
Update AWS Account Manually


Update AWS Account Manually

To update the AWS account in FortiCWP, create a new IAM policy, a cross-account IAM role that uses that policy, and a CloudTrail trail in the AWS account, in the order described below. The policy grants FortiCWP its permissions, the role is what FortiCWP assumes from its own AWS account, and the trail is the source of the activity logs FortiCWP reads.

Policy Creation

  1. Go to your AWS console dashboard.
  2. Search and click IAM
  3. Click Policies from the menu on the left.
  4. Click Create policy.
  5. Go to the JSON tab.
  6. Replace the existing JSON code with the following:
  7. {

    "Version": "2012-10-17",

    "Statement": [

    {

    "Sid": "VisualEditor0",

    "Effect": "Allow",

    "Action": [

    "sqs:DeleteMessage",

    "appstream:Describe*",

    "config:Get*",

    "iam:List*",

    "route53:ListTrafficPolicyVersions",

    "cloudtrail:GetTrailStatus",

    "sqs:ReceiveMessage",

    "route53:GetHealthCheck",

    "cloudfront:Get*",

    "codedeploy:List*",

    "guardduty:List*",

    "cloudwatch:Describe*",

    "route53:ListHostedZonesByName",

    "config:Describe*",

    "datapipeline:EvaluateExpression",

    "rds:Describe*",

    "iam:SimulateCustomPolicy",

    "route53domains:CheckDomainAvailability",

    "ec2:ModifySnapshotAttribute",

    "ec2:RevokeSecurityGroupEgress",

    "rds:DownloadDBLogFilePortion",

    "s3:GetBucket*",

    "logs:FilterLogEvents",

    "route53:GetHostedZoneCount",

    "inspector:Describe*",

    "config:Deliver*",

    "acm:List*",

    "cloudfront:List*",

    "sns:*",

    "elasticmapreduce:DescribeSecurityConfiguration",

    "cloudtrail:LookupEvents",

    "datapipeline:ListPipelines",

    "route53:GetHealthCheckLastFailureReason",

    "lambda:List*",

    "sqs:SendMessage",

    "route53:ListVPCAssociationAuthorizations",

    "route53:GetReusableDelegationSetLimit",

    "kms:Describe*",

    "logs:Get*",

    "s3:GetReplicationConfiguration",

    "cloudtrail:DescribeTrails",

    "ec2:RevokeSecurityGroupIngress",

    "route53:ListTagsForResources",

    "route53:GetAccountLimit",

    "s3:PutObjectVersionAcl",

    "sqs:PurgeQueue",

    "waf:List*",

    "redshift:ModifyClusterParameterGroup",

    "route53:GetGeoLocation",

    "workspaces:Describe*",

    "eks:ListClusters",

    "elasticloadbalancing:ModifyLoadBalancerAttributes",

    "glacier:ListVaults",

    "route53:GetTrafficPolicy",

    "iam:GenerateCredentialReport",

    "s3:GetLifecycleConfiguration",

    "s3:GetInventoryConfiguration",

    "tag:GetResources",

    "cloudtrail:StartLogging",

    "acm:Describe*",

    "route53domains:ListTagsForDomain",

    "dynamodb:ListTables",

    "s3:ListBucket",

    "datapipeline:ValidatePipelineDefinition",

    "route53domains:GetDomainDetail",

    "datapipeline:DescribePipelines",

    "route53:ListQueryLoggingConfigs",

    "elasticmapreduce:List*",

    "elasticmapreduce:DescribeStep",

    "iam:Get*",

    "route53:GetCheckerIpRanges",

    "route53domains:ListDomains",

    "elasticmapreduce:DescribeEditor",

    "route53:ListGeoLocations",

    "route53:GetTrafficPolicyInstance",

    "cloudfront:UpdateDistribution",

    "sqs:ChangeMessageVisibilityBatch",

    "s3:PutBucketVersioning",

    "sqs:SetQueueAttributes",

    "kms:EnableKeyRotation",

    "s3:ListBucketMultipartUploads",

    "cloudsearch:Describe*",

    "ecs:Describe*",

    "datapipeline:QueryObjects",

    "route53:ListHostedZones",

    "guardduty:Get*",

