Add AWS Organization: CANNOT ADD Sub-Account Status
Background
In order for the master account to be able to add a sub-account to FortiCWP, the sub-account needs a preconfigured account access role with adequate permissions. The role acts as an agreement between the master and the sub-account. If the sub-account was not created by the master account, it does not have the role and permissions set up to connect with the master account, and the sub-account status will be shown as CANNOT ADD on FortiCWP. Follow the steps below to configure the role and permissions for the sub-account.
First, check the sub-account to see if it has the access role and permissions set up. If it does not, the sub-account needs to add the account access role.
Check Account Access Role
- Log into AWS console with the sub-account.
- Under Services, search and click IAM.
- Click Roles under Access Management.
- Search for and click "OrganizationAccountAccessRole". If it has not been created, proceed to the next section, Add Organization Account Access Role.
- Under Permission policies field, there should be a policy named AdministratorAccess.
- Click on Trust relationships tab, and check the field in Trusted entities.
- The master account number should be listed in the trusted entities. If it is not there, delete the role and proceed to the next section to re-add "OrganizationAccountAccessRole" with the master account number.
Add Organization Account Access Role
- Log into AWS console with the sub-account.
- Under Services, search and click IAM.
- Click Roles under Access Management, and click Create role.
- Under "Select type of trusted entity", select Another AWS account, and enter the master account ID. Click Next: Permissions.
- Search for and select the AdministratorAccess policy, then click Next: Tags.
- Click Next: Review.
- In the Role name field, enter "OrganizationAccountAccessRole".
- Click Create role to finish.
Repeat the steps above for each sub-account that shows CANNOT ADD status on FortiCWP, then click Re-Check.
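The two manual procedures above (checking the existing role, and building one that trusts the master account) can be expressed as code. The following is an added example, not part of FortiCWP or this page; it works on dicts shaped like the AssumeRolePolicyDocument from iam:GetRole and the AttachedPolicies list from iam:ListAttachedRolePolicies, with constructed sample data and a placeholder master account ID. It also flags any trusted account other than the master, which the manual steps do not ask for but matters because the role carries AdministratorAccess.

```python
# Constructed sample inputs shaped like AWS IAM API responses (not from a real account).
MASTER_ACCOUNT_ID = "111111111111"  # placeholder for the master (management) account ID
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
    }],
}
SAMPLE_ATTACHED = [{"PolicyName": "AdministratorAccess", "PolicyArn": ADMIN_POLICY_ARN}]


def trusted_accounts(trust_policy):
    """Return the set of account IDs allowed to call sts:AssumeRole on the role."""
    accounts = set()
    for stmt in trust_policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        for p in [aws] if isinstance(aws, str) else aws:
            # Principal is a bare account ID or an ARN such as arn:aws:iam::<id>:root
            accounts.add(p.split(":")[4] if p.startswith("arn:") else p)
    return accounts


def check_access_role(trust_policy, attached_policies, master_account_id):
    """Mirror the 'Check Account Access Role' steps; return a list of problems found."""
    problems = []
    if ADMIN_POLICY_ARN not in {p["PolicyArn"] for p in attached_policies}:
        problems.append("AdministratorAccess is not attached")
    trusted = trusted_accounts(trust_policy)
    if master_account_id not in trusted:
        problems.append(f"master account {master_account_id} is not a trusted entity")
    for extra in sorted(trusted - {master_account_id}):
        problems.append(f"unexpected trusted account {extra}")
    return problems


def build_trust_policy(master_account_id):
    """Trust policy equivalent to choosing 'Another AWS account' in the console wizard."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{master_account_id}:root"},
        "Action": "sts:AssumeRole"}]}
```

An empty result from check_access_role means the role matches what the check section expects; each returned string names one step of that section that failed.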