Fortanix Key Insight - Getting Started With Cloud Connection

1.0 Introduction

This article helps you get started with the Fortanix Key Insight cloud connection. It also describes the following:

• Sign up and log in to Fortanix Key Insight.

• Configure the Amazon Web Services (AWS) organization to scan the keys and services.

• Configure the Azure cloud connection to scan the keys and services.

• Manage the cloud connections on Fortanix Key Insight.

• Manage the external key source (Fortanix-Data-Security-Manager (DSM) SaaS) connections on Fortanix Key Insight.

• Manage Federated Authentication on Fortanix Key Insight.

• Manage policy center on Fortanix Key Insight.

2.0 Terminology Reference

Refer to the Fortanix Key Insight - AWS Concepts Guide for the AWS terminologies.

Refer to the Fortanix Key Insight - Azure Concepts Guide for the Azure terminologies.

3.0 Fortanix Key Insight - Log In and Create an Account

Fortanix Key Insight is a solution on the Fortanix Armor platform. Therefore, you need to create an account on the platform if you do not already have one.

3.1 Sign Up and Log In to Fortanix Armor Platform - New Users

If you are accessing Fortanix Key Insight for the first time, you need to sign up for Fortanix Armor to access Key Insight. For subsequent access, you can log in to Fortanix Armor directly.

For more details on how to sign up, log in, and create an account for Fortanix Key Insight, refer to the Fortanix Armor – Getting Started Guide.

3.2 Log In to Fortanix Armor Platform - Existing Users

You can directly log in to the Fortanix Armor platform to access Key Insight if you have already signed up and have an account.

For more details on how to log in and create an account on Fortanix Armor, refer to the Fortanix Armor – Getting Started Guide.

4.0 Fortanix Key Insight - Configure AWS Cloud Connection

After you access the Key Insight solution from Fortanix Armor, if you want to onboard AWS cloud accounts, then you need to configure the AWS cloud connection to scan your keys and services.

4.1 Prerequisites

The following are the prerequisites before configuring an AWS cloud connection on Fortanix Key Insight:

4.1.1 Set Up an AWS Role in an AWS Organization

Follow the steps described in Fortanix Key Insight - AWS Configuration for Scanning to set up your AWS Role in the AWS organization before onboarding the AWS cloud account.

4.1.2 Configure Federated Authentication in AWS

The following are the prerequisites to configure an AWS cloud connection with your identity provider:

1. Register a client application with your identity provider.

2. Configure the redirect URI on the client application.

3. Gather the Client ID, a unique identifier for your registered application.

4. Gather the OpenID configuration document (well-known) URL specific to your IdP tenant or account.

5. Set up IdP on your cloud account.

6. Set up the necessary permissions for AWS single account onboarding.

7. Set up the necessary permissions for AWS organization onboarding.

NOTE

• Currently, Fortanix has tested PingOne and Microsoft Entra ID as the identity providers for configuring an AWS cloud connection based on federated authentication in Key Insight.

  • For more details on configuring PingOne, refer to the Fortanix Key Insight - AWS Configuration For PingOne as Open ID Connect Identity Provider

  • For more details on configuring Microsoft Entra ID, refer to the Fortanix Key Insight - AWS Configuration For Microsoft Entra ID as Open ID Connect Identity Provider.

• Fortanix Key Insight suggests creating a dedicated user account in the respective IdP for federated authentication in AWS. This account will be used to authenticate with the IdP or authorization server and consent to authorization.

• The dedicated user account must stay active, and if any changes occur, re-authorization is required to refresh the authentication configuration.

4.2 Onboard AWS Cloud Account or AWS Organization

After you create a Fortanix Armor account, you will be redirected to the Fortanix Armor Available Solutions page.

To onboard the AWS cloud accounts:

1. Click GO TO KEY INSIGHT.

2. On the Let's Connect to Your Cloud or On-Premises Provider page, select Cloud Connections type and the Amazon Web Services cloud provider.

3. Click NEXT.

   

4. On the Select Authentication method form, you can select Secret based or Federated authentication as the connection type.