    "route53domains:GetContactReachabilityStatus",

    "elasticache:Describe*",

    "route53:ListTagsForResource",

    "sqs:TagQueue",

    "directconnect:Describe*",

    "ec2:Describe*",

    "codedeploy:Get*",

    "s3:GetAccountPublicAccessBlock",

    "route53:ListHealthChecks",

    "s3:ListAllMyBuckets",

    "rds:ListTagsForResource",

    "route53domains:ListOperations",

    "s3:GetObjectVersion",

    "kms:List*",

    "glacier:GetVaultAccessPolicy",

    "s3:GetObjectVersionTagging",

    "sqs:SendMessageBatch",

    "sqs:UntagQueue",

    "logs:Describe*",

    "route53:GetHostedZone",

    "kms:Get*",

    "ses:List*",

    "s3:GetObjectAcl",

    "codedeploy:Batch*",

    "ec2:SearchTransitGatewayRoutes",

    "iam:SimulatePrincipalPolicy",

    "dynamodb:DescribeTable",

    "cloudtrail:ListTags",

    "s3:GetObjectVersionAcl",

    "route53:ListResourceRecordSets",

    "s3:PutBucketAcl",

    "rds:ModifyDBInstance",

    "elasticloadbalancing:Describe*",

    "cloudformation:ListStack*",

    "s3:HeadBucket",

    "es:Describe*",

    "route53:GetHealthCheckCount",

    "sdb:DomainMetadata",

    "ses:Get*",

    "route53:ListReusableDelegationSets",

    "sqs:GetQueueUrl",

    "elasticfilesystem:Describe*",

    "route53:ListTrafficPolicyInstancesByHostedZone",

    "ec2:GetTransitGatewayAttachmentPropagations",

    "route53domains:GetDomainSuggestions",

    "sqs:GetQueueAttributes",

    "elasticbeanstalk:Describe*",

    "route53domains:GetOperationDetail",

    "s3:ListMultipartUploadParts",

    "s3:GetObject",

    "redshift:Describe*",

    "iam:UpdateAccountPasswordPolicy",

    "cloudformation:GetTemplate",

    "ec2:GetTransitGatewayRouteTablePropagations",

    "sqs:DeleteQueue",

    "s3:GetAnalyticsConfiguration",

    "eks:DescribeCluster",

    "s3:GetObjectVersionForReplication",

    "route53:GetHostedZoneLimit",

    "autoscaling:Describe*",

    "s3:ListBucketByTags",

    "route53:ListTrafficPolicyInstances",

    "route53:GetTrafficPolicyInstanceCount",

    "route53:GetChange",

    "s3:ListBucketVersions",

    "s3:GetAccelerateConfiguration",

    "sqs:ListQueueTags",

    "elasticmapreduce:DescribeCluster",

    "tag:GetTagKeys",

    "s3:GetObjectVersionTorrent",

    "s3:GetEncryptionConfiguration",

    "sns:Get*",

    "sqs:DeleteMessageBatch",

    "elasticache:List*",

    "eks:ListUpdates",

    "route53:ListTrafficPolicies",

    "s3:GetObjectTagging",

    "s3:GetMetricsConfiguration",

    "waf:Get*",

    "ecs:List*",

    "s3:PutObjectAcl",

    "ec2:GetTransitGatewayRouteTableAssociations",

    "route53:GetQueryLoggingConfig",

    "sqs:ListQueues",

    "sqs:ChangeMessageVisibility",

    "route53:GetHealthCheckStatus",

    "cloudtrail:UpdateTrail",

    "ds:Describe*",

    "datapipeline:DescribeObjects",

    "datapipeline:GetPipelineDefinition",

    "route53:GetReusableDelegationSet",

    "inspector:List*",

    "sdb:ListDomains",

    "cloudformation:DescribeStack*",

    "s3:GetObjectTorrent",

    "route53:ListTrafficPolicyInstancesByPolicy",

    "sqs:ListDeadLetterSourceQueues",

    "eks:DescribeUpdate",

    "s3:PutBucketPolicy",

    "sqs:CreateQueue",

    "es:List*",

    "lambda:GetPolicy",

    "dax:DescribeEvents",

    "dax:ConditionCheckItem",

    "dax:Scan",

    "dax:DescribeDefaultParameters",

    "dax:GetItem",

    "dax:Query",

    "dax:DescribeSubnetGroups",

    "dax:DescribeParameterGroups",

    "dax:DescribeParameters",

    "dax:ListTags",

    "dax:DescribeClusters",

    "dax:BatchGetItem",

    "cloudtrail:GetEventSelectors"

