1.0 Introduction
The article describes the minimum access privileges required for Fortanix Key Insight to scan the Amazon Web Services (AWS) cloud account(s) or organization.
2.0 Terminology Reference
For AWS terminologies, refer to Key Insight - Concepts Guide and Key Insight – AWS Concepts Guide.
3.0 AWS Single Account - Onboarding Setup
This section describes the steps to onboard a single AWS account in Fortanix Key Insight.
3.1 Set Up an IAM User with the Necessary Permissions - AWS Account
Create an Identity and Access Management (IAM) user in the AWS account to be scanned and attach the following permissions policy:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "FortanixFkiScannerPermissions", "Effect": "Allow", "Action": "Account:ListRegions", "Resource": "*" } ] }NOTE
Fortanix Key Insight also uses
sts:GetCallerIdentitypermission, granted by default, and does not need to be specifically requested.Attach the permissions policies as described in Section 4.0: Access Control Permissions to Scan AWS for S3, RDS, EBS, EFS, EKS, DynamoDB, Redshift, or KMS read-only access.
3.2 Create and Save an Access Key for the IAM User - AWS Account
Create the access or secret key pair for the IAM user, as created in Section 3.1: Set Up an IAM User with the Necessary Permissions - AWS Account. This access or secret key pair will be entered into the Key Insight cloud account creation page.
Click the AWS user menu → Security Credentials to create an Access Key.
Figure 1: Create AWS Access Key
4.0 Access Control Permissions to Scan AWS
This section describes the general requirements for AWS access permissions.
The following read-only permissions are required for scanning the AWS KMS, S3, EBS, EKS, EFS, DynamoDB, Redshift, and RDS services. These permissions will be added manually for single account on-boarding setup and will be propagated automatically by the CloudFormation Template (CFT) in the AWS organization on-boarding setup.
KMS
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "kms:ListKeys", "tag:GetResources" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "kms:GetKeyRotationStatus", "kms:GetKeyPolicy", "kms:DescribeKey", "kms:ListGrants", "kms:ListResourceTags", "kms:ListKeyRotations" ], "Resource": "arn:aws:kms:*:*:key/*" } ] }RDS
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "rds:DescribeDBInstances", "Resource": "*" } ] }EBS
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:DescribeVolumes", "Resource": "*" } ] }S3
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:GetEncryptionConfiguration", "s3:GetBucketLocation" ], "Resource": "*" } ] }
DynamoDB
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:ListTables", "dynamodb:DescribeTable", "dynamodb:ListStreams", "dynamodb:DescribeStream" ], "Resource": "*" } ] }
EKS
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "eks:DescribeCluster", "eks:ListClusters" ], "Resource": "*" } ] }
EFS
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "elasticfilesystem:DescribeFileSystems", "Resource": "*" } ] }
Redshift
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "redshift:DescribeClusters" ], "Resource": "*" } ] }
5.0 AWS Organization - Onboarding Setup
This section describes the steps to configure an AWS organization for performing key scans using Fortanix Key Insight.
Before you add a new AWS cloud account and create a new AWS connection in Fortanix Key Insight for the first time, you must set up your AWS role in the AWS organization as described in the following sections:
NOTE
Fortanix Key Insight will not scan the management account of your AWS Organization even though it can be selected.
5.1 Set up an IAM User with the Necessary Permissions - AWS Organization
For steps to set up an IAM user with the necessary permissions for an AWS organization, refer to the Appendix- Section 6.1: Set Up an IAM User with the Necessary Permissions – AWS Organization.
5.2 Create and Save an Access Key for the IAM User - AWS Organization
Create the access or secret key pair for the IAM user, as created in Section 6.1: Set Up an IAM User with the Necessary Permissions - AWS Organization above. This access or secret key pair will be entered into Key Insight cloud account creation page.
Click the AWS user menu → Security Credentials to create an Access Key.
Figure 2: Create AWS Access Key
5.3 Deploy the CFT
This section outlines the steps for deploying the CFT through StackSets to create roles that the IAM user, as created in Section 6.1: Set Up an IAM User with the Necessary Permissions - AWS Organization, can assume.
To deploy the CFT for role creation from a root or user account, the account must have the following permissions policy (if there are no other attached policies covering these permissions already).
NOTE
To attach the following permission policy, the IAM user needs the corresponding IAM service read or write permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "FortanixCFTPermissions",
"Effect": "Allow",
"Action": [
"cloudformation:*",
"organizations:*",
"s3:*"
],
"Resource": "*"
}
]
}
NOTE
Refer to Activate trusted access with AWS organizations - AWS CloudFormation for details.
