AWS Account Checklist Troubleshooting

Role and Policy Related Issues

External ID Issue

AWS CloudTrail Issue

Traffic Related Issue

Role and Policy Related Issues

If you are adding the AWS account manually, follow the solutions below.

Checklist Item: FortiCNP Role not generated.
Description: The FortiCNP role was not created successfully on the AWS account.
Solution: Check that the FortiCNP role has been created by following the guide in Add AWS Account Manually.

Checklist Item: AWS Autofix policies are not attached to the Role.
Description: The FortiCNP policies are not attached to the FortiCNP role.
Solution: Check that the FortiCNP policies are attached to the role as described in Add AWS Account Manually.

Checklist Item: AWS Notification policies are not attached to the Role.
Description: The FortiCNP policies are not attached to the FortiCNP role.
Solution: Check that the FortiCNP policies are attached to the role as described in Add AWS Account Manually.

Checklist Item: AWS Inspector and GuardDuty Integration policies are not attached to the Role.
Description: A specific policy and role need to be attached for AWS Inspector and GuardDuty in order to activate both services on FortiCNP.
Solution: Check that the AWS Inspector and GuardDuty Integration policies are attached to the Role as described in Add AWS Account Manually.

If you are adding the AWS account automatically, follow the solutions below.

Checklist Item: CloudFormation FortiCNP Role not generated.
Description: A duplicate stack or StackSet already exists in CloudFormation. The duplicate stack or StackSet must be deleted before the role can be generated successfully.
Solution: Delete the stack or StackSet associated with the AWS account(s) first by following Stack Already Exists Error.

Checklist Item: AWS Autofix policies are not attached to the Role.
Description: A duplicate stack or StackSet already exists in CloudFormation. The duplicate stack or StackSet must be deleted before the role can be generated successfully.
Solution: Delete the stack or StackSet associated with the AWS account(s) first by following Stack Already Exists Error.

Checklist Item: AWS Notification policies are not attached to the Role.
Description: A duplicate stack or StackSet already exists in CloudFormation. The duplicate stack or StackSet must be deleted before the role can be generated successfully.
Solution: Delete the stack or StackSet associated with the AWS account(s) first by following Stack Already Exists Error.

Checklist Item: AWS Inspector and GuardDuty Integration policies are not attached to the Role.
Description: A specific policy and role need to be attached for AWS Inspector and GuardDuty in order to activate both services in FortiCNP.
Solution: Delete the stack or StackSet associated with the AWS account(s) first by following Stack Already Exists Error.

External ID Issue

If you are adding the AWS account manually, follow the solutions below.

Checklist Item: External ID doesn't meet the complexity and security requirements.
Description: The External ID is a unique ID attached to the role for security purposes. If it was previously assigned and did not meet the complexity requirement, the External ID needs to be reassigned by FortiCNP.
Solution: Remove the AWS account from FortiCNP and re-authenticate the account by going through the manual installation; you will be asked to generate an External ID. For more details, see Add AWS Account Manually.

If you are adding the AWS account automatically, follow the solutions below.

Checklist Item: External ID doesn't meet the complexity and security requirements.
Description: The External ID is a unique ID attached to the role for security purposes. If it was previously assigned and did not meet the complexity requirement, the External ID needs to be reassigned by FortiCNP.
Solution: Remove the AWS account from FortiCNP and re-authenticate the account by going through the installation. A unique 32-bit External ID is reassigned to the account when you add the account automatically.
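The two sections above (Role and Policy, and External ID) describe conditions an operator can verify directly against IAM. The following is an added example, not FortiCNP's own code or tooling: it takes the objects returned by `aws iam get-role` and `aws iam list-attached-role-policies`, confirms that the trust policy requires the External ID FortiCNP assigned, and lists required policies that are not attached. The account IDs, role name, policy names and External ID value are constructed placeholders; FortiCNP's real policy names are not given on this page.

```python
"""Offline checklist for the FortiCNP IAM role and its External ID (added example,
not FortiCNP's code). Input shapes mirror `aws iam get-role` and
`aws iam list-attached-role-policies`; every identifier below is a placeholder."""
import json
from urllib.parse import unquote

# Constructed sample: the "Role" object from get-role. The raw IAM API returns
# AssumeRolePolicyDocument URL-encoded; boto3 and the CLI return it decoded.
SAMPLE_ROLE = {
    "RoleName": "Example-FortiCNP-Role",
    "Arn": "arn:aws:iam::111111111111:role/Example-FortiCNP-Role",
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            # placeholder for the account FortiCNP assumes the role from
            "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
        }],
    },
}

# Constructed sample: list-attached-role-policies output missing one policy group.
SAMPLE_ATTACHED = {"AttachedPolicies": [
    {"PolicyName": "Example-Autofix",
     "PolicyArn": "arn:aws:iam::111111111111:policy/Example-Autofix"},
    {"PolicyName": "Example-Notification",
     "PolicyArn": "arn:aws:iam::111111111111:policy/Example-Notification"},
]}

# Placeholder ARNs for the three policy groups the checklist names.
REQUIRED_POLICY_ARNS = [
    "arn:aws:iam::111111111111:policy/Example-Autofix",
    "arn:aws:iam::111111111111:policy/Example-Notification",
    "arn:aws:iam::111111111111:policy/Example-InspectorGuardDuty",
]


def load_policy_document(doc):
    """Accept the decoded dict or the URL-encoded JSON string from the raw API."""
    return json.loads(unquote(doc)) if isinstance(doc, str) else doc


def as_list(value):
    """IAM allows a scalar or a list for Action and condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def external_id_enforced(role, expected_external_id):
    """True only if every Allow statement granting sts:AssumeRole also requires
    sts:ExternalId to equal the ID FortiCNP assigned. A statement without that
    condition lets any caller in the trusted account assume the role."""
    doc = load_policy_document(role["AssumeRolePolicyDocument"])
    grants = [s for s in as_list(doc.get("Statement"))
              if s.get("Effect") == "Allow" and "sts:AssumeRole" in as_list(s.get("Action"))]
    if not grants:
        return False
    for stmt in grants:
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if expected_external_id not in as_list(cond.get("sts:ExternalId")):
            return False
    return True


def missing_policies(attached_response, required_arns):
    """Required policy ARNs that are not attached to the role."""
    attached = {p["PolicyArn"] for p in attached_response.get("AttachedPolicies", [])}
    return sorted(set(required_arns) - attached)


def role_checklist(role, attached_response, required_arns, expected_external_id):
    """One finding per failed checklist item; an empty list means the role passes."""
    if role is None:
        return ["FortiCNP role not generated"]
    findings = []
    if not external_id_enforced(role, expected_external_id):
        findings.append("trust policy does not require the assigned External ID")
    for arn in missing_policies(attached_response, required_arns):
        findings.append(f"policy not attached to the role: {arn}")
    return findings


if __name__ == "__main__":
    for finding in role_checklist(SAMPLE_ROLE, SAMPLE_ATTACHED,
                                  REQUIRED_POLICY_ARNS, "EXAMPLE-EXTERNAL-ID"):
        print(finding)
```

On the constructed sample the only finding is the missing Inspector/GuardDuty integration policy; the trust policy passes because its single sts:AssumeRole statement carries the sts:ExternalId condition. A role whose trust statement lacks that condition is reported even when the ID itself is strong, which is the failure the External ID checklist item is guarding against.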

AWS CloudTrail Issue

AWS CloudTrail failures only occur when the AWS account was added manually or the CloudTrail was not created by AWS CloudFormation.

If you receive any of the errors below when installing the AWS account automatically, delete the CloudTrail stack or StackSet and re-authenticate; see Stack Already Exists Error.

For manual installation, see the solutions below:

Checklist Item: More than one AWS CloudTrail is created and enabled.
Description: There should be only one CloudTrail enabled.
Solution: Check the CloudTrail name used for the AWS account on FortiCNP, shown on the Authentication tab in the Cloud Account status. Log into the AWS account and delete or disable every CloudTrail other than the one used on FortiCNP.

Checklist Item: CloudTrail is not configured with read/write event permission.
Description: AWS CloudTrail needs to be configured with read/write event permission for FortiCNP to access the CloudTrail logs.
Solution: Check the read/write event permission as described in Add AWS Account Manually.

Checklist Item: CloudTrail is not applied to all regions.
Description: AWS CloudTrail needs to be applied to all regions in its configuration in order for FortiCNP to receive CloudTrail logs from all regions.
Solution: Check that the trail is applied to all regions as described in Add AWS Account Manually.

Checklist Item: FortiCNP cannot gain access to the CloudTrail S3 Bucket.
Description: AWS CloudTrail needs to grant FortiCNP access to the S3 bucket so that FortiCNP can monitor and protect the data in it.
Solution: Check that AWS has granted FortiCNP access to the S3 bucket as described in Add AWS Account Manually.
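The four CloudTrail items above map onto fields of the trail configuration. The following is an added example, not FortiCNP's code: it evaluates the checklist against the objects returned by `aws cloudtrail describe-trails`, `get-trail-status`, `get-event-selectors` and `aws s3api get-bucket-policy`. The trail names, bucket name, account ID and role ARN are constructed placeholders; the name FortiCNP actually uses is the one shown on the Authentication tab.

```python
"""Offline audit of the CloudTrail checklist (added example, not FortiCNP's code).
Inputs mirror `aws cloudtrail describe-trails`, `get-trail-status`,
`get-event-selectors` and `aws s3api get-bucket-policy`; all names are placeholders."""
import json

FORTICNP_TRAIL = "example-forticnp-trail"   # placeholder for the name on the Authentication tab
FORTICNP_ROLE_ARN = "arn:aws:iam::111111111111:role/Example-FortiCNP-Role"  # placeholder

# Constructed sample: two trails exist and both are logging, which fails the
# "only one CloudTrail enabled" item.
SAMPLE_TRAILS = [
    {"Name": FORTICNP_TRAIL,
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/example-forticnp-trail",
     "S3BucketName": "example-forticnp-logs", "IsMultiRegionTrail": True},
    {"Name": "legacy-trail",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/legacy-trail",
     "S3BucketName": "example-legacy-logs", "IsMultiRegionTrail": False},
]
SAMPLE_STATUS = {t["TrailARN"]: {"IsLogging": True} for t in SAMPLE_TRAILS}
SAMPLE_SELECTORS = {
    SAMPLE_TRAILS[0]["TrailARN"]: {"EventSelectors": [
        {"ReadWriteType": "All", "IncludeManagementEvents": True}]},
    SAMPLE_TRAILS[1]["TrailARN"]: {"EventSelectors": [
        {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}]},
}
# get-bucket-policy returns the policy document as a JSON string under "Policy".
SAMPLE_BUCKET_POLICIES = {"example-forticnp-logs": {"Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": FORTICNP_ROLE_ARN},
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::example-forticnp-logs",
                                "arn:aws:s3:::example-forticnp-logs/*"]}],
})}}


def as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])


def records_read_and_write(selectors):
    """True if a management-event selector captures both read and write events."""
    for sel in selectors.get("EventSelectors") or []:
        if sel.get("IncludeManagementEvents", True) and sel.get("ReadWriteType") == "All":
            return True
    # Advanced selectors: a Management selector with no readOnly filter records both kinds.
    for sel in selectors.get("AdvancedEventSelectors") or []:
        fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
        if "Management" in fields.get("eventCategory", {}).get("Equals", []) and "readOnly" not in fields:
            return True
    return False


def bucket_grants_read(bucket_policy_response, principal_arn):
    """True if an Allow statement names the principal and grants s3:GetObject."""
    policy = json.loads(bucket_policy_response.get("Policy", "{}"))
    for stmt in as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        principals = as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow" and principal_arn in principals
                and "s3:GetObject" in as_list(stmt.get("Action"))):
            return True
    return False


def cloudtrail_checklist(trails, status_by_arn, selectors_by_arn, bucket_policies,
                         trail_name, role_arn):
    """One finding per failed checklist item; an empty list means the trail passes."""
    findings = []
    enabled = [t for t in trails if status_by_arn.get(t["TrailARN"], {}).get("IsLogging")]
    extra = [t["Name"] for t in enabled if t["Name"] != trail_name]
    if extra:
        findings.append("more than one CloudTrail enabled; disable or delete: " + ", ".join(extra))
    trail = next((t for t in trails if t["Name"] == trail_name), None)
    if trail is None:
        findings.append(f"trail {trail_name!r} used by FortiCNP not found")
        return findings
    if trail not in enabled:
        findings.append("FortiCNP trail exists but is not logging")
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail is not applied to all regions")
    if not records_read_and_write(selectors_by_arn.get(trail["TrailARN"], {})):
        findings.append("trail does not record both read and write events")
    bucket = trail.get("S3BucketName")
    if not bucket_grants_read(bucket_policies.get(bucket, {}), role_arn):
        findings.append(f"bucket {bucket!r} does not grant FortiCNP read access")
    return findings


if __name__ == "__main__":
    for finding in cloudtrail_checklist(SAMPLE_TRAILS, SAMPLE_STATUS, SAMPLE_SELECTORS,
                                        SAMPLE_BUCKET_POLICIES, FORTICNP_TRAIL, FORTICNP_ROLE_ARN):
        print(finding)
```

On the constructed sample the only finding is the second enabled trail; once `legacy-trail` is stopped or deleted the FortiCNP trail passes the remaining items. The bucket check looks only at the bucket policy, which is the grant the checklist refers to; it does not evaluate KMS key policies or S3 Block Public Access settings, which can still deny access independently.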

Traffic Related Issue

This solution applies to both manual and automatic installation.

Checklist Item: Some VPCs do not have Flow logs.
Description: FortiCNP Traffic is disabled. Flow logs need to be enabled on all AWS VPCs to activate Traffic on FortiCNP.
Solution: Review the steps in the AWS Traffic log configuration to see whether AWS Flow logs are enabled. See AWS Traffic Configuration.
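Because the Traffic item requires flow logs on every VPC, and VPCs are regional, a useful check is a per-region coverage report. The following is an added example, not FortiCNP's code: it takes the output of `aws ec2 describe-vpcs` and `aws ec2 describe-flow-logs` for each region and lists VPCs with no active VPC-level flow log. The region names are real, but the VPC, subnet and flow-log IDs are constructed.

```python
"""Per-region report of VPCs lacking an active flow log (added example, not
FortiCNP's code). Inputs mirror `aws ec2 describe-vpcs` and
`aws ec2 describe-flow-logs`; resource IDs are constructed."""

# Constructed sample keyed by region. A flow log can be attached to a VPC, a
# subnet or a network interface; only one whose ResourceId is the VPC itself
# counts as covering that VPC here, and only while its status is ACTIVE.
SAMPLE_VPCS = {
    "us-east-1": {"Vpcs": [{"VpcId": "vpc-0aaa"}, {"VpcId": "vpc-0bbb"}]},
    "eu-west-1": {"Vpcs": [{"VpcId": "vpc-0ccc"}]},
    "ap-southeast-1": {"Vpcs": [{"VpcId": "vpc-0ddd"}]},
}
SAMPLE_FLOW_LOGS = {
    "us-east-1": {"FlowLogs": [
        {"FlowLogId": "fl-1", "ResourceId": "vpc-0aaa", "FlowLogStatus": "ACTIVE", "TrafficType": "ALL"},
        # subnet-level log: does not satisfy the VPC-level requirement for vpc-0bbb
        {"FlowLogId": "fl-2", "ResourceId": "subnet-0bbb1", "FlowLogStatus": "ACTIVE", "TrafficType": "ALL"},
    ]},
    "eu-west-1": {"FlowLogs": [
        # exists but is not delivering
        {"FlowLogId": "fl-3", "ResourceId": "vpc-0ccc", "FlowLogStatus": "INACTIVE", "TrafficType": "ALL"},
    ]},
    "ap-southeast-1": {"FlowLogs": [
        {"FlowLogId": "fl-4", "ResourceId": "vpc-0ddd", "FlowLogStatus": "ACTIVE", "TrafficType": "ALL"},
    ]},
}


def vpcs_without_flow_logs(describe_vpcs, describe_flow_logs):
    """VPC IDs in one region that have no ACTIVE flow log attached to the VPC itself."""
    covered = {fl["ResourceId"] for fl in describe_flow_logs.get("FlowLogs", [])
               if fl.get("FlowLogStatus") == "ACTIVE"}
    return sorted(v["VpcId"] for v in describe_vpcs.get("Vpcs", []) if v["VpcId"] not in covered)


def flow_log_gaps(vpcs_by_region, flow_logs_by_region):
    """Region -> uncovered VPC IDs; regions that are fully covered are omitted."""
    gaps = {}
    for region, vpcs in vpcs_by_region.items():
        missing = vpcs_without_flow_logs(vpcs, flow_logs_by_region.get(region, {}))
        if missing:
            gaps[region] = missing
    return gaps


if __name__ == "__main__":
    for region, vpc_ids in flow_log_gaps(SAMPLE_VPCS, SAMPLE_FLOW_LOGS).items():
        print(f"{region}: enable flow logs on {', '.join(vpc_ids)}")
```

The constructed sample exercises the two ways a VPC commonly shows up as uncovered even though "a flow log exists": the log is attached to a subnet rather than the VPC, or it is present but inactive. A region whose describe-flow-logs output is absent from the input is treated as having no coverage, so every VPC there is reported.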
