fix(core): Fix GuardDuty issue related to member account enable (#721)

naveenkoppula · web-flow · commit 7ba81f85684f · 2021-04-27T18:03:52.000-04:00
* Performing createMembers on every execution if account is not there in memberAccounts

* Adding permissions to GuardDutyAdminSetup role

* Fixing GD
diff --git a/src/deployments/cdk/src/deployments/iam/guardduty-roles.ts b/src/deployments/cdk/src/deployments/iam/guardduty-roles.ts
@@ -76,6 +76,7 @@ export async function createAdminSetupRole(stack: AccountStack) {
         'guardduty:UpdateMemberDetectors',
         'guardduty:DeleteMembers',
         'guardduty:UpdateDetector',
+        'guardduty:ListMembers',
       ],
       resources: ['*'],
     }),
diff --git a/src/lib/custom-resources/cdk-guardduty-admin-setup/runtime/src/index.ts b/src/lib/custom-resources/cdk-guardduty-admin-setup/runtime/src/index.ts
@@ -60,20 +60,20 @@ async function onCreateOrUpdate(
   await updateS3Protection(detectorId, s3Protection);
 
   const isAutoEnabled = await isConfigurationAutoEnabled(detectorId, s3Protection);
-  if (isAutoEnabled) {
+  if (!isAutoEnabled) {
+    // Update Config to handle new Account created under Organization
+    await updateConfig(detectorId, s3Protection);
+  } else {
     console.log(`GuardDuty is already enabled ORG Level`);
-    return {
-      physicalResourceId,
-      data: {},
-    };
   }
 
-  // Update Config to handle new Account created under Organization
-  await updateConfig(detectorId, s3Protection);
-
-  if (memberAccounts.length > 0) {
-    await createMembers(memberAccounts, detectorId);
-    await updateMemberDataSource(memberAccounts, detectorId, s3Protection);
+  const existingMembers = await listMembers(detectorId);
+  const requiredMemberAccounts = memberAccounts.filter(
+    ma => !existingMembers.find(em => em.AccountId === ma.AccountId && em.RelationshipStatus === 'Enabled'),
+  );
+  if (requiredMemberAccounts.length > 0) {
+    await createMembers(requiredMemberAccounts, detectorId);
+    await updateMemberDataSource(requiredMemberAccounts, detectorId, s3Protection);
   }
 
   return {
@@ -239,6 +239,23 @@ async function deleteMembers(memberAccounts: AccountDetail[], detectorId: string
   }
 }
 
+async function listMembers(detectorId: string): Promise<AWS.GuardDuty.Member[]> {
+  const members: AWS.GuardDuty.Member[] = [];
+  let token: string | undefined;
+  do {
+    const response = await throttlingBackOff(() =>
+      guardduty
+        .listMembers({
+          DetectorId: detectorId,
+        })
+        .promise(),
+    );
+    token = response.NextToken;
+    members.push(...response.Members!);
+  } while (token);
+  return members;
+}
+
 function getPropertiesFromEvent(event: CloudFormationCustomResourceEvent) {
   const properties = (event.ResourceProperties as unknown) as HandlerProperties;
   if (typeof properties.s3Protection === 'string') {
