New Features

AWS STS in AWS SDN connector 7.0.4

This enhancement enables the AWS SDN connector to use the AWS Security Token Service (STS) API to connect to multiple AWS accounts concurrently. A single AWS SDN connector can then retrieve dynamic objects from multiple accounts, instead of needing one SDN connector per account. This is especially useful for large organizations that may have hundreds of AWS accounts and require seamless integration.

This example uses two AWS accounts:

  • Target account: 926xxxxxx167
  • Source account: 269xxxxxx203

The example demonstrates that a FortiGate-VM in the source account can retrieve dynamic objects from the target account.

To configure SDN connector support for AWS STS:
  1. Log in to the AWS console using the target account.
  2. Create an IAM role on the target account:
    1. Go to IAM > Roles > Create role > Another AWS account.
    2. In the Account ID field, enter the source account. In this example, the source account is 269xxxxxx203. This option creates a trust policy whose principal is the source account itself, so any principal in that account that holds sts:AssumeRole permission can assume the role; to restrict the trust to the FortiGate's instance role only, edit the role's trust relationship after creation and replace the account principal with that role's ARN.
    3. Click Next.
    4. Continue with the configuration until the Review step. In the Role name field, enter the desired role name. In this example, the role name is CrossAccountSTS.
  3. Create an inline policy on the target account:
    1. Go to IAM > Roles.
    2. Select the role that you created.
    3. Click Add inline policy > JSON.
    4. Paste the following in to the text box:

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "ec2:DescribeInstances",
                      "ec2:DescribeRegions"
                  ],
                  "Resource": "*"
              }
          ]
      }

    5. Continue to create the policy. Name the policy as desired. In this example, the policy name is CrossAccountPolicy.
      Note

      You can also create a standalone policy in IAM > Policies, and attach the policy to the IAM role, instead of adding an inline policy as this procedure describes.

  4. Log in to the AWS console using the source account.
  5. Create an IAM role on the source account:
    1. Go to IAM > Roles > Create role > AWS service > EC2.
    2. Under Permissions, configure the desired permissions. In this example, this role is configured with the AmazonEC2FullAccess managed policy, which is far broader than the procedure uses: once external-account-list is configured, the instance-role credentials serve only to call sts:AssumeRole (see the note in step 9), so a least-privilege deployment relies on the inline policy from step 6 and skips the managed policy.
    3. Click Next.
    4. Continue with the configuration until the Review step. In the Role name field, enter the desired role name.
  6. Create an inline policy on the source account:
    1. Go to IAM > Roles.
    2. Select the role that you created.
    3. Click Add inline policy > JSON.
    4. Paste the following in to the text box:

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "sts:AssumeRole"
                  ],
                  "Resource": [
                      "arn:aws:iam::926xxxxxx167:role/CrossAccountSTS"
                  ]
              }
          ]
      }

    5. Continue to create the policy. Name the policy as desired. The resource must be the Amazon Resource Name (ARN) of the IAM role that you created in the target account, and nothing broader: a wildcard here would let the FortiGate assume any role that trusts the source account. You can copy the ARN from the role's summary page in the IAM console of the target account.
      Note

      You can also create a standalone policy in IAM > Policies, and attach the policy to the IAM role, instead of adding an inline policy as this procedure describes.

  7. Launch a FortiGate-VM under the source account.
  8. Attach the IAM role that you created in step 5 to the FortiGate-VM instance as its instance profile, so that the FortiGate can obtain the role's credentials from the instance metadata service.
  9. Configure FortiOS:
    1. Configure an AWS SDN connector that authenticates with the instance role from step 8 and lists the target role ARN and the regions to query:

      config system sdn-connector
          edit "aws1"
              set type aws
              set use-metadata-iam enable
              config external-account-list
                  edit "arn:aws:iam::926xxxxxx167:role/CrossAccountSTS"
                      set region-list "us-west-1" "us-west-2"
                  next
              end
          next
      end

      Note

      When external-account-list is configured, the connector's own credentials (use-metadata-iam, or access-key and secret-key) are used only to obtain STS credentials for the listed roles; the dynamic objects themselves are retrieved with the temporary credentials of each assumed role.

      To retrieve addresses from the source AWS account as well, you must also add a role in the source account to external-account-list; accounts that are not listed there are not queried.

    2. Configure a dynamic address that matches every instance the connector can see. It is used to check whether the FortiGate-VM can retrieve instance addresses from the target account:

      config firewall address
          edit "sdnaddr1"
              set type dynamic
              set sdn "aws1"
              set filter "InstanceId=*"
          next
      end

    3. Confirm that the FortiGate-VM retrieved the instance addresses from the target account. The config list block shows the private IP addresses resolved through the assumed role:

      show firewall address sdnaddr1
      config firewall address
          edit "sdnaddr1"
              set uuid 40894c0a-4999-51ec-ddf5-a0e59c4cae20
              set type dynamic
              set sdn "aws1"
              set filter "InstanceId=*"
              config list
                  edit "172.31.11.68"
                  next
                  edit "172.31.14.205"
                  next
              end
          next
      end

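Added example (not Fortinet's code and not part of the original page): a Python script that builds the IAM policy documents the procedure above creates through the console, checks them for the two broad settings that are easiest to leave behind (a trust policy that admits the whole source account, and an sts:AssumeRole grant with a wildcard resource), and reproduces the connector's STS chain as a pre-flight check. Account IDs, the CrossAccountSTS role name and the region list are the page's placeholders; SOURCE_ROLE_NAME, the simplified filter matcher and the sample DescribeInstances output are assumptions constructed for the example. preflight() needs boto3 and real credentials for the source account's instance role; everything else runs offline.

```python
"""Build the IAM policies for the cross-account SDN connector and pre-flight
the STS chain. Not Fortinet code; placeholders are the page's account IDs."""
import fnmatch
import json

TARGET_ACCOUNT = "926xxxxxx167"
SOURCE_ACCOUNT = "269xxxxxx203"
TARGET_ROLE_NAME = "CrossAccountSTS"
SOURCE_ROLE_NAME = "FortiGateSDN"  # assumed name for the instance role of step 5
TARGET_ROLE_ARN = f"arn:aws:iam::{TARGET_ACCOUNT}:role/{TARGET_ROLE_NAME}"
SOURCE_ROLE_ARN = f"arn:aws:iam::{SOURCE_ACCOUNT}:role/{SOURCE_ROLE_NAME}"
REGION_LIST = ["us-west-1", "us-west-2"]

def trust_policy(source_role_arn):
    """Trust policy for the target role (step 2). The console's 'Another AWS account'
    option trusts arn:aws:iam::<source>:root (any principal there with sts:AssumeRole)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": source_role_arn},
        "Action": "sts:AssumeRole"}]}

def source_assume_policy(target_role_arn):
    """Inline policy on the instance role (step 6): may assume only that one role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": ["sts:AssumeRole"],
        "Resource": [target_role_arn]}]}

def check_least_privilege(trust, assume):
    """Flag an account-wide (or anonymous) trust principal and a wildcard AssumeRole resource."""
    findings = []
    for stmt in trust["Statement"]:
        principal = stmt.get("Principal", {}).get("AWS", [])
        for p in ([principal] if isinstance(principal, str) else principal):
            if p == "*" or p.endswith(":root"):
                findings.append(f"trust policy admits whole account or anyone: {p}")
    for stmt in assume["Statement"]:
        if "sts:AssumeRole" in stmt.get("Action", []):
            res = stmt.get("Resource", [])
            for r in ([res] if isinstance(res, str) else res):
                if "*" in r:
                    findings.append(f"sts:AssumeRole resource is a wildcard: {r}")
    return findings

def instance_matches(instance, flt):
    """Assumed approximation (not FortiOS's own matcher) of the connector's Key=Value
    filter with '*' wildcards, for the keys InstanceId, VpcId and Tag.<key>."""
    key, _, pattern = flt.partition("=")
    if key.startswith("Tag."):
        tags = {t["Key"]: t["Value"] for t in instance.get("Tags", [])}
        value = tags.get(key[4:], "")
    else:
        value = instance.get(key, "")
    return fnmatch.fnmatchcase(str(value), pattern)

def collect_addresses(describe_pages, flt="InstanceId=*"):
    """Private IPs of running instances matching the filter, i.e. what sdnaddr1 should hold."""
    addrs = set()
    for page in describe_pages:
        for reservation in page.get("Reservations", []):
            for inst in reservation.get("Instances", []):
                if inst.get("State", {}).get("Name") != "running":
                    continue  # skipping stopped instances is this example's choice, not a documented connector rule
                if instance_matches(inst, flt) and inst.get("PrivateIpAddress"):
                    addrs.add(inst["PrivateIpAddress"])
    return sorted(addrs)

def preflight(target_role_arn, regions, flt="InstanceId=*"):
    """What the connector does: AssumeRole with the instance-role credentials, then
    DescribeInstances per region with the temporary credentials. Needs boto3 and AWS access."""
    import boto3  # local import keeps the offline helpers usable without boto3
    creds = boto3.client("sts").assume_role(
        RoleArn=target_role_arn, RoleSessionName="sdn-preflight")["Credentials"]
    pages = []
    for region in regions:
        ec2 = boto3.client("ec2", region_name=region,
                           aws_access_key_id=creds["AccessKeyId"],
                           aws_secret_access_key=creds["SecretAccessKey"],
                           aws_session_token=creds["SessionToken"])
        pages.extend(ec2.get_paginator("describe_instances").paginate())
    return collect_addresses(pages, flt)

# Constructed DescribeInstances output (not captured from AWS), mirroring the
# two addresses in the page's 'show firewall address sdnaddr1' output.
SAMPLE_PAGES = [{"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "PrivateIpAddress": "172.31.11.68", "VpcId": "vpc-1",
     "State": {"Name": "running"}, "Tags": [{"Key": "Name", "Value": "web-1"}]},
    {"InstanceId": "i-0bbb", "PrivateIpAddress": "172.31.14.205", "VpcId": "vpc-1",
     "State": {"Name": "running"}, "Tags": [{"Key": "Name", "Value": "db-1"}]},
    {"InstanceId": "i-0ccc", "PrivateIpAddress": "172.31.9.9", "VpcId": "vpc-1",
     "State": {"Name": "stopped"}, "Tags": []},
]}]}]

if __name__ == "__main__":
    print(json.dumps(trust_policy(SOURCE_ROLE_ARN), indent=2))
    console_default = trust_policy(f"arn:aws:iam::{SOURCE_ACCOUNT}:root")
    print(check_least_privilege(console_default, source_assume_policy(TARGET_ROLE_ARN)))
    print(collect_addresses(SAMPLE_PAGES))  # ['172.31.11.68', '172.31.14.205']
```

Run preflight() with the instance role's credentials (for example from an EC2 instance in the source account that carries the same role) before touching FortiOS: if it returns the same addresses the FortiGate later shows under config list, the IAM side is correct and any remaining problem lies in the connector configuration. One caveat on the narrowed trust policy: AWS stores a role principal by its unique ID, so if the source role is deleted and recreated under the same name, the trust policy silently stops matching and has to be re-saved with the new role.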