    ],

    "Resource": "*"

    }

    ]

    }

  8. Click Review policy.
  9. Name the new policy.
  10. Click Create policy.

Your new policy will be created.

Note the policy name; you will need it when creating the role.
For the purpose of each AWS service permission in the custom policy, refer to Appendix A: Amazon Policy Usage. Note that this policy is not read-only: alongside the Describe*/Get*/List* permissions it grants mutating actions on every resource in the account (`"Resource": "*"`), including `sns:*`, `s3:PutBucketPolicy`, `s3:PutBucketAcl`, `s3:PutObjectAcl`, `iam:UpdateAccountPasswordPolicy`, `rds:ModifyDBInstance`, `ec2:ModifySnapshotAttribute`, `ec2:RevokeSecurityGroupIngress`/`Egress`, `cloudfront:UpdateDistribution`, `cloudtrail:UpdateTrail` and `sqs:DeleteQueue`/`PurgeQueue`, as well as data-read actions such as `s3:GetObject`, `rds:DownloadDBLogFilePortion` and `dax:Scan`/`Query`. Review these against Appendix A and remove any whose feature you do not use, so that a role assumable from another account carries no more than FortiCWP actually needs.

Role creation

  1. Click Roles from the menu on the left.
  2. Click Create role.
  3. Click Another AWS account.
  4. Enter the following Account ID: 854209929931.
  5. Note: This is the AWS account from which FortiCWP assumes the role that is being created. After the role is created, open its Trust relationships tab and confirm that this account is the only principal in the trust policy and that the `sts:ExternalId` condition from step 6 is present.

  6. Select the box Require external ID and enter an external ID. Treat it as a secret: use a long, random value (for example, one generated by a password manager) rather than a guessable string. The external ID is what prevents a confused-deputy attack, in which a third party that learns your Role ARN tricks FortiCWP into assuming the role on their behalf.
  7. Keep the external ID; you will need it for AWS authentication during installation.
  8. Make sure the box Require MFA is not selected. The role is assumed by the FortiCWP service rather than by a person, so an MFA condition would prevent it from being assumed.
  9. Click Next: Permissions.
  10. Click Filter, then select Customer managed.
  11. Select the box for the policy you created earlier.
  12. Click Next: Tag, and then click Next: Review.
  13. Enter a name of your preference for the role name.
  14. Click Create role.
  15. Click the role name, and copy the AWS Role ARN.
  16. Example of AWS Role ARN: arn:aws:iam::123456123456:role/FortiCWPTester

Keep the AWS Role ARN; you will need it for AWS authentication during installation.

Configure CloudTrail Setting

  1. Go to your AWS console dashboard.
  2. Click the Services drop-down menu and search for "CloudTrail".
  3. Once you are in CloudTrail, click Trails in the left panel.
  4. Click Create trail.
  5. Enter a trail name based on your preference.
  6. Select Yes to Apply trail to all regions.
  7. Select All for Read/Write events.
  8. Under Data events > S3, select Select all S3 buckets in your account, Read, and Write. Be aware that logging object-level Read and Write events for every bucket can generate a large volume of log objects and corresponding CloudTrail and S3 charges; this is the trade-off for having FortiCWP see object-level activity.
  9. Scroll down and click advanced to show hidden menu.
  10. Name the S3 bucket as you prefer; you will enter this bucket name in FortiCWP as the CloudTrail S3 bucket during AWS authentication. This bucket will hold the complete activity history of your account, so keep its bucket policy limited to CloudTrail delivery and the role created above.
  11. Leave the Log file prefix blank.
Once the trail has been created, you have finished all the preliminary steps to update your AWS account. Now go back to FortiCWP and click Next.

