Split the account-wide delgations done via Organizations from the regional GuardDuty delegation

jchrisfarris · jchrisfarris · commit 5462c731e7bb · 2020-05-12T11:25:10.000-04:00
diff --git a/org-delegation/README.md b/org-delegation/README.md
@@ -1,6 +1,6 @@
 # Organizations Delegated Access
 
-This script will configure Delegated Administrator in a payer account for GuardDuty and IAM Access Analyzer.
+These scripts will configure Delegated Administrator in a payer account for GuardDuty and IAM Access Analyzer.
 
 ## Why?
 
@@ -9,9 +9,9 @@ This script will configure Delegated Administrator in a payer account for GuardD
 The concept of Delegated Admin accounts for specific services is new. It allows the Organization master to grant an account in the organization full ability to deploy and manage the service in all accounts in the Organization. This eliminates the need for teams to login the payer account or individually deploy tooling in an organization's child accounts.
 
 
-## What the script does.
+## What the delegate-admin script does.
 
-This script will enable delegated admin for GuardDuty and IAM Access Analyzer (plus any future services).
+This script will enable delegated admin for IAM Access Analyzer (plus any future services).
 
 Then, because GuardDuty has to be special, the script iterates through all the regions returned by ec2:DescribeRegions. It will then call enable_organization_admin_account() to configure GuardDuty's delegated admin.
 
@@ -38,6 +38,34 @@ optional arguments:
 
 You must specify `--actually-do-it` for the changes to be made. Otherwise the script runs in dry-run mode only.
 
+## What the delegate-guardduty script does.
+
+This script iterates through all the regions returned by ec2:DescribeRegions. It will then call enable_organization_admin_account() to configure GuardDuty's delegated admin.
+
+The script will report if the organization has delegated to another child account, or if the delegation was already configured before attempting to enable account delegation.
+
+## Usage
+
+```bash
+usage: delegate-guardduty.py [-h] [--debug] [--error] [--timestamp]
+                           [--region REGION] [--profile PROFILE]
+                           [--actually-do-it] [--delegated-admin ADMIN_ACCOUNT_ID]
+
+optional arguments:
+  -h, --help            show this help message and exit
+  --debug               print debugging info
+  --error               print error info only
+  --timestamp           Output log with timestamp and toolname
+  --region REGION       Only Process Specified Region
+  --profile PROFILE     Use this CLI profile (instead of default or env credentials)
+  --actually-do-it      Actually Perform the action
+  --delegated-admin ADMIN_ACCOUNT_ID
+                        Account that the payer will delegate access to
+```
+
+You must specify `--actually-do-it` for the changes to be made. Otherwise the script runs in dry-run mode only.
+
+
 
 ## AWS Docs
 
diff --git a/org-delegation/delegate-admin.py b/org-delegation/delegate-admin.py
@@ -9,7 +9,7 @@
 
 services = {
     "access-analyzer.amazonaws.com": "IAM Access Analyzer",
-    "guardduty.amazonaws.com": "AWS GuardDuty",
+    # "guardduty.amazonaws.com": "AWS GuardDuty",  # apparently this isn't a proper
 }
 
 
@@ -29,11 +29,11 @@ def main(args, logger):
         response = org_client.list_delegated_administrators(ServicePrincipal=service)
         if len(response['DelegatedAdministrators']) == 1:
             if response['DelegatedAdministrators'][0]['Id'] == args.accountId:
-                logger.debug(f"{args.accountId} is already the delegated admin for {description}")
+                logger.info(f"{args.accountId} is already the delegated admin for {description}")
             else:
                 logger.error(f"{response['DelegatedAdministrators'][0]['Id']} is the delegated admin for {service}. Not performing the update")
         elif len(response['DelegatedAdministrators']) > 1:
-            logger.erro(f"Multiple delegated admin accounts for {service}. Cannot safely proceed.")
+            logger.error(f"Multiple delegated admin accounts for {service}. Cannot safely proceed.")
         elif args.actually_do_it is True:
             # Safe to Proceed
             logger.info(f"Enabling {description} Delegation to {args.accountId}")
@@ -44,44 +44,6 @@ def main(args, logger):
         else:
             logger.info(f"Would enable {description} Delegation to {args.accountId}")
 
-    # For some reason GuardDuty also needs to be enabled Regionally. Gah!
-    for r in get_regions(session, args):
-        guardduty_client = session.client("guardduty", region_name=r)
-        response = guardduty_client.list_organization_admin_accounts()
-        if len(response['AdminAccounts']) > 1:
-            logger.error(f"too many admin accounts in region {r}. Cannot proceed.")
-        elif len(response['AdminAccounts']) == 1:
-            if response['AdminAccounts'][0]['AdminAccountId'] == args.accountId:
-                logger.debug(f"Account {args.accountId} is already the delegated admin for region {r} and in state {response['AdminAccounts'][0]['AdminStatus']}")
-            else:
-                logger.error(f"{response['AdminAccounts'][0]['AdminAccountId']} is already the delegated admin in {r}. Not performing update")
-        elif args.actually_do_it is True:
-            try:
-                logger.info(f"Enablng GuardDuty Delegated Admin to {args.accountId} in region {r}")
-                guardduty_client.enable_organization_admin_account(AdminAccountId=args.accountId)
-            except ClientError as e:
-                logger.critical(e)
-        else:
-            logger.info(f"Would enable GuardDuty Delegated Admin to {args.accountId} in region {r}")
-
-def get_regions(session, args):
-    '''Return a list of regions with us-east-1 first. If --region was specified, return a list wth just that'''
-
-    # If we specifed a region on the CLI, return a list of just that
-    if args.region:
-        return([args.region])
-
-    # otherwise return all the regions, us-east-1 first
-    ec2 = session.client('ec2')
-    response = ec2.describe_regions()
-    output = ['us-east-1']
-    for r in response['Regions']:
-        # return us-east-1 first, but dont return it twice
-        if r['RegionName'] == "us-east-1":
-            continue
-        output.append(r['RegionName'])
-    return(output)
-
 def do_args():
     import argparse
     parser = argparse.ArgumentParser()
@@ -103,7 +65,7 @@ def do_args():
 