   1. If you selected Secret based authentication, enter the AWS access key and the AWS secret access key. Click NEXT.

      

   2. If you selected Federated authentication,  

      1. Click the drop down menu for Select identity provider configuration and click ADD CONFIGURATION to add a new IdP configuration.

      2. On the Configure Identity Provider form,

         • Select Authorization code flow.

         • Enter the Name of configuration.

         • Enter the Well-known URL.

         • Enter the Client ID of your IdP.

         • Add the required Scope(s). The default scopes are available to select. You can also add custom scopes if you have already configured them.

           NOTE

           Ensure to include the offline_access scope when configuring Microsoft Entra ID IdP.

         • Click AUTHORIZE.

           For authorization, a new dedicated browser window opens depending on the IdP. After you complete the required steps, you will be navigating back to the Configure Identity Provider form with authorization processing.

           After the authorization is completed, the new IdP will be added to the Select identity provider configuration.

           

5. On the Setup Cloud Connections form, enter the following details:

   1. Enter an AWS cloud connection name. For example, AWS connection1.

   2. In the Select scope section, select Organization if you want to onboard an AWS organization. This will allow you to onboard all the AWS accounts in the AWS organization. However, if you want to onboard a single AWS account, select Account.

   3. Click NEXT.

      

6. In the Select scope section:

   • If you selected Organization, then on the Select AWS Accounts screen, you can either select all the cloud accounts in the AWS organization using Select All to scan and onboard all the AWS accounts in the AWS organization or you can select the required accounts to onboard only the selected AWS accounts.

   • If you selected Account, then on the Select AWS Accounts screen, you can select the single AWS account to scan and onboard this account.

   • Click NEXT.

   NOTE

   Fortanix Key Insight will not scan the AWS key material, only the available metadata.

   

7. The System Defined Policy is selected by default on the Key Insight Policy page. This policy is designed to facilitate the scanning of keys and services based on predefined key sizes and permitted operations, ensuring compliance with standard security configurations. If necessary, you can later choose and apply any user-defined cryptographic policy that has been created in the Policy Center, allowing you to meet specific requirements or use cases.  For more details, refer to Section 8.0: Fortanix Key Insight - Manage Policy Center.

   

8. Click NEXT.

9. On the Select External Key Source page, you can select to integrate Fortanix Key Insight with an external key source, that is Fortanix DSM (SaaS) to correlate keys and improve key management.

   You can select any of the following options:

   • Yes, connect now: This option allows you to add an external key source for your AWS cloud connection and correlate keys using the ADD EXTERNAL KEY SOURCE feature. For more details, refer to Section 7.1: Add an External Key Source Connection.

     Once added, you must select that external key source to finish the onboarding.

     

   • No, I’ll connect later: This option allows you to onboard the AWS connection without adding an external key source. You can add it later if needed.

     

10. Click FINISH to scan the selected cloud account and onboard all services and keys, including those from external key sources.

11. This will take you to the AWS connection Overview page. You can see that the page lists all the scanned AWS keys and services.

    

    For more information on the AWS connection overview and its features, refer to the Fortanix Key Insight-AWS User Interface Components.

    NOTE

    • After creating the AWS cloud connection, a group with the same name will be created on the Fortanix IAM Groups page. For more details, refer to the Fortanix Armor Identity and Access Management-IAM.

    • If you added an external key source (Fortanix DSM SaaS) during AWS cloud connection onboarding, the Overview page will display the following after the successful scan:

      • The total key counts in all sections will be updated to include the correlated keys from the external key source.

      • The BYOK key source label will be replaced with “Fortanix”, displaying the count of the BYOK key source. This indicates that the BYOK keys are now correlated from the external key source, “Fortanix”.

    • If the count of the AWS accounts before the scan does not match the count of the AWS accounts displayed on the Overview page:

      • Ensure all the roles and permissions are appropriate in the AWS accounts before performing the scan.

      • Perform re-scan operation using the RESCAN option on the Overview page after some time.

5.0 Fortanix Key Insight - Configure Azure Cloud Connection

After you access the Key Insight solution from Fortanix Armor, if you want to onboard Azure subscriptions, then you need to configure the Azure cloud connection to scan your keys and services.

