Update AWS Account Manually
When updating the AWS account on FortiCWP, a new AWS Role and CloudTrail are required before updating the account on FortiCWP.
Please follow each section below to create AWS Role and CloudTrail before going back to FortiCWP to update the AWS account.
Policy Creation
- Go to your AWS console dashboard, search and click IAM.
- Click Policies from the left navigation menu.
- Click Create policy, and go to the JSON tab.
- Replace the existing JSON code with the following:
- Click Next: Tags, then click Next: Review.
- Name the new policy, then click Create policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"sqs:DeleteMessage",
"appstream:Describe*",
"config:Get*",
"iam:List*",
"route53:ListTrafficPolicyVersions",
"cloudtrail:GetTrailStatus",
"sqs:ReceiveMessage",
"route53:GetHealthCheck",
"cloudfront:Get*",
"codedeploy:List*",
"guardduty:List*",
"cloudwatch:Describe*",
"route53:ListHostedZonesByName",
"config:Describe*",
"datapipeline:EvaluateExpression",
"rds:Describe*",
"iam:SimulateCustomPolicy",
"route53domains:CheckDomainAvailability",
"ec2:ModifySnapshotAttribute",
"ec2:RevokeSecurityGroupEgress",
"rds:DownloadDBLogFilePortion",
"s3:GetBucket*",
"logs:FilterLogEvents",
"route53:GetHostedZoneCount",
"inspector:Describe*",
"config:Deliver*",
"acm:List*",
"cloudfront:List*",
"sns:*",
"elasticmapreduce:DescribeSecurityConfiguration",
"cloudtrail:LookupEvents",
"datapipeline:ListPipelines",
"route53:GetHealthCheckLastFailureReason",
"lambda:List*",
"sqs:SendMessage",
"route53:ListVPCAssociationAuthorizations",
"route53:GetReusableDelegationSetLimit",
"kms:Describe*",
"logs:Get*",
"s3:GetReplicationConfiguration",
"cloudtrail:DescribeTrails",
"ec2:RevokeSecurityGroupIngress",
"route53:ListTagsForResources",
"route53:GetAccountLimit",
"s3:PutObjectVersionAcl",
"sqs:PurgeQueue",
"waf:List*",
"redshift:ModifyClusterParameterGroup",
"route53:GetGeoLocation",
"workspaces:Describe*",
"eks:ListClusters",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"glacier:ListVaults",
"route53:GetTrafficPolicy",
"iam:GenerateCredentialReport",
"s3:GetLifecycleConfiguration",
"s3:GetInventoryConfiguration",
"tag:GetResources",
"cloudtrail:StartLogging",
"acm:Describe*",
"route53domains:ListTagsForDomain",
"dynamodb:ListTables",
"s3:ListBucket",
"datapipeline:ValidatePipelineDefinition",
"route53domains:GetDomainDetail",
"datapipeline:DescribePipelines",
"route53:ListQueryLoggingConfigs",
"elasticmapreduce:List*",
"elasticmapreduce:DescribeStep",
"iam:Get*",
"route53:GetCheckerIpRanges",
"route53domains:ListDomains",
"elasticmapreduce:DescribeEditor",
"route53:ListGeoLocations",
"route53:GetTrafficPolicyInstance",
"cloudfront:UpdateDistribution",
"sqs:ChangeMessageVisibilityBatch",
"s3:PutBucketVersioning",
"sqs:SetQueueAttributes",
"kms:EnableKeyRotation",
"s3:ListBucketMultipartUploads",
"cloudsearch:Describe*",
"ecs:Describe*",
"datapipeline:QueryObjects",
"route53:ListHostedZones",
"guardduty:Get*",
"route53domains:GetContactReachabilityStatus",
"elasticache:Describe*",
"route53:ListTagsForResource",
"sqs:TagQueue",
"directconnect:Describe*",
"ec2:Describe*",
"codedeploy:Get*",
"s3:GetAccountPublicAccessBlock",
"route53:ListHealthChecks",
"s3:ListAllMyBuckets",
"rds:ListTagsForResource",
"route53domains:ListOperations",
"s3:GetObjectVersion",
"kms:List*",
"glacier:GetVaultAccessPolicy",
"s3:GetObjectVersionTagging",
"sqs:SendMessageBatch",
"sqs:UntagQueue",
"logs:Describe*",
"route53:GetHostedZone",
"kms:Get*",
"ses:List*",
"s3:GetObjectAcl",
"codedeploy:Batch*",
"ec2:SearchTransitGatewayRoutes",
"iam:SimulatePrincipalPolicy",
"dynamodb:DescribeTable",
"cloudtrail:ListTags",
"s3:GetObjectVersionAcl",
"route53:ListResourceRecordSets",
"s3:PutBucketAcl",
"rds:ModifyDBInstance",
"elasticloadbalancing:Describe*",
"cloudformation:ListStack*",
"s3:HeadBucket",
"es:Describe*",
"route53:GetHealthCheckCount",
"sdb:DomainMetadata",
"ses:Get*",
"route53:ListReusableDelegationSets",
"sqs:GetQueueUrl",
"elasticfilesystem:Describe*",
