1.0 Introduction
This article helps you get started with the Fortanix Key Insight cloud connection.
It also describes:
How to sign up and log in to Fortanix Key Insight.
How to configure the Amazon Web Services (AWS) connection.
How to configure the Azure cloud connection.
How to configure the external key source (Fortanix Data Security Manager (DSM)) connections within cloud connections on Fortanix Key Insight.
How to manage the existing cloud connections on Fortanix Key Insight.
How to manage Federated Authentication on Fortanix Key Insight.
2.0 Terminology Reference
Refer to AWS Connection Concepts for AWS connection concepts and supported features.
Refer to Azure Connection Concepts for Azure connection concepts and supported features.
3.0 Log In and Create an Account
Fortanix Key Insight is a solution on the Fortanix Armor platform. Therefore, you need to create an account on the Fortanix Armor platform if you do not already have one.
3.1 Sign Up and Log In to Fortanix Armor Platform - New Users
If you are accessing Fortanix Key Insight for the first time, you need to sign up for Fortanix Armor to access Key Insight. For subsequent access, you can log in to Fortanix Armor directly.
For more information on how to sign up, log in, and create an account for Fortanix Key Insight, refer to Fortanix Armor – Getting Started.
3.2 Log In to Fortanix Armor Platform - Existing Users
You can directly log in to the Fortanix Armor platform to access Key Insight if you have already signed up and have an account.
For more information on how to log in and create an account on Fortanix Armor, refer to Fortanix Armor – Getting Started.
4.0 Configure an AWS Connection
After you access the Fortanix Key Insight solution from Fortanix Armor, you can configure and onboard an AWS connection to scan your cryptographic materials (Keys, Services, and Certificates).
4.1 Prerequisites
The following are the prerequisites before configuring an AWS connection on Fortanix Key Insight:
4.1.1 Set Up an AWS Role in an AWS Organization
Perform the steps described in AWS Connection Scanning Configuration to set up your AWS Role in the AWS organization before onboarding an AWS connection.
4.1.2 IP Whitelisting Requirements in AWS
To enable secure and reliable communication between Fortanix Key Insight and your AWS cloud environment, certain network connections may need to be allowed.
If your AWS accounts enforce inbound restrictions, the following Internet Protocol (IP) addresses must be whitelisted in your firewall to allow Fortanix Key Insight to initiate scanning connections into your AWS resources:
149.14.69.36/32
149.14.123.28/32
184.104.204.100/32
IP whitelisting is not mandatory. It is required only if there are network restrictions on your AWS accounts for inbound traffic.
4.2 AWS Authentication Methods
AWS supports the following authentication mechanisms to control how users and applications obtain credentials for accessing AWS services:
Secret-based authentication: An authentication method in which an application stores long-lived AWS access keys (Access Key ID and Secret Access Key) and uses them directly to sign AWS API requests.
Federated authentication: An authentication method where users or applications access AWS resources using existing credentials from an external identity provider (IdP), such as PingOne or Microsoft Entra ID. This eliminates the need to store long-lived secrets.
Fortanix Key Insight uses the following OAuth 2.0 flows for federated AWS authentication:
Authorization code Flow: Used when a user is involved. The user authenticates with the IdP, the application receives an authorization code, and the code is exchanged for tokens (ID, access, and/or refresh tokens).
Client credentials Flow: Used for machine-to-machine communication. The application authenticates directly with the IdP using its client ID and secret to obtain tokens, with no user interaction required.
API Gateway (Optional): In AWS, an API gateway (such as Kong Gateway) validates tokens, signs AWS requests when required, and proxies them to AWS services, providing centralized authentication and authorization.
4.3 Select Connection Type
Perform the following steps to select the AWS connection type:
After you create and select the Fortanix Armor account, you will be redirected to the Fortanix Armor Available Solutions page. Click GO TO KEY INSIGHT.

Figure 1: Access available solutions
On the Let's Connect to Your Cloud, On-Premises or External Key Source Provider page, select Cloud Connections type and the Amazon Web Services cloud provider.
Click NEXT.

Figure 2: Select the AWS cloud provider
4.4 Select Authentication
AWS supports the secret-based and federated authentication methods to control how users and applications obtain credentials to access AWS services. For more information on the definitions of the AWS authentication methods, refer to Section 4.2: AWS Authentication Methods.
4.4.1 Secret-based Authentication
Perform the following steps to add a secret-based AWS authentication:
In the Select Authentication method form, select the Secret based authentication.
Enter the AWS access key and the AWS secret access key. For more information on how to fetch the secret-based authentication credentials, refer to AWS Connection Scanning Configuration.
Click NEXT.

Figure 3: Select AWS secret-based authentication
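What the access key pair entered above is used for: every AWS API call is signed with Signature Version 4 using the secret access key. This is an added example, not Fortanix code; it reproduces the GET ListUsers request from the AWS SigV4 documentation, which uses the published example key pair (AKIDEXAMPLE and its example secret), so the expected signature is known. Any holder of the long-lived pair can produce the same signature for any request, which is the exposure that federated authentication removes.

```python
import hashlib
import hmac


def _hmac_sha256(key: bytes, message: str) -> bytes:
    return hmac.new(key, message.encode("utf-8"), hashlib.sha256).digest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_request(method, uri, query, headers, payload=b""):
    """Build the SigV4 canonical request; returns it with the signed-header list."""
    lowered = {name.lower(): value.strip() for name, value in headers.items()}
    names = sorted(lowered)
    canonical_headers = "".join(f"{name}:{lowered[name]}\n" for name in names)
    signed_headers = ";".join(names)
    request = "\n".join([method, uri, query, canonical_headers, signed_headers, sha256_hex(payload)])
    return request, signed_headers


def signing_key(secret_access_key, date, region, service):
    """Derive the per-day, per-region, per-service key from the long-lived secret."""
    key = _hmac_sha256(("AWS4" + secret_access_key).encode("utf-8"), date)
    key = _hmac_sha256(key, region)
    key = _hmac_sha256(key, service)
    return _hmac_sha256(key, "aws4_request")


def sign_request(access_key_id, secret_access_key, amz_date, region, service,
                 method, uri, query, headers, payload=b""):
    """Return the Authorization header value for one API call."""
    date = amz_date[:8]
    request, signed_headers = canonical_request(method, uri, query, headers, payload)
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                sha256_hex(request.encode("utf-8"))])
    signature = hmac.new(signing_key(secret_access_key, date, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")


def aws_documentation_example():
    """The GET ListUsers example from the AWS SigV4 documentation (example keys only)."""
    headers = {
        "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
        "Host": "iam.amazonaws.com",
        "X-Amz-Date": "20150830T123600Z",
    }
    return sign_request("AKIDEXAMPLE", "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
                        "20150830T123600Z", "us-east-1", "iam",
                        "GET", "/", "Action=ListUsers&Version=2010-05-08", headers)


if __name__ == "__main__":
    print(aws_documentation_example())
```

The derived key is scoped to one date, region and service, but it is derived from the secret access key alone, with no interactive step; rotating or revoking that key in IAM is the only way to invalidate a leaked copy, and Key Insight must be updated (Section 6.1) after each rotation.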
4.4.2 Federated Authentication - Authorization Code Flow
Fortanix Key Insight has tested PingOne and Microsoft Entra ID as the identity providers for configuring AWS connections using the Authorization code flow.
For more information on how to configure the IdPs and obtain the credentials (Client ID, Well-known URL, and Scopes), refer to the following:
AWS Configuration For PingOne as Open ID Connect Identity Provider
AWS Configuration For Microsoft Entra ID as Open ID Connect Identity Provider
NOTE
Fortanix Key Insight recommends creating a dedicated user account in the respective IdP for AWS federated authentication. This account is used to authenticate with the IdP or authorization server and to grant the necessary authorization consent during the connection setup.
The dedicated user account must remain active, and any modifications to the account will require re-authorization to update and refresh the authentication configuration.
Perform the following steps to add an IdP configuration using the Authorization code flow:
In the Select Authentication method form, select Federated authentication.
Click ADD CONFIGURATION in the Select identity provider configuration drop down to add a new Identity Provider (IdP) configuration.
In the Add New Configuration dialog box, the Authorization code flow option is selected by default.
Enter the Name of configuration.
Enter the Well-known URL.
Enter the Client ID of your IdP.
Add the required Scope(s). The default scopes are available to select. You can also add custom scopes if they are already configured.
Click AUTHORIZE. A new browser window opens for authorization, depending on the IdP. After you complete the required steps, you will be redirected back to the Add New Configuration form while authorization is processed.

Figure 4: Add a Configuration using Authorization Code Flow
After selecting an IdP, enter the Amazon Resource Name (ARN) in the Role ARN field. For more information on how to fetch the ARN, refer to AWS Connection Scanning Configuration.
NOTE
The Role ARN field is visible only if you have added and selected an IdP configured with the Authorization code flow.
Click NEXT.
NOTE
You can also add an IdP using the Authorization code flow by clicking ADD CONFIGURATION in the top-right corner of the Authentication page.
4.4.3 Federated Authentication - Client Credentials Flow
Fortanix Key Insight has tested and validated Kong as the API Gateway and Okta and Auth0 as supported IdPs to ensure secure and reliable API Gateway authentication.
For more information on configuring the IdPs and obtaining the required credentials, refer to:
Set Up Kong API Gateway (API Gateway URL)
Okta Configuration for Client Credentials Authentication (Client ID, Client Secret, Well-known URL, and Scopes)
Auth0 Configuration for Client Credentials Authentication (Client ID, Client Secret, Well-known URL, and Scopes)
NOTE
The Client credentials flow is currently supported only for AWS connections.
A dedicated application registration in each identity provider is required to securely validate tokens.
Any updates to the IdP configuration such as Client ID, Client Secret, or Issuer URL, require re-authorization to maintain a valid onboarding configuration.
Perform the following steps to add an IdP configuration using the Client credentials flow:
In the Select Authentication method form, select Federated authentication.
Click ADD CONFIGURATION in the Select identity provider configuration drop down to add a new IdP configuration.
In the Add New Configuration dialog box,
Select the Client credentials flow option.
Enter the Name of configuration.
Enter the Client ID of your IdP.
Enter the Client Secret of your IdP.
Enter the Well-known URL of your IdP.
(Optional) Add any custom Scope(s).
Enter the API Gateway URL in the text box for Add API Gateway URL for this authentication. This is the public URL of the API Gateway deployed in your environment (for example, Kong Gateway). You can obtain this URL from your API Gateway deployment or from the administrator managing the gateway. For example, https://ki-kong.westus2.cloudapp.azure.com:8443/auth0.
Click AUTHORIZE to complete the authorization.

Figure 5: Add a configuration using Client Credentials flow
After adding and selecting an IdP, click NEXT.
NOTE
When adding or editing the configuration, an Authorization Failed error message may appear if authorization cannot be completed due to incorrect credentials, invalid scope, or other configuration issues.
You can also add an IdP using the Client credentials flow by clicking ADD CONFIGURATION in the top-right corner of the Authentication page.
4.5 Set Up Cloud Connections
In the Setup Cloud Connections form, enter the following details:
Enter an AWS cloud connection name. For example, AWS connection1.
On the Select scope section, select Organization if you want to onboard an AWS organization. This will allow you to onboard all the AWS accounts in the AWS organization. However, if you want to onboard a single AWS account, select Account.
Click NEXT.

Figure 6: Configure AWS cloud account in Fortanix Key Insight
4.6 Select AWS Accounts
Perform the following steps to select AWS accounts:
On the Select AWS Accounts page,
If you selected Organization scope in the previous section, you can either onboard all AWS accounts in the AWS organization by choosing Select All or manually select only the AWS accounts you want to onboard.
If you selected Account, select the single AWS account to scan and onboard that account.
Click NEXT.
NOTE
Fortanix Key Insight scans only the AWS metadata and does not access any AWS key material.

Figure 7: Select AWS accounts
4.7 Select Fortanix Key Insight Policy
The System Defined Policy is selected by default on the Key Insight Policy page. This policy is designed to facilitate the scanning of keys and services based on predefined key sizes and permitted operations, ensuring compliance with standard security configurations.
Click NEXT to proceed.
Additionally, you can:
Click ADD POLICY to add a new user-defined policy to the policy center.
Click the copy icon to copy and modify a system-defined policy, converting it into a user-defined policy.
For more information on Fortanix Key Insight policies and features, refer to Cryptographic Policy Management.

Figure 8: Select Key Insight policy
4.8 Select External Key Source
On the Select External Key Source page, you can integrate Fortanix Key Insight with an external key source such as Fortanix DSM to enable key correlation and improve key management.
Perform the following steps:
Select any of the following options:
Yes, connect now: This option allows you to add an external key source for your AWS cloud connection and correlate keys using the ADD EXTERNAL KEY SOURCE feature. For more information, refer to Getting Started With External Key Source Connection.

Figure 9: Add external key source
No, I’ll connect later: This option allows you to onboard the AWS connection without adding an external key source. You can add it later if needed.

Figure 10: Onboard AWS connection without an external key source
Click FINISH to complete the AWS connection onboarding. After the connection is onboarded, you can access its Overview page and view the discovered AWS keys, services, and certificates.
Figure 11: Fortanix Key Insight AWS connection overview
For more information about the AWS connection overview and related user interface (UI) elements, refer to AWS Connection - User Interface Components.
NOTE
After onboarding the AWS connection, a group with the same name will be created on the Fortanix IAM Groups page. For more information, refer to Fortanix Armor Identity and Access Management - IAM.
5.0 Configure an Azure Connection
After you access the Fortanix Key Insight solution from Fortanix Armor, if you want to onboard Azure subscriptions, then you need to configure the Azure cloud connection to scan your keys and services.
5.1 Prerequisites
The following are the prerequisites to configure an Azure cloud connection on Fortanix Key Insight:
5.1.1 Set Up Azure Permissions
Before onboarding the Azure cloud,
Follow the steps described in Azure Connection Scanning Configuration Using Custom Roles to set up your Azure permissions using custom roles.
Follow the steps described in Azure Connection Scanning Configuration Using Built-In Roles to set up your Azure permissions using built-in roles.
NOTE
Currently, Fortanix has tested Microsoft Entra ID and PingOne as the identity providers for configuring an Azure cloud connection based on federated authentication in Key Insight.
Fortanix Key Insight suggests creating a dedicated user account in the respective IdP for federated authentication in Azure. This account will be used to authenticate with the IdP or authorization server and consent to authorization.
The dedicated user account must stay active, and if any changes occur, re-authorization is required to refresh the authentication configuration.
5.1.2 IP Whitelisting Requirements in Azure
To enable secure and reliable communication between Fortanix Key Insight and your Azure cloud environment, certain network connections may need to be allowed.
If your Azure subscriptions enforce inbound restrictions, the following Internet Protocol (IP) addresses must be whitelisted in your firewall to allow Fortanix Key Insight to initiate scanning connections into your Azure resources:
149.14.69.36/32
149.14.123.28/32
184.104.204.100/32
IP whitelisting is not mandatory. It is required only if there are network restrictions on your Azure subscriptions for inbound traffic.
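Applying the scanner addresses listed in Sections 4.1.2 and 5.1.2 as an explicit allowlist, as an added example that is not Fortanix code. It parses the list strictly, refuses entries too broad to be an allowlist, generates an IAM trust policy whose aws:SourceIp condition only lets those addresses assume the scanning role, and evaluates candidate caller addresses against the result. The trust-policy shape and the principal ARN are assumptions for illustration, not the role configuration described in AWS Connection Scanning Configuration; the same membership check applies to an Azure network rule built from the list.

```python
import ipaddress
import json

# Scanner source addresses listed in Sections 4.1.2 and 5.1.2.
FORTANIX_KEY_INSIGHT_CIDRS = ["149.14.69.36/32", "149.14.123.28/32", "184.104.204.100/32"]


def parse_allowlist(entries, max_addresses=256):
    """Parse CIDR strings strictly and refuse entries too broad to be an allowlist."""
    networks = []
    for entry in entries:
        network = ipaddress.ip_network(entry.strip(), strict=True)
        if network.num_addresses > max_addresses:
            raise ValueError(f"{network} is too broad for a scanner allowlist")
        networks.append(network)
    if not networks:
        raise ValueError("an empty allowlist would block every scan")
    return networks


def source_ip_allowed(source_ip, entries):
    """True if the caller address falls inside one of the allowlisted networks."""
    address = ipaddress.ip_address(source_ip)
    return any(address in network for network in parse_allowlist(entries))


def scanner_role_trust_policy(trusted_principal_arn, entries):
    """Trust policy allowing sts:AssumeRole only from the listed addresses (assumed pattern)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": trusted_principal_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"IpAddress": {"aws:SourceIp": [str(n) for n in parse_allowlist(entries)]}},
        }],
    }


def policy_allows(policy, source_ip):
    """Evaluate the generated policy's aws:SourceIp condition for one caller address."""
    address = ipaddress.ip_address(source_ip)
    for statement in policy["Statement"]:
        actions = statement["Action"]
        actions = actions if isinstance(actions, list) else [actions]
        if statement["Effect"] != "Allow" or "sts:AssumeRole" not in actions:
            continue
        cidrs = statement.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp", [])
        if any(address in ipaddress.ip_network(cidr) for cidr in cidrs):
            return True
    return False


if __name__ == "__main__":
    # Constructed account id; use the principal your role setup actually trusts.
    policy = scanner_role_trust_policy("arn:aws:iam::111122223333:root", FORTANIX_KEY_INSIGHT_CIDRS)
    print(json.dumps(policy, indent=2))
```

Run the evaluator against the three published addresses and one neighbouring address before enabling the restriction; a typo in a /32 blocks every scan rather than one host, and the Rescan action in Section 6.3 is the quickest way to confirm the rule after it is applied.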
5.2 Azure Authentication Methods
Azure supports the following authentication mechanisms to control how users and applications obtain credentials for accessing Azure services.
Secret-based authentication: An authentication method in which an application stores long-lived Azure service principal credentials (Client ID, Client Secret, and Tenant ID) and uses them to obtain access tokens from Microsoft Entra ID for Azure API requests.
Federated authentication: An authentication method where users or applications access Azure resources using existing credentials from an external identity provider (IdP), such as PingOne or Microsoft Entra ID. This eliminates the need to store long-lived secrets.
Fortanix Key Insight uses the following OAuth 2.0 flow for federated Azure authentication:
Authorization code Flow: Used when a user is involved. The user authenticates with the IdP, the application receives an authorization code, and the code is exchanged for tokens (ID, access, and/or refresh tokens).
5.3 Select Connection Type
Perform the following steps to select the Azure connection type:
After you create and select the Fortanix Armor account, you will be redirected to the Fortanix Armor Available Solutions page. Click GO TO KEY INSIGHT.
On the Let's Connect to Your Cloud, On-Premises or External Key Source Provider page, select Cloud Connections type and the Azure cloud provider.
Click NEXT.

Figure 12: Select Azure cloud provider
5.4 Select Authentication
Azure supports the secret-based and federated authentication methods to control how users and applications obtain credentials to access Azure services. For more information on the definitions of the Azure authentication methods, refer to Section 5.2: Azure Authentication Methods.
5.4.1 Secret-based Authentication
Perform the following steps to add a secret-based Azure authentication:
On the Select Authentication method form, select the Secret based authentication.
Enter the Client ID, Client secret, and Tenant ID.
Click NEXT.

Figure 13: Select Azure secret-based authentication
5.4.2 Federated Authentication - Authorization Code Flow
Fortanix Key Insight has tested PingOne and Microsoft Entra ID as the identity providers for configuring Azure connections using the Authorization code flow.
For more information on how to configure the IdPs and obtain the credentials (Client ID, Well-known URL, and Scopes), refer to the following:
Azure Configuration For Microsoft Entra ID as Open ID Connect Identity Provider
Azure Configuration For PingOne as Open ID Connect Identity Provider
NOTE
Fortanix Key Insight recommends creating a dedicated user account in the respective IdP for Azure federated authentication. This account is used to authenticate with the IdP or authorization server and to grant the necessary authorization consent during the connection setup.
The dedicated user account must remain active, and any modifications to the account will require re-authorization to update and refresh the authentication configuration.
Perform the following steps to add an IdP configuration using the Authorization code flow:
In the Select Authentication method form, select Federated authentication.
Click ADD CONFIGURATION in the Select identity provider configuration drop down to add a new IdP configuration.
In the Add New Configuration dialog box, the Authorization code flow option is selected by default.
Enter the Name of configuration.
Enter the Well-known URL of your IdP.
Enter the Client ID of your IdP.
Add the required Scope(s). The default scopes are available to select. You can also add custom scopes if they are already configured.
NOTE
Ensure that you include the offline_access scope when configuring a Microsoft Entra ID IdP. This scope is what makes the IdP issue a refresh token, so the configuration stays authorized after the access token expires.
Click AUTHORIZE to add a new IdP. A new browser window opens for authorization, depending on the IdP. After you complete the required steps, you will be redirected back to the Add New Configuration form while authorization is processed.
Figure 14: Add an Azure IdP
After selecting the IdP configuration, enter the Azure application client ID.
Enter the Tenant ID of your Azure application.
Click NEXT.
NOTE
You can also add an IdP using the Authorization code flow by clicking ADD CONFIGURATION in the top-right corner of the Authentication page.
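The Authorization code flow behind the AUTHORIZE button in Sections 4.4.2 and 5.4.2, as an added example that is not Fortanix code: the authorization request is built from the IdP's well-known document, the callback is bound to the attempt with state and PKCE, and the code-for-tokens exchange is prepared. The discovery document and client ID are constructed and the redirect URI is an assumed value. The function refuses a scope list without offline_access, because without it no refresh token is issued and the configuration lapses as soon as the access token expires, which is the point of the Microsoft Entra ID note above.

```python
import base64
import hashlib
import secrets
import urllib.parse

# Constructed discovery document, standing in for what the Well-known URL returns.
DISCOVERY = {
    "issuer": "https://login.example.test/tenant-id/v2.0",
    "authorization_endpoint": "https://login.example.test/tenant-id/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.example.test/tenant-id/oauth2/v2.0/token",
    "code_challenge_methods_supported": ["S256"],
}
REDIRECT_URI = "https://armor.example.test/oauth/callback"  # assumed callback


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge (RFC 7636): base64url(SHA-256(verifier)) without padding."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def start_authorization(discovery, client_id, scopes, redirect_uri=REDIRECT_URI,
                        verifier=None, state=None):
    """Build the URL the AUTHORIZE button opens and the per-attempt session to keep."""
    if "S256" not in discovery.get("code_challenge_methods_supported", []):
        raise ValueError("IdP does not advertise PKCE S256")
    scopes = list(scopes)
    if "openid" not in scopes:
        raise ValueError("openid scope is required for an OpenID Connect login")
    if "offline_access" not in scopes:
        # Without it no refresh token is issued and authorization lapses with the access token.
        raise ValueError("offline_access scope is required to obtain a refresh token")
    verifier = verifier or _b64url(secrets.token_bytes(32))
    state = state or _b64url(secrets.token_bytes(16))
    nonce = _b64url(secrets.token_bytes(16))
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    url = discovery["authorization_endpoint"] + "?" + urllib.parse.urlencode(params)
    session = {"state": state, "nonce": nonce, "verifier": verifier,
               "redirect_uri": redirect_uri, "client_id": client_id}
    return url, session


def handle_callback(callback_url, session, discovery):
    """Check the redirect back from the IdP and prepare the code-for-tokens exchange."""
    query = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(callback_url).query))
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error']}")
    if not secrets.compare_digest(query.get("state", ""), session["state"]):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    token_request = {
        "grant_type": "authorization_code",
        "code": query["code"],
        "redirect_uri": session["redirect_uri"],
        "client_id": session["client_id"],
        "code_verifier": session["verifier"],  # proves this client started the flow
    }
    return discovery["token_endpoint"], token_request


if __name__ == "__main__":
    url, session = start_authorization(DISCOVERY, "constructed-client-id",
                                       ["openid", "offline_access"])
    print(url)
```

The state check is what turns an Authorization Failed result into a clean error instead of silently binding someone else's authorization code to this configuration, and the code verifier is why an intercepted code alone cannot be exchanged for tokens.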
5.5 Set Up Cloud Connections
In the Setup Cloud Connections form, enter the following details:
Enter an Azure cloud connection name. For example, Azure Cloud.
On the Select scope section, select Management Groups to onboard all the Azure subscriptions. However, if you want to onboard a single subscription, select Subscription.
Enter the Management group ID or Subscription ID based on the scope.
Click NEXT.

Figure 15: Configure Azure cloud subscription in Fortanix Key Insight
5.6 Select Azure Subscriptions
Perform the following steps to select the Azure subscriptions:
On the Select Azure Subscriptions page,
If you selected the Management Groups scope in the previous section, you can either onboard all subscriptions in the management group by choosing Select All Subscriptions or manually select only the subscriptions you want to onboard.
If you selected Subscription, select the single Azure subscription to scan and onboard that subscription.
Click NEXT.
NOTE
Fortanix Key Insight scans only the Azure metadata and does not access any Azure key material.

Figure 16: Select Azure subscriptions
5.7 Select Fortanix Key Insight Policy
The System Defined Policy is selected by default on the Key Insight Policy page. This policy is designed to facilitate the scanning of keys and services based on predefined key sizes and permitted operations, ensuring compliance with standard security configurations.
Click NEXT to proceed.
Additionally, you can:
Click ADD POLICY to add a new user-defined policy to the policy center.
Click the copy icon to copy and modify a system-defined policy, converting it into a user-defined policy.
For more information on Fortanix Key Insight policies and features, refer to Cryptographic Policy Management.

Figure 17: Azure Key Insight policy
5.8 Select External Key Source
On the Select External Key Source page, you can integrate Fortanix Key Insight with an external key source such as Fortanix DSM to enable key correlation and improve key management.
Select any of the following options:
Yes, connect now: This option allows you to add the external key source for your Azure cloud connection to correlate keys using the ADD EXTERNAL KEY SOURCE feature. For more information, refer to Getting Started With External Key Source Connection.

Figure 18: Add external key source
No, I’ll connect later: This option allows you to onboard the Azure connection without adding an external key source. You can add it later if needed.

Figure 19: Onboard Azure connection without an external key source
Click FINISH to complete the Azure connection onboarding. After the connection is onboarded, you can access its Overview page and view the discovered Azure keys and services.
Figure 20: Azure cloud connection overview
For more information about the Azure connection overview and related UI elements, refer to Azure Connection - User Interface Components.
NOTE
After creating the Azure cloud connection, a group with the same name will be created on the Fortanix IAM Groups page. For more information, refer to Fortanix Armor Identity and Access Management - IAM.
6.0 Manage Cloud Connections
The Connections page allows you to manage the cloud, on-premises, and external key source connections you have added to the Fortanix Key Insight.
The CLOUD tab shows all the cloud connections configured for the selected Key Insight account.

Figure 21: Access cloud connections
Use the Search field to search for a specific cloud connection by entering its Name.
Click each connection to navigate to its corresponding Overview page.
Click ADD CLOUD CONNECTION to add a new cloud connection.
For more information on how to add a new AWS cloud connection, refer to Section 4.0: Configure an AWS Connection.
For more information on how to add an Azure cloud connection, refer to Section 5.0: Configure an Azure Connection.
NOTE
When adding or editing a cloud connection,
In the Select identity provider configuration drop down of the Select Authentication form, you cannot select an IdP configuration whose authorization has expired or is still pending while onboarding the AWS or Azure cloud connection. To use it, you must renew its authorization by selecting REAUTHORIZE.
On the Key Insight Policy page,
You can select any policy you have configured in the Policy Center instead of the default policy.
You can add a new user-defined policy using ADD POLICY.
You can copy and modify any policy using the copy icon. You can edit a user-defined policy using the edit icon.
For more information on managing (add, duplicate and modify, edit, and delete) the cryptographic policies, refer to Cryptographic Policy Management.
If you change or update the policy while adding or editing a cloud connection, you must rescan the cloud connection to apply the new policy.
You cannot map more than one Fortanix DSM (SaaS or On-Premises) connection to a single cloud connection.
You cannot map an external key source to a cloud connection unless it is properly configured and mapped to Fortanix DSM (SaaS or On-Premises).
Use the following options to manage a cloud connection:
Edit
Delete
Rescan

Figure 22: Manage a cloud connection
NOTE
Only users with the Account Administrator and Group Administrator roles can perform the add, edit, delete, and rescan operations for a cloud connection.
6.1 Edit the Cloud Connection
Use this feature to update the cloud connection details if required.
Perform the following steps to edit the cloud connection:
Click the menu icon on the required cloud connection and select Edit. The edit cloud connection form will appear.
Update the required details in each step, if required.
Click FINISH.
6.2 Delete the Cloud Connection
Use this feature to remove a cloud connection and its associated information.
Perform the following steps to delete the cloud connection:
Click the menu icon on the required cloud connection and select Delete. A deletion confirmation pop-up will appear.
Read all the details and enter the cloud connection name.
Click CONFIRM.
WARNING
Deleting the cloud connection cannot be undone.
After deletion, the cloud connection will be removed from the cloud connection list on the CLOUD tab.
6.3 Rescan the Cloud Connection
Use this feature to restart the cloud-based scan for keys and services.
Perform the following steps to rescan the cloud connection:
Click the menu icon on the required cloud connection and select Rescan. A confirmation dialog box will appear.
Click START SCANNING to restart the scan. If the scan is successful, the LAST SCAN column will be updated with the latest scan date and time.
7.0 Manage Authentications
You can manage IdP configurations from the Authentication page on the Fortanix Key Insight left navigation panel.
For the selected Fortanix Key Insight account, the Authentication page lists all the existing AWS and Azure IdP configurations.
NOTE
Only users with the Account Administrator and Group administrator roles can manage (Add, Edit, and Delete) the authentication in Fortanix Key Insight.

Figure 23: Access Authentication
NOTE
Expired authentication configurations have the Status column marked as Expired. For these configurations, click the edit icon and then click Authorize to reauthorize.
For a Microsoft Entra ID IdP registered as a single-page application (SPA) in Azure, you must reauthorize every 24 hours, because refresh tokens issued to SPAs are valid for only 24 hours under the refresh token policy of the Microsoft identity platform.
7.1 Edit the IdP Configuration
You can modify the details of the IdP configuration if required.
Perform the following steps to edit the IdP configuration:
Select the required IdP configuration to edit.
Click the edit icon. On the Edit Configuration – Authorization Code Flow or Edit Configuration – Client Credentials Flow page (depending on the selected authentication method), update the required values.
NOTE
On the Edit Configuration – Client Credentials Flow page, if the API Gateway URL is updated, the Client ID and Client Secret must also be updated to ensure that credentials configured by one account administrator cannot be redirected to a gateway managed by another account administrator.
Click Authorize to apply the changes.
7.2 Delete the IdP Configuration
Use this feature to remove an IdP configuration and its associated information.
Perform the following steps to delete the IdP configuration:
Select the required IdP configuration.
Click the delete icon. The deletion confirmation dialog box will appear. Read all the details and enter the name requested in the dialog to confirm.
Click DELETE.
WARNING
Deleting the IdP configuration cannot be undone.
The IdP configuration will be removed from the Authentication page and also from the Select identity provider configuration drop down in the Select Authentication form while onboarding the AWS or Azure cloud connection.
8.0 Troubleshooting
For guidance on troubleshooting steps for common issues encountered while configuring and running Fortanix Key Insight in cloud environments, refer to Cloud Connection Troubleshooting.