Add AWS Account Manually

Prerequisites

Make sure the AWS account user you use to perform the tasks below is an Administrator User. For instruction on creating an Administrator User for your AWS account please refer to https://docs.aws.amazon.com/mediapackage/latest/ug/setting-up-create-iam-user.html.

Use the Administrator User to create new AWS Policy, Role, and configure the CloudTrail setting:

• Policy Creation
• Role Creation
• Configure CloudTrail Setting

After all 3 steps are completed, go back to FortiCWP to finish adding the AWS account.

Policy Creation

1. Go to your AWS console dashboard.
2. Search and click IAM



3. Click Policies from the menu on the left.
4. Click Create policy.
5. Go to the JSON tab.
6. Replace the existing JSON code with the following:

{

"Version": "2012-10-17",

"Statement": [

{

"Sid": "VisualEditor0",

"Effect": "Allow",

"Action": [

"sqs:DeleteMessage",

"appstream:Describe*",

"config:Get*",

"iam:List*",

"route53:ListTrafficPolicyVersions",

"cloudtrail:GetTrailStatus",

"sqs:ReceiveMessage",

"route53:GetHealthCheck",

"cloudfront:Get*",

"codedeploy:List*",

"guardduty:List*",

"cloudwatch:Describe*",

"route53:ListHostedZonesByName",

"config:Describe*",

"datapipeline:EvaluateExpression",

"rds:Describe*",

"iam:SimulateCustomPolicy",

"route53domains:CheckDomainAvailability",

"ec2:ModifySnapshotAttribute",

"ec2:RevokeSecurityGroupEgress",

"rds:DownloadDBLogFilePortion",

"s3:GetBucket*",

"logs:FilterLogEvents",

"route53:GetHostedZoneCount",

"inspector:Describe*",

"config:Deliver*",

"acm:List*",

"cloudfront:List*",

"sns:*",

"elasticmapreduce:DescribeSecurityConfiguration",

"cloudtrail:LookupEvents",

"datapipeline:ListPipelines",

"route53:GetHealthCheckLastFailureReason",

"lambda:List*",

"sqs:SendMessage",

"route53:ListVPCAssociationAuthorizations",

"route53:GetReusableDelegationSetLimit",

"kms:Describe*",

"logs:Get*",

"s3:GetReplicationConfiguration",

"cloudtrail:DescribeTrails",

"ec2:RevokeSecurityGroupIngress",

"route53:ListTagsForResources",

"route53:GetAccountLimit",

"s3:PutObjectVersionAcl",

"sqs:PurgeQueue",

"waf:List*",

"redshift:ModifyClusterParameterGroup",

"route53:GetGeoLocation",

"workspaces:Describe*",

"eks:ListClusters",

"elasticloadbalancing:ModifyLoadBalancerAttributes",

"glacier:ListVaults",

"route53:GetTrafficPolicy",

"iam:GenerateCredentialReport",

"s3:GetLifecycleConfiguration",

"s3:GetInventoryConfiguration",

"tag:GetResources",

"cloudtrail:StartLogging",

"acm:Describe*",

"route53domains:ListTagsForDomain",

"dynamodb:ListTables",

"s3:ListBucket",

"datapipeline:ValidatePipelineDefinition",

"route53domains:GetDomainDetail",

"datapipeline:DescribePipelines",

"route53:ListQueryLoggingConfigs",

"elasticmapreduce:List*",

"elasticmapreduce:DescribeStep",

"iam:Get*",

"route53:GetCheckerIpRanges",

"route53domains:ListDomains",

"elasticmapreduce:DescribeEditor",

"route53:ListGeoLocations",

"route53:GetTrafficPolicyInstance",

"cloudfront:UpdateDistribution",

"sqs:ChangeMessageVisibilityBatch",

"s3:PutBucketVersioning",

"sqs:SetQueueAttributes",

"kms:EnableKeyRotation",

"s3:ListBucketMultipartUploads",

"cloudsearch:Describe*",

"ecs:Describe*",

"datapipeline:QueryObjects",

"route53:ListHostedZones",

"guardduty:Get*",

"route53domains:GetContactReachabilityStatus",

"elasticache:Describe*",

"route53:ListTagsForResource",

"sqs:TagQueue",

"directconnect:Describe*",

"ec2:Describe*",

"codedeploy:Get*",

"s3:GetAccountPublicAccessBlock",

"route53:ListHealthChecks",

"s3:ListAllMyBuckets",

"rds:ListTagsForResource",

"route53domains:ListOperations",

"s3:GetObjectVersion",

"kms:List*",

"glacier:GetVaultAccessPolicy",

"s3:GetObjectVersionTagging",

"sqs:SendMessageBatch",

"sqs:UntagQueue",

"logs:Describe*",

"route53:GetHostedZone",

"kms:Get*",

"ses:List*",

"s3:GetObjectAcl",

"codedeploy:Batch*",

"ec2:SearchTransitGatewayRoutes",

"iam:SimulatePrincipalPolicy",

"dynamodb:DescribeTable",

"cloudtrail:ListTags",

"s3:GetObjectVersionAcl",

"route53:ListResourceRecordSets",

"s3:PutBucketAcl",

"rds:ModifyDBInstance",

"elasticloadbalancing:Describe*",

"cloudformation:ListStack*",

"s3:HeadBucket",

"es:Describe*",

"route53:GetHealthCheckCount",

"sdb:DomainMetadata",

"ses:Get*",

"route53:ListReusableDelegationSets",

"sqs:GetQueueUrl",

"elasticfilesystem:Describe*",

"route53:ListTrafficPolicyInstancesByHostedZone",

"ec2:GetTransitGatewayAttachmentPropagations",

"route53domains:GetDomainSuggestions",

"sqs:GetQueueAttributes",

"elasticbeanstalk:Describe*",

"route53domains:GetOperationDetail",

"s3:ListMultipartUploadParts",

"s3:GetObject",

"redshift:Describe*",

"iam:UpdateAccountPasswordPolicy",