Update AWS Account Manually

To update the AWS account in FortiCWP, create a new IAM policy, a cross-account IAM role that uses that policy, and a CloudTrail trail in the AWS account, in the order described below. The policy grants FortiCWP its permissions, the role is what FortiCWP assumes from its own AWS account, and the trail is the source of the activity logs FortiCWP reads.

Policy Creation

  1. Go to your AWS console dashboard.
  2. Search and click IAM
  3. Click Policies from the menu on the left.
  4. Click Create policy.
  5. Go to the JSON tab.
  6. Replace the existing JSON code with the following:
  7. {

    "Version": "2012-10-17",

    "Statement": [

    {

    "Sid": "VisualEditor0",

    "Effect": "Allow",

    "Action": [

    "sqs:DeleteMessage",

    "appstream:Describe*",

    "config:Get*",

    "iam:List*",

    "route53:ListTrafficPolicyVersions",

    "cloudtrail:GetTrailStatus",

    "sqs:ReceiveMessage",

    "route53:GetHealthCheck",

    "cloudfront:Get*",

    "codedeploy:List*",

    "guardduty:List*",

    "cloudwatch:Describe*",

    "route53:ListHostedZonesByName",

    "config:Describe*",

    "datapipeline:EvaluateExpression",

    "rds:Describe*",

    "iam:SimulateCustomPolicy",

    "route53domains:CheckDomainAvailability",

    "ec2:ModifySnapshotAttribute",

    "ec2:RevokeSecurityGroupEgress",

    "rds:DownloadDBLogFilePortion",

    "s3:GetBucket*",

    "logs:FilterLogEvents",

    "route53:GetHostedZoneCount",

    "inspector:Describe*",

    "config:Deliver*",

    "acm:List*",

    "cloudfront:List*",

    "sns:*",

    "elasticmapreduce:DescribeSecurityConfiguration",

    "cloudtrail:LookupEvents",

    "datapipeline:ListPipelines",

    "route53:GetHealthCheckLastFailureReason",

    "lambda:List*",

    "sqs:SendMessage",

    "route53:ListVPCAssociationAuthorizations",

    "route53:GetReusableDelegationSetLimit",

    "kms:Describe*",

    "logs:Get*",

    "s3:GetReplicationConfiguration",

    "cloudtrail:DescribeTrails",

    "ec2:RevokeSecurityGroupIngress",

    "route53:ListTagsForResources",

    "route53:GetAccountLimit",

    "s3:PutObjectVersionAcl",

    "sqs:PurgeQueue",

    "waf:List*",

    "redshift:ModifyClusterParameterGroup",

    "route53:GetGeoLocation",

    "workspaces:Describe*",

    "eks:ListClusters",

    "elasticloadbalancing:ModifyLoadBalancerAttributes",

    "glacier:ListVaults",

    "route53:GetTrafficPolicy",

    "iam:GenerateCredentialReport",

    "s3:GetLifecycleConfiguration",

    "s3:GetInventoryConfiguration",

    "tag:GetResources",

    "cloudtrail:StartLogging",

    "acm:Describe*",

    "route53domains:ListTagsForDomain",

    "dynamodb:ListTables",

    "s3:ListBucket",

    "datapipeline:ValidatePipelineDefinition",

    "route53domains:GetDomainDetail",

    "datapipeline:DescribePipelines",

    "route53:ListQueryLoggingConfigs",

    "elasticmapreduce:List*",

    "elasticmapreduce:DescribeStep",

    "iam:Get*",

    "route53:GetCheckerIpRanges",

    "route53domains:ListDomains",

    "elasticmapreduce:DescribeEditor",

    "route53:ListGeoLocations",

    "route53:GetTrafficPolicyInstance",

    "cloudfront:UpdateDistribution",

    "sqs:ChangeMessageVisibilityBatch",

    "s3:PutBucketVersioning",

    "sqs:SetQueueAttributes",

    "kms:EnableKeyRotation",

    "s3:ListBucketMultipartUploads",

    "cloudsearch:Describe*",

    "ecs:Describe*",

    "datapipeline:QueryObjects",

    "route53:ListHostedZones",

    "guardduty:Get*",

    "route53domains:GetContactReachabilityStatus",

