
Add Multiple AWS Accounts via CloudFormation

Prerequisites

Make sure the AWS administrator account user you use to perform the tasks below is an Administrator User. For instructions on creating an Administrator User for your AWS administrator account, refer to https://docs.aws.amazon.com/mediapackage/latest/ug/setting-up-create-iam-user.html.

Activate Security Token Service (STS)

FortiCWP uses the regional Security Token Service (STS) endpoints to reduce latency and provide a smoother user experience.

Follow these steps to turn on Security Token Service (STS) in the AWS console.

  1. From your AWS console dashboard, go to Identity and Access Management (IAM).
  2. Click Account settings from the left navigation panel, and click to expand Security Token Service (STS).
  3. Based on your location, activate EU (Ireland) if you are located in the European Union; otherwise, activate US West (Oregon).

Set up permissions for StackSet operations

To add multiple AWS accounts, the administrator account needs permission to create, update, and delete stack sets in all target accounts. To set up this trust relationship, IAM roles must be created in both the administrator account and each target account. Amazon simplifies this process with AWS CloudFormation templates. Both steps must be completed to establish the trust relationship between the administrator and target accounts. Complete steps 1 and 2 before proceeding with AWS CloudFormation.

Step 1 - Create IAM role for administrator account

  1. From the AWS Services menu, search for and click CloudFormation.
  2. Click Stacks in the left navigation menu.
  3. Click Create stack, and select With new resources (standard).
  4. In the Specify template section, select Amazon S3 URL, fill in the following URL: https://s3.amazonaws.com/cloudformation-stackset-sample-templates-us-east-1/AWSCloudFormationStackSetExecutionRole.yml, and click Next.
  5. In the Stack name field, enter any stack name, then click Next.
  6. In Step 3: Configure stack options, scroll all the way down and click Next.
  7. In Step 4: Review, scroll all the way down, select the check box to acknowledge that AWS CloudFormation may create IAM resources, then click Create stack to complete the process.

Please note that the IAM role name for the administrator account must be AWSCloudFormationStackSetAdministrationRole.

Step 2 - Create IAM role for each target account

  1. From the AWS Services menu, search for and click CloudFormation.
  2. Click Stacks in the left navigation menu.
  3. Click Create stack, and select With new resources (standard).
  4. In the Specify template section, select Amazon S3 URL, fill in the following URL: https://s3.amazonaws.com/cloudformation-stackset-sample-templates-us-east-1/AWSCloudFormationStackSetExecutionRole.yml, and click Next.
  5. In the Stack name field, enter any stack name.
  6. In the Parameters field, enter the administrator account ID that the target account will trust. Then click Next.
  7. In Step 3: Configure stack options, scroll all the way down and click Next.
  8. In Step 4: Review, scroll all the way down, select the check box to acknowledge that AWS CloudFormation may create IAM resources, then click Create stack to complete the process.

Reference: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-prereqs.html
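The security-relevant part of Step 2 is the trust policy the execution role ends up with in each target account: it should allow sts:AssumeRole only for the administrator account ID you entered, not for a wildcard or an unrelated account. The following is an added verification example, not code from Fortinet or from the AWS template; the two sample policies are constructed for illustration, and the function names (principal_account, assume_role_principals, trust_policy_ok) are the example's own. It reads a trust policy document (for instance the one shown by IAM for the role) and reports whether every principal that may assume the role resolves to the expected administrator account.

```python
import json

# Constructed sample trust policies (assumptions for illustration, not copied
# from the AWS template). The first trusts one administrator account; the
# second is the misconfiguration the check is meant to catch.
ADMIN_ACCOUNT_ID = "111122223333"

STRICT_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ADMIN_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
    }],
})

WILDCARD_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["sts:AssumeRole"],
    }],
})


def _as_list(value):
    """IAM documents allow a single string wherever a list is accepted."""
    return value if isinstance(value, list) else [value]


def principal_account(principal):
    """Return the 12-digit account an AWS principal belongs to, or None.

    Accepts a bare account ID or an IAM/STS ARN (arn:partition:iam::ACCOUNT:...).
    A wildcard or anything unparsable yields None so the caller treats it as untrusted.
    """
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    if len(parts) >= 6 and parts[0] == "arn" and parts[2] in ("iam", "sts"):
        account = parts[4]
        return account if account.isdigit() and len(account) == 12 else None
    return None


def assume_role_principals(trust_policy_json):
    """Collect every principal that an Allow statement lets call sts:AssumeRole."""
    doc = json.loads(trust_policy_json)
    principals = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            principals.append("*")
            continue
        principals.extend(_as_list(principal.get("AWS", [])))
    return principals


def trust_policy_ok(trust_policy_json, administrator_account_id):
    """True only if every AssumeRole principal resolves to the administrator account."""
    principals = assume_role_principals(trust_policy_json)
    if not principals:
        return False  # nobody can assume the role: StackSet deployment would fail
    return all(principal_account(p) == administrator_account_id for p in principals)


if __name__ == "__main__":
    print("strict policy ok:", trust_policy_ok(STRICT_TRUST_POLICY, ADMIN_ACCOUNT_ID))
    print("wildcard policy ok:", trust_policy_ok(WILDCARD_TRUST_POLICY, ADMIN_ACCOUNT_ID))
```

The check deliberately fails closed: a policy with no usable AssumeRole statement, a wildcard principal, or a principal in any account other than the administrator account all return False, so the operator reviews the role before deploying stack instances into that account.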

After the IAM roles have been created for both the administrator and target accounts, return to FortiCWP to add the target accounts using CloudFormation. You can also prepare a CSV file with the target account numbers separated by commas. For example: 1234567,2345678,3456789, etc.

Add target AWS accounts via CloudFormation on FortiCWP

  1. From the FortiCWP navigation pane, go to Admin > Account, click Add New Account, and select AWS.
  2. When the selection menu pops up, select Add Multiple via CloudFormation.
  3. Enter the target AWS account numbers separated by commas (,) in the Account Number field, or upload a CSV file, then click Extract input Accounts.
  4. In CloudTrail Option, select "Yes, create for me" if you want FortiCWP to create a CloudTrail for each AWS account. If not, select "No, I'll create later".
  5. FortiCWP can integrate an existing CloudTrail as long as the CloudTrail has its origin configured.
  6. Click Next to continue to the Add Cloud Account page, then click AWS CloudFormation Guide to be redirected to the AWS CloudFormation guide.

A pop-up page redirects you to Amazon CloudFormation; follow the steps below to create the stack set. If you are redirected to the CloudFormation Stack page instead of the CloudFormation guide, refer to Stack Already Exists Error.

  1. In Prerequisite - Prepare template, make sure Template is ready is selected.
  2. In the Specify template section, enter the template URL for Amazon S3 URL:
  3. Choose the URL that matches the Guide Option you selected:
     Create Role only: https://cwp-cloudformation-template.s3.amazonaws.com/20.1/forticwp_role_multiple.json
     Create Role and CloudTrail: https://cwp-cloudformation-template.s3.amazonaws.com/20.1/forticwp_role_multiple_cloudtrail.json
  4. Click Next to continue.
  5. In the StackSet name field, enter "FortiCWPMultiple", then click Next.
  6. In Permissions, under IAM execution role name, make sure AWSCloudFormationStackSetExecutionRole is selected, then click Next.
  7. In Accounts, under Deployment locations, make sure Specify an AWS S3 URL for account numbers is selected, and enter the account numbers submitted earlier along with any other target account numbers, separated by commas (,), or upload a .csv file. (In the CSV file, separate account numbers with commas, e.g., 123456, 234567, etc.)
  8. Click the drop-down menu in Specify regions to select a region, then click Next.
  9. Review all parameters entered earlier and click Submit.
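The account list is entered twice in this procedure (once in the FortiCWP Account Number field or CSV upload, once in the StackSet deployment locations), and a typo or duplicate in either place means a stack instance that silently fails or a target account that never gets onboarded. The following is an added example, not code from Fortinet or AWS, of a small parser for that comma- or newline-delimited format. It normalises whitespace, drops duplicates, and separates out anything that is not a 12-digit AWS account ID (real account IDs are always 12 digits; the short numbers in the guide's examples are placeholders). The sample inputs are constructed, and the function names (parse_account_list, merge_account_lists, stack_instances_request) are the example's own.

```python
import csv
import io
import re

# AWS account IDs are exactly 12 digits.
ACCOUNT_ID_RE = re.compile(r"\d{12}")

# Constructed sample inputs (not taken from the page): text as pasted into the
# Account Number field, and the contents of an uploaded CSV file with a stray
# space, a duplicate and one invalid entry.
PASTED_FIELD = "111122223333, 444455556666,777788889999"
CSV_FILE_CONTENT = "111122223333,444455556666\n123456789012, 444455556666 ,not-an-id\n"


def parse_account_list(text):
    """Split comma- or newline-delimited account numbers.

    Returns (valid, invalid): valid keeps first-seen order with duplicates
    dropped; invalid collects tokens that are not 12-digit account IDs so the
    operator can correct them before the StackSet deployment is submitted.
    """
    valid, invalid, seen = [], [], set()
    for row in csv.reader(io.StringIO(text)):
        for cell in row:
            token = cell.strip()
            if not token:
                continue  # tolerate trailing commas and blank lines
            if not ACCOUNT_ID_RE.fullmatch(token):
                invalid.append(token)
            elif token not in seen:
                seen.add(token)
                valid.append(token)
    return valid, invalid


def merge_account_lists(*texts):
    """Combine several inputs (field text plus a CSV upload) into one de-duplicated list."""
    valid, invalid, seen = [], [], set()
    for text in texts:
        found, bad = parse_account_list(text)
        invalid.extend(bad)
        for account in found:
            if account not in seen:
                seen.add(account)
                valid.append(account)
    return valid, invalid


def stack_instances_request(stack_set_name, accounts, regions):
    """Build the StackSetName/Accounts/Regions keyword arguments that boto3's
    CloudFormation create_stack_instances call takes (the call itself is not
    made here). Refuses to build a request that contains an invalid ID."""
    bad = [a for a in accounts if not ACCOUNT_ID_RE.fullmatch(a)]
    if bad:
        raise ValueError(f"invalid account IDs: {bad}")
    return {"StackSetName": stack_set_name, "Accounts": list(accounts), "Regions": list(regions)}


if __name__ == "__main__":
    accounts, rejected = merge_account_lists(PASTED_FIELD, CSV_FILE_CONTENT)
    print("accounts:", accounts)
    print("rejected:", rejected)
    print(stack_instances_request("FortiCWPMultiple", accounts, ["us-west-2"]))
```

Run it against the exported CSV before uploading it in step 7; a non-empty rejected list means the deployment would target a malformed ID, and the region list passed to stack_instances_request should be the same one you select in step 8.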

You have finished all the preliminary steps to add your AWS accounts. Now go back to FortiCWP and click Add Multiple AWS Accounts.

If there is an error after completing Amazon CloudFormation, please refer to Troubleshooting > Amazon Web Service > Stack Already Exists Error.
