---
title: "AWS Connection Scanning Configuration"
slug: "fortanix-key-insight-aws-configuration-for-scanning"
updated: 2026-03-23T06:16:40Z
published: 2026-03-23T06:38:28Z
---

# AWS Connection Scanning Configuration

## 1.0 Introduction

This article describes the minimum access privileges required for Fortanix Key Insight to scan the Amazon Web Services (AWS) cloud account(s) or organization.

## 2.0 Terminology Reference

*For AWS terminologies and concepts, refer to* [*All Connections Concepts*](https://support.fortanix.com/docs/fortanix-key-insight-concepts-for-all-connections) *and* [*AWS Connection Concepts*](https://support.fortanix.com/docs/fortanix-key-insight-aws-connection-concepts).

## 3.0 AWS Single Account - Onboarding Setup

This section describes the steps to onboard a single AWS account in Fortanix Key Insight.

*For a comprehensive list of AWS permissions required to onboard an AWS connection, refer to the* [*AWS Connection Permissions*](https://support.fortanix.com/docs/fortanix-key-insight-aws-connection-permissions).

### 3.1 Set Up an IAM User with the Necessary Permissions - AWS Account

Perform the following steps:

1. Create an Identity and Access Management (IAM) user in the AWS account to be scanned. *For more information, refer to the* [*AWS official documentation*](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html).
2. Attach the following policy during the user creation.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FortanixFkiScannerPermissions",
            "Effect": "Allow",
            "Action": "account:ListRegions",
            "Resource": "*"
        }
    ]
}
```

> [!NOTE]
> Fortanix Key Insight also uses the `sts:GetCallerIdentity` permission. This is allowed by default and does not need to be explicitly granted in the IAM policy.

3. Attach the additional read-only permissions required to scan AWS services. You can attach these policies as a single custom policy or as multiple separate policies, depending on your internal security and governance standards.
   1. On the **Users** page, select the user you created in *Step 1*. For example, **FortanixKeyInsightScanner**.
   2. Go to the **Permissions** tab.
   3. Click **Add permissions → Attach policies directly**.
   4. Select **Create policy**.
   5. Switch to the **JSON** tab and paste the required JSON as described in [*Section 4.0: Access Control Permissions*](/v1/docs/fortanix-key-insight-aws-configuration-for-scanning#40-access-control-permissions).
   6. Click **Add permissions**.

### 3.2 Create and Save an Access Key for the IAM User - AWS Account

Create an access key (**Access key ID** and **Secret access key**) for the IAM user created in [*Section 3.1: Set Up an IAM User with the Necessary Permissions - AWS Account*](/v1/docs/fortanix-key-insight-aws-configuration-for-scanning#31-set-up-an-iam-user-with-the-necessary-permissions-aws-account).

This access key pair will be used when creating the AWS cloud account connection in Fortanix Key Insight.

Perform the following steps:

1. Log in to the **AWS Management Console** with your credentials.
2. Open the **Identity and Access Management (IAM)** console.
3. On the **Access management** section, select **Users**.
4. On the **Users** page, select your IAM user from the list.
5. On the user details page, click the **Security credentials** tab.
6. On the **Access keys** section, select **Create access key** to create an access key.
7. After creating the access key, copy the access key ID and secret access key values to use them when onboarding an AWS connection.

![1.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/25759380731796.png)

**Figure 1: Create AWS access key**

## 4.0 Access Control Permissions

This section describes the general requirements for AWS access permissions.

- For **single-account** onboarding, the policies are attached directly to the IAM user in that account.
- For AWS **Organization** onboarding, these permissions are provisioned automatically using the CloudFormation Template (CFT) deployed using AWS CloudFormation StackSets, as explained in [*Section 5.3: Deploy the CFT*](/v1/docs/fortanix-key-insight-aws-configuration-for-scanning#53-deploy-the-cft).

### 4.1 Scan AWS Services

The following **read-only** permissions are required for scanning the AWS KMS, S3, EBS, EKS, EFS, DynamoDB, Redshift, and RDS services:

- **KMS**

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:ListKeys",
        "tag:GetResources"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:GetKeyRotationStatus",
        "kms:GetKeyPolicy",
        "kms:DescribeKey",
        "kms:ListGrants",
        "kms:ListResourceTags",
        "kms:ListKeyRotations"
      ],
      "Resource": "arn:aws:kms:*:*:key/*"
    }
  ]
}
```

Additionally, to list AWS KMS aliases, the IAM policy must include the `kms:ListAliases` action with `Resource` set to `"*"`.

Fortanix Key Insight recommends creating a separate policy for this permission, as shown below, to meet AWS requirements and prevent permission errors:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:ListAliases"
      ],
      "Resource": "*"
    }
  ]
}
```

- **RDS**

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "rds:DescribeDBInstances",
      "Resource": "*"
    }
  ]
}
```

- **EBS**

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:DescribeVolumes",
      "Resource": "*"
    }
  ]
}
```

- **S3**

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetEncryptionConfiguration",
        "s3:GetBucketLocation"
      ],
      "Resource": "*"
    }
  ]
}
```

- **DynamoDB**

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:ListTables",
        "dynamodb:DescribeTable",
        "dynamodb:ListStreams",
        "dynamodb:DescribeStream"
      ],
      "Resource": "*"
    }
  ]
}
```

- **EKS**

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "eks:DescribeCluster",
        "eks:ListClusters"
      ],
      "Resource": "*"
    }
  ]
}
```

- **EFS**

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "elasticfilesystem:DescribeFileSystems",
      "Resource": "*"
    }
  ]
}
```

- **Redshift**

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "redshift:DescribeClusters"
      ],
      "Resource": "*"
    }
  ]
}
```

### 4.2 Scan AWS Certificates

The following **read-only** permissions are required for scanning the AWS certificates:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "acm:ListCertificates",
        "acm:DescribeCertificate"
      ],
      "Resource": "*"
    }
  ]
}
```
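As an added check that is not part of the Fortanix documentation, the following Python audits a set of scanner policies against the read-only action list in Sections 3.1, 4.1 and 4.2: it flags wildcard or undocumented actions, reports any documented action that is missing, and enforces the `kms:ListAliases` on `Resource "*"` requirement stated above. `DRIFTED_KMS` is a constructed sample policy, not one from this page.

```python
import json

# Read-only actions this page lists for the scanner user (Sections 3.1, 4.1 and 4.2).
DOCUMENTED_ACTIONS = {
    "account:ListRegions", "tag:GetResources",
    "kms:ListKeys", "kms:GetKeyRotationStatus", "kms:GetKeyPolicy", "kms:DescribeKey",
    "kms:ListGrants", "kms:ListResourceTags", "kms:ListKeyRotations", "kms:ListAliases",
    "rds:DescribeDBInstances", "ec2:DescribeVolumes",
    "s3:ListAllMyBuckets", "s3:GetEncryptionConfiguration", "s3:GetBucketLocation",
    "dynamodb:ListTables", "dynamodb:DescribeTable", "dynamodb:ListStreams",
    "dynamodb:DescribeStream", "eks:DescribeCluster", "eks:ListClusters",
    "elasticfilesystem:DescribeFileSystems", "redshift:DescribeClusters",
    "acm:ListCertificates", "acm:DescribeCertificate",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allowed_grants(policy_docs):
    """Flatten Allow statements of several policies (JSON text or dicts) into (action, resource) pairs."""
    grants = set()
    for doc in policy_docs:
        policy = json.loads(doc) if isinstance(doc, str) else doc
        for stmt in policy["Statement"]:
            if stmt.get("Effect") == "Allow":
                grants.update((a, r) for a in _as_list(stmt["Action"])
                              for r in _as_list(stmt["Resource"]))
    return grants

def audit(policy_docs):
    """Return findings; an empty list means exactly the documented read-only set is granted."""
    grants = allowed_grants(policy_docs)
    granted = {a for a, _ in grants}
    findings = []
    for action in sorted(granted):
        if "*" in action:
            findings.append(f"wildcard action {action} is broader than the documented set")
        elif action not in DOCUMENTED_ACTIONS:
            findings.append(f"{action} is not on the documented scanner list")
    findings += [f"missing required action {a}" for a in sorted(DOCUMENTED_ACTIONS - granted)]
    # Page-specific requirement: kms:ListAliases only works with Resource "*".
    if "kms:ListAliases" in granted and ("kms:ListAliases", "*") not in grants:
        findings.append('kms:ListAliases must be granted on Resource "*"')
    return findings

# Constructed drift case: the key-scoped KMS statement was widened to kms:* and
# kms:ListAliases was put on the key ARN instead of "*".
DRIFTED_KMS = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["kms:*", "kms:ListAliases"], "Resource": "arn:aws:kms:*:*:key/*"}]})
```

Running `audit([DRIFTED_KMS])` reports the `kms:*` wildcard, the 24 documented actions that policy does not grant, and the misplaced `kms:ListAliases`; feeding it the policies from Sections 3.1, 4.1 and 4.2 together returns an empty list.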

## 5.0 AWS Organization - Onboarding Setup

This section describes the steps to configure an AWS organization for performing key scans using Fortanix Key Insight.

Before you add a new AWS cloud account and create a new AWS connection in Fortanix Key Insight for the first time, you must set up your AWS role in the AWS organization as described in the following sections:

> [!NOTE]
> Fortanix Key Insight will not scan the management account of your AWS Organization even if it appears as a selectable account.

### 5.1 Set Up an IAM User with the Necessary Permissions - AWS Organization

*For steps to set up an IAM user with the necessary permissions for an AWS organization, refer to* [*Section 6.1: Set Up an IAM User with the Necessary Permissions – AWS Organization*](/v1/docs/fortanix-key-insight-aws-configuration-for-scanning#61-set-up-an-iam-user-with-the-necessary-permissions-aws-organization).

### 5.2 Create and Save an Access Key for the IAM User - AWS Organization

*For detailed steps on how to create and save an access key for the IAM user in an AWS organization, refer to* [*Section 3.2: Create and Save an Access Key for the IAM User – AWS Account*](/v1/docs/fortanix-key-insight-aws-configuration-for-scanning#32-create-and-save-an-access-key-for-the-iam-user-aws-account).

This access key pair will be used when creating the AWS cloud account connection in Fortanix Key Insight.

### 5.3 Deploy the CFT

This section outlines the steps for deploying the CFT through StackSets to create roles that the IAM user (created in [*Section 6.1: Set Up an IAM User with the Necessary Permissions - AWS Organization*](/v1/docs/fortanix-key-insight-aws-configuration-for-scanning#61-set-up-an-iam-user-with-the-necessary-permissions-aws-organization)) can assume in member accounts.

To deploy the CFT for role creation from a root or user account, the account must have the following permissions policy (if no other attached policies already cover these permissions).

> [!NOTE]
> To attach the following permission policy, the IAM user needs the corresponding IAM service read or write permissions.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FortanixCFTPermissions",
            "Effect": "Allow",
            "Action": [
                "cloudformation:*",
                "organizations:*",
                "s3:*"
            ],
            "Resource": "*"
        }
    ]
}
```

> [!NOTE]
> *Refer to the* [*AWS official documentation*](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-activate-trusted-access.html) *for more information about enabling trusted access for StackSets.*
>
> Enabling trusted access creates the following service-linked roles:
>
> - `AWSServiceRoleForCloudFormationStackSetsOrgAdmin` (management account)
> - `AWSServiceRoleForCloudFormationStackSetsOrgMember` (member accounts)
>
> These roles allow AWS CloudFormation StackSets to perform supported operations within accounts in your AWS Organization.

Perform the following steps:

1. Create the JSON file for the CFT. For example, `fortanix-key-insight-AWS-CFT-template.json`.

   *Refer to* [*Section 6.2: Download the JSON file for CFT*](/v1/docs/fortanix-key-insight-aws-configuration-for-scanning#62-download-the-json-file-for-cft) *to create the CFT.*
2. Go to your AWS account from which the CFT will be deployed. Activate trusted access with AWS Organizations as described above, if it is not already enabled.
3. In the AWS Management Console, navigate to the **CloudFormation → StackSets** page.

   ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI_AWS Scanning_Stackset(1).png)

   **Figure 2: CloudFormation StackSets page**
4. Click **Create StackSets**.
5. On the **Choose a template** page, select **Upload a template file** and upload the JSON file that you created in *Step 1*.

   ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI_AWS Scanning_Choose Template.png)

   **Figure 3: Choose the CFT template**

   ![4.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/25761299251988.png)

   **Figure 4: JSON file uploaded**
6. After you upload the CFT template, you will see the JSON file uploaded in the template field.
7. On the **Specify StackSet details** page:

   > [!NOTE]
   > The **AWSAccountID** and **AWSUserName** must be created in advance as described in [*Section 6.1: Set Up an IAM User with the Necessary Permissions - AWS Organization*](/v1/docs/fortanix-key-insight-aws-configuration-for-scanning#61-set-up-an-iam-user-with-the-necessary-permissions-aws-organization).

   ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI_AWS Scanning_Stackset Details.png)

   **Figure 5: StackSet details**

   1. **StackSet name:** Enter a stack set name.
   2. **StackSet description** (optional): Enter a description.
   3. **AWSAccountID:** Enter the AWS account ID of the user who initiates the scan.
   4. **AWSUserName:** Enter the AWS user name of the user who initiates the scan.
   5. Click **Next**.
8. On the **Set deployment options** page, specify the required deployment targets and regions.
9. Click **Next**.
10. On the **Review** page, review the details and create the StackSet.

## 6.0 Appendix

### 6.1 Set Up an IAM User with the Necessary Permissions - AWS Organization

Create an IAM user in AWS and attach the following permissions policy to allow it to list organization accounts and assume the Fortanix role created by the CFT:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FortanixFkiScannerPermissions",
            "Effect": "Allow",
            "Action": [
                "organizations:DescribeOrganization",
                "organizations:ListAccounts",
                "organizations:ListAccountsForParent",
                "organizations:ListChildren",
                "organizations:ListOrganizationalUnitsForParent"
            ],
            "Resource": "*"
        },
        {
            "Sid": "FortanixFkiScannerPermissionsRole",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": "arn:aws:iam::*:role/FortanixOrganizationAccessRoleForCredentials"
        }
    ]
}
```

> [!NOTE]
> The above IAM user must be created using one of the two options:
>
> - From the AWS Organizations management account.
> - From an AWS member account, where the IAM user is then assigned as a delegated administrator for AWS Organizations. *For more information, refer to the* [*AWS official documentation*](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_delegate_policies.html?icmpid=docs_orgs_console).

For example, if you create the IAM user with the name `FortanixKeyInsightScanner`, you should attach the following JSON to the settings of the AWS Organizations service:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::{REPLACE_WITH_ACCOUNT_NUMBER_OF_CREATED_IAM_USER}:user/FortanixKeyInsightScanner"
      },
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:ListAccounts",
        "organizations:ListAccountsForParent",
        "organizations:ListChildren",
        "organizations:ListOrganizationalUnitsForParent"
      ],
      "Resource": "*"
    }
  ]
}
```
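The following Python is an added example, not Fortanix code: it renders the resource policy above for a given account ID (refusing a leftover `{REPLACE_WITH_ACCOUNT_NUMBER_OF_CREATED_IAM_USER}` placeholder), then derives the member-account role ARNs the scanner user will assume and checks each against the `sts:AssumeRole` grant from the user policy in this section. The role and user names are the ones this page uses; `SAMPLE_ACCOUNTS` and all account IDs are constructed.

```python
import fnmatch
import re

SCANNER_ROLE = "FortanixOrganizationAccessRoleForCredentials"
ORG_ACTIONS = ["organizations:DescribeOrganization", "organizations:ListAccounts",
               "organizations:ListAccountsForParent", "organizations:ListChildren",
               "organizations:ListOrganizationalUnitsForParent"]

def is_account_id(value):
    """True only for a 12-digit AWS account ID, so a leftover placeholder is rejected."""
    return re.fullmatch(r"\d{12}", value) is not None

def render_org_policy(account_id, user_name="FortanixKeyInsightScanner"):
    """Build the Section 6.1 AWS Organizations resource policy for the scanner user."""
    if not is_account_id(account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "Statement", "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:user/{user_name}"},
        "Action": ORG_ACTIONS, "Resource": "*"}]}

def assume_role_resources(user_policy):
    """Resource patterns on which the scanner user's IAM policy allows sts:AssumeRole."""
    resources = []
    for stmt in user_policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in actions:
            res = stmt["Resource"]
            resources += res if isinstance(res, list) else [res]
    return resources

def member_role_arns(user_policy, accounts, management_account_id):
    """Role ARNs the scanner will assume, one per member account; the management account is
    skipped (Section 5.0 note) and each ARN is checked against the AssumeRole grant."""
    patterns = assume_role_resources(user_policy)
    arns = []
    for acct in accounts:
        if acct == management_account_id:
            continue
        arn = f"arn:aws:iam::{acct}:role/{SCANNER_ROLE}"
        if not any(fnmatch.fnmatchcase(arn, p) for p in patterns):
            raise PermissionError(f"user policy does not allow sts:AssumeRole on {arn}")
        arns.append(arn)
    return arns

# Constructed sample: the AssumeRole statement from Section 6.1 and three made-up account IDs.
SCANNER_USER_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "FortanixFkiScannerPermissionsRole", "Effect": "Allow", "Action": ["sts:AssumeRole"],
    "Resource": f"arn:aws:iam::*:role/{SCANNER_ROLE}"}]}
SAMPLE_ACCOUNTS = ["111111111111", "222222222222", "333333333333"]
```

With `111111111111` as the management account, `member_role_arns(SCANNER_USER_POLICY, SAMPLE_ACCOUNTS, "111111111111")` returns the role ARNs for the two member accounts only.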

### 6.2 Download the JSON File for CFT

Download the following CFT JSON file (`fortanix-key-insight-AWS-CFT-template.json`), which should be deployed using StackSets across the entire AWS Organization.

Enter the Account ID and IAM username created in [*Section 6.1: Set Up an IAM User with the Necessary Permissions - AWS Organization*](/v1/docs/fortanix-key-insight-aws-configuration-for-scanning#61-set-up-an-iam-user-with-the-necessary-permissions-aws-organization) in the `AwsAccountId` and `AwsUserName` fields, respectively.

[fortanix-key-insight-AWS-CFT-template.json](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/fortanix-key-insight-AWS-CFT-template.json) (9.47 KB)

Fortanix Key Insight identifies encryption keys and data services across on-premises and hybrid multicloud environments, providing a unified dashboard for tracking key mappings and cryptographic security. It offers security and compliance teams data-driven insights to assess risks, align with best practices, and meet industry regulations. It also supports continuous risk mitigation and crypto-agility, adapting to evolving security needs, including preparation for the post-quantum era.

## Related

- [Azure Connection Scanning Configuration Using Custom Roles](/fortanix-key-insight-azure-configuration-for-scanning-using-custom-roles.md)
- [Azure Connection Scanning Configuration Using Built-In Roles](/fortanix-key-insight-azure-configuration-for-scanning-using-built-in-roles.md)
- [Command-Line Interface (CLI) for Fortanix DSM (sdkms-cli)](/clients-command-line-interface-cli-for-fortanix-data-security-manager.md)