    "elasticache:Describe*",

    "route53:ListTagsForResource",

    "sqs:TagQueue",

    "directconnect:Describe*",

    "ec2:Describe*",

    "codedeploy:Get*",

    "s3:GetAccountPublicAccessBlock",

    "route53:ListHealthChecks",

    "s3:ListAllMyBuckets",

    "rds:ListTagsForResource",

    "route53domains:ListOperations",

    "s3:GetObjectVersion",

    "kms:List*",

    "glacier:GetVaultAccessPolicy",

    "s3:GetObjectVersionTagging",

    "sqs:SendMessageBatch",

    "sqs:UntagQueue",

    "logs:Describe*",

    "route53:GetHostedZone",

    "kms:Get*",

    "ses:List*",

    "s3:GetObjectAcl",

    "codedeploy:Batch*",

    "ec2:SearchTransitGatewayRoutes",

    "iam:SimulatePrincipalPolicy",

    "dynamodb:DescribeTable",

    "cloudtrail:ListTags",

    "s3:GetObjectVersionAcl",

    "route53:ListResourceRecordSets",

    "s3:PutBucketAcl",

    "rds:ModifyDBInstance",

    "elasticloadbalancing:Describe*",

    "cloudformation:ListStack*",

    "s3:HeadBucket",

    "es:Describe*",

    "route53:GetHealthCheckCount",

    "sdb:DomainMetadata",

    "ses:Get*",

    "route53:ListReusableDelegationSets",

    "sqs:GetQueueUrl",

    "elasticfilesystem:Describe*",

    "route53:ListTrafficPolicyInstancesByHostedZone",

    "ec2:GetTransitGatewayAttachmentPropagations",

    "route53domains:GetDomainSuggestions",

    "sqs:GetQueueAttributes",

    "elasticbeanstalk:Describe*",

    "route53domains:GetOperationDetail",

    "s3:ListMultipartUploadParts",

    "s3:GetObject",

    "redshift:Describe*",

    "iam:UpdateAccountPasswordPolicy",

    "cloudformation:GetTemplate",

    "ec2:GetTransitGatewayRouteTablePropagations",

    "sqs:DeleteQueue",

    "s3:GetAnalyticsConfiguration",

    "eks:DescribeCluster",

    "s3:GetObjectVersionForReplication",

    "route53:GetHostedZoneLimit",

    "autoscaling:Describe*",

    "s3:ListBucketByTags",

    "route53:ListTrafficPolicyInstances",

    "route53:GetTrafficPolicyInstanceCount",

    "route53:GetChange",

    "s3:ListBucketVersions",

    "s3:GetAccelerateConfiguration",

    "sqs:ListQueueTags",

    "elasticmapreduce:DescribeCluster",

    "tag:GetTagKeys",

    "s3:GetObjectVersionTorrent",

    "s3:GetEncryptionConfiguration",

    "sns:Get*",

    "sqs:DeleteMessageBatch",

    "elasticache:List*",

    "eks:ListUpdates",

    "route53:ListTrafficPolicies",

    "s3:GetObjectTagging",

    "s3:GetMetricsConfiguration",

    "waf:Get*",

    "ecs:List*",

    "s3:PutObjectAcl",

    "ec2:GetTransitGatewayRouteTableAssociations",

    "route53:GetQueryLoggingConfig",

    "sqs:ListQueues",

    "sqs:ChangeMessageVisibility",

    "route53:GetHealthCheckStatus",

    "cloudtrail:UpdateTrail",

    "ds:Describe*",

    "datapipeline:DescribeObjects",

    "datapipeline:GetPipelineDefinition",

    "route53:GetReusableDelegationSet",

    "inspector:List*",

    "sdb:ListDomains",

    "cloudformation:DescribeStack*",

    "s3:GetObjectTorrent",

    "route53:ListTrafficPolicyInstancesByPolicy",

    "sqs:ListDeadLetterSourceQueues",

    "eks:DescribeUpdate",

    "s3:PutBucketPolicy",

    "sqs:CreateQueue",

    "es:List*",

    "lambda:GetPolicy",

    "dax:DescribeEvents",

    "dax:ConditionCheckItem",

    "dax:Scan",

    "dax:DescribeDefaultParameters",

    "dax:GetItem",

    "dax:Query",

    "dax:DescribeSubnetGroups",

    "dax:DescribeParameterGroups",

    "dax:DescribeParameters",

    "dax:ListTags",

    "dax:DescribeClusters",

    "dax:BatchGetItem",

    "cloudtrail:GetEventSelectors"

