Add Multiple AWS Accounts

Prerequisites

Make sure the user you sign in with in the AWS administrator account to perform the tasks below is an Administrator User: the steps create IAM roles and StackSets, which a restricted user cannot do. For instructions on creating an Administrator User for your AWS administrator account, refer to https://docs.aws.amazon.com/mediapackage/latest/ug/setting-up-create-iam-user.html.

Activate Security Token Service (STS)

FortiCWP uses regional Security Token Service (STS) endpoints to reduce latency and provide a smoother user experience. This setting only controls where FortiCWP's requests for temporary credentials are served; the credentials it obtains are valid in all regions.

Follow these steps to turn on the regional STS endpoint in the AWS console.

  1. From the AWS console dashboard, go to Identity and Access Management (IAM).
  2. Click Account settings in the left navigation panel, then expand Security Token Service (STS).
  3. Based on your location, activate EU (Ireland) if you are located in the European Union; otherwise, activate US West (Oregon).

Setup permissions for Stack Sets Operations

To add multiple AWS accounts, the administrator account needs permission to create, update, and delete stack sets (and their stack instances) in every target account. This is a trust relationship between two IAM roles: an administration role in the administrator account and an execution role in each target account. AWS provides a CloudFormation template for each role. Complete Step 1 in the administrator account and Step 2 in every target account before proceeding with the FortiCWP CloudFormation guide. Be aware of what you are granting: the execution role created by the AWS sample template trusts the whole administrator account and carries the AdministratorAccess managed policy in the target account, so any principal in the administrator account that is allowed to call sts:AssumeRole on that role obtains administrative access to every target account. Treat the administrator account accordingly and keep that permission tightly scoped.

Step 1 - Create IAM role for administrator account

  1. From the AWS Services menu, search for and click CloudFormation.
  2. Click Stacks in the left navigation menu.
  3. Click Create stack and select With new resources (standard).
  4. In Specify template, select Amazon S3 URL, enter the following URL, and click Next: https://s3.amazonaws.com/cloudformation-stackset-sample-templates-us-east-1/AWSCloudFormationStackSetAdministrationRole.yml
  5. In Stack name, enter any stack name, then click Next.
  6. In Step 3: Configure stack options, scroll to the bottom and click Next.
  7. In Step 4: Review, scroll to the bottom, select the check box acknowledging that AWS CloudFormation may create IAM resources, then click Create stack to complete the process.

Note that the IAM role name in the administrator account must be AWSCloudFormationStackSetAdministrationRole. The template creates the role with that name, and StackSets looks it up by name; do not rename it.

Step 2 - Create IAM role for each target account

  1. From the AWS Services menu, search for and click CloudFormation.
  2. Click Stacks in the left navigation menu.
  3. Click Create stack and select With new resources (standard).
  4. In Specify template, select Amazon S3 URL, enter the following URL, and click Next: https://s3.amazonaws.com/cloudformation-stackset-sample-templates-us-east-1/AWSCloudFormationStackSetExecutionRole.yml
  5. In Stack name, enter any stack name.
  6. In Parameters, enter the 12-digit account ID of the administrator account that this target account should trust, then click Next. Check the ID carefully: the role created here grants the account you type administrative access to this target account, so a typo hands that access to whoever owns the mistyped account.
  7. In Step 3: Configure stack options, scroll to the bottom and click Next.
  8. In Step 4: Review, scroll to the bottom, select the check box acknowledging that AWS CloudFormation may create IAM resources, then click Create stack to complete the process.

Reference: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-prereqs.html

After the IAM roles have been created in both the administrator account and every target account, return to FortiCWP to onboard the target accounts via CloudFormation. You can also prepare a CSV file containing the target account numbers separated by commas, each a 12-digit AWS account ID, for example: 111111111111,222222222222,333333333333. If you edit the file in a spreadsheet, confirm that leading zeros in account IDs have not been stripped.
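The two checks a practitioner wants after Step 1 and Step 2 are that every target account ID in the list is well-formed and that each target account's execution role can be assumed only from the intended administrator account. The script below is an added example, not part of the FortiCWP documentation and not Fortinet's or AWS's code. It assumes the role names given on this page and the trust-policy shape returned under Role.AssumeRolePolicyDocument by `aws iam get-role --role-name AWSCloudFormationStackSetExecutionRole`; the policy documents and account IDs in it are constructed for the example.

```python
"""Checks for the StackSets trust relationship set up in Step 1 and Step 2.

Added example, not part of the FortiCWP documentation and not Fortinet's or
AWS's code. Assumes the role names given on this page and the trust-policy
shape returned under Role.AssumeRolePolicyDocument by
    aws iam get-role --role-name AWSCloudFormationStackSetExecutionRole
The policy documents and account IDs below are constructed for the example.
"""
from __future__ import annotations

import re

ADMIN_ROLE = "AWSCloudFormationStackSetAdministrationRole"
EXEC_ROLE = "AWSCloudFormationStackSetExecutionRole"
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def parse_account_list(text: str) -> list[str]:
    """Split a comma-separated list (or CSV file contents) of target account IDs.

    Anything that is not exactly 12 digits is rejected: spreadsheets strip
    leading zeros, so an ID such as 012345678901 saved through a spreadsheet
    comes back as 11 digits and would silently target the wrong account.
    Duplicates are dropped; the original order is kept.
    """
    seen: list[str] = []
    for raw in re.split(r"[,\s]+", text.strip()):
        if not raw:
            continue
        if not ACCOUNT_ID_RE.match(raw):
            raise ValueError(f"not a 12-digit AWS account ID: {raw!r}")
        if raw not in seen:
            seen.append(raw)
    return seen


def _as_list(value) -> list:
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_execution_role_trust(policy: dict, admin_account_id: str) -> list[str]:
    """Return findings for an execution role's trust policy; [] means it is as expected.

    The role must be assumable only from the administrator account. IAM stores
    the bare account-ID principal from the template as arn:aws:iam::<id>:root,
    so both spellings are accepted; any other principal, a wildcard, a
    non-AWS principal type, or an action other than sts:AssumeRole is reported.
    """
    if not ACCOUNT_ID_RE.match(admin_account_id):
        raise ValueError("administrator account ID must be 12 digits")
    allowed = {
        admin_account_id,
        f"arn:aws:iam::{admin_account_id}:root",
        f"arn:aws:iam::{admin_account_id}:role/{ADMIN_ROLE}",
    }
    findings: list[str] = []
    statements = policy.get("Statement", [])
    if not statements:
        return ["trust policy has no statements; nothing can assume the role"]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action != "sts:AssumeRole":
                findings.append(f"unexpected action in trust policy: {action}")
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("trust policy allows any principal ('*')")
            continue
        if not isinstance(principal, dict):
            findings.append(f"unexpected principal form: {principal!r}")
            continue
        for key in principal:
            if key != "AWS":
                findings.append(f"unexpected principal type {key}: {principal[key]!r}")
        for p in _as_list(principal.get("AWS")):
            if p == "*":
                findings.append("trust policy allows any AWS principal ('*')")
            elif p not in allowed:
                findings.append(
                    f"principal outside administrator account {admin_account_id}: {p}"
                )
    return findings


def _trust(principal_aws) -> dict:
    """Build a trust policy document in the shape the sample template produces."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": principal_aws}, "Action": "sts:AssumeRole"}
        ],
    }


# Constructed samples (not real accounts); the administrator account is 111111111111.
GOOD_TRUST = _trust("arn:aws:iam::111111111111:root")
# Step 2 done with a typo in the Parameters field: the role trusts a stranger's account.
WRONG_ACCOUNT_TRUST = _trust("arn:aws:iam::111111111112:root")
# A failing deployment "fixed" by opening the trust policy to everyone.
OPEN_TRUST = _trust("*")


if __name__ == "__main__":
    print(parse_account_list("111111111111, 222222222222,111111111111"))
    for name, doc in [("good", GOOD_TRUST), ("wrong account", WRONG_ACCOUNT_TRUST), ("open", OPEN_TRUST)]:
        print(name, audit_execution_role_trust(doc, "111111111111") or "OK")
```

To run the audit against a real target account, fetch the document with `aws iam get-role --role-name AWSCloudFormationStackSetExecutionRole --query Role.AssumeRolePolicyDocument` (using credentials for that target account) and pass the parsed JSON to audit_execution_role_trust. Any finding other than an empty list means the role from Step 2 either points at the wrong account or has been loosened since it was created.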

Add targeted AWS accounts via CloudFormation on FortiCWP

Before adding the AWS accounts, note that there are four types of permissions that can be granted to FortiCWP for an AWS account. Grant only the required permissions, or add the optional ones, according to what your organization needs. For details, see AWS Permission and Resource Requirements.

  1. From the FortiCWP navigation pane, go to Admin > Account, click +Add New, and select AWS. When the selection menu pops up, select Add Multiple via CloudFormation, then click Add New Cloud Account.
  2. Enter the target AWS account numbers separated by commas (,) in the Account Number field, or upload a CSV file, then click Extract input Accounts.
  3. In the Select Permissions section, select the optional permissions to be granted to FortiCWP.
  4. Select Yes for FortiCWP to create a CloudTrail in each AWS account, or select No, I'll create later. FortiCWP can integrate an existing CloudTrail as long as the CloudTrail has its origin configured.
  5. Click Next to continue to the Add Cloud Account page, then click AWS CloudFormation Guide to be redirected to the AWS CloudFormation guide.

A pop-up page redirects you to AWS CloudFormation; follow the steps below to create the stack set. If you are redirected to the CloudFormation Stack page instead of the CloudFormation guide, refer to Stack Already Exists Error.

AWS Cloudformation Configuration

  1. In Prerequisite - Prepare template, make sure Template is ready is selected.
  2. In Specify template, select Amazon S3 URL, enter the template URL that matches the option you chose in the guide, then click Next. Before continuing, confirm that the template filename matches the CloudTrail choice you made in FortiCWP.
  3. Guide option and template URL:
     Create Role only:
       https://cwp-cloudformation-template.s3.amazonaws.com/22.1/forticwp_role_multiple_basic_autofix_integration_cloudtrail.json
     Create Role and CloudTrail:
       https://cwp-cloudformation-template.s3.amazonaws.com/22.1/forticwp_role_multiple_basic_autofix_integration.json
  4. In StackSet name, enter "FortiCWPMultiple", then click Next.
  5. In Permissions, under IAM execution role name, make sure AWSCloudFormationStackSetExecutionRole is selected, then click Next. This is the role created in each target account in Step 2; the deployment fails in any account where it is missing.
  6. In Accounts, under Deployment locations, make sure Specify an AWS S3 URL for account numbers is selected, then enter the account numbers submitted earlier, plus any other target account numbers, separated by commas (,), or upload a .csv file. (In the CSV file, separate the 12-digit account IDs with commas, e.g., 111111111111,222222222222.)
  7. In Specify regions, open the drop-down menu and select a region, then click Next.
  8. Review the parameters entered earlier and click Submit.
  9. Return to the FortiCWP add account page and click Add Multiple AWS Accounts.

If an error occurs after completing the AWS CloudFormation steps, refer to Troubleshooting > Amazon Web Service > Stack Already Exists Error.
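After Submit, the StackSet reports one stack instance per target account and region, and the useful check is to reconcile that list against the accounts you submitted: which ones deployed, which failed and why, which never got an instance (typically the execution role from Step 2 is missing there, or the ID was mistyped), and whether the FortiCWP role now exists in an account you never submitted. The script below is an added example, not part of the FortiCWP documentation and not Fortinet's code. It assumes the JSON printed by `aws cloudformation list-stack-instances --stack-set-name FortiCWPMultiple` (Summaries[].Account, .Region, .Status, .StatusReason and .StackInstanceStatus.DetailedStatus); the sample output, account IDs and StatusReason text are constructed for the example.

```python
"""Reconcile the FortiCWPMultiple StackSet with the account list submitted to FortiCWP.

Added example, not part of the FortiCWP documentation and not Fortinet's code.
Assumes the JSON printed by
    aws cloudformation list-stack-instances --stack-set-name FortiCWPMultiple
with Summaries[].Account, .Region, .Status, .StatusReason and
.StackInstanceStatus.DetailedStatus. The sample output below is constructed
for the example; the account IDs and the StatusReason text are made up.
"""
from __future__ import annotations

import json

STACK_SET_NAME = "FortiCWPMultiple"
_STACK_SET_ID = "FortiCWPMultiple:00000000-0000-0000-0000-000000000000"  # constructed

# Constructed sample output: the stack set was deployed to us-west-2 only.
SAMPLE_LIST_STACK_INSTANCES = json.dumps({
    "Summaries": [
        {"StackSetId": _STACK_SET_ID, "Region": "us-west-2", "Account": "111111111111",
         "Status": "CURRENT", "StackInstanceStatus": {"DetailedStatus": "SUCCEEDED"}},
        {"StackSetId": _STACK_SET_ID, "Region": "us-west-2", "Account": "222222222222",
         "Status": "OUTDATED",
         "StatusReason": "constructed: stack creation failed in target account",
         "StackInstanceStatus": {"DetailedStatus": "FAILED"}},
        {"StackSetId": _STACK_SET_ID, "Region": "us-west-2", "Account": "444444444444",
         "Status": "CURRENT", "StackInstanceStatus": {"DetailedStatus": "SUCCEEDED"}},
    ]
})
# The list that was submitted to FortiCWP (constructed).
SUBMITTED_ACCOUNTS = ["111111111111", "222222222222", "333333333333"]


def reconcile(list_output: str, submitted: list[str], region: str) -> dict:
    """Bucket each submitted account as deployed, failed or missing for one region,
    and list stack instances in accounts that were never submitted."""
    summaries = json.loads(list_output).get("Summaries", [])
    by_account = {s["Account"]: s for s in summaries if s.get("Region") == region}
    report: dict = {"deployed": [], "failed": [], "missing": [], "unexpected": []}
    for account in submitted:
        inst = by_account.get(account)
        if inst is None:
            # No instance at all: the execution role from Step 2 is usually missing
            # in that account, or the account ID was mistyped.
            report["missing"].append(account)
            continue
        detailed = inst.get("StackInstanceStatus", {}).get("DetailedStatus")
        if inst.get("Status") == "CURRENT" and detailed == "SUCCEEDED":
            report["deployed"].append(account)
        else:
            # Keep the reason: it is the first thing to read when troubleshooting.
            report["failed"].append((account, inst.get("StatusReason", "no StatusReason")))
    # An instance in an account you did not submit means the FortiCWP role now
    # exists somewhere you did not intend; find out who added it and why.
    report["unexpected"] = sorted(set(by_account) - set(submitted))
    return report


if __name__ == "__main__":
    result = reconcile(SAMPLE_LIST_STACK_INSTANCES, SUBMITTED_ACCOUNTS, "us-west-2")
    print(json.dumps(result, indent=2))
```

Run it against real output by piping the CLI command into the script and passing the region you selected in Specify regions; a non-empty "missing" or "failed" list is the case to resolve before clicking Add Multiple AWS Accounts in FortiCWP, and a non-empty "unexpected" list is worth an audit of who modified the stack set.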
