Fortinet black logo

Version:

Version:


Table of Contents

New Features

Download PDF
Copy Link

External ID support in STS for AWS SDN connector 7.2.1

This enhancement builds on the AWS SDN connector, which can use the AWS security token service (STS) to connect to multiple AWS accounts concurrently. To enhance security, the SDN connector now supports using external ID, which allows the target account owner to permit the source account to assume the role only under specific circumstances.

See How to use an external ID when granting access to your AWS resources to a third party for details.

The example demonstrates a source account, the AWS account that FortiOS is connected to, accessing a target account. The target account must explicitly allow an external ID string in its role definition. The role definition has a trust policy that allows the source account on the condition that it connects with the specified external ID. You can configure these definitions on the target account in AWS.

This example uses two AWS accounts:

  • Target account: 601xxxxxx685
  • Source account: 269xxxxxx203

The example demonstrates that a FortiGate-VM in the source account can retrieve dynamic objects from the target account if it has the specified external ID.

To configure SDN connector support for AWS STS with an external ID:
  1. Log in to the AWS console using the target account.
  2. Create an IAM role on the target account:
    1. Go to IAM > Roles > Create role > AWS account.
    2. Select Another AWS account.
    3. In the Account ID field, enter the source account. In this example, the source account is 269xxxxxx203.
    4. Enable Require external ID (Best practice when a third party will assume this role).
    5. In the External ID field, enter the desired external ID. In this example, the external ID is external-id-demo-123456.

    6. Click Next.
    7. Continue with the configuration until the Review step. In the Role name field, enter the desired role name. In this example, the role name is cross-account-with-external-id-demo.
  3. Create an inline policy on the target account:
    1. Go to IAM > Roles.
    2. Select the role that you created.
    3. Click Add inline policy > JSON.
    4. Paste the following in to the text box:

      { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeInstances", "ec2:DescribeRegions" ], "Resource": "*" } ] }

    5. Continue to create the policy. Name the policy as desired. In this example, the policy name is CrossAccountPolicy.
      Note

      You can also create a standalone policy in IAM > Policies, and attach the policy to the IAM role, instead of adding an inline policy as this procedure describes.

  4. Log in to the AWS console using the source account.
  5. Create an IAM role on the source account:
    1. Go to IAM > Roles > Create role > AWS service > EC2..
    2. Under Permissions, configure the desired permissions. In this example, this role is configured with AmazonEC2FullAccess.
    3. Click Next.
    4. Continue with the configuration until the Review step. In the Role name field, enter the desired role name.
  6. Create an inline policy on the source account:
    1. Go to IAM > Roles.
    2. Select the role that you created.
    3. Click Add inline policy > JSON.
    4. Paste the following in to the text box:

      { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sts:AssumeRole" ], "Resource": [ "arn:aws:iam::601xxxxxx685:role/cross-account-with-external-id-demo" ] } ] }

    5. Continue to create the policy. Name the policy as desired. The resource should be the Amazon resource name (ARN) of the IAM role that you created in the target account. You can find the ARN by logging in to the AWS portal under the target account and going to the IAM web portal.
      Note

      You can also create a standalone policy in IAM > Policies, and attach the policy to the IAM role, instead of adding an inline policy as this procedure describes.

  7. Launch a FortiGate-VM under the source account.
  8. Assign the IAM role that you created in step 5 to the FortiGate-VM.
  9. Configure FortiOS:
    1. Configure the AWS SDN connector to be able to access the target account:

      config system sdn-connector edit "aws1" config external-account-list edit "arn:aws:iam::601xxxxxx685:role/cross-account-with-external-id-demo" set external-id "external-id-demo-123456" set region-list "us-east-1" next end next end

    2. Configure a dynamic address. This address checks whether the FortiGate-VM can retrieve the instance address in the target account:

      config firewall address edit "sdn1" set type dynamic set sdn "aws1" set filter "InstanceId=i-02c5141c75e6aed4f" next end

    3. Confirm that the FortiGate-VM can retrieve the dynamic IP address from the target account:

      show firewall address sdn1 config firewall address edit "sdn1" set type dynamic set sdn "aws1" set filter "InstanceId=i-02c5141c75e6aed4f" set sdn-addr-type all config list edit "172.31.24.149" next edit "54.172.135.95" next end next end

External ID support in STS for AWS SDN connector 7.2.1

This enhancement builds on the AWS SDN connector, which can use the AWS security token service (STS) to connect to multiple AWS accounts concurrently. To enhance security, the SDN connector now supports using external ID, which allows the target account owner to permit the source account to assume the role only under specific circumstances.