5.1 Prerequisites

The following are the prerequisites to configure an Azure cloud connection on Fortanix Key Insight:

5.1.1 Set Up Azure Permissions

Before onboarding the Azure cloud,

• Follow the steps described in Fortanix Key Insight - Azure Configuration for Scanning Using Custom Roles to set up your Azure permissions using custom roles.

• Follow the steps described in Fortanix Key Insight - Azure Configuration for Scanning Using Built-In Roles to set up your Azure permissions using built-in roles.

5.1.2 Configure Federated Authentication in Azure

The following are the prerequisites to configure an Azure cloud connection with your identity provider:

1. Register a client application with your identity provider.

2. Configure the redirect URI on the client application.

3. Gather the Client ID, a unique identifier for your registered application.

4. Gather the OpenID configuration document (well-known) URL specific to your IdP tenant or account.

5. Provide the necessary Azure application permissions to scan resources.

NOTE

• Currently, Fortanix has tested Microsoft Entra ID and PingOne as the identity providers for configuring an Azure cloud connection based on federated authentication in Key Insight.

  • For more details on configuring Microsoft Entra ID, refer to the Fortanix Key Insight - Azure Configuration For Microsoft Entra ID as Open ID Connect Identity Provider.

  • For more details on configuring PingOne, refer to the Fortanix Key Insight - Azure Configuration For PingOne as Open ID Connect Identity Provider.

• Fortanix Key Insight suggests creating a dedicated user account in the respective IdP for federated authentication in Azure. This account will be used to authenticate with the IdP or authorization server and consent to authorization.

• The dedicated user account must stay active, and if any changes occur, re-authorization is required to refresh the authentication configuration.

5.2 Onboard an Azure Management Group or Azure Subscription

6.0 Fortanix Key Insight - Manage Cloud Connections

The Connections page allows you to manage the cloud, on-premises, and external key source connections you have added to the Fortanix Key Insight.

The CLOUD tab shows all the cloud connections configured for the selected Key Insight account. You can use the Search bar to search for a specific cloud connection by entering its Name.

You can perform the following for a cloud connection:

• Add

• Edit

• Delete

• Rescan

NOTE

Users with the Account Administrator and Group Administrator roles can only perform add, edit, delete, and rescan operations for the cloud connection.

6.1 Add a Cloud Connection

You can add a new cloud connection using ADD CLOUD CONNECTION.

• For details on how to add a new AWS cloud connection, refer to Section 4.2: Onboard an AWS Organization or AWS Account.

• For details on how to add an Azure cloud connection, refer to Section 5.2: Onboard an Azure Management Group or Azure Subscription.

NOTE

When adding or editing a cloud connection,

• You can select any policies you have configured in the Policy Center instead of the default policy on the Key Insight Policy page. If you change the policy while adding or editing the cloud connection, you must rescan the cloud connection to apply the new policy.

• You cannot map more than one external key source to a single cloud connection.

• You cannot map the external key source to any cloud connection unless it is properly configured and mapped to Fortanix DSM SaaS.

6.2 Edit the Cloud Connection

Use this feature to update the cloud connection details if required.

6.3 Delete the Cloud Connection

Use this feature to remove a cloud connection and its associated information.

1. If you click DELETE, a deletion confirmation dialog box will appear.

2. Read all the details and enter the cloud connection name.

3. Click CONFIRM.

   WARNING

   Deleting the cloud connection cannot be undone.

   After deletion, the cloud connection will be removed from the list on the Cloud tab.

6.4 Rescan the Cloud Connection

Use this feature to restart the cloud-based scan for keys and services. Click START SCANNING to restart the scan. If the scan is successful, the LAST SCAN column will be updated with the latest scan date and time.

7.0 Fortanix Key Insight - Manage External Key Source Connections

An external key source, such as Fortanix Data Security Manager (DSM) SaaS integrated with Fortanix Key Insight, is used to manage and protect cryptographic keys. This integration also simplifies compliance by providing a unified, cohesive view of the entire key inventory and lifecycle governance.

Fortanix Key Insight correlates with Fortanix DSM SaaS using the Key ID and ensures real-time synchronization between the two.

