lalarcon
Staff
April 8, 2026

Technical Tip: Create an S3 Bucket to upload FortiData Image to AWS (including permissions)

Description

This article describes how to create the permissions and an S3 bucket needed to upload a FortiData image to AWS.

Scope

FortiData, AWS S3.

Solution

Firstly, install the AWS CLI. See Installing or updating to the latest version of the AWS CLI.

 

Once it has been installed, follow these instructions:

 

From the command line (cmd), run the following AWS command:

aws login

 

It will open a browser session to log in to the AWS account. The information provided here will be saved in the following folder:

 

C:\Users\<user>\.aws\login\cache

 

Here, <user> is the user account of the Windows session. The credentials file stores the login information.

 

Create an S3 bucket in the correct AWS region in the console.

 


 

Use the defaults and add a bucket name.

 


 

Now, continue with the AWS CLI. Open CMD and run the AWS commands below. If the AWS CLI is not installed yet, see Installing or updating to the latest version of the AWS CLI.

 

When using only AWS commands, a series of steps needs to be accomplished to set up a bucket with the correct permissions. First, create the trust policy, which allows the VM Import/Export service (vmie.amazonaws.com) to assume the vmimport role. Create a JSON file with the following data and save it as trust-policy.json.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "vmie.amazonaws.com" },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": { "sts:Externalid": "vmimport" }
      }
    }
  ]
}

Execute the following AWS command to create the vmimport role with this trust policy. The role must exist before a policy can be attached to it:

aws iam create-role --role-name vmimport --assume-role-policy-document file://trust-policy.json

Next, create the role policy that grants the role its permissions. Add a second JSON file with the following information. In the resource ARN, change both lines to use the name of the S3 bucket in use. In the example, an S3 bucket called 'fortidata-n-ami' is the S3 target. Save the file as role-policy.json.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::fortidata-n-ami",
        "arn:aws:s3:::fortidata-n-ami/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:ModifySnapshotAttribute", "ec2:CopySnapshot", "ec2:RegisterImage", "ec2:Describe*"],
      "Resource": "*"
    }
  ]
}

Now, execute the following AWS command to attach the policy to the vmimport role:

aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document file://role-policy.json

If commands are successful, the S3 bucket is ready to go.
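
A mix-up between the trust document and the permissions document, or a bucket ARN left pointing at a different bucket, otherwise only shows up when the IAM commands or the image import fail. The following Python check is an added example, not part of the original article or its attached scripts; the function name lint_vmimport is hypothetical and the embedded documents are constructed copies of the JSON shown above.

```python
import json

# Constructed copies of the article's two documents (bucket name as in its example).
TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Service": "vmie.amazonaws.com"}, "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:Externalid": "vmimport"}}}]}""")
PERMS = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket"],
   "Resource": ["arn:aws:s3:::fortidata-n-ami", "arn:aws:s3:::fortidata-n-ami/*"]},
  {"Effect": "Allow", "Action": ["ec2:ModifySnapshotAttribute", "ec2:CopySnapshot",
   "ec2:RegisterImage", "ec2:Describe*"], "Resource": "*"}]}""")

def as_list(value):
    """IAM accepts a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def lint_vmimport(trust, perms, bucket):
    """Return a list of findings; an empty list means both documents look as intended."""
    findings = []
    for st in as_list(trust["Statement"]):
        if "Principal" not in st:
            findings.append("trust policy statement has no Principal (documents swapped?)")
            continue
        if st["Principal"] != {"Service": "vmie.amazonaws.com"}:
            findings.append("trust policy allows a principal other than vmie.amazonaws.com")
        if as_list(st.get("Action")) != ["sts:AssumeRole"]:
            findings.append("trust policy action is not exactly sts:AssumeRole")
        # IAM condition keys are case-insensitive, so compare them lowercased.
        cond = {k.lower(): v for k, v in st.get("Condition", {}).get("StringEquals", {}).items()}
        if cond.get("sts:externalid") != "vmimport":
            findings.append("trust policy lacks the sts:ExternalId = vmimport condition")
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for st in as_list(perms["Statement"]):
        if "Principal" in st:
            findings.append("permissions policy statement has a Principal (documents swapped?)")
            continue
        # Only S3 statements are expected to be scoped to the image bucket.
        if any(a.lower().startswith("s3:") for a in as_list(st.get("Action", []))):
            extra = set(as_list(st.get("Resource", []))) - allowed
            if extra:
                findings.append(f"S3 access reaches beyond the bucket: {sorted(extra)}")
    return findings

if __name__ == "__main__":
    for label, result in (("as written", lint_vmimport(TRUST, PERMS, "fortidata-n-ami")),
                          ("swapped", lint_vmimport(PERMS, TRUST, "fortidata-n-ami"))):
        print(label, "->", result or "OK")
```

To check real files, load them with json.load and pass the bucket name created in the console.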

 

Optional steps for automation:

 

The attached Python scripts do the same job. The scripts use the AWS CLI configuration.

 

To check which region the AWS CLI is using, run the following command:

 

aws configure get region

 

If it is not the same region as the S3 bucket, set it:

 

aws configure set region us-east-2

 

Now, install Python and install the libraries with pip:

 

pip install json
pip install boto
pip install botocore[crt]

 

Once they have been installed, proceed to execute the Roles_and_Bucket_creation.py script.

 


 

Now, the S3 bucket will be ready to upload the AWS FortiData image.