
Add AWS Organization: CANNOT ADD Sub-Account Status


Background

For the master account to add a sub-account to FortiCWP, the sub-account needs a preconfigured account access role with adequate permissions. The role acts as the agreement between the master account and the sub-account. If the sub-account was not created by the master account, it does not have the role and permissions needed to connect with the master account, and the sub-account status is shown as CANNOT ADD on FortiCWP. Follow the steps below to configure the role and permissions for the sub-account.

First check whether the sub-account already has the access role and permissions set up. If it does not, add the account access role to the sub-account.

Check Account Access Role

  1. Log into the AWS console with the sub-account.
  2. Under Services, search for and click IAM.
  3. Click Roles under Access Management.
  4. Search for and click "OrganizationAccountAccessRole". If it does not exist, proceed to the next section, Add Organization Account Access Role.
  5. Under Permissions policies, there should be a policy named AdministratorAccess.
  6. Click the Trust relationships tab and check the Trusted entities field.
  7. The master account number should be listed in the trusted entities. If it is not there, delete the role and proceed to the next section to re-add "OrganizationAccountAccessRole" with the master account number.

Add Organization Account Access Role

  1. Log into the AWS console with the sub-account.
  2. Under Services, search for and click IAM.
  3. Click Roles under Access Management, and click Create role.
  4. Under "Select type of trusted entity", select Another AWS account and enter the master account ID. Click Next: Permissions.
  5. Search for and select the AdministratorAccess policy, then click Next: Tags.
  6. Click Next: Review.
  7. In the Role name field, enter "OrganizationAccountAccessRole".
  8. Click Create role to finish.

Repeat the steps above for each sub-account that shows CANNOT ADD status on FortiCWP, then click Re-Check.
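The two procedures above can be replayed offline against a role's trust policy document and its attached policy ARNs (the objects returned by `aws iam get-role` and `aws iam list-attached-role-policies`). The following is an added example, not Fortinet's or AWS's code; the sample account IDs are constructed, and build_trust_policy reproduces the trust document the console writes for "Another AWS account".

```python
import re

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

def build_trust_policy(master_account_id: str) -> dict:
    """Trust policy the console writes for 'Another AWS account' (step 4 above)."""
    if not re.fullmatch(r"\d{12}", master_account_id):
        raise ValueError("AWS account IDs are exactly 12 digits")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{master_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }

def trusted_accounts(trust_policy: dict) -> set:
    """Account IDs that any Allow statement lets call sts:AssumeRole on the role."""
    found = set()
    statements = trust_policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for stmt in statements:
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        aws = principal.get("AWS", [])
        for p in [aws] if isinstance(aws, str) else aws:
            # Accept both the bare account ID and the arn:aws:iam::<id>:root form
            m = re.fullmatch(r"(?:arn:aws:iam::)?(\d{12})(?::root)?", p)
            if m:
                found.add(m.group(1))
    return found

def check_access_role(trust_policy: dict, attached_policy_arns: list,
                      master_account_id: str) -> list:
    """Replay the manual checks; an empty list means the role matches the guide."""
    problems = []
    if ADMIN_POLICY_ARN not in attached_policy_arns:               # step 5
        problems.append("AdministratorAccess is not attached")
    if master_account_id not in trusted_accounts(trust_policy):    # step 7
        problems.append(f"master account {master_account_id} is not a trusted entity")
    return problems
```

A non-empty result from check_access_role is exactly the condition under which step 7 says to delete and re-create the role.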
