There was an extra escape character in the CSV file.
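The thread above was resolved by finding a stray escape character in the AccountID,EmailAddress CSV, which GuardDuty surfaces only as a "Verification failed" invitation status. As an added example (not code from this repository), a small pre-flight validator for that CSV catches such rows before the enable script ever calls the API; the function name validate_member_rows and the sample rows are constructed for this illustration.

```python
import re

# Constructed sample input (not from the repository): rows 3 and 4 carry the
# kinds of defects discussed in the thread, a stray escape character after the
# email address and a malformed account ID.
SAMPLE_CSV = (
    "111111111111,security@example.com\n"
    "222222222222,guardduty-admin@example.com\n"
    "333333333333,ops@example.com\\\n"      # trailing backslash in the email
    "44444444444,alerts@example.com\n"      # only 11 digits in the account ID
)

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# Deliberately strict: plain ASCII mailbox, one '@', no whitespace, quotes or backslashes.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def validate_member_rows(text):
    """Check CSV text in AccountID,EmailAddress form.

    Returns (valid_rows, problems): valid_rows is a list of (account_id, email)
    tuples, problems a list of (line_number, reason) for rows to fix before
    feeding the file to the enable script.
    """
    valid, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue  # ignore blank lines
        # Control characters, tabs and a UTF-8 BOM are all non-printable and are
        # a typical source of a "Verification failed" invitation status.
        if not raw.isprintable():
            problems.append((lineno, "non-printable character in row"))
            continue
        parts = raw.split(",")
        if len(parts) != 2:
            problems.append((lineno, "expected exactly two fields: AccountID,EmailAddress"))
            continue
        account_id, email = parts[0].strip(), parts[1].strip()
        if not ACCOUNT_ID_RE.match(account_id):
            problems.append((lineno, f"account ID {account_id!r} is not 12 digits"))
        elif not EMAIL_RE.match(email):
            problems.append((lineno, f"email address {email!r} has an unexpected character"))
        else:
            valid.append((account_id, email))
    return valid, problems


if __name__ == "__main__":
    ok, bad = validate_member_rows(SAMPLE_CSV)
    for lineno, reason in bad:
        print(f"line {lineno}: {reason}")
    print(f"{len(ok)} valid row(s)")
```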