AWS Account Checklist Troubleshooting

Role and Policy Related Issues

If you are adding the AWS account manually, follow the solutions below.

Checklist item: FortiCWP Role generated successfully
Description: The FortiCWP role was not created successfully on the AWS account.
Solution: Check that the FortiCWP role was created by following the guide at Role Creation.

Checklist item: FortiCWP Policies attached to the Role
Description: The FortiCWP policies are not attached to the FortiCWP role.
Solution: Check that the FortiCWP policies are attached to the role, as described in Role Creation.

Checklist item: AWS Inspector and GuardDuty Integration policies attached to the Role
Description: A specific policy and role must be attached for AWS Inspector and GuardDuty in order to activate both services on FortiCWP.
Solution: Check that the AWS Inspector and GuardDuty Integration policies are attached to the role, as described in Role Creation.

If you are adding the AWS account automatically, follow the solutions below.

Checklist item: FortiCWP Role generated successfully
Description: A duplicate stack or StackSet already exists in CloudFormation. The duplicate must be deleted before the role can be generated successfully.
Solution: Delete the stack or StackSet associated with the AWS account(s) first, following Stack Already Exists error.

Checklist item: FortiCWP Policies attached to the Role
Description: A duplicate stack or StackSet already exists in CloudFormation. The duplicate must be deleted before the role can be generated successfully.
Solution: Delete the stack or StackSet associated with the AWS account(s) first, following Stack Already Exists error.

Checklist item: AWS Inspector and GuardDuty Integration policies attached to the Role
Description: A specific policy and role must be attached for AWS Inspector and GuardDuty in order to activate both services in FortiCWP.
Solution: Delete the stack or StackSet associated with the AWS account(s) first, following Stack Already Exists error.

External ID Issue

If you are adding the AWS account manually, follow the solutions below.

Checklist item: External ID meets the complexity and security requirements
Description: The External ID is a unique ID attached to the role for security purposes. If it was previously assigned and did not meet the complexity requirement, FortiCWP needs to reassign the External ID.
Solution: Remove the AWS account from FortiCWP, then re-authenticate the account by going through the manual installation; you will be asked to generate an External ID. For more details, see Add AWS Account Manually.

If you are adding the AWS account automatically, follow the solutions below.

Checklist item: External ID meets the complexity and security requirements
Description: The External ID is a unique ID attached to the role for security purposes. If it was previously assigned and did not meet the complexity requirement, FortiCWP needs to reassign the External ID.
Solution: Remove the AWS account from FortiCWP, then re-authenticate the account by going through the installation. A unique 32-bit External ID is reassigned to the account when you add it automatically.
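The role, policy and External ID items above come down to two questions about the IAM role FortiCWP assumes: does its trust policy allow only the expected principal, and only when that principal presents the registered External ID, and are the required policies attached? The following Python script is an added example (not FortiCWP's or AWS's own code) that answers both questions offline. It assumes the dictionary shapes of IAM GetRole (AssumeRolePolicyDocument) and ListAttachedRolePolicies responses, constructed inline; the principal account, policy names and External ID value are hypothetical placeholders, and because the complexity rule FortiCWP applies to External IDs is not stated on this page, only presence and equality are checked.

```python
"""Offline checks for the role, policy and External ID checklist items.

Added example, not FortiCWP code. Inputs are constructed to mirror the shapes of
IAM GetRole (AssumeRolePolicyDocument) and ListAttachedRolePolicies responses.
"""

# Hypothetical placeholders: the account FortiCWP assumes the role from, the
# External ID registered with it, and the policy names that must be attached.
EXPECTED_PRINCIPAL = "arn:aws:iam::111111111111:root"
EXPECTED_EXTERNAL_ID = "ExampleExternalId000000000000000"  # placeholder value
REQUIRED_POLICIES = {"FortiCWP-Policy", "FortiCWP-Inspector-GuardDuty-Policy"}

# Constructed trust policy that meets the checklist: the principal may assume the
# role only when it presents the registered External ID.
TRUST_POLICY_OK = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": EXPECTED_PRINCIPAL},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXPECTED_EXTERNAL_ID}},
    }],
}

# Same trust policy with the Condition block dropped: the role is then assumable
# by the principal on behalf of anyone, which is the confused-deputy risk the
# External ID exists to prevent.
TRUST_POLICY_NO_EXTERNAL_ID = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": EXPECTED_PRINCIPAL},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed ListAttachedRolePolicies output with one required policy missing.
ATTACHED_POLICIES = [
    {"PolicyName": "FortiCWP-Policy",
     "PolicyArn": "arn:aws:iam::222222222222:policy/FortiCWP-Policy"},
]


def _as_list(value):
    """IAM documents allow a string or a list in Principal, Action and Resource."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def check_trust_policy(doc, principal, external_id):
    """Return findings for the trust relationship; an empty list means it passes."""
    findings = []
    if not external_id:
        findings.append("no External ID is registered; have FortiCWP assign one")
    matching = [
        s for s in doc.get("Statement", [])
        if s.get("Effect") == "Allow"
        and "sts:AssumeRole" in _as_list(s.get("Action"))
        and principal in _as_list(s.get("Principal", {}).get("AWS"))
    ]
    if not matching:
        findings.append(f"no Allow sts:AssumeRole statement for {principal}")
        return findings
    for stmt in matching:
        got = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if got is None:
            findings.append("sts:ExternalId condition missing: role is assumable without the External ID")
        elif got != external_id:
            findings.append("sts:ExternalId does not match the ID registered with FortiCWP")
    return findings


def check_attached_policies(attached, required):
    """Return one finding per required policy that is not attached to the role."""
    present = {p["PolicyName"] for p in attached}
    return [f"required policy not attached: {name}" for name in sorted(required - present)]


def run_checklist(trust_policy, attached):
    """Combine both checks the way the checklist does: role, policies, External ID."""
    return (check_trust_policy(trust_policy, EXPECTED_PRINCIPAL, EXPECTED_EXTERNAL_ID)
            + check_attached_policies(attached, REQUIRED_POLICIES))


if __name__ == "__main__":
    for name, doc in (("ok", TRUST_POLICY_OK), ("no-external-id", TRUST_POLICY_NO_EXTERNAL_ID)):
        print(name, run_checklist(doc, ATTACHED_POLICIES) or ["all checks passed"])
```

Against live data you would feed `check_trust_policy` the `AssumeRolePolicyDocument` from GetRole and `check_attached_policies` the `AttachedPolicies` list from ListAttachedRolePolicies; the functions deliberately read only those fields so they work on either the constructed samples or real responses.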

AWS CloudTrail Issue

AWS CloudTrail failures only occur when the AWS account was added manually or when it was not created by AWS CloudFormation.

If you receive any of the errors below when installing the AWS account automatically, delete the CloudTrail stack or StackSet and re-authenticate; see Stack Already Exists error.

For manual installation, please see solutions below:

Checklist item: Only one AWS CloudTrail is created and enabled
Description: Only one CloudTrail should be enabled. Check the CloudTrail name used for the AWS account on FortiCWP, shown on the Authentication tab in the Cloud Account status.
Solution: Log in to the AWS account and delete or disable every CloudTrail other than the one used on FortiCWP.

Checklist item: CloudTrail is configured with read/write event permission
Description: AWS CloudTrail must be configured to record read and write events so that FortiCWP can access the CloudTrail logs.
Solution: Check the read/write event setting in Configure CloudTrail Setting.

Checklist item: CloudTrail is applied to all regions
Description: AWS CloudTrail must be applied to all regions in its configuration so that FortiCWP receives CloudTrail logs from every region.
Solution: Check that it is applied to all regions in Configure CloudTrail Setting.

Checklist item: FortiCWP gained access to the CloudTrail S3 bucket
Description: AWS CloudTrail must grant FortiCWP access to the S3 bucket so that FortiCWP can monitor and protect the data in it.
Solution: Check that AWS has granted FortiCWP access to the S3 bucket in Configure CloudTrail Setting.

Traffic Related Issue

This solution applies to both manual and automatic installation.

Checklist item: All AWS VPCs have Flow logs; FortiCWP Traffic is enabled
Description: Flow logs must be enabled on all AWS VPCs to activate Traffic on FortiCWP.
Solution: Review the steps in the AWS Traffic log configuration to see whether AWS Flow logs are enabled. See Enable flow log in VPC.
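The CloudTrail items (one enabled trail, read and write events, all regions, bucket access) and the Traffic item (flow logs on every VPC) can all be verified from API responses before re-running the FortiCWP checklist. The Python script below is an added example (not FortiCWP's or AWS's own code) that performs exactly those checks over constructed inputs mirroring the shapes of CloudTrail describe_trails, get_trail_status and get_event_selectors, S3 get_bucket_policy, and EC2 describe_vpcs and describe_flow_logs responses; the trail name, principal account, bucket names and VPC IDs are placeholders.

```python
"""Offline checks for the CloudTrail and VPC flow log checklist items.

Added example, not FortiCWP code. The inputs are constructed to mirror the shapes
of CloudTrail describe_trails / get_trail_status / get_event_selectors, S3
get_bucket_policy and EC2 describe_vpcs / describe_flow_logs responses; trail,
bucket, VPC and account identifiers are placeholders.
"""

# Hypothetical: the trail name shown for this account on the FortiCWP
# Authentication tab, and the account FortiCWP reads the bucket from.
FORTICWP_TRAIL = "forticwp-trail"
FORTICWP_PRINCIPAL = "arn:aws:iam::111111111111:root"

# Constructed describe_trails output: a second, region-local trail is still present.
TRAILS = [
    {"Name": "forticwp-trail", "IsMultiRegionTrail": True, "S3BucketName": "example-trail-bucket"},
    {"Name": "legacy-trail", "IsMultiRegionTrail": False, "S3BucketName": "example-old-bucket"},
]
# Constructed get_trail_status IsLogging values and get_event_selectors output.
TRAIL_LOGGING = {"forticwp-trail": True, "legacy-trail": True}
EVENT_SELECTORS = {
    "forticwp-trail": [{"ReadWriteType": "All", "IncludeManagementEvents": True}],
    "legacy-trail": [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}],
}
# Constructed bucket policy granting the FortiCWP principal read access to the logs.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": FORTICWP_PRINCIPAL},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-trail-bucket", "arn:aws:s3:::example-trail-bucket/*"],
    }],
}
# Constructed describe_vpcs / describe_flow_logs output: one VPC has no flow log.
VPC_IDS = ["vpc-0aaa0000", "vpc-0bbb0000", "vpc-0ccc0000"]
FLOW_LOGS = [
    {"ResourceId": "vpc-0aaa0000", "FlowLogStatus": "ACTIVE"},
    {"ResourceId": "vpc-0bbb0000", "FlowLogStatus": "ACTIVE"},
]


def _as_list(value):
    """Policy documents allow a string or a list in Principal, Action and Resource."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def bucket_grants_read(policy, principal, bucket):
    """True if an Allow statement gives `principal` s3:GetObject on the bucket's objects."""
    object_arn = f"arn:aws:s3:::{bucket}/*"
    for stmt in policy.get("Statement", []):
        if (stmt.get("Effect") == "Allow"
                and principal in _as_list(stmt.get("Principal", {}).get("AWS"))
                and "s3:GetObject" in _as_list(stmt.get("Action"))
                and object_arn in _as_list(stmt.get("Resource"))):
            return True
    return False


def check_cloudtrail(expected, trails, is_logging, selectors, bucket_policy, principal):
    """One finding per failed CloudTrail checklist item; an empty list means all pass."""
    findings = []
    enabled = [t["Name"] for t in trails if is_logging.get(t["Name"])]
    if expected not in enabled:
        findings.append(f"trail {expected} used by FortiCWP is not enabled")
    extra = [n for n in enabled if n != expected]
    if extra:
        findings.append("more than one CloudTrail is enabled; disable or delete: " + ", ".join(extra))
    trail = next((t for t in trails if t["Name"] == expected), None)
    if trail is None:
        return findings
    if not trail.get("IsMultiRegionTrail"):
        findings.append(f"trail {expected} is not applied to all regions")
    if not any(s.get("ReadWriteType") == "All" for s in selectors.get(expected, [])):
        findings.append(f"trail {expected} does not record both read and write events")
    if not bucket_grants_read(bucket_policy, principal, trail["S3BucketName"]):
        findings.append(f"bucket {trail['S3BucketName']} does not grant FortiCWP read access")
    return findings


def check_flow_logs(vpc_ids, flow_logs):
    """One finding per VPC without an active flow log (the Traffic checklist item)."""
    covered = {f["ResourceId"] for f in flow_logs if f.get("FlowLogStatus") == "ACTIVE"}
    return [f"VPC without active flow log: {v}" for v in vpc_ids if v not in covered]


if __name__ == "__main__":
    print(check_cloudtrail(FORTICWP_TRAIL, TRAILS, TRAIL_LOGGING, EVENT_SELECTORS,
                           BUCKET_POLICY, FORTICWP_PRINCIPAL))
    print(check_flow_logs(VPC_IDS, FLOW_LOGS))
```

On the constructed data the CloudTrail check reports only the extra enabled trail, which is the first item in the table above, while the flow log check names the one VPC without coverage; on real data, `describe_flow_logs` must be queried in every region where the account has VPCs, since flow logs, unlike a multi-region trail, are per-region resources.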