1.0 Introduction
This article describes the minimum access privileges required for Fortanix Key Insight to scan the Amazon Web Services (AWS) cloud account(s) or organization.
2.0 Terminology Reference
For AWS terminology and concepts, refer to All Connections Concepts and AWS Connection Concepts.
3.0 AWS Single Account - Onboarding Setup
This section describes the steps to onboard a single AWS account in Fortanix Key Insight.
For a comprehensive list of AWS permissions required to onboard an AWS connection, refer to the AWS Connection Permissions.
3.1 Set Up an IAM User with the Necessary Permissions - AWS Account
Create an Identity and Access Management (IAM) user in the AWS account to be scanned. For more information, refer to Create an IAM User in your AWS Account.
Attach the following policy during the user creation.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FortanixFkiScannerPermissions",
      "Effect": "Allow",
      "Action": "account:ListRegions",
      "Resource": "*"
    }
  ]
}
NOTE
Fortanix Key Insight also uses the sts:GetCallerIdentity permission. This is allowed by default and does not need to be explicitly granted in the IAM policy.
Attach the additional read-only permissions required to scan AWS services using the following steps:
a. On the Users page, select the user you created in Step 1. For example, FortanixKeyInsightScanner.
b. Go to the Permissions tab.
c. Click Add permissions → Attach policies directly.
d. Select Create policy.
e. Switch to the JSON tab and paste the required JSON as described in Section 4.0: Access Control Permissions.
f. Click Add permissions.
You can attach these policies as a single custom policy or as multiple separate policies, depending on your internal security and governance standards.
3.2 Create and Save an Access Key for the IAM User - AWS Account
Create an access key (Access key ID and Secret access key) for the IAM user created in Section 3.1: Set Up an IAM User with the Necessary Permissions - AWS Account.
This access key pair will be used when creating the AWS cloud account connection in Fortanix Key Insight.
Perform the following steps:
Log in to the AWS Management Console with your credentials.
Open the Identity and Access Management (IAM) console.
On the Access management section, select Users.
On the Users page, select your IAM user from the list.
On the user details page, click the Security credentials tab.
On the Access keys section, select Create access key to create an access key.
After creating the access key, copy the access key ID and secret access key values to use them when onboarding an AWS connection.

Figure 1: Create AWS access key
4.0 Access Control Permissions
This section describes the general requirements for AWS access permissions.
For single-account onboarding, the policies are attached directly to the IAM user in that account.
For AWS Organization onboarding, these permissions are provisioned automatically using the CloudFormation Template (CFT) deployed using AWS CloudFormation StackSets, as explained in Section 5.3: Deploy the CFT.
4.1 Scan AWS Services
The following read-only permissions are required for scanning the AWS KMS, S3, EBS, EKS, EFS, DynamoDB, Redshift, and RDS services:
KMS
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:ListKeys",
        "tag:GetResources"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:GetKeyRotationStatus",
        "kms:GetKeyPolicy",
        "kms:DescribeKey",
        "kms:ListGrants",
        "kms:ListResourceTags",
        "kms:ListKeyRotations"
      ],
      "Resource": "arn:aws:kms:*:*:key/*"
    }
  ]
}
Additionally, to list AWS KMS aliases, the IAM policy must include the kms:ListAliases action with the Resource set to "*". Fortanix Key Insight recommends creating a separate policy for this permission, as shown below, to meet AWS requirements and prevent permission errors:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:ListAliases"
      ],
      "Resource": "*"
    }
  ]
}
RDS
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "rds:DescribeDBInstances",
      "Resource": "*"
    }
  ]
}
EBS
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:DescribeVolumes",
      "Resource": "*"
    }
  ]
}
S3
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetEncryptionConfiguration",
        "s3:GetBucketLocation"
      ],
      "Resource": "*"
    }
  ]
}
DynamoDB
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:ListTables",
        "dynamodb:DescribeTable",
        "dynamodb:ListStreams",
        "dynamodb:DescribeStream"
      ],
      "Resource": "*"
    }
  ]
}
EKS
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "eks:DescribeCluster",
        "eks:ListClusters"
      ],
      "Resource": "*"
    }
  ]
}
EFS
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "elasticfilesystem:DescribeFileSystems",
      "Resource": "*"
    }
  ]
}
Redshift
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "redshift:DescribeClusters"
      ],
      "Resource": "*"
    }
  ]
}
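As an added check that is not part of the Fortanix documentation, the following Python script audits a set of IAM policy documents against the read-only action list above: it reports required actions that no Allow statement grants, granted actions that are wildcards or not List/Describe/Get, and any kms:ListAliases grant whose Resource is not "*". The sample policy set is constructed here, and the REQUIRED_ACTIONS set and the read-only verb rule are this example's assumptions rather than Fortanix's.

```python
import fnmatch

# Read-only actions this page lists for scanning AWS services (Section 4.1).
REQUIRED_ACTIONS = {
    "kms:ListKeys", "kms:ListAliases", "kms:DescribeKey", "kms:GetKeyRotationStatus",
    "kms:GetKeyPolicy", "kms:ListGrants", "kms:ListResourceTags", "kms:ListKeyRotations",
    "tag:GetResources", "rds:DescribeDBInstances", "ec2:DescribeVolumes", "s3:ListAllMyBuckets",
    "s3:GetEncryptionConfiguration", "s3:GetBucketLocation", "dynamodb:ListTables",
    "dynamodb:DescribeTable", "dynamodb:ListStreams", "dynamodb:DescribeStream",
    "eks:DescribeCluster", "eks:ListClusters", "elasticfilesystem:DescribeFileSystems",
    "redshift:DescribeClusters",
}
READ_VERBS = ("List", "Describe", "Get")  # API verb prefixes treated as read-only (assumption)

def _as_list(value):
    return value if isinstance(value, list) else [value]  # IAM allows a string or a list

def allow_pairs(policies):
    """Flatten Allow statements of several policy documents into (action, resource) pairs."""
    pairs = []
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            if stmt.get("Effect") != "Allow" or "Action" not in stmt:
                continue  # Deny and NotAction statements are out of scope here
            for action in _as_list(stmt["Action"]):
                for resource in _as_list(stmt.get("Resource", "*")):
                    pairs.append((action, resource))
    return pairs

def audit(policies, required=REQUIRED_ACTIONS):
    """missing: required actions no statement grants; beyond_read_only: granted patterns that
    are wildcards or not List/Describe/Get; alias_scope: kms:ListAliases not granted on "*"."""
    pairs = allow_pairs(policies)
    return {
        "missing": sorted(a for a in required
                          if not any(fnmatch.fnmatchcase(a, pat) for pat, _ in pairs)),
        "beyond_read_only": sorted({pat for pat, _ in pairs if "*" in pat
                                    or not pat.split(":", 1)[-1].startswith(READ_VERBS)}),
        "alias_scope": sorted({res for pat, res in pairs
                               if pat == "kms:ListAliases" and res != "*"}),
    }

# Constructed sample: a KMS-only policy with kms:ListAliases wrongly scoped to key ARNs
# and a write-capable kms:CreateGrant added; the other services' actions are omitted.
SAMPLE = [{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:ListKeys", "tag:GetResources"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["kms:DescribeKey", "kms:GetKeyPolicy", "kms:ListAliases",
                                   "kms:CreateGrant"], "Resource": "arn:aws:kms:*:*:key/*"},
]}]
```

Run audit() over the JSON documents you actually attach (loaded with json.load) before saving the access key; an empty result in all three lists means the user holds exactly the documented read-only set.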
4.2 Scan AWS Certificates
The following read-only permissions are required for scanning the AWS certificates:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "acm:ListCertificates",
        "acm:DescribeCertificate"
      ],
      "Resource": "*"
    }
  ]
}
5.0 AWS Organization - Onboarding Setup
This section describes the steps to configure an AWS organization for performing key scans using Fortanix Key Insight.
Before you add a new AWS cloud account and create a new AWS connection in Fortanix Key Insight for the first time, you must set up your AWS role in the AWS organization as described in the following sections:
NOTE
Fortanix Key Insight will not scan the management account of your AWS Organization even if it appears as a selectable account.
5.1 Set up an IAM User with the Necessary Permissions - AWS Organization
For steps to set up an IAM user with the necessary permissions for an AWS organization, refer to Section 6.1: Set Up an IAM User with the Necessary Permissions – AWS Organization.
5.2 Create and Save an Access Key for the IAM User - AWS Organization
For detailed steps on how to create and save an access key for the IAM user in AWS organization, refer to Section 3.2: Create and Save an Access Key for the IAM User – AWS Account.
This access key pair will be used when creating the AWS cloud account connection in Fortanix Key Insight.
5.3 Deploy the CFT
This section outlines the steps for deploying the CFT through StackSets to create roles that the IAM user (created in Section 6.1: Set Up an IAM User with the Necessary Permissions - AWS Organization) can assume in member accounts.
To deploy the CFT for role creation from a root or user account, the account must have the following permissions policy (if no other attached policies already cover these permissions).
NOTE
To attach the following permission policy, the IAM user needs the corresponding IAM service read or write permissions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FortanixCFTPermissions",
      "Effect": "Allow",
      "Action": [
        "cloudformation:*",
        "organizations:*",
        "s3:*"
      ],
      "Resource": "*"
    }
  ]
}
NOTE
Refer to Activate trusted access with AWS organizations - AWS CloudFormation for more information about enabling trusted access for StackSets.
Enabling trusted access creates the following service-linked roles:
AWSServiceRoleForCloudFormationStackSetsOrgAdmin (management account)
AWSServiceRoleForCloudFormationStackSetsOrgMember (member accounts)
These roles allow AWS CloudFormation StackSets to perform supported operations within accounts in your AWS Organization.
Perform the following steps:
Create the JSON file for the CFT, for example fortanix-key-insight-AWS-CFT-template.json. Refer to Section 6.2: Download the JSON File for CFT to create the CFT.
Go to your AWS account from which the CFT will be deployed. Activate trusted access with AWS Organization as described above, if it is not already enabled.
In the AWS Management Console, navigate to CloudFormation → StackSets page.
Figure 2: CloudFormation StackSets page
Click Create StackSets.
On the Choose a template page, select Upload a template file and upload the JSON file that you created in Step 1.

Figure 3: Choose the CFT template

Figure 4: JSON file uploaded
After you upload the CFT template, you will see the JSON file uploaded in the template field.
On the Specify StackSet details page,
Enter the StackSet name.
Enter StackSet description (optional).
Enter the AWSAccountID and AWSUserName of the user who initiates the scan.
Click Next.
NOTE
The AWSAccountID and AWSUserName must be created in advance as described in Section 6.1: Set Up an IAM User With the Necessary Permissions - AWS Organization.

Figure 5: StackSet details
On the Set deployment options page, specify the required deployment targets and regions.
Click Next.
On the Review section, review the details and create a StackSet.
6.0 Appendix
6.1 Set up an IAM User with the Necessary Permissions - AWS Organization
Create an IAM user in AWS and attach the following permissions policy to allow it to list organization accounts and assume the Fortanix role created by the CFT:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FortanixFkiScannerPermissions",
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:ListAccounts",
        "organizations:ListAccountsForParent",
        "organizations:ListChildren",
        "organizations:ListOrganizationalUnitsForParent"
      ],
      "Resource": "*"
    },
    {
      "Sid": "FortanixFkiScannerPermissionsRole",
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": "arn:aws:iam::*:role/FortanixOrganizationAccessRoleForCredentials"
    }
  ]
}
NOTE
The IAM user above must be created in one of two ways:
From the AWS Organizations management account.
From an AWS member account, where the IAM user is then assigned as a delegated administrator for AWS organizations. Refer to Delegated Administrator for AWS Organizations for more information.
For example, if you create the IAM user with the name FortanixKeyInsightScanner, you should attach the following JSON to the settings of the AWS Organizations service:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::{REPLACE_WITH_ACCOUNT_NUMBER_OF_CREATED_IAM_USER}:user/FortanixKeyInsightScanner"
      },
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:ListAccounts",
        "organizations:ListAccountsForParent",
        "organizations:ListChildren",
        "organizations:ListOrganizationalUnitsForParent"
      ],
      "Resource": "*"
    }
  ]
}
6.2 Download the JSON File for CFT
Download the following CFT JSON file (fortanix-key-insight-AWS-CFT-template.json), which should be deployed using StackSets across the entire AWS Organization.
Enter the Account ID and IAM username created in Section 6.1: Set Up an IAM User with the Necessary Permissions - AWS Organization in the AwsAccountId and AwsUserName fields, respectively.