
Add AWS Account - Manual

Prerequisite

Activate Security Token Service (STS)

Container Protection uses regional Security Token Service (STS) endpoints to reduce latency and provide a smoother user experience.

Follow these steps to turn on STS for the required region in the AWS console:

  1. From your AWS console dashboard, go to Identity and Access Management (IAM).
  2. Click Account settings in the left navigation panel, and expand Security Token Service (STS).
  3. Based on your location, activate EU (Ireland) if you are located in the European Union; otherwise, activate US West (Oregon).

 

Adding an AWS account to Container Protection requires an IAM role in your AWS account whose trust policy requires an external ID generated by Container Protection.

The first part, Add AWS IAM Role, is done in Container Protection; the second part, IAM Role Creation, is done in the AWS console. The external ID generated in part 1 must be entered in part 2 when creating the IAM role, and the Role ARN produced in part 2 is then entered back in part 1.

Part 1: Add AWS IAM Role

Part 2: IAM Role Creation

 

Part 1: Add AWS IAM Role

  1. From the Container Protection navigation menu, go to Configure > Credential Store.
  2. Click the +ADD NEW drop down menu button in the top right corner and select AWS IAM Role.
  3. Enter a Credential Name and your AWS Account ID, then open the IAM Role Creation Method drop down menu and choose "Manually by myself".
  4. Click the External ID field and click Generate. Copy and keep the generated External ID; you will enter it in Part 2 when creating the role. Click Next Step.
  5. Continue to Part 2: IAM Role Creation to create the IAM role and obtain its Role ARN, then come back to proceed to the next step.
  6. Enter the IAM Role ARN you obtained in Part 2 and click ADD IAM Role.
  7. The AWS IAM Role is added to the Credential Store and is ready to be used to add an AWS Kubernetes cluster.

 

 

Part 2: IAM Role Creation

  1. Log into your AWS account.
  2. In the Services drop down menu, search for IAM.
  3. Click the Access management drop down menu and click Roles.
  4. Click Create role, and select Another AWS account.
  5. Important: enter the Container Protection trusted account ID: 854209929931. The role is created in your own AWS account; this account ID becomes the principal in the role's trust policy, that is, the only AWS account allowed to assume the role.

  6. Select the Require External ID option and enter the External ID saved in Part 1, step 4. The external ID is what prevents a third party who learns your Role ARN from getting the trusted account to assume the role on their behalf (the confused deputy problem), so do not create the role without it. Then click Next:Permissions to continue to the add permissions page.
  7. Click Create Policy; the Create Policy page opens in a new tab. Create the first policy, named forticwp_container_protection_permission, using the following JSON:

     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Action": [
             "iam:UpdateAssumeRolePolicy",
             "iam:GetPolicyVersion",
             "ec2:DescribeInstances",
             "eks:DescribeFargateProfile",
             "ecr:ListTagsForResource",
             "iam:AttachRolePolicy",
             "iam:PutRolePolicy",
             "ecr:ListImages",
             "elasticloadbalancing:DescribeLoadBalancers",
             "eks:DescribeNodegroup",
             "ecr:DescribeRepositories",
             "iam:ListRolePolicies",
             "iam:ListPolicies",
             "iam:GetRole",
             "eks:ListNodegroups",
             "cloudformation:ListStacks",
             "iam:GetPolicy",
             "ecr:DescribeRegistry",
             "iam:ListRoles",
             "ec2:DescribeSecurityGroups",
             "ecr:PutImage",
             "cloudformation:DescribeStacks",
             "eks:ListFargateProfiles",
             "iam:ListPolicyVersions",
             "ec2:DescribeVpcs",
             "ecr:BatchGetImage",
             "ecr:DescribeImages",
             "eks:DescribeCluster",
             "iam:GetRolePolicy",
             "ecr:GetDownloadUrlForLayer",
             "ecr:GetAuthorizationToken",
             "ecr:BatchCheckLayerAvailability",
             "elasticloadbalancing:DescribeListeners",
             "autoscaling:DescribeAutoScalingGroups",
             "iam:ListAttachedRolePolicies",
             "elasticloadbalancing:DescribeTargetHealth",
             "ec2:DescribeRouteTables",
             "ec2:DescribeAddresses",
             "ec2:DescribeSubnets",
             "ec2:DescribeNetworkInterfaces",
             "ec2:DescribeRegions",
             "ec2:DescribeVpcAttribute",
             "ec2:DescribeInstanceAttribute"
           ],
           "Resource": "*",
           "Effect": "Allow"
         }
       ]
     }

  8. Click Create Policy again; the Create Policy page opens in another tab. Create the second policy, named forticwp_aws_self_managed_autodeployment, using the following JSON:

     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Action": [
             "cloudwatch:PutMetricData",
             "ds:CreateComputer",
             "ds:DescribeDirectories",
             "ec2:DescribeInstanceStatus",
             "logs:*",
             "ssm:DescribeAssociation",
             "ssm:GetDeployablePatchSnapshotForInstance",
             "ssm:GetDocument",
             "ssm:DescribeDocument",
             "ssm:GetManifest",
             "ssm:GetParameter",
             "ssm:GetParameters",
             "ssm:ListAssociations",
             "ssm:ListInstanceAssociations",
             "ssm:PutInventory",
             "ssm:PutComplianceItems",
             "ssm:PutConfigurePackageResult",
             "ssm:UpdateAssociationStatus",
             "ssm:UpdateInstanceAssociationStatus",
             "ssm:UpdateInstanceInformation",
             "ssmmessages:CreateControlChannel",
             "ssmmessages:CreateDataChannel",
             "ssmmessages:OpenControlChannel",
             "ssmmessages:OpenDataChannel",
             "ec2messages:AcknowledgeMessage",
             "ec2messages:DeleteMessage",
             "ec2messages:FailMessage",
             "ec2messages:GetEndpoint",
             "ec2messages:GetMessages",
             "ec2messages:SendReply",
             "ssm:SendCommand",
             "ssm:PutParameter",
             "ssm:TerminateSession",
             "ssm:CancelCommand",
             "ssm:DeleteParameter",
             "ssm:DeleteParameters",
             "ssm:GetCommandInvocation",
             "ssm:GetConnectionStatus",
             "ssm:ListCommandInvocations",
             "ssm:ListCommands"
           ],
           "Resource": "*",
           "Effect": "Allow"
         }
       ]
     }

     Note: both policies grant their actions on Resource "*". The first includes iam:AttachRolePolicy, iam:PutRolePolicy and iam:UpdateAssumeRolePolicy (modify the permissions and trust of any role in the account) and ecr:PutImage (push to any ECR repository); the second includes ssm:SendCommand (run commands on any SSM-managed instance) and logs:*. Review these grants against your account's change-control requirements before attaching them to the role.

  9. Go back to the Create role page, search for and select the two policies you just created, then click Next:Tags.
  10. Click Next:Review to skip Add tags. On the Review page, enter a Role name and Role description, and click Create Role to finish creating the IAM role.
  11. Go back to the Roles page, then search for and click the role you just created to open its Summary page. On the Trust relationships tab, confirm that the trust policy names arn:aws:iam::854209929931:root as the only principal and has a Condition of StringEquals on sts:ExternalId matching your External ID.
  12. Copy the Role ARN from the Summary page and proceed to step 6 of Part 1: Add AWS IAM Role.
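The following Python script is an added example, not part of this page or of Fortinet's tooling. It reproduces offline the two checks a practitioner wants after Part 2: that the role's trust policy has the shape the console writes for "Another AWS account" plus "Require External ID" (only the Container Protection account as principal, and an sts:ExternalId condition carrying your External ID), and which of the high-impact actions the page's permission policies grant on Resource "*". The trusted account ID is the one from the page; the external ID is a made-up placeholder, and the permission policy is a constructed excerpt of the page's first policy. To check a real role, paste the JSON from its Trust relationships tab into check_trust_policy.

```python
import copy

# Container Protection trusted account ID from the page. The external ID is a
# made-up placeholder for the value Container Protection generates in Part 1.
TRUSTED_ACCOUNT = "854209929931"
EXAMPLE_EXTERNAL_ID = "example-external-id-from-part-1"

# Actions that, when granted on Resource "*", let the assumed role change other
# roles' permissions or trust, push container images, or run commands on hosts.
HIGH_IMPACT_ACTIONS = {
    "iam:AttachRolePolicy", "iam:PutRolePolicy", "iam:UpdateAssumeRolePolicy",
    "ecr:PutImage", "ssm:SendCommand", "ssm:PutParameter", "logs:*",
}

# Constructed excerpt of the page's first policy (forticwp_container_protection_permission).
SAMPLE_PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": [
            "iam:UpdateAssumeRolePolicy", "iam:GetPolicyVersion", "ec2:DescribeInstances",
            "iam:AttachRolePolicy", "iam:PutRolePolicy", "ecr:ListImages",
            "ecr:PutImage", "eks:DescribeCluster",
        ],
        "Resource": "*",
        "Effect": "Allow",
    }],
}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def build_trust_policy(trusted_account, external_id):
    """Trust policy the console writes for 'Another AWS account' + 'Require external ID'."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def strip_external_id(policy):
    """Copy of a trust policy without its Condition, i.e. a role created without step 6."""
    weak = copy.deepcopy(policy)
    for stmt in weak["Statement"]:
        stmt.pop("Condition", None)
    return weak


def check_trust_policy(policy, trusted_account, external_id):
    """Findings for every Allow statement granting sts:AssumeRole; an empty list means OK."""
    findings = []
    expected = f"arn:aws:iam::{trusted_account}:root"
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action", []))):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        for p in aws_principals:
            if p == "*":
                findings.append(f"statement {i}: wildcard principal")
            elif p not in (expected, trusted_account):  # a bare account ID is equivalent to :root
                findings.append(f"statement {i}: unexpected principal {p}")
        ext_ids = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId", []))
        if not ext_ids:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif external_id not in ext_ids:
            findings.append(f"statement {i}: sts:ExternalId does not match")
    return findings


def audit_permission_policy(policy):
    """Sorted HIGH_IMPACT_ACTIONS that an Allow statement grants on Resource "*"."""
    flagged = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        flagged.update(a for a in _as_list(stmt.get("Action", [])) if a in HIGH_IMPACT_ACTIONS)
    return sorted(flagged)


if __name__ == "__main__":
    import json
    good = build_trust_policy(TRUSTED_ACCOUNT, EXAMPLE_EXTERNAL_ID)
    print(json.dumps(good, indent=2))
    print("trust findings:", check_trust_policy(good, TRUSTED_ACCOUNT, EXAMPLE_EXTERNAL_ID))
    print("without external ID:", check_trust_policy(strip_external_id(good), TRUSTED_ACCOUNT, EXAMPLE_EXTERNAL_ID))
    print("wide write actions:", audit_permission_policy(SAMPLE_PERMISSION_POLICY))
```

The checker deliberately treats a missing sts:ExternalId condition and a wildcard principal as separate findings, because they are separate mistakes: the first is what happens when the Require External ID box is skipped in step 6, the second when "*" is typed into the account field instead of the Container Protection account ID. audit_permission_policy only flags the write-capable actions listed in HIGH_IMPACT_ACTIONS; the Describe/List/Get actions that make up most of both policies are read-only and are not reported.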

 

 

 

 

 