    ],

    "Resource": "*"

    }

    ]

    }

  8. Click Review policy.
  9. Name the new policy.
  10. Click Create policy.

Your new policy will be created.

Note the policy name; you will need it when creating the role.
For the purpose of each AWS service permission in the custom policy, refer to Appendix A: Amazon Policy Usage. Note that this policy is not read-only: alongside the Describe*/Get*/List* permissions it grants mutating actions on every resource in the account (`"Resource": "*"`), including `sns:*`, `s3:PutBucketPolicy`, `s3:PutBucketAcl`, `s3:PutObjectAcl`, `iam:UpdateAccountPasswordPolicy`, `rds:ModifyDBInstance`, `ec2:ModifySnapshotAttribute`, `ec2:RevokeSecurityGroupIngress`/`Egress`, `cloudfront:UpdateDistribution`, `cloudtrail:UpdateTrail` and `sqs:DeleteQueue`/`PurgeQueue`, as well as data-read actions such as `s3:GetObject`, `rds:DownloadDBLogFilePortion` and `dax:Scan`/`Query`. Review these against Appendix A and remove any whose feature you do not use, so that a role assumable from another account carries no more than FortiCWP actually needs.

Role creation

  1. Click Roles from the menu on the left.
  2. Click Create role.
  3. Click Another AWS account.
  4. Enter the following Account ID: 854209929931.
  5. Note: This is the AWS account from which FortiCWP assumes the role that is being created. After the role is created, open its Trust relationships tab and confirm that this account is the only principal in the trust policy and that the `sts:ExternalId` condition from step 6 is present.

  6. Select the box Require external ID and enter an external ID. Treat it as a secret: use a long, random value (for example, one generated by a password manager) rather than a guessable string. The external ID is what prevents a confused-deputy attack, in which a third party that learns your Role ARN tricks FortiCWP into assuming the role on their behalf.
  7. Keep the external ID; you will need it for AWS authentication during installation.
  8. Make sure the box Require MFA is not selected. The role is assumed by the FortiCWP service rather than by a person, so an MFA condition would prevent it from being assumed.
  9. Click Next: Permissions.
  10. Click Filter, then select Customer managed.
  11. Select the box for the policy you created earlier.
  12. Click Next: Tag, and then click Next: Review.
  13. Enter a name of your preference for the role name.
  14. Click Create role.
  15. Click the role name, and copy the AWS Role ARN.
  16. Example of AWS Role ARN: arn:aws:iam::123456123456:role/FortiCWPTester

Keep the AWS Role ARN; you will need it for AWS authentication during installation.

Configure CloudTrail Setting

  1. Go to your AWS console dashboard.
  2. Click the Services drop-down menu and search for "CloudTrail".
  3. Once you are in CloudTrail, click Trails in the left panel.
  4. Click Create trail.
  5. Enter a trail name based on your preference.
  6. Select Yes to Apply trail to all regions.
  7. Select All for Read/Write events.
  8. Under Data events > S3, select Select all S3 buckets in your account, Read, and Write. Be aware that logging object-level Read and Write events for every bucket can generate a large volume of log objects and corresponding CloudTrail and S3 charges; this is the trade-off for having FortiCWP see object-level activity.
  9. Scroll down and click advanced to show hidden menu.
  10. Name the S3 bucket as you prefer; you will enter this bucket name in FortiCWP as the CloudTrail S3 bucket during AWS authentication. This bucket will hold the complete activity history of your account, so keep its bucket policy limited to CloudTrail delivery and the role created above.
  11. Leave the Log file prefix blank.
Once the trail has been created, you have finished all the preliminary steps to update your AWS account. Now go back to FortiCWP and click Next.