
AWS Account Checklist Troubleshooting


Role and Policy Related Issues

External ID Issue

AWS CloudTrail Issue

Traffic Related Issue

Role and Policy Related Issues

If you added the AWS account manually, use the solutions below.

Checklist item: FortiCWP Role not generated.
Description: The FortiCWP role was not created successfully in the AWS account.
Solution: Check that the FortiCWP role exists and was created by following the guide at Add AWS Account.

Checklist item: AWS Autofix policies are not attached to the Role.
Description: The FortiCWP Autofix policies are not attached to the FortiCWP role.
Solution: Check that the FortiCWP policies are attached to the role, as described in Add AWS Account.

Checklist item: AWS Notification policies are not attached to the Role.
Description: The FortiCWP Notification policies are not attached to the FortiCWP role.
Solution: Check that the FortiCWP policies are attached to the role, as described in Add AWS Account.

Checklist item: AWS Inspector and GuardDuty Integration policies are not attached to the Role.
Description: A specific policy and role must be attached for AWS Inspector and GuardDuty before both services can be activated in FortiCWP.
Solution: Check that the AWS Inspector and GuardDuty Integration policies are attached to the role, as described in Add AWS Account.

When fixing a missing-policy item, attach only the FortiCWP-provided policies. Granting the role broader permissions (for example AdministratorAccess) clears the checklist but gives the cross-account role far more access than FortiCWP needs.

If you added the AWS account automatically (through CloudFormation), use the solutions below.

Checklist item: CloudFormation FortiCWP Role not generated.
Description: A duplicate stack or stack set already exists in CloudFormation. The duplicate must be deleted before the role can be generated successfully.
Solution: Delete the stack or stack set associated with the AWS account(s) first, following Stack Already Exists Error.

Checklist item: AWS Autofix policies are not attached to the Role.
Description: A duplicate stack or stack set already exists in CloudFormation. The duplicate must be deleted before the role can be generated successfully.
Solution: Delete the stack or stack set associated with the AWS account(s) first, following Stack Already Exists Error.

Checklist item: AWS Notification policies are not attached to the Role.
Description: A duplicate stack or stack set already exists in CloudFormation. The duplicate must be deleted before the role can be generated successfully.
Solution: Delete the stack or stack set associated with the AWS account(s) first, following Stack Already Exists Error.

Checklist item: AWS Inspector and GuardDuty Integration policies are not attached to the Role.
Description: A specific policy and role must be attached for AWS Inspector and GuardDuty before both services can be activated in FortiCWP.
Solution: Delete the stack or stack set associated with the AWS account(s) first, following Stack Already Exists Error.

External ID Issue

The external ID is a unique value that FortiCWP presents when it assumes the cross-account role. The role's trust policy requires it, so only FortiCWP acting for your tenant can assume the role, and not another customer of the same service (the confused-deputy problem). An external ID that is short or predictable weakens that guarantee, which is why FortiCWP rejects one that does not meet its complexity requirement.

If you added the AWS account manually, use the solution below.

Checklist item: External ID doesn't meet the complexity and security requirements.
Description: The external ID is a unique ID attached to the role for security purposes. If the ID previously assigned did not meet the complexity requirement, FortiCWP must reassign it.
Solution: Remove the AWS account from FortiCWP and re-authenticate it by going through the manual installation again; you will be asked to generate a new External ID. For details, see Add AWS Account.

If you added the AWS account automatically, use the solution below.

Checklist item: External ID doesn't meet the complexity and security requirements.
Description: The external ID is a unique ID attached to the role for security purposes. If the ID previously assigned did not meet the complexity requirement, FortiCWP must reassign it.
Solution: Remove the AWS account from FortiCWP and re-authenticate it by going through the installation again. When the account is added automatically, FortiCWP re-assigns a unique 32-bit external ID to it.
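The following is an added example, not FortiCWP's own code or a FortiCWP API: it builds the trust policy of the cross-account role the way the external-ID check above expects it, and audits an existing trust policy for the two things that matter here, a single trusted principal and a required sts:ExternalId. The trusted account ID and the external ID are placeholders. The complexity rule enforced is an assumption: AWS's own syntax constraint on sts:ExternalId plus a 32-character minimum; FortiCWP's exact rule is not stated on this page.

```python
"""Added example (not FortiCWP code): build and audit the cross-account
role trust policy that FortiCWP assumes, enforcing an external ID.

Assumptions not taken from the page: the trusted account ID is a
placeholder, and "complexity" means AWS's sts:ExternalId syntax rule plus
a 32-character minimum length.
"""
from __future__ import annotations

import json
import re
import secrets

# AWS constraint on sts:ExternalId: 2-1224 characters from this set.
AWS_EXTERNAL_ID_RE = re.compile(r"^[\w+=,.@:/-]{2,1224}$")
MIN_LENGTH = 32  # assumed minimum; adjust to the FortiCWP requirement


def generate_external_id(length: int = MIN_LENGTH) -> str:
    """Return a random URL-safe external ID of exactly `length` characters."""
    # token_urlsafe returns ~1.3 characters per byte; over-generate and trim.
    return secrets.token_urlsafe(length)[:length]


def external_id_is_strong(external_id: str) -> bool:
    """True if the ID satisfies the AWS syntax rule and the assumed minimum length."""
    return bool(AWS_EXTERNAL_ID_RE.match(external_id)) and len(external_id) >= MIN_LENGTH


def trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy allowing only `trusted_account_id` to assume the role,
    and only when it presents `external_id` (confused-deputy protection)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def audit_trust_policy(policy: dict, expected_external_id: str) -> list[str]:
    """Return findings for every Allow statement that grants sts:AssumeRole;
    an empty list means the policy is acceptable."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {i}: role is assumable by any AWS principal")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        ext = cond.get("sts:ExternalId")
        if ext is None:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif ext != expected_external_id:
            findings.append(f"statement {i}: sts:ExternalId does not match the FortiCWP value")
        elif not external_id_is_strong(ext):
            findings.append(f"statement {i}: external ID does not meet the complexity requirement")
    return findings


if __name__ == "__main__":
    ext_id = generate_external_id()
    good = trust_policy("123456789012", ext_id)  # placeholder trusted account ID
    print(json.dumps(good, indent=2))
    print("findings (good):", audit_trust_policy(good, ext_id))
    weak = trust_policy("123456789012", "1234")  # too short to be a useful secret
    print("findings (weak):", audit_trust_policy(weak, "1234"))
```

To audit a live role, pass the document returned by the IAM GetRole call (the AssumeRolePolicyDocument field) to audit_trust_policy together with the external ID shown in FortiCWP. The audit deliberately flags a policy whose condition is present but carries a different value, because a stale external ID from an earlier onboarding attempt fails the same checklist item.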

AWS CloudTrail Issue

AWS CloudTrail failures occur only when the AWS account was added manually, that is, when the trail was not created by AWS CloudFormation.

If you receive any of the errors below after adding the AWS account automatically, delete the CloudTrail stack or stack set and re-authenticate the account; see Stack Already Exists Error.

For manual installation, use the solutions below:

Checklist item: More than one AWS CloudTrail is created and enabled.
Description: Only one trail should be enabled.
Solution: Check the CloudTrail name used for the AWS account in FortiCWP, shown on the Authentication tab of the Cloud Account status. Log in to the AWS account and delete or disable every trail other than the one used by FortiCWP. Disabling keeps the trail's configuration; before removing a trail, confirm nothing else (an organization trail, a SIEM feed) depends on it.

Checklist item: CloudTrail is not configured with read/write event permission.
Description: The trail must record both read and write management events (the Read/Write events setting in CloudTrail) so that FortiCWP receives the complete activity log. A write-only trail omits read-only API calls such as List and Describe operations.
Solution: Check the read/write event setting as described in Add AWS Account.

Checklist item: CloudTrail is not applied to all regions.
Description: The trail must be configured as a multi-region trail so that FortiCWP receives CloudTrail logs from all regions. A single-region trail leaves activity in every other region unmonitored.
Solution: Check that the trail applies to all regions, as described in Add AWS Account.

Checklist item: FortiCWP cannot gain access to the CloudTrail S3 Bucket.
Description: FortiCWP must be granted access to the S3 bucket that stores the CloudTrail logs in order to read them and to monitor and protect the data in the bucket.
Solution: Check that AWS has granted FortiCWP access to the S3 bucket, as described in Add AWS Account.
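The following is an added example, not FortiCWP's own code: it runs the four CloudTrail checklist items above against the data the AWS CloudTrail and S3 APIs return. The inputs are constructed samples in the shape of boto3's describe_trails, get_trail_status, get_event_selectors and get_bucket_policy responses; to audit a real account, replace them with the live call results. The FortiCWP role ARN, trail name and bucket name are placeholders. The bucket check only inspects the bucket policy; access granted through the role's own identity policy, or blocked by a Deny or an organization SCP, is outside what it can see.

```python
"""Added example (not FortiCWP code): evaluate the CloudTrail checklist
items against constructed API-shaped data.

Assumptions not taken from the page: the role ARN, trail name and bucket
name are placeholders, and the S3 access check reads only the bucket policy.
"""
import json

FORTICWP_ROLE_ARN = "arn:aws:iam::111122223333:role/FortiCWP-Role"  # placeholder
TRAIL_ARN = "arn:aws:cloudtrail:us-east-1:111122223333:trail/forticwp-trail"
LEGACY_ARN = "arn:aws:cloudtrail:us-east-1:111122223333:trail/legacy-trail"

# --- constructed sample data (not from a real account) ---
SAMPLE_TRAILS = {"trailList": [
    {"Name": "forticwp-trail", "TrailARN": TRAIL_ARN,
     "S3BucketName": "forticwp-cloudtrail-logs", "IsMultiRegionTrail": False},
    {"Name": "legacy-trail", "TrailARN": LEGACY_ARN,
     "S3BucketName": "old-logs", "IsMultiRegionTrail": True},
]}
SAMPLE_STATUS = {TRAIL_ARN: {"IsLogging": True}, LEGACY_ARN: {"IsLogging": True}}
SAMPLE_SELECTORS = {
    TRAIL_ARN: {"EventSelectors": [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": True}]},
    LEGACY_ARN: {"EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}]},
}
# Lets CloudTrail write, but never lets the FortiCWP role read the logs.
SAMPLE_BUCKET_POLICY = {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::forticwp-cloudtrail-logs/AWSLogs/*"},
]})}


def read_grant_policy(bucket: str, role_arn: str) -> dict:
    """Bucket policy (get_bucket_policy shape) that lets role_arn read the logs."""
    return {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": role_arn},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]}]})}


def _principals(stmt: dict) -> list:
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    aws = p.get("AWS", []) if isinstance(p, dict) else []
    return [aws] if isinstance(aws, str) else aws


def bucket_grants_read(bucket_policy: dict, role_arn: str) -> bool:
    """True if an Allow statement lets role_arn (or everyone) GetObject."""
    doc = json.loads(bucket_policy["Policy"])
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        reads = any(a in ("s3:GetObject", "s3:Get*", "s3:*", "*") for a in actions)
        if reads and any(p in ("*", role_arn) for p in _principals(stmt)):
            return True
    return False


def check_cloudtrail(forticwp_trail, trails, status, selectors, bucket_policy, role_arn):
    """Return the checklist items that fail, worded as in the table above."""
    failures = []
    enabled = [t for t in trails["trailList"] if status[t["TrailARN"]]["IsLogging"]]
    if len(enabled) > 1:
        failures.append("More than one AWS CloudTrail is created and enabled")
    trail = next((t for t in trails["trailList"] if t["Name"] == forticwp_trail), None)
    if trail is None:
        return failures + ["FortiCWP trail not found"]
    rw_types = {s.get("ReadWriteType") for s in selectors[trail["TrailARN"]]["EventSelectors"]}
    if "All" not in rw_types:
        failures.append("CloudTrail is not configured with read/write event permission")
    if not trail.get("IsMultiRegionTrail"):
        failures.append("CloudTrail is not applied to all regions")
    if not bucket_grants_read(bucket_policy, role_arn):
        failures.append("FortiCWP cannot gain access to the CloudTrail S3 Bucket")
    return failures


if __name__ == "__main__":
    for f in check_cloudtrail("forticwp-trail", SAMPLE_TRAILS, SAMPLE_STATUS,
                              SAMPLE_SELECTORS, SAMPLE_BUCKET_POLICY, FORTICWP_ROLE_ARN):
        print("FAIL:", f)
```

Against the sample data all four items fail: two trails are logging, the FortiCWP trail records write events only, it is single-region, and the bucket policy never names the FortiCWP role. Fixing the trail object, its event selector and the bucket policy (read_grant_policy shows the minimal grant) makes the check return an empty list.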

Traffic Related Issue

This solution applies to both manual and automatic installation.

Checklist item: Some VPCs do not have Flow logs.
Description: FortiCWP Traffic is disabled. Flow logs must be enabled on every VPC in the account to activate Traffic in FortiCWP; a single VPC without them keeps the item failing.
Solution: Review the steps in the AWS traffic log configuration to confirm that VPC Flow Logs are enabled on every VPC. See AWS Traffic Configuration.
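The following is an added example, not FortiCWP's own code: it lists the VPCs that have no active VPC Flow Log, which is the condition behind the checklist item above. The inputs are constructed samples shaped like boto3's EC2 describe_vpcs and describe_flow_logs responses, one pair per region; to audit a real account, replace them with the live results for every region in use. Requiring the ALL traffic type is optional and is an assumption about what FortiCWP expects; the default accepts any traffic type.

```python
"""Added example (not FortiCWP code): find VPCs without an active flow log
from constructed describe_vpcs / describe_flow_logs data, per region.

Assumption not taken from the page: whether a flow log must capture ALL
traffic is left to the caller (traffic_type argument).
"""
from __future__ import annotations

# Constructed sample data (not from a real account), keyed by region.
SAMPLE_VPCS = {
    "us-east-1": {"Vpcs": [{"VpcId": "vpc-0a1b2c3d"}, {"VpcId": "vpc-0e5f6a7b"}]},
    "eu-west-1": {"Vpcs": [{"VpcId": "vpc-0c9d8e7f"}]},
}
SAMPLE_FLOW_LOGS = {
    "us-east-1": {"FlowLogs": [
        {"ResourceId": "vpc-0a1b2c3d", "FlowLogStatus": "ACTIVE", "TrafficType": "ALL"},
        # Created but not delivering: a FAILED flow log must not count as coverage.
        {"ResourceId": "vpc-0e5f6a7b", "FlowLogStatus": "FAILED", "TrafficType": "ALL"},
    ]},
    "eu-west-1": {"FlowLogs": [
        # Active, but captures rejected traffic only.
        {"ResourceId": "vpc-0c9d8e7f", "FlowLogStatus": "ACTIVE", "TrafficType": "REJECT"},
    ]},
}


def covered_vpcs(flow_logs: dict, traffic_type: str | None = None) -> set[str]:
    """VPC IDs that have at least one ACTIVE flow log (optionally of a given
    TrafficType). Flow logs attached to a subnet or ENI (ResourceId not vpc-*)
    do not cover the whole VPC and are ignored."""
    return {
        fl["ResourceId"]
        for fl in flow_logs.get("FlowLogs", [])
        if fl["ResourceId"].startswith("vpc-")
        and fl.get("FlowLogStatus") == "ACTIVE"
        and (traffic_type is None or fl.get("TrafficType") == traffic_type)
    }


def vpcs_missing_flow_logs(vpcs_by_region: dict, flow_logs_by_region: dict,
                           traffic_type: str | None = None) -> dict[str, list[str]]:
    """Map region -> sorted VPC IDs lacking an active flow log. An empty dict
    means the Traffic checklist item passes."""
    missing = {}
    for region, vpcs in vpcs_by_region.items():
        covered = covered_vpcs(flow_logs_by_region.get(region, {}), traffic_type)
        gaps = sorted(v["VpcId"] for v in vpcs["Vpcs"] if v["VpcId"] not in covered)
        if gaps:
            missing[region] = gaps
    return missing


if __name__ == "__main__":
    for strict in (None, "ALL"):
        label = "any traffic type" if strict is None else "ALL traffic only"
        print(f"[{label}]")
        for region, ids in vpcs_missing_flow_logs(SAMPLE_VPCS, SAMPLE_FLOW_LOGS, strict).items():
            print(f"  {region}: no active flow log on {', '.join(ids)}")
```

The FAILED flow log in the sample shows why checking for the mere existence of a flow log is not enough: the console lists it, but no records are delivered, so FortiCWP still sees no traffic for that VPC. Run the check across every enabled region, since a VPC in a region you rarely use is the usual cause of a lingering failure on this item.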
