1.0 Introduction
1.1 Purpose
The purpose of this article is to describe the Fortanix Key Insight concepts for Amazon Web Services (AWS). Fortanix Key Insight enables you to apply uniform key lifecycle management policies and processes to cryptographic key management systems across multiple clouds.
1.2 Intended Audience
This article is intended to be used by technical stakeholders of Fortanix Key Insight, such as the Chief Information Security Officer (CISO) who will use this feature to see compliance information or deficiencies at a very high level and is interested in trends and drift, and the Security Engineer, who will use this feature to find and fix issues with the implementation and management of cryptographic data protection.
2.0 Terminology References
2.1 AWS Terminology
CONCEPT | DESCRIPTION |
|---|---|
AWS Organization | An entity created to consolidate all AWS accounts and administer them as a single unit. An organization has one management account and zero or more member accounts. The accounts in an organization can be arranged in a hierarchical tree-like structure with the “root” at the top and the “organizational unit” and “account” nested under the “root”. Fortanix Key Insight scans an AWS organization and all the accounts within that organization. |
AWS Accounts | A container for your AWS resources. You create and manage your AWS resources in an AWS account. Fortanix Key Insight scans all the regions within an AWS account in an AWS organization. |
AWS Role
| AWS Identity and Access Management (IAM) roles are entities you create and assign specific permissions to that allow trusted identities, such as workforce identities and applications, to perform actions in AWS. Fortanix Key Insight requires an AWS IAM user to have permission to access the AWS Management Account and Member Account. |
AWS Services
| AWS Services allows users to set up their IT infrastructure online. The most popular AWS services include Elastic Compute Cloud (EC2), AWS Relational Database Service (RDS), AWS Simple Storage Service (S3), Elastic Block Store (EBS), and Virtual Private Cloud.
|
AWS KMS Keys | AWS KMS keys are the primary resource in AWS KMS, which are logical representations of cryptographic keys. AWS assigns an Amazon Resource Name (ARN) to each KMS key, which includes a unique key identifier, or key ID. Fortanix Key Insight scans all the AWS accounts within an AWS organization and identifies the key compliance status across multiple AWS cloud regions. |
AWS Scan | The act of connecting with the AWS KMS and obtaining information about services of interest for Fortanix Key Insight. |
AWS Sync | The act of synchronizing cryptographic key information and state between the cloud scanner and Fortanix-Data-Security-Manager (DSM) so that the state and contents of DSM reflect the state and content of the cloud key manager(s). |
3.0 Fortanix Key Insight Features - AWS
The Fortanix Key Insight for AWS has the following features:
It allows a user to scan all the regions for all the AWS accounts under an AWS organization, and for each region, scan the corresponding keys, AWS services such as S3 buckets, RDS, DynamoDB, Redshift, EKS, and EFS, and Elastic Block Store (EBS). Also, it checks which keys and services are encrypted and which keys were used to encrypt them.
Generates reports on AWS KMS non-compliant keys and services. For each region, the report shows:
Corresponding keys
Top security issues
S3 buckets with default encryption
S3 buckets backed by Bring Your Own Keys (BYOK)
S3 buckets backed by an External Key Service (XKS) key
RDS, EBS, DynamoDB, EKS, EFS, and Redshift instances that are unencrypted
RDS, EBS, DynamoDB, EKS, EFS, and Redshift instances encrypted by the default key
RDS, EBS, DynamoDB, EKS, EFS, and Redshift instances encrypted by a managed key
Provides a dashboard view of cryptographic key compliance status across multiple AWS cloud regions. The dashboard shows information such as:
Top five accounts with the most keys
Protected services
Key types
Key status
Key source
For every AWS key in a region,
Provides a tabular view that shows the key details such as identifier, key source, key state, key type, AWS account ID, last rotation date, next rotation date, and so on.
Provides a map of the key compliance statuses.
Detects non-compliant keys based on the applied policy and issues vulnerability alerts according to NIST standards.
Provides essential information such as key properties, key owner(s), rotation, service mapping, and related violations.
For each AWS service in a region,
Displays a comprehensive overview that allows you to filter services by type, violations, account, and region. You can click on each service to view a detailed list of associated vulnerabilities, if applicable.
Offers a tabular view showing key information such as the service name, service type, region, encryption status, AWS account ID, and other relevant details.
Provides detailed insights into service configurations and any violations associated with each service, helping you to understand potential issues and compliance gaps.
Allows users to download a report of the AWS keys’ primary parameters.
Allows users to export all scanned key and service data in comma-separated values (CSV) format and provides the ability to track export activities.
Allows users to optionally select pre-configured Fortanix DSM (SaaS) app credentials for correlation when onboarding an AWS cloud connection. This enables Fortanix Key Insight to determine if the scanned keys originate from Fortanix DSM (SaaS) after the scan is initiated.
Enables users to automatically retrieve the crypto policies configured in Fortanix DSM and apply them to scans and assessments, ensuring that Fortanix Key Insight remains aligned with any updates in Fortanix DSM.
Provides an assessment report that identifies vulnerabilities by providing a snapshot of your data security posture, and risk score, highlighting areas of strength, and pinpointing opportunities for improvement.