@tomofuminijo
Last active February 14, 2020 23:38
Sample script to create a GuardDuty master and some members configuration in all regions
#!/bin/bash
# Region used only for the describe-regions call that enumerates every region.
OPERATION_REGION=us-east-1
# Role assumed in each member account (the default role created by AWS Organizations).
ROLE_NAME=OrganizationAccountAccessRole
# Change this to your master (administrator) account id
MASTER_ACCOUNT_ID=<YOUR_MASTER_ACCOUNT_ID>
regions=$(aws ec2 describe-regions --query "Regions[].RegionName" --region "$OPERATION_REGION" --output text)

# Assume $ROLE_NAME in the given account and store the temporary credentials in a named CLI profile.
# Note: the credentials are written to the local AWS CLI config and stay there after the script ends.
function switch_role () {
  account_id=$1
  profile=$2
  credentials=$(aws sts assume-role --role-session-name devdemo --role-arn "arn:aws:iam::$account_id:role/$ROLE_NAME" \
    --query "Credentials.[AccessKeyId, SecretAccessKey,SessionToken]" \
    --output text)
  # Text output is tab-separated; read splits on whitespace regardless of tab vs. space
  read -r access_key_id secret_access_key session_token <<< "$credentials"
  aws configure set profile."$profile".aws_access_key_id "$access_key_id"
  aws configure set profile."$profile".aws_secret_access_key "$secret_access_key"
  aws configure set profile."$profile".aws_session_token "$session_token"
}

# Create a detector and create/invite each member in every region, from the master account
for region in $regions; do
  echo "Create detector for master account : region: $region"
  if ! detector_id=$(aws guardduty create-detector --enable --query "DetectorId" --region "$region" --output text); then
    # create-detector fails if this region already has a detector; reuse the existing one
    detector_id=$(aws guardduty list-detectors --query "DetectorIds[0]" --region "$region" --output text)
  fi
  # Create and invite members (accounts.csv: <account id>,<email> per line)
  # "|| [ -n "$account" ]" also processes a final line that lacks a trailing newline
  while read -r account || [ -n "$account" ]; do
    if [ -z "${account}" ]; then
      continue
    fi
    account_id=$(echo "${account}" | cut -d ',' -f 1)
    email=$(echo "${account}" | cut -d ',' -f 2)
    aws guardduty create-members --detector-id "$detector_id" --account-details "AccountId=$account_id,Email=$email" --region "$region"
    aws guardduty invite-members --detector-id "$detector_id" --account-ids "$account_id" --disable-email-notification --region "$region"
  done < accounts.csv
done

# Create a detector and accept the invitation in every region, from each member account
while read -r account || [ -n "$account" ]; do
  if [ -z "${account}" ]; then
    continue
  fi
  account_id=$(echo "${account}" | cut -d ',' -f 1)
  profile="tmp"
  # Switch role to the member account
  echo "Switch role to the account $account_id"
  switch_role "$account_id" "$profile"
  for region in $regions; do
    echo "Create detector for account: $account_id region: $region"
    if ! detector_id=$(aws guardduty create-detector --enable --query "DetectorId" --region "$region" --output text --profile "$profile"); then
      # create-detector fails if this region already has a detector; reuse the existing one
      detector_id=$(aws guardduty list-detectors --query "DetectorIds[0]" --region "$region" --output text --profile "$profile")
    fi
    # Get the invitation id, selecting the one sent by our master account in case other invitations exist
    invitation_id=$(aws guardduty list-invitations --query "Invitations[?AccountId=='$MASTER_ACCOUNT_ID'].InvitationId | [0]" --region "$region" --output text --profile "$profile")
    aws guardduty accept-invitation --detector-id "$detector_id" --master-id "$MASTER_ACCOUNT_ID" --invitation-id "$invitation_id" --region "$region" --profile "$profile"
  done
done < accounts.csv
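A pre-flight check for the accounts.csv the script reads, added here as an example; it is not part of the original gist. It assumes the same two-column file the script expects (<12-digit account id>,<email> per line) and uses only bash and cut, so it can run before any AWS call is made.

```shell
#!/bin/bash
# Pre-flight check for accounts.csv (format: <12-digit account id>,<email> per line).
# The provisioning script pipes each field straight into create-members, so a header
# row, a stray third column or a truncated id would be sent to the API as-is.
# Exit status: 0 if every non-blank line is well formed, 1 otherwise (problems go to stderr).
validate_accounts_csv() {
  file="$1"
  status=0
  line_no=0
  # "|| [ -n "$line" ]" also processes a final line that lacks a trailing newline
  while IFS= read -r line || [ -n "$line" ]; do
    line_no=$((line_no + 1))
    line=${line%$'\r'}          # tolerate CRLF files
    [ -z "$line" ] && continue  # blank lines are skipped, as the script does
    account_id=$(printf '%s' "$line" | cut -d ',' -f 1)
    email=$(printf '%s' "$line" | cut -s -d ',' -f 2)   # -s: empty when no comma
    extra=$(printf '%s' "$line" | cut -s -d ',' -f 3-)
    case "$account_id" in
      ""|*[!0-9]*)
        echo "line $line_no: account id '$account_id' is not numeric" >&2
        status=1; continue ;;
    esac
    if [ ${#account_id} -ne 12 ]; then
      echo "line $line_no: account id '$account_id' is not 12 digits" >&2
      status=1; continue
    fi
    case "$email" in
      *@*.*) ;;
      *)
        echo "line $line_no: '$email' does not look like an email address" >&2
        status=1; continue ;;
    esac
    if [ -n "$extra" ]; then
      echo "line $line_no: unexpected extra field(s): '$extra'" >&2
      status=1
    fi
  done < "$file"
  return "$status"
}

# Usage: ./validate_accounts.sh accounts.csv
if [ "$#" -gt 0 ]; then
  validate_accounts_csv "$1"
fi
```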