aws-samples / amazon-guardduty-multiaccount-scripts

This script automates the process of running the GuardDuty multi-account workflow across a group of accounts that are in your control
Apache License 2.0

Enable Guard Duty on Asia Pacific (Hong Kong) region #31

Closed dasbiswajit closed 5 years ago

dasbiswajit commented 5 years ago

Hello Team, we are enabling GuardDuty using enableguardduty.py via switch role. But we can see it is not working properly for the Asia Pacific (Hong Kong) region.

We are executing the following command to enable GuardDuty: python amazon-guardduty-multiaccount-scripts/enableguardduty.py --master_account --assume_role

guardduty_fileName contents - AccountxNoxxxxxxxxxxxxxx,account_root_email

boto version -

-bash-4.2$ aws --version aws-cli/1.16.183 Python/2.7.5 Linux/3.10.0-862.6.3.el7.x86_64 botocore/1.12.173

dasbiswajit commented 5 years ago

Is this because of the AWS CLI version?

dasbiswajit commented 5 years ago

The error is as attached.

ryanholland commented 5 years ago

This is caused by an older version of boto/botocore that does not yet have the ap-east-1 region updated as supported by GuardDuty. Ensure you have updated both boto3 and botocore packages to the latest version (boto3: 1.9.197 / botocore: 1.12.197).

visenn commented 5 years ago

This is caused by an older version of boto/botocore that does not yet have the ap-east-1 region updated as supported by GuardDuty. Ensure you have updated both boto3 and botocore packages to the latest version (boto3: 1.9.197 / botocore: 1.12.197)

I am afraid the issue is in the code implementation.

When the script is executed without providing any region explicitly, then the function: _guardduty_regions = [str(item) for item in args.enabledregions.split(',')]

will also include the "HongKong" region in the list of regions where GuardDuty is enabled. The problem is that, according to the new AWS approach to new regions, a new region can be disabled and the client need not want to enable it.

In such a case, in the loop several lines lower, the code will fail with the message that the session token is invalid when it tries to list detectors in a region which is not enabled in the account:

_detector_dict = list_detectors(gd_client, awsregion)

The script must be modified so that the guardduty_regions list contains only those regions where GuardDuty is enabled AND which are enabled in the account.
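One way to implement the filtering visenn describes, as an added example that is not the project's own code and not the fix the maintainer pushed (which, per the reply below in the thread, handles the error in the master account and drops the region from the list). It assumes that an account's opt-in status per region is read from ec2:DescribeRegions with AllRegions=True, whose OptInStatus field is one of "opt-in-not-required", "opted-in" or "not-opted-in"; the sample response and the region string are constructed here, and fetch_usable_regions is a hypothetical helper that is not executed offline.

```python
"""Added example (not the project's code): filter the GuardDuty region list
down to regions the account has actually enabled.

Assumptions (not stated in the thread): the opt-in status of each region is
read from ec2:DescribeRegions with AllRegions=True, whose OptInStatus field is
one of "opt-in-not-required", "opted-in" or "not-opted-in"; the region list
below mirrors the comma-separated --enabledregions value the script splits.
"""

from typing import Dict, Iterable, List, Set, Tuple

# Regions with either status can be called into; a "not-opted-in" region
# rejects the session token, which is the failure described in the thread.
USABLE_OPT_IN_STATUSES = {"opt-in-not-required", "opted-in"}

# Constructed sample of a DescribeRegions(AllRegions=True) response.
SAMPLE_DESCRIBE_REGIONS: Dict[str, list] = {
    "Regions": [
        {"RegionName": "us-east-1", "Endpoint": "ec2.us-east-1.amazonaws.com",
         "OptInStatus": "opt-in-not-required"},
        {"RegionName": "eu-west-1", "Endpoint": "ec2.eu-west-1.amazonaws.com",
         "OptInStatus": "opt-in-not-required"},
        {"RegionName": "ap-east-1", "Endpoint": "ec2.ap-east-1.amazonaws.com",
         "OptInStatus": "not-opted-in"},
    ]
}


def usable_regions(describe_regions_response: dict) -> Set[str]:
    """Names of regions this account can use, from a DescribeRegions response."""
    return {
        region["RegionName"]
        for region in describe_regions_response.get("Regions", [])
        if region.get("OptInStatus") in USABLE_OPT_IN_STATUSES
    }


def filter_guardduty_regions(
    candidate_regions: Iterable[str], enabled: Set[str]
) -> Tuple[List[str], List[str]]:
    """Split candidates into (kept, skipped), preserving the input order.

    `kept` holds regions that are both in the GuardDuty list and enabled in
    the account; `skipped` holds the ones the script must not call into.
    """
    kept: List[str] = []
    skipped: List[str] = []
    for raw in candidate_regions:
        region = raw.strip()
        if not region:
            continue
        (kept if region in enabled else skipped).append(region)
    return kept, skipped


def fetch_usable_regions(session) -> Set[str]:
    """Hypothetical live lookup with a boto3.Session (needs boto3 and
    credentials; not run in this example)."""
    ec2 = session.client("ec2", region_name="us-east-1")
    return usable_regions(ec2.describe_regions(AllRegions=True))


if __name__ == "__main__":
    # Mirrors the script's own splitting of --enabledregions, on constructed input.
    guardduty_regions = [
        str(item) for item in "us-east-1,ap-east-1,eu-west-1".split(",")
    ]
    kept, skipped = filter_guardduty_regions(
        guardduty_regions, usable_regions(SAMPLE_DESCRIBE_REGIONS)
    )
    print("enable GuardDuty in:", kept)
    print("skipping regions not enabled in this account:", skipped)
```

Running the check in the master account before the per-account loop, and logging the skipped regions, turns the opaque "session token is invalid" failure into an explicit, auditable decision about which regions were never attempted.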

ryanholland commented 5 years ago

@visenn You are correct, thanks for that - I just pushed an update that will correctly handle that error in the Master account and remove the region from the list.