Fortanix Key Insight - AWS Connection Permissions


1.0 Fortanix Key Insight - AWS Permissions

This section describes the read permissions required to onboard an Amazon Web Services (AWS) connection in Fortanix Key Insight. It provides a detailed list of permissions that must be granted to enable secure and successful integration with AWS keys and services.

1.1 AWS Permissions (Services)

This section describes the permissions required to integrate AWS services with Fortanix Key Insight.

| AWS Service | Permission | Description |
| --- | --- | --- |
| Key Management Service (KMS) | kms:ListKeys | Lists all KMS keys in the account. |
| | tag:GetResources | Retrieves tags for AWS resources, including KMS keys. |
| | kms:GetKeyRotationStatus | Checks if automatic key rotation is enabled. |
| | kms:GetKeyPolicy | Retrieves the access control policy for a key. |
| | kms:DescribeKey | Describes metadata about the key. |
| | kms:ListGrants | Lists all grants for the specified key. |
| | kms:ListResourceTags | Lists all tags attached to a KMS key. |
| | kms:ListKeyRotations | Returns information about all completed key material rotations for the specified KMS key. |
| Relational Database Service (RDS) | rds:DescribeDBInstances | Provides metadata about RDS DB instances. |
| Elastic Block Store (EBS) | ec2:DescribeVolumes | Lists information about EBS volumes and configurations. |
| Simple Storage Service (S3) | s3:ListAllMyBuckets | Lists all buckets owned by the authenticated sender. |
| | s3:GetEncryptionConfiguration | Retrieves the default encryption configuration of an S3 bucket. |
| | s3:GetBucketLocation | Gets the region where the bucket resides. |
| DynamoDB | dynamodb:ListTables | Lists all DynamoDB tables. |
| | dynamodb:DescribeTable | Provides metadata about a specific DynamoDB table. |
| | dynamodb:ListStreams | Lists all available DynamoDB Streams. |
| | dynamodb:DescribeStream | Provides details about a specified stream, such as shards and records. |
| Elastic Kubernetes Service (EKS) | eks:DescribeCluster | Describes an Amazon EKS cluster. |
| | eks:ListClusters | Lists all Amazon EKS clusters in the account. |
| Elastic File System (EFS) | elasticfilesystem:DescribeFileSystems | Lists all Amazon EFS file systems and metadata. |
| Redshift | redshift:DescribeClusters | Lists Amazon Redshift clusters and their configurations. |

1.2 AWS Permissions (Others)

This section describes the additional AWS permissions required to access identity roles, retrieve regional configurations, and enable onboarding of multiple AWS accounts using AWS Organization.

| AWS Category | Permission | Description |
| --- | --- | --- |
| Identity and Access Management (IAM) Security Token Service (STS) | sts:AssumeRole | Allows Fortanix Key Insight to assume the IAM role using the provided AWS user credentials. |
| Account (Global) | account:ListRegions | Allows Fortanix Key Insight to identify the list of regions enabled in the AWS account. |
| AWS Organization | organizations:DescribeOrganization | Retrieves details about the organization (for example, the master account and feature set). |
| | organizations:ListAccounts | Lists all accounts in the AWS Organization. |
| | organizations:ListAccountsForParent | Lists accounts under a specific organizational unit (OU). |
| | organizations:ListChildren | Lists all child OUs or accounts under a parent root or OU. |
| | organizations:ListOrganizationalUnitsForParent | Lists the organizational units under a parent root or OU. |
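The two permission lists in sections 1.1 and 1.2 together define the read-only footprint of the onboarding role. The following added example (not Fortanix code or a Fortanix-published policy) builds an IAM policy document from exactly those actions and audits an arbitrary policy against the list, flagging wildcards and non-read verbs that would exceed it. The policy shape (a single Allow statement on `Resource: "*"`, the `Sid` name) is an assumption for illustration; scope `Resource` as your environment allows.

```python
# Read-only actions listed on this page for the Key Insight AWS connection.
REQUIRED_ACTIONS = frozenset({
    "kms:ListKeys", "tag:GetResources", "kms:GetKeyRotationStatus", "kms:GetKeyPolicy",
    "kms:DescribeKey", "kms:ListGrants", "kms:ListResourceTags", "kms:ListKeyRotations",
    "rds:DescribeDBInstances", "ec2:DescribeVolumes",
    "s3:ListAllMyBuckets", "s3:GetEncryptionConfiguration", "s3:GetBucketLocation",
    "dynamodb:ListTables", "dynamodb:DescribeTable", "dynamodb:ListStreams",
    "dynamodb:DescribeStream", "eks:DescribeCluster", "eks:ListClusters",
    "elasticfilesystem:DescribeFileSystems", "redshift:DescribeClusters",
    "sts:AssumeRole", "account:ListRegions",
    "organizations:DescribeOrganization", "organizations:ListAccounts",
    "organizations:ListAccountsForParent", "organizations:ListChildren",
    "organizations:ListOrganizationalUnitsForParent",
})
# Verbs that only read state; any extra action not using one of these is flagged.
READ_ONLY_VERBS = ("List", "Get", "Describe")


def build_policy():
    """IAM policy document granting exactly the page's actions (assumed shape)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "FortanixKeyInsightReadOnly",  # hypothetical statement id
            "Effect": "Allow",
            "Action": sorted(REQUIRED_ACTIONS),
            "Resource": "*",  # assumed; narrow to specific ARNs where possible
        }],
    }


def granted_actions(policy):
    """Collect every action in Allow statements; Action may be a string or a list."""
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        value = stmt.get("Action", [])
        actions.update([value] if isinstance(value, str) else value)
    return actions


def audit_policy(policy):
    """Report required actions that are missing, extras beyond the list, and risky extras.

    Risky = a wildcard or a verb that can change state (Put, Delete, Create, ...)."""
    granted = granted_actions(policy)
    extra = granted - REQUIRED_ACTIONS
    risky = {a for a in extra
             if "*" in a or not a.split(":", 1)[-1].startswith(READ_ONLY_VERBS)}
    return {"missing": sorted(REQUIRED_ACTIONS - granted),
            "extra": sorted(extra), "risky": sorted(risky)}
```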