Re: Site to Site SSL
SSL VPN as a client is described this way in the documentation, so it is not correct to call it "site2site" but client-to-site. And in such a case it is normal and expected for FortiGate to hide the internal LAN, being the client.
So, if you are doing it in production - abandon this ssl-client thing (at least until FortiOS 7.0.4) and use regular IPSec that works perfectly well with AWS. If, on the other hand, you are playing with it for the adventure of it and to be a pioneer - great, when you find the answers be sure to update us, we'll be thankful :).