You can add, edit, delete, and rescan external key sources within Fortanix Key Insight using the EXTERNAL KEY SOURCE tab on the Connections page.

NOTE

Users with the Account Administrator and Group Administrator roles can only perform add, edit, delete, and rescan operations for the external key source connection.

7.1 Add an External Key Source Connection

The following are the prerequisites to add an external key source to Fortanix Key Insight:

• Fortanix DSM Account Setup: A valid and active Fortanix DSM SaaS account is set up to allow communication between DSM and Key Insight.

• Application Configuration: An application must be created in Fortanix DSM SaaS to enable interaction between both. This application defines the roles and permissions needed for key management.

• Security Objects Setup: Security objects, such as keys or key versions, must be created and configured within Fortanix DSM SaaS to allow secure key management and usage by Fortanix Key Insight.

• Group Configuration: User groups or access policies should be configured in Fortanix DSM SaaS to ensure appropriate access control and permissions for users interacting with the keys through Fortanix Key Insight.

For more details on how to configure the above, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.

Perform the following steps to add an external key source connection:

1. Click ADD EXTERNAL KEY SOURCE in the EXTERNAL KEY SOURCE tab.

2. On the Add External Key Source page, add a Fortanix DSM connection using the following steps:

   1. Enter a unique Connection name.

   2. Select the required Region from the drop down. For example, North America. Refer to the Fortanix DSM SaaS Global Availability Map for details.

   3. Click SAVE AND PROCEED. The connection will be added under the EXTERNAL KEY SOURCE tab, though it will not yet be integrated with Fortanix DSM SaaS.

   

3. On the Admin App UUID page, configure the private key and certificate to establish a connection with Fortanix DSM SaaS using the following steps:

   1. Click GENERATE PRIVATE KEY to create a private key. You can generate a maximum of two private keys.

      • Click GENERATE ANOTHER PRIVATE KEY to generate an additional key.

      • You can delete the private key using .

   2. Click GENERATE CERTIFICATE to generate a self-signed certificate. This button will only be enabled after generating a private key.

      • You can copy the generated certificate details.

      • You can also RE-GENERATE THE CERTIFICATE if required.

   3. After generating and downloading the certificate,

      • Log in to your Fortanix Data Security Manager account in the same region selected in Step 2.b above to ensure proper correlation.

      • Create an admin app using the steps mentioned in Create Admin Apps, selecting Certificate as the authentication method, and uploading the certificate generated in Step b.

      • After creating the admin app, copy the UUID value.

   4. Enter the Admin app UUID obtained from Fortanix DSM admin app.

   5. Click CONNECT to establish the connection between Fortanix DSM SaaS and Fortanix Key Insight. If your credentials (region and certificate) are incorrect, an error message will appear. Ensure you use the correct credentials to establish the connection with Fortanix DSM SaaS.

   

After the external key source is added,

• All security objects configured in your Fortanix DSM SaaS account that are accessible by the admin app will be imported to Fortanix Key Insight.

• The new external key source will appear in the EXTERNAL KEY SOURCE tab with the TYPE value set to DSM.

• LAST SCAN value reflecting the creation time stamp.

• You can access the external key source Overview and Keys pages. For more details on the external key source overview and keys, refer to the Fortanix Key Insight User Interface Components - External Key Source.

NOTE

• When adding or editing an external key source, it is recommended to use a unique admin app UUID for each external key source to prevent performance degradation and avoid unnecessary clutter.

• After creating the external key source (DSM SaaS) connection, a group with the same name will be created on the Fortanix IAM Groups page.

  For more details, refer to the Fortanix Armor Identity and Access Management-IAM.

7.2 Edit an External Key Source Connection

Use this feature to update the external key source connection details if required.

Perform the following steps to edit the external key source connection:

1. Click EDIT for the required key source connection under the EXTERNAL KEY SOURCE tab.

2. On the Edit <External Key Source> page, update the following details, if required:

   1. Connection name

   2. Region

   3. Generate Private key and certificate

   4. Admin app UUID

3. Click SAVE to apply the changes. Click CANCEL to discard the changes.

NOTE

• You can also edit the external key source connection during the cloud connections onboarding.

