---
title: "Installation on AWS"
slug: "fortanix-data-security-manager-installation-on-aws"
updated: 2026-04-01T07:22:02Z
published: 2025-09-19T07:58:57Z
---

# Installation on AWS

## 1.0 Introduction

This article describes the steps required to install a Fortanix Data Security Manager (DSM) cluster in a single region of Amazon Web Services (AWS) from the AWS Marketplace.

## 2.0 Terminology References

- **IAM** – Identity and Access Management
- **VPC** – Virtual Private Cloud
- **EC2** – Elastic Compute Cloud
- **SNS** – Simple Notification Service

## 3.0 Prerequisites

To install Fortanix DSM on AWS, the following requirements have to be met:

- Subscribe to Fortanix DSM on the AWS Marketplace using the link: [https://aws.amazon.com/marketplace/pp/B08XMT11DV](https://aws.amazon.com/marketplace/pp/B08XMT11DV)
- Create an IAM user or role with permission to create a VPC, Internet Gateway, load balancer, Auto Scaling group, security group, EC2 instances, and SNS topic.
- Create an EC2 key pair; its private key is used for SSH authentication to the VMs.

### 3.1 Recommended VM Configuration

- **VM Instance Type** – m5.2xlarge (or larger).
- A minimum of 4 cores and 32 GB RAM is required. AWS VMs with up to 32 vCPUs are supported.

## 4.0 AWS Infrastructure

### 4.1 Create Fortanix DSM Cluster - Launch CloudFormation Method

1. Click **Continue to Subscribe**.

![screen-1.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/screen-1.png)

**Figure 1: Continue to Subscribe**

2. Click **Continue to Configuration**.

![screen-2.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/screen-2.png)

**Figure 2: Continue to Configuration**

3. Click **Continue to Launch**.

![screen-3.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/screen-3.png)

**Figure 3: Continue to Launch**

4. Select **Launch CloudFormation** and click **Launch**.

![screen-4.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/screen-4.png)

**Figure 4: Launch the Software**

5. Click **Next** and fill in the following CloudFormation parameter values:

![screen-5.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/screen-5.png)

**Figure 5: CloudFormation Stack Parameter Values**

6. On the next screen, click **Create Tags** to add tags if required, and click **Next**.
7. Click **Next** to create the stack.

![screen-6.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/screen-6.png)

**Figure 6: Create Stack Screen**

8. The following screen displays all the AWS resources created by the Fortanix CloudFormation template.

![AWSResources.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/awsresources.png)

**Figure 7: AWS Resources**

### 4.2 Fortanix DSM Security Groups in VPC

The following are the inbound and outbound rules of the Fortanix DSM security group:

**Inbound rules:**

- TCP ports 443 and 4445 must be reachable by the clients that use the REST API or the web UI; in this deployment they are exposed to the internet. Port 5696 is likewise used for KMIP traffic between clients and the DSM cluster.
- The **All traffic** rule exists only for inter-node communication within the VPC. Restrict its source to the VPC CIDR or to the security group itself rather than to any address (0.0.0.0/0).
- SSH (TCP 22) should be open only to the source IP address from which installation, configuration, and maintenance are performed, and can be closed again once those activities are complete.

![AWS_Install11.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/aws_install11.png)

**Figure 8: Inbound rules**

**Outbound rule:**

![AWS_Install12.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/aws_install12.png)

**Figure 9: Outbound rule**
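The rules above are easy to get wrong in the console, particularly the sources of the **All traffic** and SSH rules. The following script is an added example (not part of this page or of Fortanix's tooling) that audits the `IpPermissions` list returned as JSON by `aws ec2 describe-security-groups` against the guidance above: ports 443, 4445 and 5696 may face the internet, SSH must be limited to the admin source, and the all-traffic rule must be scoped to the VPC CIDR or to the group itself. The VPC CIDR, the security group ID, the admin address and both rule sets are constructed for the example.

```python
"""Audit the inbound rules of a Fortanix DSM security group (added example).

Reads the IpPermissions list that `aws ec2 describe-security-groups` returns
as JSON and reports rules that are wider than the page's guidance allows.
"""
import ipaddress
import json
import sys

# Assumed for the example: the VPC CIDR given to the CloudFormation stack
# and the ID of the DSM security group the stack created.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
DSM_SG_ID = "sg-0123456789abcdef0"

CLIENT_PORTS = {443, 4445, 5696}      # API/Web UI and KMIP: may face the internet
SSH_PORT = 22
ANY_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed rule sets in describe-security-groups format. The first is what a
# hasty console edit often produces; the second follows the page's guidance
# (SSH from one admin address, TEST-NET-3, and inter-node traffic from the SG itself).
RISKY_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 4445, "ToPort": 4445, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 5696, "ToPort": 5696, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
]
HARDENED_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 4445, "ToPort": 4445, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 5696, "ToPort": 5696, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
    {"IpProtocol": "-1", "IpRanges": [],
     "UserIdGroupPairs": [{"GroupId": DSM_SG_ID, "UserId": "123456789012"}]},
]


def _within_vpc(cidr, vpc):
    """True if `cidr` lies entirely inside the VPC (and is the same IP version)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == vpc.version and net.subnet_of(vpc)


def audit_inbound(permissions, vpc=VPC_CIDR, sg_id=DSM_SG_ID):
    """Return human-readable findings for inbound rules wider than the guidance."""
    findings = []
    for perm in permissions:
        proto = perm.get("IpProtocol")
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        groups = [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]

        if proto == "-1":
            # "All traffic" is for inter-node communication only: the source
            # must be the VPC CIDR or this security group itself.
            for c in cidrs:
                if not _within_vpc(c, vpc):
                    findings.append(f"all-traffic rule open to {c}; restrict to {vpc} or {sg_id}")
            for g in groups:
                if g != sg_id:
                    findings.append(f"all-traffic rule open to foreign group {g}")
            continue

        lo, hi = perm["FromPort"], perm["ToPort"]
        for c in cidrs:
            if lo <= SSH_PORT <= hi and c in ANY_CIDRS:
                findings.append(f"SSH ({SSH_PORT}) open to {c}; limit it to the admin source IP")
            elif c in ANY_CIDRS and not (lo == hi and lo in CLIENT_PORTS):
                findings.append(f"ports {lo}-{hi}/{proto} open to {c}; only 443, 4445 and 5696 should be public")
    return findings


if __name__ == "__main__":
    # Optional: path to a file holding the IpPermissions JSON from the AWS CLI.
    perms = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else RISKY_PERMISSIONS
    for finding in audit_inbound(perms) or ["no findings"]:
        print(finding)
```

To audit the real group, save `aws ec2 describe-security-groups --group-ids <sg-id> --query 'SecurityGroups[0].IpPermissions'` to a file and pass its path as the first argument; adjust `VPC_CIDR` and `DSM_SG_ID` to the values of your stack first. Re-run it after the installation is finished to confirm that the SSH rule has been closed again.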

### 4.3 Verify Login to Each VM

Verify that you can log in to each VM over SSH as the user `administrator`, using the private key of the key pair selected when the VMs were created.

### 4.4 Route53 Record

1. Go to the **Route 53** console.

![Route53.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/route53.png)

**Figure 10: Create Route53 Entry**

2. Select your hosted zone and create a record.
3. Enter the **Name** for the record.
4. Select **Alias to Network Load Balancer** as the **Endpoint**.
5. Select the region of the load balancer.
6. Select the load balancer created by the CloudFormation stack above.
7. Set the **Record type** to **A**.

## 5.0 Fortanix DSM Installation

Follow the installation instructions on the three EC2 instances, starting with Section 4.0, *System Installation and Configuration*, of the [Fortanix Data Security Manager Installation Guide](https://support.fortanix.com/v1/docs/fortanix-data-security-manager-installation-guide-on-prem#40-system-installation-and-configuration).

> [!NOTE]
> 
> - Hostnames of the EC2 instances can be changed for better readability.
> - Use the Fortanix DSM installer provided with this guide to install on the EC2 instances.
> - When generating certificate requests, use the Route 53 record name as the DNS name.

### 5.1 Adding a Node to an Existing Cluster

The following is the procedure to add a node to an existing Fortanix DSM cluster on AWS:

1. Run the following command on any existing node to list the bootstrap join tokens:

```bash
sudo kubeadm token list
```

2. Ensure that the new node has the same version of `sdkms-cluster` installed as the existing nodes.
3. Run the join on the new node, using a valid token from *Step 1*:

```bash
# MASTER_NODE_IP: any existing node of the cluster; NODE_IP: the new node's own address.
# JOIN_TOKEN has the form abcdef.0123456789abcdef, as printed by `kubeadm token list`.
sudo sdkms-cluster join --peer=MASTER_NODE_IP --token=JOIN_TOKEN --self=NODE_IP
```

Any existing node in the cluster can be used as the peer (`MASTER_NODE_IP`).

4. Run the following command to verify that the new node has joined the cluster:

```bash
kubectl get nodes -o wide
```
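Bootstrap tokens shown by `kubeadm token list` expire (24 hours by default for tokens created by kubeadm), so check the EXPIRES column before using one; if none is valid, `sudo kubeadm token create` on an existing node issues a new one. The script below is an added example, not Fortanix's own tooling: it parses constructed `kubeadm token list` output, keeps only well-formed, unexpired tokens usable for both authentication and signing, builds the join command from validated peer and self addresses, and reads the new node's STATUS from constructed `kubectl get nodes -o wide` output. The token values, node names and addresses are made up for the example.

```python
"""Select a usable kubeadm bootstrap token and build the join command (added example)."""
import ipaddress
import re
from datetime import datetime, timezone

TOKEN_RE = re.compile(r"^[a-z0-9]{6}\.[a-z0-9]{16}$")   # kubeadm bootstrap token format
REQUIRED_USAGES = {"authentication", "signing"}

# Constructed `sudo kubeadm token list` output (not real tokens): the first
# has expired, the second is valid, the third cannot be used for signing.
SAMPLE_TOKEN_LIST = """\
TOKEN                     TTL         EXPIRES                USAGES                   DESCRIPTION                                                EXTRA GROUPS
a1b2c3.d4e5f6a7b8c9d0e1   <invalid>   2025-01-01T00:00:00Z   authentication,signing   The default bootstrap token generated by 'kubeadm init'.   system:bootstrappers:kubeadm:default-node-token
f0e1d2.c3b4a5968778695a   23h         2099-01-01T00:00:00Z   authentication,signing   <none>                                                     system:bootstrappers:kubeadm:default-node-token
112233.4455667788990011   23h         2099-01-01T00:00:00Z   authentication           <none>                                                     system:bootstrappers:kubeadm:default-node-token
"""

# Constructed `kubectl get nodes -o wide` output shortly after a join.
SAMPLE_NODES = """\
NAME           STATUS     ROLES           AGE   VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE   KERNEL-VERSION   CONTAINER-RUNTIME
ip-10-0-1-10   Ready      control-plane   10d   v1.28.2   10.0.1.10     <none>        Linux      5.15.0           containerd://1.7.2
ip-10-0-1-13   NotReady   <none>          40s   v1.28.2   10.0.1.13     <none>        Linux      5.15.0           containerd://1.7.2
"""


def parse_expiry(text):
    """Parse the EXPIRES column (RFC 3339, UTC) into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def usable_tokens(listing, now=None):
    """Return tokens that are well-formed, unexpired at `now`, and allowed for
    both authentication and signing; anything else cannot bootstrap a node."""
    now = now or datetime.now(timezone.utc)
    tokens = []
    for line in listing.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 4)                # DESCRIPTION may contain spaces
        if len(parts) < 4:
            continue
        token, _ttl, expires, usages = parts[:4]
        if not TOKEN_RE.match(token):
            continue
        if expires != "<never>" and parse_expiry(expires) <= now:
            continue
        if not REQUIRED_USAGES <= set(usages.split(",")):
            continue
        tokens.append(token)
    return tokens


def join_command(peer_ip, self_ip, token):
    """Build the argv for `sdkms-cluster join`, validating the inputs first so a
    typo does not hand the bootstrap token to the wrong host."""
    peer = ipaddress.ip_address(peer_ip)
    me = ipaddress.ip_address(self_ip)
    if peer == me:
        raise ValueError("peer must be an existing node, not the joining node")
    if not TOKEN_RE.match(token):
        raise ValueError("malformed bootstrap token")
    return ["sudo", "sdkms-cluster", "join", f"--peer={peer}", f"--token={token}", f"--self={me}"]


def node_status(nodes_listing, node_name):
    """Return the STATUS column for `node_name`, or None if it is not listed."""
    for line in nodes_listing.splitlines()[1:]:
        parts = line.split()
        if parts and parts[0] == node_name:
            return parts[1]
    return None


if __name__ == "__main__":
    tokens = usable_tokens(SAMPLE_TOKEN_LIST)
    if not tokens:
        raise SystemExit("no usable token; run `sudo kubeadm token create` on an existing node")
    print(" ".join(join_command("10.0.1.10", "10.0.1.13", tokens[0])))
    print("new node status:", node_status(SAMPLE_NODES, "ip-10-0-1-13"))
```

A node that shows `NotReady` directly after the join is normal while its pods start; poll `kubectl get nodes -o wide` until it reports `Ready` before adding the next node. The token is a cluster credential: copy it to the new node over the same SSH session, not through a ticket or chat.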

### 5.2 Removing a Node from an Existing Cluster

Run the following command from any remaining node to remove a node from an existing Fortanix DSM cluster on AWS, where `NODE_NAME` is the name of the node to remove:

```bash
sudo sdkms-cluster remove --node NODE_NAME
```
```

## 6.0 Backup and Restore on AWS

The backup and restore process is the same as for SGX-capable hardware deployments of Fortanix DSM. On AWS, however, the VMs have no SGX capability, so the deployment key is generated in software. For security reasons this deployment key is not written to the backup location together with the backup data.

> [!NOTE]
> 
> The deployment key is required to restore a backup after the cluster has been reset or re-created, so it must be saved to a safe location separate from the backup. Without the deployment key the backup cannot be restored and is unusable.

1. Run the following command to locate the deployment key:

```bash
kubectl get secrets sdkms-deployment-key-store
```

2. Run the following command to save the deployment key:

```bash
kubectl get secrets sdkms-deployment-key-store -o yaml > sdkms-deployment-key-store.yaml
```

Save the file `sdkms-deployment-key-store.yaml` in a secure location (never alongside the backup).

3. Restore the deployment key after the cluster reset. A newly created cluster auto-generates a fresh random deployment key; because the cluster is being restored from the backup, that key must be deleted and replaced with the saved one:

   1. Delete the deployment key that the fresh cluster created:

   ```bash
   kubectl delete secrets sdkms-deployment-key-store
   ```

   2. Create the deployment key from the file kept in the safe location:

   ```bash
   kubectl create -f sdkms-deployment-key-store.yaml
   ```

After this step, start the restore process as described in the [Fortanix Data Security Manager Backup and Restore Guide](/v1/docs/backup-and-restore-manual).
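The exported Secret carries metadata that belongs to the old cluster's object (`uid`, `resourceVersion`, `creationTimestamp`, `managedFields`), so it is worth sanitizing and verifying the saved copy long before it is needed in an emergency. The script below is an added example, not Fortanix's own tooling: it checks that the document really is the `sdkms-deployment-key-store` Secret with non-empty data, strips the cluster-specific metadata so `kubectl create -f` can recreate the object cleanly on the reset cluster, and computes a SHA-256 fingerprint of the decoded key material so the off-site copy can be compared with the original. It uses only the Python standard library and therefore reads the JSON form of the export (`kubectl get secrets sdkms-deployment-key-store -o json`), which `kubectl create -f` accepts exactly as it does YAML. The sample Secret, its data key name and its key bytes are constructed for the example.

```python
"""Sanitize and fingerprint an exported sdkms-deployment-key-store Secret (added example)."""
import base64
import copy
import hashlib
import json
import sys

EXPECTED_NAME = "sdkms-deployment-key-store"
# Metadata that belongs to the old cluster's object and must not be carried
# into the new one.
VOLATILE_METADATA = ("uid", "resourceVersion", "creationTimestamp",
                     "managedFields", "selfLink", "generation")

# Constructed stand-in for `kubectl get secrets sdkms-deployment-key-store -o json`.
# The data key name is assumed and the key bytes are a dummy string, not a real key.
SAMPLE_EXPORT = {
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "Opaque",
    "metadata": {
        "name": EXPECTED_NAME,
        "namespace": "default",
        "uid": "1b4e28ba-2fa1-11d2-883f-0016d3cca427",
        "resourceVersion": "123456",
        "creationTimestamp": "2025-09-19T07:58:57Z",
    },
    "data": {
        "deployment-key": base64.b64encode(b"constructed-example-key-material").decode(),
    },
}


def sanitize_secret(doc):
    """Validate the exported Secret and return a copy without cluster-specific
    metadata, ready for `kubectl create -f` on a freshly reset cluster."""
    if doc.get("kind") != "Secret":
        raise ValueError("expected a Secret, got %r" % doc.get("kind"))
    meta = doc.get("metadata", {})
    if meta.get("name") != EXPECTED_NAME:
        raise ValueError("wrong Secret: %r" % meta.get("name"))
    if not doc.get("data"):
        raise ValueError("Secret has no data; export it again from a healthy cluster")
    clean = copy.deepcopy(doc)
    for field in VOLATILE_METADATA:
        clean["metadata"].pop(field, None)
    return clean


def key_fingerprint(doc):
    """SHA-256 over the decoded data entries in key order. Compare the value
    recorded at export time with the off-site copy's before relying on it."""
    digest = hashlib.sha256()
    for name in sorted(doc["data"]):
        digest.update(name.encode() + b"\0")
        digest.update(base64.b64decode(doc["data"][name]) + b"\0")
    return digest.hexdigest()


def main(argv):
    # Optional: path to the JSON export; the constructed sample is used otherwise.
    source = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_EXPORT
    clean = sanitize_secret(source)
    json.dump(clean, sys.stdout, indent=2)
    print("\nfingerprint:", key_fingerprint(clean), file=sys.stderr)


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 sanitize_deployment_key.py export.json > sdkms-deployment-key-store.clean.json`, keep the sanitized file and its fingerprint away from the backup location, and recompute the fingerprint on the copy before the restore. The sanitized object is still the raw key material, so it needs the same handling as the original export.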

## 7.0 Cluster Deployment Key Protection for Non-SGX Platform

For instructions on protecting the Cluster Master Key (CMK) with another key, the Cluster Deployment Key (CDK), which is stored in an external HSM when Fortanix DSM is deployed on non-SGX platforms such as AWS, refer to [Cluster Deployment Key Protection - Non-SGX](/v1/docs/cluster-deployment-key-protection-non-sgx).

Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface.


## Related

- [Fortanix Support Sign Up Process](/fortanix-support-sign-up-process.md)
- [What is the lifecycle of a Fortanix DSM SaaS Trial Account?](/what-is-the-lifecycle-of-a-fortanix-dsm-saas-trial-account.md)
- [Fortanix DSM - Quickstart](/fortanix-data-security-manager-quickstart.md)
- [Logging](/fortanix-ccm-users-guide-logging.md)
- [Sign Up for Fortanix DSM SaaS](/sign-up-for-fortanix-data-security-manager-saas.md)