This will create a
AWSServiceRoleForCloudFormationStackSetsOrgAdminrole in the management account and aAWSServiceRoleForCloudFormationStackSetsOrgMemberrole in member accounts. These roles allow AWS CloudFormation Stacksets to perform supported operations within the organization's accounts.
Create the JSON file for the CFT. Refer to the Appendix- Section 6.2: Create a JSON file for CFT to create the CFT.
Go to your AWS account from which the CFT will be deployed. Activate trusted access with AWS Organization as described in the beginning of this section.
Go to your AWS console CloudFormation → StackSets page.
.png?sv=2022-11-02&spr=https&st=2025-04-04T19%3A54%3A31Z&se=2025-04-04T20%3A20%3A31Z&sr=c&sp=r&sig=nLm63rGhTeO1oSJo%2Fc%2FrLAcSGVNuIkxDNyOHoTZOtC8%3D)
Figure 3: CloudFormation StackSets Page
Create StackSets and upload the CFT template JSON file that you created in Step 1 above.
Figure 4: Choose the CTF Template
After you uploaded the CFT template, you will see the JSON file uploaded in the template field.
Figure 5: JSON File Uploaded
Enter the StackSet name (and optionally the StackSet description). Enter AWSAccountID and AWSUserName of the user that initializes the scan.
NOTE
The AWSAccountID and AWSUserName must be created in advance as described in Section 6.1: Set Up an IAM User With the Necessary Permissions - AWS Organization.
Figure 6: StackSet Details
6.0 Appendix
6.1 Set up an IAM User with the Necessary Permissions - AWS Organization
Create an IAM user in AWS and attach the following permissions policy to list accounts and assume roles.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "FortanixFkiScannerPermissions",
"Effect": "Allow",
"Action": [
"organizations:DescribeOrganization",
"organizations:ListAccounts",
"organizations:ListAccountsForParent",
"organizations:ListChildren",
"organizations:ListOrganizationalUnitsForParent"
],
"Resource": "*"
},
{
"Sid": "FortanixFkiScannerPermissionsRole",
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": "arn:aws:iam::*:role/FortanixOrganizationAccessRoleForCredentials"
}
]
}
NOTE
The above IAM user must be created using one of the two options:
From the AWS management account.
From an AWS member account, where the IAM user is then assigned as a delegated administrator for AWS organizations. Refer to Delegated Administrator for AWS Organizations for details.
For example, if you create the IAM user with the name
FortanixKeyInsightScanner, you should attach the following JSON in the settings of AWS Organizations service:{ "Version": "2012-10-17", "Statement": [ { "Sid": "Statement", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::{REPLACE_WITH_ACCOUNT_NUMBER_OF_CREATED_IAM_USER}:user/FortanixKeyInsightScanner" }, "Action": [ "organizations:DescribeOrganization", "organizations:ListAccounts", "organizations:ListAccountsForParent", "organizations:ListChildren", "organizations:ListOrganizationalUnitsForParent", ] "Resource": "*" } ] }
6.2 Create a JSON File for CFT
The CFT to be deployed in the StackSets for the whole AWS organization is attached as follows. The account ID and the IAM username created in Section 6.1: Set Up an IAM User with the Necessary Permissions - AWS Organization needs to be entered.
{
"Description": "Create IAM roles and policies to grant read-only access to Fortanix Key Insight. Version 1.0",
"Parameters": {
"AwsAccountId": {
"Type": "Number",
"Description": "Enter the AWS account ID from which the data security scan will be performed. The access key and secret key associated with the user of this account are used by Fortanix data security assessment for scanning."
},
"AwsUserName": {
"Type": "String",
"Description": "Enter the AWS user name associated with the AwsAccountId. The access key and secret key associated with this user of the account are used by Fortanix data security assessment for scanning."