• When you update the external key source details, you must rescan both the external key source connection and any associated parent cloud connection to apply the new values.

7.3 Delete an External Key Source Connection

Use this feature to remove an external key source connection and its associated information.

Perform the following steps to delete the external key source connection:

1. Click DELETE for the required external key source connection under the EXTERNAL KEY SOURCE tab.

2. On the Delete External Key Source Connection dialog box, read all the details and enter the external key source name.

3. Click CONFIRM to delete the external key source.

WARNING

Deleting the external key source connection cannot be undone.

After deletion, the external key source connection will be removed from the EXTERNAL KEY SOURCE list.

7.4 Rescan an External Key Source Connection

Use this feature to restart the scan for external key sources.

Perform the following steps to rescan the external key source:

1. Click RESCAN for the required external key source connection under the EXTERNAL KEY SOURCE tab.

2. On the Scan Connection page, click START SCANNING to restart the scan.

If the re-scan is successful, the LAST SCAN column under the EXTERNAL KEY SOURCE tab will be updated with the latest scan date and time.

NOTE

After successfully rescanning the DSM connection, you must manually rescan the associated parent or linked cloud connection(s) (AWS or Azure) if any, to update the correlated key data.

8.0 Fortanix Key Insight - Manage Policy Center

Fortanix Key Insight supports account-level cryptographic policies that can be applied to accounts, allowing restrictions on the types of keys that can be created and the operations that are permitted.

When onboarding a connection (cloud or on-premises), Fortanix Key Insight by default applies a system-defined cryptographic policy to scan keys, services, or resources.

It also allows users to create customized, user-defined policies, configure access to Fortanix DSM (using API keys), and utilize the synchronized policies from Fortanix DSM SaaS for these connections.

NOTE

Users with the Account Administrator and Group Administrator roles can only manage (Import, Duplicate, Edit, and Delete) the cryptographic policies on Fortanix Key Insight – Policy Center.

8.1 Access System Defined Cryptographic Policy

By default, when a connection (cloud or on-premises) is onboarded into Fortanix Key Insight, the system automatically applies a pre-configured cryptographic policy. This policy is labeled as System Defined Policy and is classified under the System default policy type on Policy Center. It serves as the baseline policy for managing cryptographic operations until the user decides to customize or modify it.

This ensures that every new connection adheres to a set of predefined security rules and cryptographic standards, maintaining consistency and minimizing the risk of configuration errors.

NOTE

You cannot edit and delete the system-defined cryptography policy. You can only duplicate and modify it to generate a new user-defined policy.

8.2 Manage User-Defined Cryptographic Policy

Fortanix Key Insight allows users to customize and modify the default cryptographic policy, allowing them to create their user-defined policies. This customization enables users to develop the cryptographic rules and operations to meet their specific security requirements or compliance standards.

8.2.1 Add a User-Defined Cryptographic Policy

To add a user-defined cryptographic policy for the first time from the default policy:

1. Click Duplicate and Modify on the default policy.

2. On the Duplicate and modify Cryptographic Policy page,

   1. Enter the Policy Name.

   2. In the Allowed object types for the account section, select the key types that you want to allow for this account. By default, all the key types are selected except DES3, DES, BLS, ML-KEM, and ML-DSA.

   3. In the Allowed key sizes section, add the required allowed key size(s) for the keys. The default key sizes are carefully selected to ensure that the keys meet compliance requirements and are not flagged as non-compliant.

      For more details on the different key sizes and operations, refer to the User's Guide: Account Cryptographic Policy.

   4. Click SAVE POLICY to add the new user-defined policy.

The new user-defined policy will be added under the User defined (KI) category in the policy center, with the name specified in Step a.

To add a user-defined cryptographic policy from the existing user-defined policy:

1. Click Duplicate and Modify on the current user-defined policy.

2. Repeat Step 2 above.

NOTE

After the user-defined policy is added, it will be available for selection on the Key Insight Policy form during a connection onboarding.