     # Logging idea stolen from: https://docs.python.org/3/howto/logging.html#configuring-logging
     # create console handler and set level to debug
-    logger = logging.getLogger('enable-guardduty')
+    logger = logging.getLogger('delegated-admin')
     ch = logging.StreamHandler()
     if args.debug:
         logger.setLevel(logging.DEBUG)
diff --git a/org-delegation/delegate-guardduty.py b/org-delegation/delegate-guardduty.py
@@ -0,0 +1,107 @@
+#!/usr/bin/env python3
+
+import boto3
+from botocore.exceptions import ClientError
+# from botocore.errorfactory import BadRequestException
+import os
+import logging
+# logger = logging.getLogger()
+
+
+
+def main(args, logger):
+    '''Executes the Primary Logic of the Fast Fix'''
+
+    # If they specify a profile use it. Otherwise do the normal thing
+    if args.profile:
+        session = boto3.Session(profile_name=args.profile)
+    else:
+        session = boto3.Session()
+
+    # GuardDuty needs to be enabled Regionally. Gah!
+    for r in get_regions(session, args):
+        guardduty_client = session.client("guardduty", region_name=r)
+        response = guardduty_client.list_organization_admin_accounts()
+        if len(response['AdminAccounts']) > 1:
+            logger.error(f"too many admin accounts in region {r}. Cannot proceed.")
+        elif len(response['AdminAccounts']) == 1:
+            if response['AdminAccounts'][0]['AdminAccountId'] == args.accountId:
+                logger.debug(f"Account {args.accountId} is already the delegated admin for region {r} and in state {response['AdminAccounts'][0]['AdminStatus']}")
+            else:
+                logger.error(f"{response['AdminAccounts'][0]['AdminAccountId']} is already the delegated admin in {r}. Not performing update")
+        elif args.actually_do_it is True:
+            try:
+                logger.info(f"Enablng GuardDuty Delegated Admin to {args.accountId} in region {r}")
+                guardduty_client.enable_organization_admin_account(AdminAccountId=args.accountId)
+            except ClientError as e:
+                logger.critical(e)
+        else:
+            logger.info(f"Would enable GuardDuty Delegated Admin to {args.accountId} in region {r}")
+
+def get_regions(session, args):
+    '''Return a list of regions with us-east-1 first. If --region was specified, return a list wth just that'''
+
+    # If we specifed a region on the CLI, return a list of just that
+    if args.region:
+        return([args.region])
+
+    # otherwise return all the regions, us-east-1 first
+    ec2 = session.client('ec2')
+    response = ec2.describe_regions()
+    output = ['us-east-1']
+    for r in response['Regions']:
+        # return us-east-1 first, but dont return it twice
+        if r['RegionName'] == "us-east-1":
+            continue
+        output.append(r['RegionName'])
+    return(output)
+
+def do_args():
+    import argparse
+    parser = argparse.ArgumentParser()
+    parser.add_argument("--debug", help="print debugging info", action='store_true')
+    parser.add_argument("--error", help="print error info only", action='store_true')
+    parser.add_argument("--timestamp", help="Output log with timestamp and toolname", action='store_true')
+    parser.add_argument("--region", help="Only Process Specified Region")
+    parser.add_argument("--profile", help="Use this CLI profile (instead of default or env credentials)")
+    parser.add_argument("--actually-do-it", help="Actually Perform the action", action='store_true')
+    parser.add_argument("--delegated-admin", dest='accountId', help="Delegate access to this account id", required=True)
+
+    args = parser.parse_args()
+
+    return(args)
+
+if __name__ == '__main__':
+
+    args = do_args()
+
+    # Logging idea stolen from: https://docs.python.org/3/howto/logging.html#configuring-logging
+    # create console handler and set level to debug
+    logger = logging.getLogger('enable-guardduty')
+    ch = logging.StreamHandler()
+    if args.debug:
+        logger.setLevel(logging.DEBUG)
+    elif args.error:
+        logger.setLevel(logging.ERROR)
+    else:
+        logger.setLevel(logging.INFO)
+
+    # Silence Boto3 & Friends
+    logging.getLogger('botocore').setLevel(logging.WARNING)
+    logging.getLogger('boto3').setLevel(logging.WARNING)
+    logging.getLogger('urllib3').setLevel(logging.WARNING)
+
+    # create formatter
+    if args.timestamp:
+        formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
+    else:
+        formatter = logging.Formatter('%(levelname)s - %(message)s')
+    # add formatter to ch
+    ch.setFormatter(formatter)
+    # add ch to logger
+    logger.addHandler(ch)
+
+    try:
+        main(args, logger)
+    except KeyboardInterrupt:
+        exit(1)
