Add Multiple AWS Accounts via CloudFormation
Prerequisites
Make sure the user you sign in with in the AWS administrator account to perform the tasks below has administrator permissions (an Administrator User). For instructions on creating an Administrator User for your AWS administrator account, refer to https://docs.aws.amazon.com/mediapackage/latest/ug/setting-up-create-iam-user.html.
- Activate Security Token Service (STS)
- Setup permissions for Stack Sets Operations
- Add targeted AWS accounts via CloudFormation
Activate Security Token Service (STS)
FortiCWP uses the regional Security Token Service (STS) endpoints to reduce latency and provide a smoother user experience.
Follow these steps to turn on the regional STS endpoint in the AWS console.
- From your AWS console dashboard, go to Identity and Access Management (IAM).
- Click Account settings from the left navigation panel, and click to expand Security Token Service (STS).
- Based on your location, activate EU (Ireland) if you are located in the European Union; otherwise, activate US West (Oregon).
Setup permissions for Stack Sets Operations
To add multiple AWS accounts, the administrator account needs permission to create, update, and delete stack sets in every target account. This trust relationship is established with two IAM roles: AWSCloudFormationStackSetAdministrationRole in the administrator account and AWSCloudFormationStackSetExecutionRole in each target account. AWS provides sample CloudFormation templates that create both roles. Both steps must be completed to establish the trust relationship, so complete Step 1 and Step 2 before proceeding to the FortiCWP CloudFormation guide. Note that the AWS sample execution role attaches the AdministratorAccess managed policy, which gives the administrator account full control over each target account; review and scope it down if your security policy requires it.
Step 1 - Create IAM role for administrator account
- From AWS Services menu, search and click on CloudFormation.
- Click on Stacks in left navigation menu.
- Click on Create stack.
- In the Specify template section, select Amazon S3 URL, paste the following URL: https://s3.amazonaws.com/cloudformation-stackset-sample-templates-us-east-1/AWSCloudFormationStackSetAdministrationRole.yml, and click Next.
- In the Stack name field, enter any stack name, then click Next.
- In Step 3: Configure stack options, scroll to the bottom and click Next.
- In Step 4: Review, scroll to the bottom, select the check box acknowledging that AWS CloudFormation may create IAM resources, then click Create stack to complete the process.
Note that the IAM role name in the administrator account must be AWSCloudFormationStackSetAdministrationRole. The template creates the role with this exact name and StackSets looks it up by that name, so do not rename it.
Step 2 - Create IAM role in each target account
- From AWS Services menu, search and click on CloudFormation.
- Click on Stacks in left navigation menu.
- Click on Create stack.
- In the Specify template section, select Amazon S3 URL, paste the following URL: https://s3.amazonaws.com/cloudformation-stackset-sample-templates-us-east-1/AWSCloudFormationStackSetExecutionRole.yml, and click Next.
- In the Stack name field, enter any stack name.
- In the Parameters section, enter the account ID of the administrator account that this target account should trust (the AdministratorAccountId parameter). Then click Next.
- In Step 3: Configure stack options, scroll to the bottom and click Next.
- In Step 4: Review, scroll to the bottom, select the check box acknowledging that AWS CloudFormation may create IAM resources, then click Create stack to complete the process.
Reference: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-prereqs.html
After the IAM roles have been created in both the administrator and the target accounts, return to FortiCWP to add the target accounts using CloudFormation. You can also prepare a CSV file containing the target account numbers separated by commas, for example: 1234567,2345678,3456789 (real AWS account IDs are 12 digits).
Add targeted AWS accounts via CloudFormation
- On the right-hand side of the FortiCWP main page, click the settings button or go to Admin > Account, and select the Cloud Account tab.
- Click the + add account button in the Add New Account field and select AWS.
- When the selection menu pops up, select Add Multiple via CloudFormation.
- Enter the target AWS account numbers separated by commas (,) in the Account Number field, or upload them as a CSV file.
- In CloudTrail Option, select "Yes, create for me" if you want FortiCWP to create a CloudTrail trail in each AWS account. If not, select "No, I'll create later".
- Click Choose CSV File to upload the CSV file created earlier.
- Click AWS CloudFormation Guide. If the pop-up does not appear, refer to No Pop-Up errors.
FortiCWP can integrate CloudTrail as long as the CloudTrail trail has its origin configured.
A pop-up page will redirect you to AWS CloudFormation. Follow the steps below to create the stack set.
- In Prerequisite - Prepare template, make sure Template is ready is selected.
- In the Specify template section, select Amazon S3 URL and enter the template URL that matches the guide option you chose (see the table below).
- Click Next to continue.
- In the StackSet name field, enter "FortiCWPMultiple", then click Next.
- In Permissions, under IAM execution role name, make sure AWSCloudFormationStackSetExecutionRole is selected, then click Next.
- In Accounts, under Deployment locations, choose to deploy to specific account numbers, then enter the account numbers submitted earlier along with any other target account numbers separated by commas (,), or upload a .csv file. (In the CSV file, separate account numbers with commas, e.g., 123456, 234567, etc.)
- Open the drop-down menu in Specify regions to select a region, then click Next.
- Review all parameters entered earlier and click Submit.
Guide Option Selection | Template URL
Create Role only | https://cwp-cloudformation-template.s3.amazonaws.com/20.1/forticwp_role_multiple.json
Create Role and CloudTrail | https://cwp-cloudformation-template.s3.amazonaws.com/20.1/forticwp_role_multiple_cloudtrail.json
If there is an error after completing AWS CloudFormation, refer to Troubleshooting > Amazon Web Service > Stack Already Exists error.
You have finished all the preliminary steps to add your AWS accounts. Now go back to FortiCWP and click Add Multiple AWS Accounts.
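The same procedure driven from the AWS CLI instead of the console, as an added example that is not part of the original page and not FortiCWP's or AWS's own code. It assumes AWS CLI v2 with credentials for the administrator account in the environment (and, for the execution-role step, credentials for each target account), uses the stack set name, role names and template URLs from this page, and assumes the FortiCWP template needs no parameters beyond what the guide pop-up shows. The stack names StackSetAdministrationRole and StackSetExecutionRole, the environment variable FORTICWP_RUN and the helper normalize_account_ids are choices made here; the helper validates the comma-, space- or newline-separated account list (the same content as the CSV file) so a malformed ID is rejected before any stack set operation starts.

```shell
#!/bin/sh
# Added example: the console steps above driven from the AWS CLI v2.
# Assumptions (not from the FortiCWP page): credentials for the administrator
# account are in the environment; run create_execution_role with each target
# account's credentials; stack names and FORTICWP_RUN are chosen here.
set -eu

ADMIN_ROLE_TEMPLATE="https://s3.amazonaws.com/cloudformation-stackset-sample-templates-us-east-1/AWSCloudFormationStackSetAdministrationRole.yml"
EXEC_ROLE_TEMPLATE="https://s3.amazonaws.com/cloudformation-stackset-sample-templates-us-east-1/AWSCloudFormationStackSetExecutionRole.yml"
# "Create Role only" template from the table above; swap in
# forticwp_role_multiple_cloudtrail.json for "Create Role and CloudTrail".
FORTICWP_TEMPLATE="https://cwp-cloudformation-template.s3.amazonaws.com/20.1/forticwp_role_multiple.json"
STACKSET_NAME="FortiCWPMultiple"

# Accept the account list as typed into FortiCWP or as the contents of the CSV
# file (commas, spaces or newlines between IDs), drop blanks, and reject any
# entry that is not a 12-digit AWS account ID. Prints "id1,id2,..." on stdout
# and returns 1 on bad input, so a typo fails here rather than as a partially
# deployed stack set.
normalize_account_ids() {
    out=""
    for id in $(printf '%s' "$1" | tr ',' ' '); do
        case "$id" in
            *[!0-9]*) printf 'not numeric: %s\n' "$id" >&2; return 1 ;;
        esac
        if [ ${#id} -ne 12 ]; then
            printf 'account ID must be 12 digits: %s\n' "$id" >&2
            return 1
        fi
        out="${out:+$out,}$id"
    done
    [ -n "$out" ] || { printf 'no account IDs given\n' >&2; return 1; }
    printf '%s\n' "$out"
}

# Step 1 (administrator account): the role name is fixed by the template.
create_admin_role() {
    aws cloudformation create-stack \
        --stack-name StackSetAdministrationRole \
        --template-url "$ADMIN_ROLE_TEMPLATE" \
        --capabilities CAPABILITY_NAMED_IAM
    aws cloudformation wait stack-create-complete --stack-name StackSetAdministrationRole
}

# Step 2 (run once per target account, with that account's credentials):
# $1 is the administrator account ID the execution role will trust.
create_execution_role() {
    aws cloudformation create-stack \
        --stack-name StackSetExecutionRole \
        --template-url "$EXEC_ROLE_TEMPLATE" \
        --parameters ParameterKey=AdministratorAccountId,ParameterValue="$1" \
        --capabilities CAPABILITY_NAMED_IAM
    aws cloudformation wait stack-create-complete --stack-name StackSetExecutionRole
}

# Create the FortiCWPMultiple stack set and one stack instance per target
# account in the chosen region. $1 = account list, $2 = region. There is no
# CLI waiter for stack set operations, so poll describe-stack-set-operation.
deploy_forticwp_stackset() {
    accounts=$(normalize_account_ids "$1") || return 1
    admin_account=$(aws sts get-caller-identity --query Account --output text)
    # Add --parameters here if the FortiCWP guide pop-up shows template parameters.
    aws cloudformation create-stack-set \
        --stack-set-name "$STACKSET_NAME" \
        --template-url "$FORTICWP_TEMPLATE" \
        --permission-model SELF_MANAGED \
        --administration-role-arn "arn:aws:iam::${admin_account}:role/AWSCloudFormationStackSetAdministrationRole" \
        --execution-role-name AWSCloudFormationStackSetExecutionRole \
        --capabilities CAPABILITY_NAMED_IAM
    op=$(aws cloudformation create-stack-instances \
        --stack-set-name "$STACKSET_NAME" \
        --accounts $(printf '%s' "$accounts" | tr ',' ' ') \
        --regions "$2" \
        --query OperationId --output text)
    while :; do
        status=$(aws cloudformation describe-stack-set-operation \
            --stack-set-name "$STACKSET_NAME" --operation-id "$op" \
            --query StackSetOperation.Status --output text)
        case "$status" in
            SUCCEEDED) return 0 ;;
            FAILED|STOPPED) printf 'operation %s ended with %s\n' "$op" "$status" >&2; return 1 ;;
        esac
        sleep 15
    done
}

# Usage, from the administrator account, after create_execution_role has been
# run in every target account:
#   FORTICWP_RUN=1 sh add_accounts.sh "123456789012,210987654321" us-west-2
if [ "${FORTICWP_RUN:-0}" = "1" ]; then
    create_admin_role
    deploy_forticwp_stackset "$1" "$2"
fi
```

If create_admin_role is run a second time it fails with the "Stack Already Exists" error the troubleshooting note refers to; delete the earlier stack or skip the step rather than renaming it, since the role name must stay AWSCloudFormationStackSetAdministrationRole.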