8.2.2 Edit a User-Defined Cryptographic Policy

To edit the details of the existing user-defined cryptographic policy:

1. Click Edit on the user-defined cryptographic policy.

2. On the Edit Cryptographic Policy page, update the policy name and allowed object types or key sizes as per the requirement.

3. Click SAVE POLICY to update the policy details.

8.2.3 Delete a User-Defined Cryptographic Policy

You can delete the user-defined policy if it is no longer required.

To delete a user-defined cryptographic policy:

1. Click Delete on the required user-defined cryptographic policy.

2. On the Delete Cryptographic Policy dialog box,

   1. You can view the number of connections linked to the policy and read all the details.

   2. Enter the policy name to confirm the deletion.

   3. Click CONFIRM to remove the policy from the Policy Center.

WARNING

Deleting the user-defined policy is irreversible and will remove the policy permanently. Affected connections will revert to the System Default Policy.

8.3 Import Fortanix DSM Policy

Fortanix Key Insight offers the flexibility to import cryptographic policies from Fortanix DSM to streamline the management and application of cryptographic standards across your cloud or on-premises environments. By importing policies from Fortanix DSM, you can ensure consistency in key management, encryption protocols, and security settings, allowing you to easily apply the same policies across multiple connections.

WARNING

For a single account, you can duplicate or import policies using the user interface (UI) up to 10 times. To import or duplicate policies beyond this limit, you must first delete the existing ones.

You can import Fortanix DSM cryptographic policies to Fortanix Key Insight using an administrative (admin) application (app) API Key.

To import a Fortanix DSM cryptographic policy using the admin app API key:

1. Click IMPORT DSM POLICY.

2. On the Import DSM Policy dialog box,

   1. Enter the Fortanix DSM Admin app API key. For details on how to obtain the admin app API key, refer to the User’s Guide: Authentication.

   2. Select the region from the drop down menu. For example, North America. Refer to the Fortanix DSM SaaS Global Availability Map for other region details.

   3. Click IMPORT to import the policy from Fortanix DSM to Fortanix Key Insight. The imported policy will be listed on the Policy Center page with the type Fortanix DSM.

After the Fortanix DSM cryptographic policy is imported, you can only duplicate and delete it similar to the user-defined policy explained in Section 8.2: Manage User-Defined Cryptographic Policy.

9.0 Fortanix Key Insight - Manage Authentication

You can manage the Federated Authentication identity provider (IdP) configurations on the Authentication page in Fortanix Key Insight.

For the selected Fortanix Key Insight account, the Authentication page lists all the existing AWS and Azure IdP configurations.

NOTE

Users with the Account Administrator and Group Administrator roles can only manage (Add, Edit, and Delete) the authentications in Fortanix Key Insight.

NOTE

Expired authentication configurations will have the Status column marked as Expired. For these configurations, you must click and click Authorize to perform reauthorization.

• For Microsoft Entra ID IdP using the single page application (SPA) option in Azure, you must reauthorize every 24 hours because refresh tokens are valid only for 24 hours, according to the Refresh Tokens Policy in the Microsoft Identity Platform.

9.1 Add an IdP Configuration

To configure a new AWS or Azure IdP, click ADD CONFIGURATION.

Refer to Section 4.2: Onboard an AWS Organization or an Account on how to add a new Identity provider configuration.

The new IdP will be added to:

• The Authentication page to the list of IdPs.

• The Select identity provider configuration drop down menu in the Select Authentication form while onboarding the AWS or Azure cloud connection.

9.2 Edit an IdP Configuration

You can modify the details of the IdP configuration if required. To perform this:

1. Select the required IdP configuration to edit.

2. Click .

3. Update the new values in Steps 1 to 6 mentioned in Section 9.1: Add an IdP Configuration.

9.3 Delete the IdP Configuration

Use this feature to remove an IdP configuration and its associated information.

1. If you click , a deletion confirmation dialog box will appear.

2. Read all the details and enter the cloud connection name.

3. Click DELETE.

   

   WARNING

   Deleting the IdP configuration cannot be undone.

4. The IdP configuration will be removed from the the Authentication page and also on the Select identity provider configuration drop down in the Select Authentication form while onboarding the AWS or Azure cloud connection.