External ID support in STS for AWS SDN connector 7.2.1

This enhancement builds on the AWS SDN connector, which can use the AWS security token service (STS) to connect to multiple AWS accounts concurrently. To enhance security, the SDN connector now supports using an external ID, which allows the target account owner to permit the source account to assume the role only when the AssumeRole request presents the expected external ID.

See How to use an external ID when granting access to your AWS resources to a third party for details.

The example demonstrates a source account (the AWS account that FortiOS is connected to) accessing a target account. The target account must explicitly allow an external ID string in its role definition: the role's trust policy allows the source account on the condition that it connects with the specified external ID. You configure these definitions on the target account in AWS.

This example uses two AWS accounts:

  • Target account: 601xxxxxx685
  • Source account: 269xxxxxx203

The example demonstrates that a FortiGate-VM in the source account can retrieve dynamic objects from the target account if it has the specified external ID.

To configure SDN connector support for AWS STS with an external ID:
  1. Log in to the AWS console using the target account.
  2. Create an IAM role on the target account:
    1. Go to IAM > Roles > Create role > AWS account.
    2. Select Another AWS account.
    3. In the Account ID field, enter the source account. In this example, the source account is 269xxxxxx203.
    4. Enable Require external ID (Best practice when a third party will assume this role).
    5. In the External ID field, enter the desired external ID. In this example, the external ID is external-id-demo-123456.
    6. Click Next.
    7. Continue with the configuration until the Review step. In the Role name field, enter the desired role name. In this example, the role name is cross-account-with-external-id-demo.
  3. Create an inline policy on the target account:
    1. Go to IAM > Roles.
    2. Select the role that you created.
    3. Click Add inline policy > JSON.
    4. Paste the following into the text box:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "ec2:DescribeInstances",
              "ec2:DescribeRegions"
            ],
            "Resource": "*"
          }
        ]
      }

    5. Continue to create the policy. Name the policy as desired. In this example, the policy name is CrossAccountPolicy.
      Note

      You can also create a standalone policy in IAM > Policies, and attach the policy to the IAM role, instead of adding an inline policy as this procedure describes.

  4. Log in to the AWS console using the source account.
  5. Create an IAM role on the source account:
    1. Go to IAM > Roles > Create role > AWS service > EC2.
    2. Under Permissions, configure the desired permissions. In this example, this role is configured with AmazonEC2FullAccess.
    3. Click Next.
    4. Continue with the configuration until the Review step. In the Role name field, enter the desired role name.
  6. Create an inline policy on the source account:
    1. Go to IAM > Roles.
    2. Select the role that you created.
    3. Click Add inline policy > JSON.
    4. Paste the following into the text box:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "sts:AssumeRole"
            ],
            "Resource": [
              "arn:aws:iam::601xxxxxx685:role/cross-account-with-external-id-demo"
            ]
          }
        ]
      }

    5. Continue to create the policy. Name the policy as desired. The resource must be the Amazon resource name (ARN) of the IAM role that you created in the target account. You can find the ARN by logging in to the AWS console under the target account and opening the role in IAM.
      Note

      You can also create a standalone policy in IAM > Policies, and attach the policy to the IAM role, instead of adding an inline policy as this procedure describes.

  7. Launch a FortiGate-VM under the source account.
  8. Assign the IAM role that you created in step 5 to the FortiGate-VM.
  9. Configure FortiOS:
    1. Configure the AWS SDN connector to be able to access the target account:

      config system sdn-connector
          edit "aws1"
              config external-account-list
                  edit "arn:aws:iam::601xxxxxx685:role/cross-account-with-external-id-demo"
                      set external-id "external-id-demo-123456"
                      set region-list "us-east-1"
                  next
              end
          next
      end

    2. Configure a dynamic address. This address checks whether the FortiGate-VM can retrieve the instance address in the target account:

      config firewall address
          edit "sdn1"
              set type dynamic
              set sdn "aws1"
              set filter "InstanceId=i-02c5141c75e6aed4f"
          next
      end

    3. Confirm that the FortiGate-VM can retrieve the dynamic IP address from the target account:

      show firewall address sdn1
      config firewall address
          edit "sdn1"
              set type dynamic
              set sdn "aws1"
              set filter "InstanceId=i-02c5141c75e6aed4f"
              set sdn-addr-type all
              config list
                  edit "172.31.24.149"
                  next
                  edit "54.172.135.95"
                  next
              end
          next
      end
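The trust relationship and the address lookup that the procedure above sets up, as an added Python example that is not Fortinet or AWS code: it builds the trust policy that step 2 places on the target role, evaluates AssumeRole requests against it so the effect of the external ID can be seen offline, and resolves the page's InstanceId filter against a constructed DescribeInstances-style record. The account IDs, role name, external ID and instance addresses are the page's example values; the functions `trust_policy`, `assume_role_allowed` and `resolve_dynamic_address`, the simplified IAM evaluation they perform, and the second sample instance are assumptions made here.

```python
"""Offline model of the cross-account trust this procedure configures.

Added example, not Fortinet or AWS code. Account IDs, role name and external
ID are the page's (masked) example values; the instance records are
constructed so that the first one yields the two addresses the page's
`show firewall address sdn1` output lists.
"""
import json
from typing import List, Optional

TARGET_ACCOUNT = "601xxxxxx685"                     # page's masked target account
SOURCE_ACCOUNT = "269xxxxxx203"                     # page's masked source account
ROLE_NAME = "cross-account-with-external-id-demo"   # role created in step 2
EXTERNAL_ID = "external-id-demo-123456"             # external ID from step 2


def trust_policy(source_account: str, external_id: str) -> dict:
    """Trust policy the console attaches to the target role in step 2.

    Enabling "Require external ID" adds the StringEquals condition on
    sts:ExternalId, so the source account can assume the role only when its
    AssumeRole call carries that exact value. This is what stops a third
    party that happens to know the role ARN from assuming it on the source
    account's behalf (the confused-deputy case the page's link describes).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{source_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def assume_role_allowed(policy: dict, caller_account: str,
                        external_id: Optional[str]) -> bool:
    """Evaluate an AssumeRole request against a trust policy of the shape above.

    Only the subset of IAM semantics the page relies on is modelled: an Allow
    statement for sts:AssumeRole whose Principal is an account root ARN and
    whose StringEquals condition keys (if any) must all match the request.
    On the FortiGate side the real request is the STS AssumeRole call with
    RoleArn and ExternalId set from the sdn-connector configuration.
    """
    caller_arn = f"arn:aws:iam::{caller_account}:root"
    request_keys = {"sts:ExternalId": external_id}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" not in actions:
            continue
        principals = stmt.get("Principal", {}).get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        if caller_arn not in principals:
            continue
        expected = stmt.get("Condition", {}).get("StringEquals", {})
        # StringEquals is never satisfied by a request that omits the key.
        if all(request_keys.get(k) is not None and request_keys[k] == v
               for k, v in expected.items()):
            return True
    return False


# Constructed DescribeInstances-style records (what ec2:DescribeInstances in
# the target account's inline policy lets the connector read). The first
# instance carries the addresses shown in the page's `show` output; the
# second is a made-up instance with no public address.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-02c5141c75e6aed4f",
     "PrivateIpAddress": "172.31.24.149", "PublicIpAddress": "54.172.135.95"},
    {"InstanceId": "i-0000000000000000a", "PrivateIpAddress": "172.31.10.7"},
]


def resolve_dynamic_address(instances: List[dict], filter_expr: str) -> List[str]:
    """Resolve a FortiOS-style 'Key=Value' filter to the address list the
    dynamic firewall address holds (sdn-addr-type all: private then public)."""
    key, _, value = filter_expr.partition("=")
    addresses = []
    for inst in instances:
        if inst.get(key) != value:
            continue
        for field in ("PrivateIpAddress", "PublicIpAddress"):
            if inst.get(field):
                addresses.append(inst[field])
    return addresses


if __name__ == "__main__":
    policy = trust_policy(SOURCE_ACCOUNT, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    for account, ext_id in [(SOURCE_ACCOUNT, EXTERNAL_ID), (SOURCE_ACCOUNT, "guess"),
                            (SOURCE_ACCOUNT, None), ("111111111111", EXTERNAL_ID)]:
        print(account, ext_id, "->", "ALLOW" if assume_role_allowed(policy, account, ext_id) else "DENY")
    print(resolve_dynamic_address(SAMPLE_INSTANCES, "InstanceId=i-02c5141c75e6aed4f"))
```

Run as a script, the four evaluations show that only the page's source account presenting the page's external ID is allowed; the same account with a wrong or missing external ID, and any other account, are denied. The final lookup returns the two addresses that appear under `config list` in the page's `show firewall address sdn1` output.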
