aws-samples / amazon-guardduty-multiaccount-scripts

This script automates the process of running the GuardDuty multi-account workflow across a group of accounts that are in your control
Apache License 2.0

disableguardduty.py does not work #24

Closed jimsmith closed 5 years ago

jimsmith commented 5 years ago

When running disableguardduty.py this comes back:

GuardDuty is active in eu-west-1
There are members in eu-west-1
Traceback (most recent call last):
  File "disableguardduty.py", line 164, in <module>
    DetectorId=detector_id
  File "/Users/jimsmith/.local/lib/python3.6/site-packages/botocore/client.py", line 357, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/Users/jimsmith/.local/lib/python3.6/site-packages/botocore/client.py", line 634, in _make_api_call
    api_params, operation_model, context=request_context)
  File "/Users/jimsmith/.local/lib/python3.6/site-packages/botocore/client.py", line 682, in _convert_to_request_dict
    api_params, operation_model)
  File "/Users/jimsmith/.local/lib/python3.6/site-packages/botocore/validate.py", line 297, in serialize_to_request
    raise ParamValidationError(report=report.generate_report())
botocore.exceptions.ParamValidationError: Parameter validation failed:

Command that was used:

python disableguardduty.py --master_account=<aws guardduty master account id> --assume_role=OrganizationAccountAccessRole ./guardduty_account_list.txt --enabled_regions=eu-west-1 --delete_master

ryanholland commented 5 years ago

Hi, I am not able to reproduce this, can you provide the full error output and ensure you have the most recent version of the script.

jimsmith commented 5 years ago

Hi thanks.

That is the entire output and the version I used was latest pulled down on the day I logged this issue.

What do you suggest next for the entire output?

ryanholland commented 5 years ago

There would have been more to the error output, specifically what parameter validation failed, after "Parameter validation failed:"

jimsmith commented 5 years ago

I'll rerun this tomorrow seeing its getting close to midnight over at my end.... and will update here in due course 👍🏻

Thanks!

WFAKEN11 commented 5 years ago

I had the same issue too. The problem is the parameter type for "AccountIds": it is expected to be of type list, but it isn't. Simply converting the parameters to list fixed it for me. This has to be done 4 times in the script. For example: AccountIds=member_dict.keys() --> AccountIds=list(member_dict.keys())

scanjam commented 5 years ago

Hey all, I have this problem too. With Python 3.7.3 64-bit (downloaded today) and having cloned this repo today also, on a Windows 10 endpoint.

Just tested the enableguardduty script and it worked beautifully! Thanks!

But when running disableguardduty like so .\disableguardduty.py --master_account <XXXX> .\accounts.csv --assume_role ManageGuardDuty

it starts off ok and cycles through the regions - then stops when it finds an enabled region with:

PS C:\bitbucket\amazon-guardduty-multiaccount-scripts> python .\disableguardduty.py --master_account .\accounts.csv --assume_role ManageGuardDuty --delete_master
Disabling members in all available GuardDuty regions ['ap-northeast-1', 'ap-northeast-2', 'ap-south-1', 'ap-southeast-1', 'ap-southeast-2', 'ca-central-1', 'eu-central-1', 'eu-west-1', 'eu-west-2', 'eu-west-3', 'sa-east-1', 'us-east-1', 'us-east-2', 'us-west-1', 'us-west-2']
Assumed session for
No detector found for in ap-northeast-1
No detector found for in ap-northeast-2
No detector found for in ap-south-1
No detector found for in ap-southeast-1
No detector found for in ap-southeast-2
No detector found for in ca-central-1
No detector found for in eu-central-1
GuardDuty is active in eu-west-1
There are members in eu-west-1
Traceback (most recent call last):
  File ".\disableguardduty.py", line 164, in <module>
    DetectorId=detector_id
  File "C:\Users\scanjam\AppData\Local\Programs\Python\Python37\lib\site-packages\botocore\client.py", line 357, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "C:\Users\scanjam\AppData\Local\Programs\Python\Python37\lib\site-packages\botocore\client.py", line 634, in _make_api_call
    api_params, operation_model, context=request_context)
  File "C:\Users\scanjam\AppData\Local\Programs\Python\Python37\lib\site-packages\botocore\client.py", line 682, in _convert_to_request_dict
    api_params, operation_model)
  File "C:\Users\scanjam\AppData\Local\Programs\Python\Python37\lib\site-packages\botocore\validate.py", line 297, in serialize_to_request
    raise ParamValidationError(report=report.generate_report())
botocore.exceptions.ParamValidationError: Parameter validation failed:
Invalid type for parameter AccountIds, value: dict_keys(['']), type: <class 'dict_keys'>, valid types: <class 'list'>, <class 'tuple'>
PS C:\bitbucket\amazon-guardduty-multiaccount-scripts>

Following @WFAKEN11 comments from 11 Mar I edited the following and it seems to have fixed the problem. (Thanks @WFAKEN11!!)

LINES 163-179

                    response = gd_client.disassociate_members(
                        AccountIds=list(member_dict.keys()),
                        DetectorId=detector_id
                    )

                    response = gd_client.delete_members(
                        DetectorId=detector_id,
                        AccountIds=list(member_dict.keys())
                    )

                else:
                    response = gd_client.disassociate_members(
                        AccountIds=list(aws_account_dict.keys()),
                        DetectorId=detector_id
                    )

                    response = gd_client.delete_members(
                        DetectorId=detector_id,
                        AccountIds=list(aws_account_dict.keys())
                    )
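The root cause described in the two comments above, as an added example that is not code from this repository: on Python 2, dict.keys() returned a list, while on Python 3 it returns a dict_keys view, which botocore's parameter validator rejects for a list-shaped parameter such as AccountIds. The block below reproduces that type check locally (no AWS call, boto3 not needed) and builds the parameters for disassociate_members / delete_members as a real list. The function names, the constructed member dict, and the 12-digit account-ID filter are mine; the filter is an added safeguard, prompted by the dict_keys(['']) in the traceback above, and is not something the script does.

```python
# Added example, not code from amazon-guardduty-multiaccount-scripts.
# Demonstrates why dict.keys() fails botocore's parameter validation on
# Python 3 and how to build AccountIds so the member calls pass validation.
# No AWS calls are made; boto3/botocore are not required to run this.
from typing import Dict, List, Tuple

# botocore accepts only list or tuple for a list-shaped parameter such as
# AccountIds (the traceback in this issue states exactly these two types).
# Python 2's dict.keys() returned a list; Python 3's returns a dict_keys
# view, which is neither, so validation fails before any request is sent.
VALID_LIST_TYPES = (list, tuple)


def is_valid_list_param(value: object) -> bool:
    """Local stand-in for botocore's type check on list-typed parameters."""
    return isinstance(value, VALID_LIST_TYPES)


def looks_like_account_id(value: str) -> bool:
    """AWS account IDs are exactly 12 decimal digits."""
    return len(value) == 12 and value.isdigit()


def member_call_params(detector_id: str,
                       member_dict: Dict[str, str]) -> Tuple[dict, List[str]]:
    """Build kwargs for gd_client.disassociate_members() / delete_members().

    member_dict maps account id -> email, like the script's member_dict.
    Returns (params, rejected): params carries AccountIds as a real list;
    rejected holds keys that are not 12-digit account IDs. The traceback in
    this issue shows dict_keys(['']), i.e. an empty account id read from a
    blank line in the account file; list() alone would still send that ''.
    Dropping such entries is an added safeguard (my assumption), not
    behaviour of the script itself.
    """
    account_ids = [a for a in member_dict if looks_like_account_id(a)]
    rejected = [a for a in member_dict if not looks_like_account_id(a)]
    params = {"DetectorId": detector_id, "AccountIds": account_ids}
    # This is the property the fix in the thread restores.
    assert is_valid_list_param(params["AccountIds"])
    return params, rejected


if __name__ == "__main__":
    # Constructed sample input: two member accounts plus one blank key, as a
    # trailing empty line in the account list would produce.
    sample_members = {"111111111111": "a@example.com",
                      "": "",
                      "222222222222": "b@example.com"}
    print("dict_keys passes type check:",
          is_valid_list_param(sample_members.keys()))      # False on Python 3
    print("list(keys) passes type check:",
          is_valid_list_param(list(sample_members.keys())))  # True
    params, rejected = member_call_params("12abc34d56ef78", sample_members)
    print("params:", params)
    print("rejected:", rejected)
```

Even with the list() fix applied, a blank line in the account file still reaches the API as an empty AccountIds entry, so checking the file (or filtering as above) before running with --delete_master is worth doing: the script disassociates and deletes members, which removes the master's view of those accounts' findings.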
ryanholland commented 5 years ago

This has been corrected, thanks for calling out the incompatibility with 3.7