
AWS Administration Guide

SDN connector support for AWS STS


This enhancement enables the AWS SDN connector to use the AWS security token service (STS) API to connect to multiple AWS accounts concurrently. This allows a single AWS SDN connector to retrieve dynamic objects from multiple accounts, instead of needing to create an SDN connector for each account. This is especially useful for large organizations who may have hundreds of AWS accounts and require seamless integration.

For FortiOS 7.2.1 and later versions, the SDN connector supports using an external ID, which allows the target account owner to permit the source account to assume the role only under specific circumstances. This enhances security. See How to use an external ID when granting access to your AWS resources to a third party for more details.

The example demonstrates a source account, the AWS account that FortiOS is connected to, accessing a target account. The target account must explicitly allow an external ID string in its role definition. The role definition has a trust policy that allows the source account on the condition that it connects with the specified external ID. You can configure these definitions on the target account in AWS.

This example uses two AWS accounts:

  • Target account: 601xxxxxx685
  • Source account: 269xxxxxx203

To configure SDN connector support for AWS STS:
  1. Log in to the AWS console using the target account.
  2. Create an Identity and Access Management (IAM) role on the target account:
    1. Go to IAM > Roles > Create role > Another AWS account.
    2. In the Account ID field, enter the source account. In this example, the source account is 269xxxxxx203.
    3. Enable Require external ID (Best practice when a third party will assume this role).
    4. In the External ID field, enter the desired external ID. In this example, the external ID is external-id-demo-123456.
    5. Click Next.
    6. Continue with the configuration until the Review step. In the Role name field, enter the desired role name. In this example, the role name is CrossAccountSTS.
  3. Create an inline policy on the target account:
    1. Go to IAM > Roles.
    2. Select the role that you created.
    3. Click Add inline policy > JSON.
    4. Paste the following into the text box:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "ec2:DescribeInstances",
              "ec2:DescribeRegions",
              "ec2:DescribeNetworkInterfaces",
              "ec2:DescribeVpcEndpoints"
            ],
            "Resource": "*"
          }
        ]
      }

    5. Continue to create the policy. Name the policy as desired. In this example, the policy name is CrossAccountPolicy.
      Note: You can also create a standalone policy in IAM > Policies and attach the policy to the IAM role, instead of adding an inline policy as this procedure describes.

  4. Log in to the AWS console using the source account.
  5. Create an IAM role on the source account:
    1. Go to IAM > Roles > Create role > AWS service > EC2.
    2. Under Permissions, configure the desired permissions. In this example, this role is configured with AmazonEC2FullAccess.
    3. Click Next.
    4. Continue with the configuration until the Review step. In the Role name field, enter the desired role name.
  6. Create an inline policy on the source account:
    1. Go to IAM > Roles.
    2. Select the role that you created.
    3. Click Add inline policy > JSON.
    4. Paste the following into the text box:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "sts:AssumeRole"
            ],
            "Resource": [
              "arn:aws:iam::601xxxxxx685:role/CrossAccountSTS"
            ]
          }
        ]
      }

    5. Continue to create the policy. Name the policy as desired. The resource should be the Amazon resource name (ARN) of the IAM role that you created in the target account. You can find the ARN by logging in to the AWS portal under the target account and going to the IAM web portal.
      Note: You can also create a standalone policy in IAM > Policies and attach the policy to the IAM role, instead of adding an inline policy as this procedure describes.

  7. Launch a FortiGate-VM under the source account.
  8. Assign the IAM role that you created in step 5 to the FortiGate-VM.
  9. Configure FortiOS:
    1. Configure the AWS SDN connector to be able to access the target account:

      config system sdn-connector
          edit "aws1"
              config external-account-list
                  edit "arn:aws:iam::601xxxxxx685:role/cross-account-with-external-id-demo"
                      set external-id "external-id-demo-123456"
                      set region-list "us-east-1"
                  next
              end
          next
      end

      Note: The use-metadata-iam, access-key, and secret-key properties are only used for STS credential setup when external-account-list is enabled.

      To retrieve an IP address in the source AWS account, you must also add the source account to the external-account-list property.

    2. Configure a dynamic address. This address checks whether the FortiGate-VM can retrieve the instance address in the target account:

      config firewall address
          edit "sdn1"
              set type dynamic
              set sdn "aws1"
              set filter "InstanceId=i-02c5141c75e6aed4f"
          next
      end

    3. Confirm that the FortiGate-VM can retrieve the dynamic IP address from the target account:

      show firewall address sdn1
      config firewall address
          edit "sdn1"
              set type dynamic
              set sdn "aws1"
              set filter "InstanceId=i-02c5141c75e6aed4f"
              set sdn-addr-type all
              config list
                  edit "172.31.24.149"
                  next
                  edit "54.172.135.95"
                  next
              end
          next
      end
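The procedure above configures two policies that must both allow the cross-account call: the source-account inline policy from step 6 (identity-based) and the target-account role's trust policy from step 2 (resource-based, with the external ID condition). The following Python is an added example, not code from the Fortinet guide or from FortiOS; it models that two-sided STS evaluation with the page's account IDs, role name and external ID. The trust policy document, the FortiGateRole name and the simplified evaluator are assumptions (the page describes the trust policy but does not print it), and the external_id argument corresponds to the value FortiOS presents through set external-id in step 9.

```python
# Placeholder account IDs, role name and external ID exactly as given in the procedure.
TARGET_ACCOUNT = "601xxxxxx685"
SOURCE_ACCOUNT = "269xxxxxx203"
TARGET_ROLE_ARN = f"arn:aws:iam::{TARGET_ACCOUNT}:role/CrossAccountSTS"
EXTERNAL_ID = "external-id-demo-123456"

# Trust policy generated in step 2 with "Require external ID" enabled (assumed shape;
# the page describes this policy but does not print it).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{SOURCE_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}

# Inline policy from step 6, attached to the FortiGate-VM's source-account role.
SOURCE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": [TARGET_ROLE_ARN]}]}

_as_list = lambda v: v if isinstance(v, list) else [v]  # IAM allows string or list

def account_of(arn):
    # Account ID is the fifth colon-separated field of an IAM or STS ARN.
    return arn.split(":")[4]

def source_allows(policy, role_arn):
    """Identity-based check: may the caller's role call sts:AssumeRole on role_arn?"""
    return any(s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s["Action"])
               and any(r in ("*", role_arn) for r in _as_list(s["Resource"]))
               for s in policy["Statement"])

def trust_allows(trust_policy, caller_arn, external_id):
    """Resource-based check on the target role: the caller's account must be a trusted
    Principal, and any sts:ExternalId condition must equal the value presented."""
    for s in trust_policy["Statement"]:
        if s.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(s["Action"]):
            continue
        trusted = {account_of(p) for p in _as_list(s["Principal"].get("AWS", []))}
        required = s.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if account_of(caller_arn) in trusted and (required is None or external_id == required):
            return True  # a wrong or missing external ID never reaches here
    return False

def can_assume(caller_arn, external_id):
    """Both policies must allow, as STS requires for a cross-account AssumeRole."""
    return (source_allows(SOURCE_POLICY, TARGET_ROLE_ARN)
            and trust_allows(TRUST_POLICY, caller_arn, external_id))
```

A caller from the trusted source account that presents a different external ID, or none, is refused even though the source policy allows the call, which is the behaviour the external ID requirement in step 2 adds.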
