Fixes for AWS Organization Checklist

This checklist lists the conditions in the master account that must be fixed before CloudFormation can successfully add or update the AWS organization in FortiCNP. After you have fixed these issues, go back to FortiCNP and click Re-Add or Re-Update.

CloudFormation Stack is not created - Must Fix

A CloudFormation stack with the same name already exists in the master account, so the new stack cannot be created. Delete the existing stack by following the steps below.

  1. Log into the AWS console with the master account.
  2. Under Services, search and click "CloudFormation".
  3. Delete the stack named "FortiCNPOrganizaiton".

Role for FortiCNP is not created - Must Fix

A FortiCNP role with the same name already exists in the master account, which prevents CloudFormation from creating the new role. Delete the existing FortiCNP role by following the steps below.

  1. Log into the AWS console with the master account.
  2. Under Services, search and click "IAM".
  3. Click Roles under Access Management.
  4. Search for "role_for_forticwp_organization_master_cloudtrail_v22.1" (with AWS CloudTrail) or "role_for_forticwp_organization_master_v22.1" (without AWS CloudTrail).
  5. Delete "role_for_forticwp_organization_master_cloudtrail_v22.1" (with AWS CloudTrail) or "role_for_forticwp_organization_master_v22.1" (without AWS CloudTrail).

Policies for FortiCNP are not attached to Role - Must Fix

Policies with the same names already exist, which prevents CloudFormation from creating the new policies. Follow the steps below to delete the duplicate policies.

  1. Log into the AWS console with the master account.
  2. Under Services, search and click "IAM".
  3. Click Policies under Access Management.
  4. Search for the policies below and delete them:

    forticwp_basic_permission

    forticwp_autofix_permission

    forticwp_organization_permission

    forticwp_notification_permission

    forticwp_externalid_permission

    forticwp_temporary_permission

    forticwp_assume_role_subaccount

A Temporary Policy generated and not attached to the Role - Must Fix

Temporary duplicate policies exist in the sub-accounts, which prevents CloudFormation from creating the new policies. Log into each sub-account and follow the steps below to delete the duplicate temporary policies.

  1. Log into the AWS console with the master account.
  2. Under Services, search and click "IAM".
  3. Click Policies under Access Management.
  4. Search for the policy below and delete it:

    forticwp_assume_role_subaccount

    forticwp_temporary_permission
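As an added pre-flight check that is not part of this help page, the following POSIX shell script lists which of the stack, role and policy names named in the sections above still exist in an account, using read-only AWS CLI calls; `leftover_names`, `report`, `check_account` and the `FORTICNP_LIVE_CHECK` variable are names assumed here, and credentials, profile and region are taken from the environment.

```shell
#!/bin/sh
# Constructed pre-flight check: which checklist resources are still present?
# The names below are the ones this checklist tells you to delete (v22.1 template).
STACK_NAMES="FortiCNPOrganizaiton"
ROLE_NAMES="role_for_forticwp_organization_master_cloudtrail_v22.1 role_for_forticwp_organization_master_v22.1"
POLICY_NAMES="forticwp_basic_permission forticwp_autofix_permission forticwp_organization_permission forticwp_notification_permission forticwp_externalid_permission forticwp_temporary_permission forticwp_assume_role_subaccount"

# leftover_names EXPECTED ACTUAL
# Prints the space-separated names from EXPECTED that also appear in ACTUAL,
# in EXPECTED order; prints an empty line when nothing is left over.
leftover_names() {
  expected=$1; actual=$2; found=""
  for n in $expected; do
    for a in $actual; do
      [ "$n" = "$a" ] && found="$found $n"
    done
  done
  printf '%s\n' "${found# }"
}

# report LABEL EXPECTED ACTUAL: one human-readable line per resource class;
# returns 1 when leftovers exist so the exit code is usable from a pipeline.
report() {
  left=$(leftover_names "$2" "$3")
  if [ -n "$left" ]; then
    echo "$1 still present (delete before Re-Add/Re-Update): $left"; return 1
  fi
  echo "$1: clean"
}

# Read-only AWS CLI calls. Run once against the master account, then once per
# sub-account (switch profile/credentials between runs).
check_account() {
  stacks=$(aws cloudformation describe-stacks --query 'Stacks[].StackName' --output text)
  roles=$(aws iam list-roles --query 'Roles[].RoleName' --output text)
  policies=$(aws iam list-policies --scope Local --query 'Policies[].PolicyName' --output text)
  rc=0
  report "CloudFormation stacks" "$STACK_NAMES" "$stacks" || rc=1
  report "IAM roles" "$ROLE_NAMES" "$roles" || rc=1
  report "IAM customer-managed policies" "$POLICY_NAMES" "$policies" || rc=1
  return $rc
}

# Only call AWS when explicitly asked, so the helpers can be sourced offline.
if [ -n "${FORTICNP_LIVE_CHECK:-}" ]; then check_account; fi
```

Run it with `FORTICNP_LIVE_CHECK=1 sh check.sh` under the master account's credentials; a non-zero exit means at least one checklist item still needs deleting.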

Master Account is stuck at "Initializing" status

If the AWS master account remains at "Initializing" status for 30 minutes or longer, the cloud account has encountered an unexpected error. Contact FortiCare Support to resolve the issue.

After you have finished deleting the roles and policies above, go back to FortiCNP, and click Re-Add or Re-Update to add or update the AWS organization again.