Add AWS Account

Prerequisites

Make sure the AWS account user you use to perform the tasks below is an Administrator User. For instructions on creating an Administrator User for your AWS account, refer to https://docs.aws.amazon.com/mediapackage/latest/ug/setting-up-create-iam-user.html.

Use the Administrator User to create the new AWS Policy and Role, and to configure the CloudTrail setting:

Policy Types

Before adding the AWS account, note that there are 4 types of permissions that can be granted to FortiCWP. Decide whether to grant the optional permissions or only the required ones, according to the needs of your organization.

Basic Permissions (required) - This permission list is mandatory for adding AWS accounts to FortiCWP. It includes permissions related to S3, CloudTrail, CloudFormation, IAM user permissions and EC2.

Integration Permissions (required) - This permission list is required for fetching data for the integration alerts in FortiCWP, such as the AWS GuardDuty and AWS Inspector services.

AutoFix Permissions (optional) - This permission list includes the minimum write permissions on AWS resources such as EC2, S3, IAM, etc.

Notification Permissions (optional) - These permissions are required for FortiCWP to send notifications. They consist of SQS (Simple Queue Service) and SNS (Simple Notification Service).

Copy the permission JSON documents below to create the AWS policies.

Basic Permissions

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "acm:Describe*",
        "acm:List*",
        "appstream:Describe*",
        "autoscaling:Describe*",
        "cloudformation:DescribeStack*",
        "cloudformation:GetTemplate",
        "cloudformation:ListStack*",
        "cloudfront:Get*",
        "cloudfront:List*",
        "cloudsearch:Describe*",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetEventSelectors",
        "cloudtrail:GetTrailStatus",
        "cloudtrail:ListTags",
        "cloudtrail:LookupEvents",
        "cloudwatch:Describe*",
        "codedeploy:Batch*",
        "codedeploy:Get*",
        "codedeploy:List*",
        "config:Deliver*",
        "config:Describe*",
        "config:Get*",
        "datapipeline:DescribeObjects",
        "datapipeline:DescribePipelines",
        "datapipeline:EvaluateExpression",
        "datapipeline:GetPipelineDefinition",
        "datapipeline:ListPipelines",
        "datapipeline:QueryObjects",
        "datapipeline:ValidatePipelineDefinition",
        "dax:BatchGetItem",
        "dax:ConditionCheckItem",
        "dax:DescribeClusters",
        "dax:DescribeDefaultParameters",
        "dax:DescribeEvents",
        "dax:DescribeParameterGroups",
        "dax:DescribeParameters",
        "dax:DescribeSubnetGroups",
        "dax:GetItem",
        "dax:ListTags",
        "dax:Query",
        "dax:Scan",
        "directconnect:Describe*",
        "ds:Describe*",
        "dynamodb:DescribeTable",
        "dynamodb:ListTables",
        "ec2:Describe*",
        "ec2:GetTransitGatewayAttachmentPropagations",
        "ec2:GetTransitGatewayRouteTableAssociations",
        "ec2:GetTransitGatewayRouteTablePropagations",
        "ec2:SearchTransitGatewayRoutes",
        "ecs:Describe*",
        "ecs:List*",
        "eks:DescribeCluster",
        "eks:DescribeUpdate",
        "eks:ListClusters",
        "eks:ListUpdates",
        "elasticache:Describe*",
        "elasticache:List*",
        "elasticbeanstalk:Describe*",
        "elasticfilesystem:Describe*",
        "elasticloadbalancing:Describe*",
        "elasticmapreduce:DescribeCluster",
        "elasticmapreduce:DescribeEditor",
        "elasticmapreduce:DescribeSecurityConfiguration",
        "elasticmapreduce:DescribeStep",
        "elasticmapreduce:List*",
        "es:Describe*",
        "es:List*",
        "glacier:GetVaultAccessPolicy",
        "glacier:ListVaults",
        "iam:GenerateCredentialReport",
        "iam:Get*",
        "iam:List*",
        "iam:SimulateCustomPolicy",
        "iam:SimulatePrincipalPolicy",
        "kms:Describe*",
        "kms:Get*",
        "kms:List*",
        "lambda:GetPolicy",
        "lambda:List*",
        "logs:Describe*",
        "logs:FilterLogEvents",
        "logs:Get*",
        "rds:Describe*",
        "rds:DownloadDBLogFilePortion",
        "rds:ListTagsForResource",
        "redshift:Describe*",
        "route53:GetAccountLimit",
        "route53:GetChange",
        "route53:GetCheckerIpRanges",
        "route53:GetGeoLocation",
        "route53:GetHealthCheck",
        "route53:GetHealthCheckCount",
        "route53:GetHealthCheckLastFailureReason",
        "route53:GetHealthCheckStatus",
        "route53:GetHostedZone",
        "route53:GetHostedZoneCount",
        "route53:GetHostedZoneLimit",
        "route53:GetQueryLoggingConfig",
        "route53:GetReusableDelegationSet",
        "route53:GetReusableDelegationSetLimit",
        "route53:GetTrafficPolicy",
        "route53:GetTrafficPolicyInstance",
        "route53:GetTrafficPolicyInstanceCount",
        "route53:ListGeoLocations",
        "route53:ListHealthChecks",
        "route53:ListHostedZones",
        "route53:ListHostedZonesByName",
        "route53:ListQueryLoggingConfigs",
        "route53:ListResourceRecordSets",
        "route53:ListReusableDelegationSets",
        "route53:ListTagsForResource",
        "route53:ListTagsForResources",
        "route53:ListTrafficPolicies",
        "route53:ListTrafficPolicyInstances",
        "route53:ListTrafficPolicyInstancesByHostedZone",
        "route53:ListTrafficPolicyInstancesByPolicy",
        "route53:ListTrafficPolicyVersions",
        "route53:ListVPCAssociationAuthorizations",
        "route53domains:CheckDomainAvailability",
        "route53domains:GetContactReachabilityStatus",
        "route53domains:GetDomainDetail",
        "route53domains:GetDomainSuggestions",
        "route53domains:GetOperationDetail",
        "route53domains:ListDomains",
        "route53domains:ListOperations",
        "route53domains:ListTagsForDomain",
        "s3:GetAccelerateConfiguration",
        "s3:GetAccountPublicAccessBlock",
        "s3:GetAnalyticsConfiguration",
        "s3:GetBucket*",
        "s3:GetEncryptionConfiguration",
        "s3:GetInventoryConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:GetMetricsConfiguration",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectTagging",
        "s3:GetObjectTorrent",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectVersionForReplication",
        "s3:GetObjectVersionTagging",
        "s3:GetObjectVersionTorrent",
        "s3:GetReplicationConfiguration",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucketVersions",
        "s3:ListMultipartUploadParts",
        "sdb:DomainMetadata",
        "sdb:ListDomains",
        "ses:Get*",
        "ses:List*",
        "tag:GetResources",
        "tag:GetTagKeys",
        "waf:Get*",
        "waf:List*",
        "workspaces:Describe*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```

AutoFix Permissions

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "cloudfront:UpdateDistribution",
        "cloudtrail:StartLogging",
        "cloudtrail:UpdateTrail",
        "ec2:ModifySnapshotAttribute",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "elasticloadbalancing:ModifyLoadBalancerAttributes",
        "iam:UpdateAccountPasswordPolicy",
        "kms:CancelKeyDeletion",
        "kms:EnableKeyRotation",
        "rds:ModifyDBInstance",
        "redshift:ModifyCluster",
        "redshift:ModifyClusterParameterGroup",
        "s3:PutBucketAcl",
        "s3:PutBucketPolicy",
        "s3:PutBucketVersioning",
        "s3:PutObjectAcl",
        "s3:PutObjectVersionAcl"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```

Integration Permissions

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "guardduty:DescribeOrganizationConfiguration",
        "guardduty:DescribePublishingDestination",
        "guardduty:GetDetector",
        "guardduty:GetFilter",
        "guardduty:GetFindings",
        "guardduty:GetFindingsStatistics",
        "guardduty:GetInvitationsCount",
        "guardduty:GetIPSet",
        "guardduty:GetMasterAccount",
        "guardduty:GetMemberDetectors",
        "guardduty:GetMembers",
        "guardduty:GetThreatIntelSet",
        "guardduty:GetUsageStatistics",
        "guardduty:ListDetectors",
        "guardduty:ListFilters",
        "guardduty:ListFindings",
        "guardduty:ListInvitations",
        "guardduty:ListIPSets",
        "guardduty:ListMembers",
        "guardduty:ListOrganizationAdminAccounts",
        "guardduty:ListPublishingDestinations",
        "guardduty:ListTagsForResource",
        "guardduty:ListThreatIntelSets",
        "inspector:DescribeAssessmentRuns",
        "inspector:DescribeAssessmentTargets",
        "inspector:DescribeAssessmentTemplates",
        "inspector:DescribeCrossAccountAccessRole",
        "inspector:DescribeExclusions",
        "inspector:DescribeFindings",
        "inspector:DescribeResourceGroups",
        "inspector:DescribeRulesPackages",
        "inspector:GetAssessmentReport",
        "inspector:GetExclusionsPreview",
        "inspector:GetTelemetryMetadata",
        "inspector:ListAssessmentRunAgents",
        "inspector:ListAssessmentRuns",
        "inspector:ListAssessmentTargets",
        "inspector:ListAssessmentTemplates",
        "inspector:ListEventSubscriptions",
        "inspector:ListExclusions",
        "inspector:ListFindings",
        "inspector:ListRulesPackages",
        "inspector:ListTagsForResource",
        "inspector:PreviewAgents"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```

Notification Permissions

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sns:CheckIfPhoneNumberIsOptedOut",
        "sns:GetEndpointAttributes",
        "sns:GetPlatformApplicationAttributes",
        "sns:GetSMSAttributes",
        "sns:GetSMSSandboxAccountStatus",
        "sns:GetSubscriptionAttributes",
        "sns:GetTopicAttributes",
        "sns:ListEndpointsByPlatformApplication",
        "sns:ListOriginationNumbers",
        "sns:ListPhoneNumbersOptedOut",
        "sns:ListPlatformApplications",
        "sns:ListSMSSandboxPhoneNumbers",
        "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTagsForResource",
        "sns:ListTopics",
        "sqs:ChangeMessageVisibility",
        "sqs:ChangeMessageVisibilityBatch",
        "sqs:CreateQueue",
        "sqs:DeleteMessage",
        "sqs:DeleteMessageBatch",
        "sqs:DeleteQueue",
        "sqs:GetQueueAttributes",
        "sqs:GetQueueUrl",
        "sqs:ListDeadLetterSourceQueues",
        "sqs:ListQueues",
        "sqs:ListQueueTags",
        "sqs:ReceiveMessage",
        "sqs:SendMessage",
        "sqs:SendMessageBatch",
        "sqs:SetQueueAttributes"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```

Policy Creation

Policy creation is the first step in creating the IAM role. Create AWS policies using the permission JSON documents above. The Basic and Integration permissions are required to add the AWS account to FortiCWP; the other permissions are optional.

  1. Go to your AWS console dashboard, search for and click IAM.
  2. Click Policies in the left navigation menu.
  3. Click Create policy and go to the JSON tab.
  4. Replace the existing JSON with one of the permission JSON documents above.
  5. Click Next: Tags, then click Next: Review.
  6. Name the policy "forticwp_basic_permission" or a name of your choice, scroll down and click Create policy.
  7. Repeat the steps above for each type of permission.

Keep the policy names; you will need them for role creation.
For the purpose of each AWS service used in the custom policies, refer to Appendix A - Workload Protection Amazon Policy Usage.
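Before attaching the policies to the role, a reviewer may want to see exactly which entries grant write access rather than read access. The added example below (not FortiCWP's own code) splits a policy document's Allow actions by verb using its own heuristic read-only allowlist; the two policy fragments are constructed subsets of the Basic and AutoFix documents above.

```python
"""Audit an IAM permission policy such as the FortiCWP Basic or AutoFix document.

Added example, not part of the FortiCWP documentation. It parses a policy
document, splits each "service:Action" entry on the colon and reports every
action whose verb is not on a read-only allowlist, so a reviewer can see which
entries grant write access before attaching the policy to the role.
READ_VERBS is this example's own heuristic, not an AWS definition.
"""
import json

# Verb prefixes this example treats as read-only (heuristic allowlist).
READ_VERBS = (
    "Describe", "Get", "List", "Lookup", "Search", "Query", "Scan",
    "BatchGet", "Check", "Simulate", "Validate", "Evaluate", "Preview",
    "Download", "Filter", "ConditionCheck",
)


def is_read_only(action: str) -> bool:
    """True when the verb after ':' starts with a read-only prefix.

    Wildcards are handled conservatively: "ec2:Describe*" is read-only,
    but "codedeploy:Batch*" or "config:Deliver*" may expand to write
    operations and are therefore flagged for review.
    """
    service, _, verb = action.partition(":")
    if not service or not verb or verb == "*":
        return False
    return verb.startswith(READ_VERBS)


def audit_policy(document: str) -> dict:
    """Split the Allow actions of a policy document into read-only and other.

    Returns {"read_only": [...], "needs_review": [...], "wildcard_resource": bool}.
    Deny statements are skipped because they never grant access.
    """
    policy = json.loads(document)
    read_only, needs_review, wildcard = [], [], False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        wildcard = wildcard or "*" in resources
        for action in actions:
            (read_only if is_read_only(action) else needs_review).append(action)
    return {"read_only": sorted(read_only), "needs_review": sorted(needs_review),
            "wildcard_resource": wildcard}


# Constructed subset of the Basic Permissions document for a demo run.
BASIC_SUBSET = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Action": ["ec2:Describe*", "s3:GetObject", "iam:List*",
                              "config:Deliver*", "codedeploy:Batch*",
                              "dax:BatchGetItem", "iam:GenerateCredentialReport"],
                   "Resource": "*", "Effect": "Allow"}],
})

# Constructed subset of the AutoFix document: every action here is a write.
AUTOFIX_SUBSET = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Action": ["s3:PutBucketAcl", "ec2:RevokeSecurityGroupIngress",
                              "iam:UpdateAccountPasswordPolicy"],
                   "Resource": "*", "Effect": "Allow"}],
})

if __name__ == "__main__":
    for name, doc in (("basic", BASIC_SUBSET), ("autofix", AUTOFIX_SUBSET)):
        result = audit_policy(doc)
        print(f"{name}: {len(result['read_only'])} read-only, "
              f"{len(result['needs_review'])} need review: {result['needs_review']}")
```

Run it against the full documents above by passing their text to audit_policy; entries in the Basic list that it flags are the ones to confirm against Appendix A before granting them.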

Role Creation

Before creating an AWS Role, you need to generate an External ID from FortiCWP. The External ID is a unique 32-bit token that meets the AWS security requirement for protecting the AWS Role. Go back to the Add Cloud Account page on FortiCWP to generate an External ID.

Enter your AWS account ID and click Validate. If the AWS account ID is valid, you will be prompted to generate the External ID.

When the External ID Generate box pops up, click Generate to generate the External ID. Click Copy and keep the value; you will need it when creating the AWS Role.

Note: If you generated an External ID a few hours earlier, it is retrieved automatically after you click Validate, without clicking Generate.

If you already have an AWS Role associated with FortiCWP and only need to update the External ID, refer to Update AWS Role External ID.

Follow the steps below to create the AWS Role.

  1. Go to your AWS console dashboard. Click Roles from the menu on the left.
  2. Click Create role.
  3. In Trusted entity type, select AWS account.
  4. In An AWS account, select Another AWS Account, and enter the following Account ID: 854209929931.
     Note: This is the Amazon AWS account that FortiCWP uses to monitor the new role that is being created.
  5. Select the box Require external ID and enter the External ID generated earlier.
     Note: The External ID must be the one generated earlier through FortiCWP using the same AWS account. If the External ID was not generated by FortiCWP, the AWS account cannot be added to FortiCWP.
  6. Make sure the box Require MFA is not selected, then click Next.
  7. In Add permissions, click the search bar and select Type > Customer managed to filter.
  8. Select all the permission policies you created earlier, and click Next.
  9. In Role details, enter a Role name, review the rest of the role details, and click Create role.
  10. Go back to the list of Roles, click the newly created role to open the role summary, and copy the AWS Role ARN.
      Example of an AWS Role ARN: arn:aws:iam::123456123456:role/aws_role_test

Keep the AWS Role ARN; you will need it for AWS authentication during installation.
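The Role Creation steps produce a trust policy that lets account 854209929931 assume the role only when it presents the External ID; requiring sts:ExternalId on the AssumeRole action is the AWS mitigation for the confused-deputy problem, where a role trusted by a vendor account could otherwise be assumed on behalf of a different customer of that vendor. The added example below (not FortiCWP's own code) builds that document and checks an existing trust policy for the same requirements; the sample External ID is constructed.

```python
"""Build and check the cross-account trust policy produced by the Role Creation steps.

Added example, not FortiCWP code. The trusted account ID is the one given in
the steps; SAMPLE_EXTERNAL_ID is a constructed placeholder, not a real value.
"""
import json

FORTICWP_ACCOUNT_ID = "854209929931"  # trusted account from the Role Creation steps
SAMPLE_EXTERNAL_ID = "constructed-external-id-0123456789abcdef"  # constructed


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy the console generates for 'Another AWS account' with
    'Require external ID' checked and 'Require MFA' left unchecked."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy: dict, trusted_account_id: str, external_id: str) -> list:
    """Return findings for a role's trust policy; an empty list means it matches
    the Role Creation steps (trusted principal, matching External ID, no MFA)."""
    findings = []
    expected_arn = f"arn:aws:iam::{trusted_account_id}:root"
    seen_assume_role = False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        seen_assume_role = True
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws_principals:
            findings.append("wildcard principal: any AWS account could assume the role")
        elif expected_arn not in aws_principals and trusted_account_id not in aws_principals:
            findings.append(f"principal does not trust {expected_arn}")
        condition = stmt.get("Condition", {})
        ext = condition.get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("no sts:ExternalId condition (confused-deputy risk)")
        elif external_id not in _as_list(ext):
            findings.append("sts:ExternalId does not match the value FortiCWP generated")
        if condition.get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true":
            findings.append("Require MFA is set; the steps say it must not be selected")
    if not seen_assume_role:
        findings.append("no Allow statement for sts:AssumeRole")
    return findings


# Constructed trust policy with the External ID condition left out.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": f"arn:aws:iam::{FORTICWP_ACCOUNT_ID}:root"},
                   "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    good = build_trust_policy(FORTICWP_ACCOUNT_ID, SAMPLE_EXTERNAL_ID)
    print(json.dumps(good, indent=2))
    print("good:", check_trust_policy(good, FORTICWP_ACCOUNT_ID, SAMPLE_EXTERNAL_ID))
    print("weak:", check_trust_policy(WEAK_TRUST_POLICY, FORTICWP_ACCOUNT_ID, SAMPLE_EXTERNAL_ID))
```

To check a live role, pass the AssumeRolePolicyDocument returned by IAM's GetRole call to check_trust_policy together with the External ID shown in FortiCWP.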

Activate Security Token Service (STS)

FortiCWP uses the regional Security Token Service (STS) endpoints to reduce latency and provide a smoother user experience.

Follow these steps to turn on Security Token Service (STS) in the AWS console.

  1. From your AWS console dashboard, go to Identity and Access Management (IAM).
  2. Click Account settings in the left navigation panel, and click to expand Security Token Service (STS).
  3. Based on your location, activate EU (Ireland) if you are located in the European Union; otherwise, activate US West (Oregon).

Configure CloudTrail Setting

  1. From the AWS console dashboard, search for and go to CloudTrail.
  2. Click Trails in the left navigation pane, and click Create trail.
  3. On the General details page, enter a Trail name of your preference and keep the default selection, Create a new S3 bucket.
  4. Uncheck the options Log file SSE-KMS encryption and Log file validation.
  5. Scroll down and click Next to continue to the Choose log events page.
  6. In Events > Event type, select both Management events and Data events.
  7. In Management events > API activity, keep Read and Write selected, then click Next.
  8. Review the trail settings, make sure the trail is configured as a multi-region trail, scroll down and click Create trail.

You have finished all the preliminary steps to add your AWS account. Now go back to FortiCWP and click Next.
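Once the trail exists, the added check below (not FortiCWP code) verifies it against the settings in the steps above: multi-region, logging, management events for both Read and Write, and data events. It takes the dicts returned by CloudTrail's DescribeTrails, GetTrailStatus and GetEventSelectors APIs and handles both classic and advanced event selectors; the sample responses and the trail and bucket names are constructed placeholders.

```python
"""Check a CloudTrail trail against the Configure CloudTrail Setting steps.

Added example, not FortiCWP code. Inputs use the response shapes of the
DescribeTrails (one entry of trailList), GetTrailStatus and GetEventSelectors
APIs; the sample data below is constructed.
"""


def _advanced_ok(selectors: list) -> tuple:
    """Evaluate AdvancedEventSelectors (what the current console wizard writes).
    Returns (management_read_and_write, data_events_present)."""
    mgmt_rw, data = False, False
    for sel in selectors:
        fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
        category = fields.get("eventCategory", {}).get("Equals", [])
        # Without a readOnly field selector both Read and Write events are logged.
        if "Management" in category and "readOnly" not in fields:
            mgmt_rw = True
        if "Data" in category:
            data = True
    return mgmt_rw, data


def _basic_ok(selectors: list) -> tuple:
    """Evaluate classic EventSelectors with the same return shape."""
    mgmt_rw, data = False, False
    for sel in selectors:
        if sel.get("IncludeManagementEvents") and sel.get("ReadWriteType") == "All":
            mgmt_rw = True
        if sel.get("DataResources"):
            data = True
    return mgmt_rw, data


def check_trail(trail: dict, status: dict, selectors: dict) -> list:
    """Return findings for one trail; an empty list means it matches the steps."""
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail is not multi-region")
    if not status.get("IsLogging"):
        findings.append("trail is not logging")
    if selectors.get("AdvancedEventSelectors"):
        mgmt_rw, data = _advanced_ok(selectors["AdvancedEventSelectors"])
    else:
        mgmt_rw, data = _basic_ok(selectors.get("EventSelectors", []))
    if not mgmt_rw:
        findings.append("management events are not logged for both Read and Write")
    if not data:
        findings.append("data events are not enabled")
    return findings


# Constructed responses for a trail created as the steps describe.
GOOD_TRAIL = {"Name": "forticwp-trail", "IsMultiRegionTrail": True,
              "S3BucketName": "example-forticwp-trail-bucket"}
GOOD_STATUS = {"IsLogging": True}
GOOD_SELECTORS = {"AdvancedEventSelectors": [
    {"Name": "Management events selector",
     "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Management"]}]},
    {"Name": "S3 data events",
     "FieldSelectors": [{"Field": "eventCategory", "Equals": ["Data"]},
                        {"Field": "resources.type", "Equals": ["AWS::S3::Object"]}]},
]}

# Constructed responses for a single-region trail logging only read management events.
WEAK_TRAIL = {"Name": "legacy-trail", "IsMultiRegionTrail": False}
WEAK_STATUS = {"IsLogging": True}
WEAK_SELECTORS = {"EventSelectors": [
    {"ReadWriteType": "ReadOnly", "IncludeManagementEvents": True, "DataResources": []}]}

if __name__ == "__main__":
    print("good:", check_trail(GOOD_TRAIL, GOOD_STATUS, GOOD_SELECTORS))
    print("weak:", check_trail(WEAK_TRAIL, WEAK_STATUS, WEAK_SELECTORS))
```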
