---
title: "AWS Connection Permissions"
slug: "fortanix-key-insight-aws-connection-permissions"
updated: 2025-11-28T06:56:57Z
published: 2025-11-28T06:56:57Z
canonical: "support.fortanix.com/fortanix-key-insight-aws-connection-permissions"
---


# AWS Connection Permissions

## 1.0 AWS Connection Permissions

This article describes the **read** permissions required to onboard an Amazon Web Services (AWS) connection in Fortanix Key Insight. It provides a detailed list of permissions that must be granted to enable secure and successful integration with AWS keys and services.

> [!NOTE]
> Fortanix Key Insight does **not** have access to customer data. The permissions outlined in this article are exclusively for cryptographic operations and security enforcement.

### 1.1 AWS Permissions (Services)

This section describes the permissions required to integrate AWS services with Fortanix Key Insight.

| **AWS Service** | **Permission** | **Description** |
| --- | --- | --- |
| **Key Management Service (KMS)** | `kms:ListKeys` | Lists all KMS keys in the account. |
| | `tag:GetResources` | Retrieves tags for AWS resources, including KMS keys. |
| | `kms:GetKeyRotationStatus` | Checks whether automatic key rotation is enabled. |
| | `kms:GetKeyPolicy` | Retrieves the access control policy for a key. |
| | `kms:DescribeKey` | Describes metadata about the key. |
| | `kms:ListGrants` | Lists all grants for the specified key. |
| | `kms:ListResourceTags` | Lists all tags attached to a KMS key. |
| | `kms:ListKeyRotations` | Returns information about all completed key material rotations for the specified KMS key. |
| | `kms:ListAliases` | Returns a list of aliases in the account and region for the specified KMS key. |
| **Relational Database Service (RDS)** | `rds:DescribeDBInstances` | Provides metadata about RDS DB instances. |
| **Elastic Block Store (EBS)** | `ec2:DescribeVolumes` | Lists information about EBS volumes and their configurations. |
| **Simple Storage Service (S3)** | `s3:ListAllMyBuckets` | Lists all buckets owned by the authenticated sender. |
| | `s3:GetEncryptionConfiguration` | Retrieves the default encryption configuration of an S3 bucket. |
| | `s3:GetBucketLocation` | Gets the region where the bucket resides. |
| **DynamoDB** | `dynamodb:ListTables` | Lists all DynamoDB tables. |
| | `dynamodb:DescribeTable` | Provides metadata about a specific DynamoDB table. |
| | `dynamodb:ListStreams` | Lists all available DynamoDB Streams. |
| | `dynamodb:DescribeStream` | Provides details about a specified stream, such as shards and records. |
| **Elastic Kubernetes Service (EKS)** | `eks:DescribeCluster` | Describes an Amazon EKS cluster. |
| | `eks:ListClusters` | Lists all Amazon EKS clusters in the account. |
| **Elastic File System (EFS)** | `elasticfilesystem:DescribeFileSystems` | Lists all Amazon EFS file systems and their metadata. |
| **Redshift** | `redshift:DescribeClusters` | Lists Amazon Redshift clusters and their configurations. |

### 1.2 AWS Permissions (Certificates)

This section describes the permissions required to integrate AWS certificates with Fortanix Key Insight.

| **AWS Certificate Service** | **Permission** | **Description** |
| --- | --- | --- |
| **AWS Certificate Manager (ACM)** | `acm:ListCertificates` | Lists all ACM certificates in the account. |
| | `acm:DescribeCertificate` | Retrieves detailed information about a specific ACM certificate. |

### 1.3 AWS Permissions (Others)

This section describes the additional AWS permissions required to assume identity roles, retrieve regional configuration, and onboard multiple AWS accounts through AWS Organizations.

| **AWS Category** | **Permission** | **Description** |
| --- | --- | --- |
| **Identity and Access Management (IAM) Security Token Service (STS)** | `sts:AssumeRole` | Allows Fortanix Key Insight to assume the IAM role using the provided AWS user credentials. |
| **Account (Global)** | `account:ListRegions` | Allows Fortanix Key Insight to identify the list of regions enabled in the AWS account. |
| **AWS Organization** | `organizations:DescribeOrganization` | Retrieves details about the organization (for example, master account, feature set). |
| | `organizations:ListAccounts` | Lists all accounts in the AWS Organization. |
| | `organizations:ListAccountsForParent` | Lists accounts under a specific organizational unit (OU). |
| | `organizations:ListChildren` | Lists all child OUs or accounts under a parent root or OU. |
| | `organizations:ListOrganizationalUnitsForParent` | Lists the organizational units under a parent root or OU. |
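The three tables above are the input to one IAM policy document. The following script is an added example, not Fortanix's published policy: it assembles that document from the listed actions and refuses to emit it if any action is not a `List`/`Get`/`Describe` read (with `sts:AssumeRole` allow-listed explicitly, since it is the one non-read action the article requires). The statement `Sid` values and the `"Resource": "*"` scoping are assumptions.

```python
"""Build the read-only IAM policy implied by the permission tables and
check that every action stays read-only. Added example; Sids and the
Resource "*" scoping are assumptions."""
import json
import re

# Actions copied from the tables, grouped the way the article groups them.
SERVICE_ACTIONS = [
    "kms:ListKeys", "tag:GetResources", "kms:GetKeyRotationStatus",
    "kms:GetKeyPolicy", "kms:DescribeKey", "kms:ListGrants",
    "kms:ListResourceTags", "kms:ListKeyRotations", "kms:ListAliases",
    "rds:DescribeDBInstances", "ec2:DescribeVolumes",
    "s3:ListAllMyBuckets", "s3:GetEncryptionConfiguration",
    "s3:GetBucketLocation", "dynamodb:ListTables", "dynamodb:DescribeTable",
    "dynamodb:ListStreams", "dynamodb:DescribeStream",
    "eks:DescribeCluster", "eks:ListClusters",
    "elasticfilesystem:DescribeFileSystems", "redshift:DescribeClusters",
]
CERTIFICATE_ACTIONS = ["acm:ListCertificates", "acm:DescribeCertificate"]
OTHER_ACTIONS = [
    "sts:AssumeRole", "account:ListRegions",
    "organizations:DescribeOrganization", "organizations:ListAccounts",
    "organizations:ListAccountsForParent", "organizations:ListChildren",
    "organizations:ListOrganizationalUnitsForParent",
]

# Verb prefixes that only read metadata; sts:AssumeRole is the single
# non-read action the article requires, so it is allow-listed by name.
READ_ONLY_VERB = re.compile(r"^[a-z0-9]+:(List|Get|Describe)[A-Za-z]*$")
EXPLICIT_ALLOW = {"sts:AssumeRole"}


def is_read_only(action: str) -> bool:
    """True if the action only reads metadata (or is the explicit AssumeRole)."""
    return action in EXPLICIT_ALLOW or READ_ONLY_VERB.match(action) is not None


def build_policy() -> dict:
    """Return the policy document; raise if a non-read action slipped in."""
    statements = [("KeyInsightServices", SERVICE_ACTIONS),       # assumed Sids
                  ("KeyInsightCertificates", CERTIFICATE_ACTIONS),
                  ("KeyInsightAccountAndOrg", OTHER_ACTIONS)]
    bad = [a for _, acts in statements for a in acts if not is_read_only(a)]
    if bad:
        raise ValueError(f"non-read-only action(s) in policy: {bad}")
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": sid, "Effect": "Allow",
                           "Action": sorted(acts), "Resource": "*"}
                          for sid, acts in statements]}


if __name__ == "__main__":
    print(json.dumps(build_policy(), indent=2))
```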

Fortanix Key Insight identifies encryption keys and data services across on-premises and hybrid multicloud environments, providing a unified dashboard for tracking key mappings and cryptographic security. It offers security and compliance teams data-driven insights to assess risks, align with best practices, and meet industry regulations. It also supports continuous risk mitigation and crypto-agility, adapting to evolving security needs, including preparation for the post-quantum era.
