Disabling Amazon Detective in All Regions in One Shot with the AWS CLI

2023.06.02

There was a situation where I wanted to disable Amazon Detective, which had been enabled in every region, so I tried disabling it all in one shot using the AWS CLI.

Disabling Amazon Detective with the AWS CLI

The command that disables Amazon Detective is delete-graph.


Because delete-graph requires the graph ARN, we first obtain the ARN with the list-graphs command and then disable the graph.


Here is the command that disables it in all regions.

aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
| while read region; do
  echo "### Delete graph in ${region}"
  graph=$(aws detective list-graphs --region ${region} --query 'GraphList[0].Arn' --output text)
  aws detective delete-graph \
    --region ${region} \
    --graph-arn ${graph}
done

Here is the result of running it in AWS CloudShell. The Osaka region (ap-northeast-3) does not support Amazon Detective, so it produces an error: list-graphs cannot reach the endpoint, the graph variable is left empty, and the subsequent delete-graph call fails with "argument --graph-arn: expected one argument".

$ aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
> | while read region; do
>   echo "### Delete graph in ${region}"
>   graph=$(aws detective list-graphs --region ${region} --query 'GraphList[0].Arn' --output text)
>   aws detective delete-graph \
>     --region ${region} \
>     --graph-arn ${graph}
> done
### Delete graph in ap-south-1
### Delete graph in eu-north-1
### Delete graph in eu-west-3
### Delete graph in eu-west-2
### Delete graph in eu-west-1
### Delete graph in ap-northeast-3

Could not connect to the endpoint URL: "https://api.detective.ap-northeast-3.amazonaws.com/graphs/list"

usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:

  aws help
  aws <command> help
  aws <command> <subcommand> help

aws: error: argument --graph-arn: expected one argument

### Delete graph in ap-northeast-2
### Delete graph in ap-northeast-1
### Delete graph in ca-central-1
### Delete graph in sa-east-1
### Delete graph in ap-southeast-1
### Delete graph in ap-southeast-2
### Delete graph in eu-central-1
### Delete graph in us-east-1
### Delete graph in us-east-2
### Delete graph in us-west-1
### Delete graph in us-west-2


Here is the command that runs list-graphs in all regions to confirm the deactivation.

aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
| while read region; do
  echo "### List graphs in ${region}"
  aws detective list-graphs --region ${region}
done

Here is the result of running it in AWS CloudShell. You can see that GraphList is empty in every region (there is no Amazon Detective enabled). As when disabling, the Osaka region (ap-northeast-3) errors because it does not support Amazon Detective.

$ aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
> | while read region; do
>   echo "### List graphs in ${region}"
>   aws detective list-graphs --region ${region}
> done
### List graphs in ap-south-1
{
    "GraphList": []
}
### List graphs in eu-north-1
{
    "GraphList": []
}
### List graphs in eu-west-3
{
    "GraphList": []
}
### List graphs in eu-west-2
{
    "GraphList": []
}
### List graphs in eu-west-1
{
    "GraphList": []
}
### List graphs in ap-northeast-3

Could not connect to the endpoint URL: "https://api.detective.ap-northeast-3.amazonaws.com/graphs/list"
### List graphs in ap-northeast-2
{
    "GraphList": []
}
### List graphs in ap-northeast-1
{
    "GraphList": []
}
### List graphs in ca-central-1
{
    "GraphList": []
}
### List graphs in sa-east-1
{
    "GraphList": []
}
### List graphs in ap-southeast-1
{
    "GraphList": []
}
### List graphs in ap-southeast-2
{
    "GraphList": []
}
### List graphs in eu-central-1
{
    "GraphList": []
}
### List graphs in us-east-1
{
    "GraphList": []
}
### List graphs in us-east-2
{
    "GraphList": []
}
### List graphs in us-west-1
{
    "GraphList": []
}
### List graphs in us-west-2
{
    "GraphList": []
}
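As an added example (not from the original post), here is a variant of the loop that checks the list-graphs result before calling delete-graph, so an unsupported region such as ap-northeast-3, or a region with no graph, is reported as skipped instead of producing the "expected one argument" error, plus a small helper for the verification step that checks GraphList is empty. The ARN layout it validates (arn:aws:detective:<region>:<account-id>:graph:<id>), the per-region status words and the --run switch are assumptions of this example, not part of the post.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: disable Amazon Detective in every
# region, but validate the list-graphs output before calling delete-graph so
# an unsupported region or an empty GraphList is skipped cleanly.
set -u

# Returns 0 if the string looks like a Detective graph ARN for the given region.
# Assumed layout: arn:aws:detective:<region>:<account-id>:graph:<id>
is_detective_graph_arn() {
  arn=$1; region=$2
  case "$arn" in
    arn:aws:detective:"$region":*:graph:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the first graph ARN in a region, or return 1 if the region is
# unsupported, the call fails, or GraphList is empty (the CLI prints "None"
# for a missing element with --output text).
first_graph_arn() {
  region=$1
  arn=$(aws detective list-graphs --region "$region" \
        --query 'GraphList[0].Arn' --output text 2>/dev/null) || return 1
  [ "$arn" != "None" ] && [ -n "$arn" ] || return 1
  printf '%s\n' "$arn"
}

# Disable Detective in one region. Prints one of: deleted, skipped-no-graph, failed.
disable_region() {
  region=$1
  if ! arn=$(first_graph_arn "$region"); then
    echo "skipped-no-graph"; return 0
  fi
  if ! is_detective_graph_arn "$arn" "$region"; then
    echo "failed"; return 1   # unexpected output: never pass it to delete-graph
  fi
  if aws detective delete-graph --region "$region" --graph-arn "$arn" >/dev/null 2>&1; then
    echo "deleted"
  else
    echo "failed"; return 1
  fi
}

# Verification step: returns 0 when the region reports an empty GraphList.
region_has_no_graph() {
  count=$(aws detective list-graphs --region "$1" \
          --query 'length(GraphList)' --output text 2>/dev/null) || return 1
  [ "$count" = "0" ]
}

# Loop over every enabled region and print one status line per region.
disable_all_regions() {
  aws ec2 describe-regions --query "Regions[].[RegionName]" --output text \
  | while read -r region; do
      [ -n "$region" ] || continue
      printf '%s: %s\n' "$region" "$(disable_region "$region")"
    done
}

# Run only when invoked with --run; sourcing the file defines the functions
# without touching any account.
if [ "${1:-}" = "--run" ]; then
  disable_all_regions
fi
```

Run it as `bash disable-detective.sh --run` (file name assumed) in CloudShell with credentials that allow detective:ListGraphs and detective:DeleteGraph. A region that prints "failed" is one where list-graphs returned something other than a graph ARN or delete-graph itself failed, which is the case worth looking at by hand; "skipped-no-graph" covers both unsupported regions and regions that were never enabled.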


That concludes disabling Amazon Detective with the AWS CLI.

Closing

It is not complicated, but I wrote it up as a blog post so that I can run it right away whenever I want to disable Amazon Detective.

I hope this post is helpful to someone.