}
},
"Resources": {
"FortanixOrganizationAccessRoleForCredentials": {
"Type": "AWS::IAM::Role",
"Properties": {
"RoleName": "FortanixOrganizationAccessRoleForCredentials",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Sub": "arn:aws:iam::${AwsAccountId}:user/${AwsUserName}"
}
},
"Action": "sts:AssumeRole"
}
]
}
}
},
"FortanixKmsReadOnlyPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "FortanixKmsReadOnlyPolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:ListKeys",
"tag:GetResources"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"kms:GetKeyRotationStatus",
"kms:GetKeyPolicy",
"kms:DescribeKey",
"kms:ListGrants",
"kms:ListResourceTags",
"kms:ListKeyRotations"
],
"Resource": "arn:aws:kms:*:*:key/*"
}
]
},
"Roles": [
{
"Ref": "FortanixOrganizationAccessRoleForCredentials"
}
]
}
},
"FortanixS3ReadOnlyPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "FortanixS3ReadOnlyPolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetEncryptionConfiguration",
"s3:GetBucketLocation"
],
"Resource": "*"
}
]
},
"Roles": [
{
"Ref": "FortanixOrganizationAccessRoleForCredentials"
}
]
}
},
"FortanixRdsReadOnlyPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "FortanixRdsReadOnlyPolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "rds:DescribeDBInstances",
"Resource": "*"
}
]
},
"Roles": [
{
"Ref": "FortanixOrganizationAccessRoleForCredentials"
}
]
}
},
"FortanixEbsReadOnlyPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "FortanixEbsReadOnlyPolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:DescribeVolumes",
"Resource": "*"
}
]
},
"Roles": [
{
"Ref": "FortanixOrganizationAccessRoleForCredentials"
}
]
}
},
"FortanixEfsReadOnlyPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "FortanixEfsReadOnlyPolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "elasticfilesystem:DescribeFileSystems",
"Resource": "*"
}
]
},
"Roles": [
{
"Ref": "FortanixOrganizationAccessRoleForCredentials"
}
]
}
},
"FortanixRedshiftReadOnlyPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "FortanixRedshiftReadOnlyPolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"redshift:DescribeClusters"
],
"Resource": "*"
}
]
},
"Roles": [
{
"Ref": "FortanixOrganizationAccessRoleForCredentials"
}
]
}
},
"FortanixDynamodbReadOnlyPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "FortanixDynamodbReadOnlyPolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:ListTables",
"dynamodb:DescribeTable",
"dynamodb:ListStreams",
"dynamodb:DescribeStream"
],
"Resource": "*"
}
]
},
"Roles": [
{
"Ref": "FortanixOrganizationAccessRoleForCredentials"
}
]
}
},
"FortanixEksReadOnlyPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "FortanixEksReadOnlyPolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"eks:DescribeCluster",
"eks:ListClusters"
],
"Resource": "*"
}
]
},
"Roles": [
{
"Ref": "FortanixOrganizationAccessRoleForCredentials"
}
]
}
},
"FortanixListRegionsPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "FortanixListRegionsPolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "account:ListRegions",
"Resource": "*"
}
]
},
"Roles": [
{
"Ref": "FortanixOrganizationAccessRoleForCredentials"
}
]
}
}
},
"Outputs": {
"RoleId": {
"Description": "The ID of the IAM role",
"Value": {
"Ref": "FortanixOrganizationAccessRoleForCredentials"
}
},
"RoleArn": {
"Description": "The ARN of the IAM role",
"Value": {
"Fn::GetAtt": [
"FortanixOrganizationAccessRoleForCredentials",
"Arn"
]
}
},
"KmsPolicyId": {
"Description": "The ID of the IAM policy for AWS KMS ReadOnly permission",
"Value": {
"Ref": "FortanixKmsReadOnlyPolicy"
}
},
"S3PolicyId": {
"Description": "The ID of the IAM policy for AWS S3 ReadOnly permission",
"Value": {
"Ref": "FortanixS3ReadOnlyPolicy"
}
},
"RdsPolicyId": {
"Description": "The ID of the IAM policy for AWS RDS ReadOnly permission",
"Value": {
"Ref": "FortanixRdsReadOnlyPolicy"
}
},
"EbsPolicyId": {
"Description": "The ID of the IAM policy for AWS EBS ReadOnly permission",
"Value": {
"Ref": "FortanixEbsReadOnlyPolicy"
}
},
"EfsPolicyId": {
"Description": "The ID of the IAM policy for AWS EFS ReadOnly permission",
"Value": {
"Ref": "FortanixEfsReadOnlyPolicy"
}
},
"RedshiftPolicyId": {
"Description": "The ID of the IAM policy for AWS Redshift ReadOnly permission",
"Value": {
"Ref": "FortanixRedshiftReadOnlyPolicy"
}
},
"EksPolicyId": {
"Description": "The ID of the IAM policy for AWS EKS ReadOnly permission",
"Value": {
"Ref": "FortanixEksReadOnlyPolicy"
}
},
"DynamodbPolicyId": {
"Description": "The ID of the IAM policy for AWS DynamoDB ReadOnly permission",
"Value": {
"Ref": "FortanixDynamodbReadOnlyPolicy"
}
},
"AccountPolicyId": {
"Description": "The ID of the IAM policy for AWS Account ListRegions permission",
"Value": {
"Ref": "FortanixListRegionsPolicy"
}
}
}
}