"route53:ListTrafficPolicyInstancesByHostedZone",
"ec2:GetTransitGatewayAttachmentPropagations",
"route53domains:GetDomainSuggestions",
"sqs:GetQueueAttributes",
"elasticbeanstalk:Describe*",
"route53domains:GetOperationDetail",
"s3:ListMultipartUploadParts",
"s3:GetObject",
"redshift:Describe*",
"iam:UpdateAccountPasswordPolicy",
"cloudformation:GetTemplate",
"ec2:GetTransitGatewayRouteTablePropagations",
"sqs:DeleteQueue",
"s3:GetAnalyticsConfiguration",
"eks:DescribeCluster",
"s3:GetObjectVersionForReplication",
"route53:GetHostedZoneLimit",
"autoscaling:Describe*",
"s3:ListBucketByTags",
"route53:ListTrafficPolicyInstances",
"route53:GetTrafficPolicyInstanceCount",
"route53:GetChange",
"s3:ListBucketVersions",
"s3:GetAccelerateConfiguration",
"sqs:ListQueueTags",
"elasticmapreduce:DescribeCluster",
"tag:GetTagKeys",
"s3:GetObjectVersionTorrent",
"s3:GetEncryptionConfiguration",
"sns:Get*",
"sqs:DeleteMessageBatch",
"elasticache:List*",
"eks:ListUpdates",
"route53:ListTrafficPolicies",
"s3:GetObjectTagging",
"s3:GetMetricsConfiguration",
"waf:Get*",
"ecs:List*",
"s3:PutObjectAcl",
"ec2:GetTransitGatewayRouteTableAssociations",
"route53:GetQueryLoggingConfig",
"sqs:ListQueues",
"sqs:ChangeMessageVisibility",
"route53:GetHealthCheckStatus",
"cloudtrail:UpdateTrail",
"ds:Describe*",
"datapipeline:DescribeObjects",
"datapipeline:GetPipelineDefinition",
"route53:GetReusableDelegationSet",
"inspector:List*",
"sdb:ListDomains",
"cloudformation:DescribeStack*",
"s3:GetObjectTorrent",
"route53:ListTrafficPolicyInstancesByPolicy",
"sqs:ListDeadLetterSourceQueues",
"eks:DescribeUpdate",
"s3:PutBucketPolicy",
"sqs:CreateQueue",
"es:List*",
"lambda:GetPolicy",
"dax:DescribeEvents",
"dax:ConditionCheckItem",
"dax:Scan",
"dax:DescribeDefaultParameters",
"dax:GetItem",
"dax:Query",
"dax:DescribeSubnetGroups",
"dax:DescribeParameterGroups",
"dax:DescribeParameters",
"dax:ListTags",
"dax:DescribeClusters",
"dax:BatchGetItem",
"cloudtrail:GetEventSelectors"
],
"Resource": "*"
}
]
}
Your new policy will be created.
Please keep your policy name later for role creation. |
For the purpose behind the AWS services being used to create the custom policy, please refer to Appendix A - Workload Protection Amazon Policy Usage |
Role creation
- Click Roles from the menu on the left.
- Click Create role.
- Click Another AWS account.
- Enter the following Account ID: 854209929931.
- Select the box Require external ID and enter in an external ID of your preference.
- Make sure the box Require MFA is not selected.
- Click Next: Permissions.
- Click Filter, then select Customer managed, then select the policy you created earlier.
- Click Next: Tag, and then click Next: Review.
- Enter a name of your preference for the role name, then click Create role.
- Click the role name, and copy the AWS Role ARN.
Note: This is the Amazon AWS account that FortiCWP uses to monitor the new role that is being created.
Please keep the external ID later for AWS authentication during installation. |
Example of AWS Role ARN: arn:aws:iam::123456123456:role/FortiCWPTester
Please keep the AWS Role ARN later for AWS authentication during installation. |
Configure CloudTrail Setting
- From AWS console dashboard, search and go to "CloudTrail"
- Click on Trails in the left navigation pane, and click Create trail.
- In General details page, enter a Trail name based on your preference, keep the default selection to Create a new S3 bucket.
- Uncheck the options to enable Log file SSE-LMS encryption and Log file validation.
- Scroll down and click Next to continue to Choose log events page.
- In Events > Event type, select Mangement events and Data events types.
- In Manage events > API activity: keep Read and Write options selected, then click Next.
- Review the trail settings, make sure it is configured as multi-region trail, scroll down and click Create Trail.
You have finished all the preliminary steps to update your AWS account. Now go back to FortiCWP and click Next. |