"cloudformation:GetTemplate",

"ec2:GetTransitGatewayRouteTablePropagations",

"sqs:DeleteQueue",

"s3:GetAnalyticsConfiguration",

"eks:DescribeCluster",

"s3:GetObjectVersionForReplication",

"route53:GetHostedZoneLimit",

"autoscaling:Describe*",

"s3:ListBucketByTags",

"route53:ListTrafficPolicyInstances",

"route53:GetTrafficPolicyInstanceCount",

"route53:GetChange",

"s3:ListBucketVersions",

"s3:GetAccelerateConfiguration",

"sqs:ListQueueTags",

"elasticmapreduce:DescribeCluster",

"tag:GetTagKeys",

"s3:GetObjectVersionTorrent",

"s3:GetEncryptionConfiguration",

"sns:Get*",

"sqs:DeleteMessageBatch",

"elasticache:List*",

"eks:ListUpdates",

"route53:ListTrafficPolicies",

"s3:GetObjectTagging",

"s3:GetMetricsConfiguration",

"waf:Get*",

"ecs:List*",

"s3:PutObjectAcl",

"ec2:GetTransitGatewayRouteTableAssociations",

"route53:GetQueryLoggingConfig",

"sqs:ListQueues",

"sqs:ChangeMessageVisibility",

"route53:GetHealthCheckStatus",

"cloudtrail:UpdateTrail",

"ds:Describe*",

"datapipeline:DescribeObjects",

"datapipeline:GetPipelineDefinition",

"route53:GetReusableDelegationSet",

"inspector:List*",

"sdb:ListDomains",

"cloudformation:DescribeStack*",

"s3:GetObjectTorrent",

"route53:ListTrafficPolicyInstancesByPolicy",

"sqs:ListDeadLetterSourceQueues",

"eks:DescribeUpdate",

"s3:PutBucketPolicy",

"sqs:CreateQueue",

"es:List*",

"lambda:GetPolicy",

"dax:DescribeEvents",

"dax:ConditionCheckItem",

"dax:Scan",

"dax:DescribeDefaultParameters",

"dax:GetItem",

"dax:Query",

"dax:DescribeSubnetGroups",

"dax:DescribeParameterGroups",

"dax:DescribeParameters",

"dax:ListTags",

"dax:DescribeClusters",

"dax:BatchGetItem",

"cloudtrail:GetEventSelectors"

],

"Resource": "*"

}

]

}

7. Click Review policy.
8. Name the new policy.
9. Click Create policy.

Your new policy will be created.

Please keep your policy name later for role creation.

For the purpose behind the AWS services being used to create the custom policy, please refer to Appendix A: Amazon Policy Usage

Role Creation

Before creating an AWS Role, you will need to create an External ID from FortiCWP. The External ID is an unique 32-bit token that meets AWS security requirement that protects the AWS Role. Go back to the Add Cloud Account page on FortiCWP to generate an External ID.

Enter your AWS account ID and click Validate. If the AWS account ID is valid, it will prompt you to generate the External ID.

When the External ID Generate box pop-up, click Generate to generate the External ID. Click copy to save it later for creating AWS Role.

Note: If you already generated an External ID a few hours earlier, after you click Validate, the external ID will be retrieved automatically without clicking Generate.

If you already have an AWS Role associated with FortiCWP, and only need to update the External ID. Please refer to Update AWS Role External ID

Follow the steps below to create AWS Role.

1. Click Roles from the menu on the left.
2. Click Create role.
3. Click Another AWS account.



4. Enter the following Account ID: 854209929931.

Note: This is the Amazon AWS account that FortiCWP uses to monitor the new role that is being created.

5. Select the box Require external ID and enter in an External ID generated earlier.

The External ID must be the one generated earlier through FortiCWP using the same AWS account. If the External ID is not generated from FortiCWP, the AWS account cannot be added to FortiCWP.

6. Make sure the box Require MFA is not selected.
7. Click Next: Permissions.
8. Click Filter, then select Customer managed.



9. Select the box for the policy you created earlier.
10. Click Next: Tag, and then click Next: Review.
11. Enter a name of your preference for the role name.
12. Click Create role.
13. Click the role name, and copy the AWS Role ARN.

Example of AWS Role ARN: arn:aws:iam::123456123456:role/FortiCWPTester

Please keep the AWS Role ARN later for AWS authentication during installation.

Configure CloudTrail Setting

1. Go to your AWS console dashboard.
2. Click on services drop down menu and search for "Cloud Trail".
3. Once you are in Cloud Trail, click on Trails in the left panel.



4. Click Create trail.
5. Enter a trail name based on your preference.
6. Select Yes to Apply trail to all regions.
7. Select All for Read/Write events.
8. Under Data event > S3, check on Select all S3 buckets in your account, Read, and Write.



9. Scroll down and click advanced to show hidden menu.
10. Name the S3 bucket based on your preference, the bucket name is used for CloudTrail S3 bucket for AWS authentication.



11. Leave the Log file prefix blank.

You have finished all the preliminary steps to add your AWS account. Now go back to FortiCWP and click Next.