See How to use an external ID when granting access to your AWS resources to a third party for details.

The example demonstrates a source account, the AWS account that FortiOS is connected to, accessing a target account. The target account must explicitly allow an external ID string in its role definition. The role definition has a trust policy that allows the source account on the condition that it connects with the specified external ID. You can configure these definitions on the target account in AWS.

This example uses two AWS accounts:

  • Target account: 601xxxxxx685
  • Source account: 269xxxxxx203

The example demonstrates that a FortiGate-VM in the source account can retrieve dynamic objects from the target account if it has the specified external ID.

To configure SDN connector support for AWS STS with an external ID:
  1. Log in to the AWS console using the target account.
  2. Create an IAM role on the target account:
    1. Go to IAM > Roles > Create role > AWS account.
    2. Select Another AWS account.
    3. In the Account ID field, enter the source account. In this example, the source account is 269xxxxxx203.
    4. Enable Require external ID (Best practice when a third party will assume this role).
    5. In the External ID field, enter the desired external ID. In this example, the external ID is external-id-demo-123456.

    6. Click Next.
    7. Continue with the configuration until the Review step. In the Role name field, enter the desired role name. In this example, the role name is cross-account-with-external-id-demo.
  3. Create an inline policy on the target account:
    1. Go to IAM > Roles.
    2. Select the role that you created.
    3. Click Add inline policy > JSON.
    4. Paste the following in to the text box:

      { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeInstances", "ec2:DescribeRegions" ], "Resource": "*" } ] }

    5. Continue to create the policy. Name the policy as desired. In this example, the policy name is CrossAccountPolicy.
      Note

      You can also create a standalone policy in IAM > Policies, and attach the policy to the IAM role, instead of adding an inline policy as this procedure describes.

  4. Log in to the AWS console using the source account.
  5. Create an IAM role on the source account:
    1. Go to IAM > Roles > Create role > AWS service > EC2..
    2. Under Permissions, configure the desired permissions. In this example, this role is configured with AmazonEC2FullAccess.
    3. Click Next.
    4. Continue with the configuration until the Review step. In the Role name field, enter the desired role name.
  6. Create an inline policy on the source account:
    1. Go to IAM > Roles.
    2. Select the role that you created.
    3. Click Add inline policy > JSON.
    4. Paste the following in to the text box:

      { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sts:AssumeRole" ], "Resource": [ "arn:aws:iam::601xxxxxx685:role/cross-account-with-external-id-demo" ] } ] }

    5. Continue to create the policy. Name the policy as desired. The resource should be the Amazon resource name (ARN) of the IAM role that you created in the target account. You can find the ARN by logging in to the AWS portal under the target account and going to the IAM web portal.
      Note

      You can also create a standalone policy in IAM > Policies, and attach the policy to the IAM role, instead of adding an inline policy as this procedure describes.

  7. Launch a FortiGate-VM under the source account.
  8. Assign the IAM role that you created in step 5 to the FortiGate-VM.
  9. Configure FortiOS:
    1. Configure the AWS SDN connector to be able to access the target account:

      config system sdn-connector edit "aws1" config external-account-list edit "arn:aws:iam::601xxxxxx685:role/cross-account-with-external-id-demo" set external-id "external-id-demo-123456" set region-list "us-east-1" next end next end

    2. Configure a dynamic address. This address checks whether the FortiGate-VM can retrieve the instance address in the target account:

      config firewall address edit "sdn1" set type dynamic set sdn "aws1" set filter "InstanceId=i-02c5141c75e6aed4f" next end

    3. Confirm that the FortiGate-VM can retrieve the dynamic IP address from the target account:

      show firewall address sdn1 config firewall address edit "sdn1" set type dynamic set sdn "aws1" set filter "InstanceId=i-02c5141c75e6aed4f" set sdn-addr-type all config list edit "172.31.24.149" next edit "54.172.135.95" next end next end