---
title: "AWS Connection - User Interface Components"
slug: "fortanix-key-insight-user-interface-components-aws"
updated: 2026-05-26T10:35:12Z
published: 2026-05-26T10:43:02Z
canonical: "support.fortanix.com/fortanix-key-insight-user-interface-components-aws"
---


# AWS Connection - User Interface Components

## 1.0 Introduction

This article describes the user interface (UI) features of the Amazon Web Services (AWS) cloud connection on Fortanix Key Insight.

## 2.0 Terminology References

*For Fortanix Key Insight - AWS concepts and supported features, refer to [AWS Connection Concepts](/v1/docs/fortanix-key-insight-for-aws-concepts).*

## 3.0 Overview

The AWS connection **Overview** page appears after adding an AWS cloud connection.

The **Overview** page displays AWS keys, certificates, and services based on the applied Fortanix Key Insight policy. *For more information on the Fortanix Key Insight policy, refer to [Cryptographic Policy Management](https://support.fortanix.com/docs/cryptographic-policy-management).*

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI AWS Overview(1).png)

**Figure 1: Access AWS overview**

- Click **ASSESSMENT REPORT** to navigate to the **Assessment** page and view the assessment report. This report allows you to assess your key security posture to ensure the safety of your data. *For more information, refer to [Section 4.0: Assessments](/v1/docs/fortanix-key-insight-user-interface-components-aws#40-assessments).*
- If the number of AWS accounts expected before the scan does not match the number of AWS accounts discovered by the scan:
  - Verify that all required roles and permissions are correctly configured in the AWS accounts before running the scan.
  - After confirming the permissions, initiate a re-scan using the **RESCAN** option. *For more information, refer to [Section 5.0: Rescan an AWS Connection](/v1/docs/fortanix-key-insight-user-interface-components-aws#50-rescan-an-aws-connection).*

> [!NOTE]
> NOTE
> 
> - If your Fortanix Armor account is deactivated and you are accessing the Fortanix Key Insight AWS connection, you will not be able to view data on the **Overview**, **Assessments**, **Keys**, **Services**, **Certificates**, or **PQC Central** pages. You will only have access to view and delete items within the **Connections**, **Policy Center**, and **Authentication** pages.
> - If you added any external key source (Fortanix DSM SaaS or On-Premises) during the AWS cloud connection onboarding, the **Overview** page will display the total key count, reflecting the correlated keys from the external key source after a successful scan.

The **Overview** page helps users get a summary of the AWS keys, certificates, and services, as described in the following sections:

### 3.1 Cloud Discovery Accounts

This section summarizes the discovered asset counts for an AWS connection.

It shows the count of:

- The AWS organizations
- The regions under all the AWS accounts
- The certificates in all the AWS regions
- The keys in all the AWS regions
- The services in all the AWS regions

Clicking the **Keys, Certificates,** and **Services** labels in the **Cloud Discovery Accounts** section takes you to their list view.

### 3.2 Cryptography Bill of Materials (CBOM)

This section describes how to export cryptographic asset metadata from AWS into a standardized CBOM JSON file. The exported CBOM file can be used to maintain a cryptographic inventory, demonstrate regulatory compliance, and assess post-quantum cryptography (PQC) readiness.

To export the CBOM file, click **EXPORT**. A file named `bom_report_<AWS_scan_id>.json` will be downloaded to your local system, where `AWS_scan_id` is the unique identifier generated for each AWS connection scan.

For example, [bom_report_0a2a015a-5712-11f0-accb-49ec68b32ff0.json](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/bom_report_0a2a015a-5712-11f0-accb-49ec68b32ff0(1).json) (36.76 KB).

The exported file adheres to the **CycloneDX** specification and includes the following components:

- `bomFormat`: Specifies the format of the bill of materials. For CBOM exports, this value is set to `CycloneDX`.
- `specVersion`: Indicates the version of the CycloneDX specification used.
- `version`: Denotes the version of the generated CBOM file.
- `components`: Lists cryptographic components such as keys and certificates. Each entry includes attributes such as type, name, algorithm, associated services, and so on.
- `services`: Describes the AWS services that interact with the listed cryptographic components. Each service includes attributes such as its name and Universally Unique Identifier (UUID).
- `dependencies`: Defines the relationships between keys or certificates and services, representing how cryptographic elements are interconnected or used together.
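As an added example (not part of this article and not Fortanix's export code), the following Python reads a constructed CycloneDX-style CBOM with the six top-level fields listed above, validates the header, and walks `dependencies` to find keys that are shared by several services or used by none. The attribute names inside `components`, `services` and `dependencies` (`bom-ref`, `cryptoProperties`, `dependsOn`) and the direction "a service depends on the key or certificate that protects it" are assumptions.

```python
"""Read a CycloneDX-style CBOM, check its header and derive key-to-service
usage from the `dependencies` graph (shared and unused assets).

SAMPLE_CBOM is constructed for this example. The attribute names inside
`components`, `services` and `dependencies` (`bom-ref`, `cryptoProperties`,
`dependsOn`) follow CycloneDX 1.6 conventions and are an assumption, as is the
direction "a service depends on the key or certificate that protects it";
the exact layout written by Fortanix Key Insight is not shown on this page.
"""
import json


def _crypto_asset(ref, name, asset_type, **props):
    """Build one constructed CycloneDX cryptographic-asset component."""
    crypto = {"assetType": asset_type}
    if props:
        crypto["relatedCryptoMaterialProperties"] = props
    return {"bom-ref": ref, "type": "cryptographic-asset", "name": name,
            "cryptoProperties": crypto}


SAMPLE_CBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "version": 1,
    "components": [
        _crypto_asset("key-orders", "alias/orders-db", "related-crypto-material", type="secret-key", size=256),
        _crypto_asset("key-logs", "alias/logs", "related-crypto-material", type="secret-key", size=256),
        _crypto_asset("key-legacy", "alias/legacy", "related-crypto-material", type="secret-key", size=128),
        _crypto_asset("cert-api", "api.example.com", "certificate"),
    ],
    "services": [
        {"bom-ref": "svc-rds", "name": "rds:orders"},
        {"bom-ref": "svc-s3", "name": "s3:orders-archive"},
        {"bom-ref": "svc-ebs", "name": "ebs:vol-logs"},
        {"bom-ref": "svc-elb", "name": "elb:api-lb"},
    ],
    "dependencies": [
        {"ref": "svc-rds", "dependsOn": ["key-orders"]},
        {"ref": "svc-s3", "dependsOn": ["key-orders"]},
        {"ref": "svc-ebs", "dependsOn": ["key-logs"]},
        {"ref": "svc-elb", "dependsOn": ["cert-api"]},
    ],
})


def load_cbom(text):
    """Parse the export and reject anything that is not a CycloneDX BOM."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError(f"unexpected bomFormat: {bom.get('bomFormat')!r}")
    if not bom.get("specVersion"):
        raise ValueError("specVersion is missing")
    return bom


def asset_kinds(bom):
    """Map each cryptographic-asset bom-ref to 'certificate' or 'key'."""
    kinds = {}
    for comp in bom.get("components", []):
        if comp.get("type") != "cryptographic-asset":
            continue
        asset_type = comp.get("cryptoProperties", {}).get("assetType")
        kinds[comp["bom-ref"]] = "certificate" if asset_type == "certificate" else "key"
    return kinds


def services_by_asset(bom):
    """Map every crypto asset to the names of the services depending on it;
    assets that nothing depends on get an empty list."""
    service_names = {s["bom-ref"]: s["name"] for s in bom.get("services", [])}
    usage = {ref: [] for ref in asset_kinds(bom)}
    for dep in bom.get("dependencies", []):
        service = service_names.get(dep.get("ref"))
        if service is None:
            continue  # not a service edge (e.g. component-to-component)
        for target in dep.get("dependsOn", []):
            if target in usage:
                usage[target].append(service)
    return usage


def summarize(bom):
    """Counts and findings matching the Overview and Top Security Issues cards."""
    kinds = asset_kinds(bom)
    usage = services_by_asset(bom)
    shared = {ref for ref, svcs in usage.items() if len(svcs) >= 2}
    return {
        "keys": sum(1 for k in kinds.values() if k == "key"),
        "certificates": sum(1 for k in kinds.values() if k == "certificate"),
        "services": len(bom.get("services", [])),
        "shared_keys": sorted(r for r in shared if kinds[r] == "key"),
        "shared_certificates": sorted(r for r in shared if kinds[r] == "certificate"),
        "unused_keys": sorted(r for r, s in usage.items() if kinds[r] == "key" and not s),
    }
```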

> [!NOTE]
> NOTE
> 
> If your AWS connection was last scanned before the Fortanix Key Insight 25.07 release and has not been rescanned, you must perform a **Rescan** to ensure the correct CBOM export.
> 
> *For more information on how to perform a rescan, refer to [Section 5.0: Rescan an AWS Connection](/docs/fortanix-key-insight-user-interface-components-aws#50-rescan-an-aws-connection).*

### 3.3 Keys by Status

This section provides a summary of AWS keys categorized by their status:

- **Enabled keys**: These keys are active cryptographic keys in AWS that can be used for encryption and decryption operations. In Fortanix Key Insight, these keys are tracked for ongoing usage, risk, and compliance.
- **Disabled keys**: These keys are cryptographic keys in AWS that are turned off and cannot be used for encryption or decryption until they are re-enabled. In Fortanix Key Insight, these keys are monitored as part of the key lifecycle to help identify unused or deprecated keys that may require clean-up or reactivation.
- **Cross Account Key Usage**: These are keys created in one AWS account but accessed by services or resources in another AWS account. Fortanix Key Insight detects and flags these keys to provide visibility into external access and highlight potential security or compliance risks.
- **Platform managed keys**: These are encryption keys automatically created and managed by AWS to enable transparent encryption across AWS services such as S3, EBS, and RDS. Users cannot configure, manage, or rotate these keys. In Fortanix Key Insight, platform-managed keys are discovered and classified to support auditing and inventory management.
- **Customer managed keys**: These are encryption keys created, owned, and controlled by users through AWS Key Management Service (KMS). Customers can define key policies, control permissions, set rotation schedules, and manage the full lifecycle of these keys. This also includes keys that have been imported into AWS KMS. Fortanix Key Insight provides deep visibility and governance for these keys, including usage tracking, risk assessment, rotation monitoring, and compliance enforcement.

Click a key status label in the **Keys by Status** section to go to the corresponding list view for that key type.

### 3.4 Keys by Type

This section displays a count of key specifications across all AWS accounts included in the scan. For AWS CSP, it shows the total number of keys that are configured in all the AWS cloud accounts based on the applied Key Insight policy.

Click any key type to navigate to its corresponding list view.

### 3.5 Top Accounts by Key and Status

This section lists, in descending order, the top five accounts with the greatest number of keys since the last key scan operation. The count for each account includes both enabled and disabled keys.

Blue indicators represent enabled keys, while orange indicators represent disabled keys.

Click an account ID to open the list view showing all keys in that account.

### 3.6 Key Source

This section provides a summary of AWS keys grouped by their source.

The key counts are categorized as follows:

- **AWS KMS**: count of all the keys that were directly created in AWS KMS.
- Bring Your Own Key (**BYOK**): count of all the keys whose key material was imported into AWS KMS from an external source, for example, through the [*AWS KMS Bring Your Own Key*](https://support.fortanix.com/docs/fortanix-dsm-aws-kms-byok-bring-your-own-key) workflow.
- **External Key Store (XKS)**: count of all the keys that are stored in an external key store, for example, a key store created by connecting [*Fortanix DSM with AWS External Key Store (XKS)*](https://support.fortanix.com/docs/using-fortanix-dsm-with-aws-external-key-store-xks) to encrypt or decrypt the customer’s data in AWS.

> [!NOTE]
> NOTE
> 
> If you added an external key source (Fortanix DSM SaaS or On-Premises) during AWS cloud connection onboarding, the BYOK key source label will be replaced with “**Fortanix**”, displaying the count of the **BYOK** key source. This indicates that the **BYOK** keys are now correlated from the external key source, “**Fortanix**”.

Clicking the key source labels will take you to the tabular view of the keys for the selected key source.

### 3.7 Protected Services

This section presents a summary of the number of encrypted AWS services compared to the number of unencrypted services.

- Clicking the **Encrypted** label takes you to the **Services** table, which shows all the encrypted services.
- Clicking the **Unencrypted** label takes you to the **Services** table, which shows all the services that are not encrypted.

### 3.8 Certificates by Status

This section summarizes the status of scanned AWS certificates, showing the number of issued certificates, validation pending, and expired certificates. Click any label or count to navigate to a filtered list view of the corresponding certificates.

### 3.9 Certificates by Algorithm Type

This section provides a summary of certificate distribution by key algorithm type (for example, RSA 2048). For AWS certificates, it displays the total count of each key algorithm used across all scanned certificates.

Click any key algorithm type to view a filtered list of certificates using that algorithm.

## 4.0 Assessments

After adding an AWS connection, you can access the Fortanix Key Insight **Assessment** page from the left navigation panel.

The **Assessment** page shows:

- Key security posture details for the AWS connection.
- Violations that must be remediated to improve the security status.
- Remediation advice to improve the security status.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI_AWS Assessment(12).png)

**Figure 2: AWS assessment report**

> [!NOTE]
> NOTE
> 
> If you added any external key source during the AWS cloud connection onboarding, the **Assessment** page will display the total key count, reflecting the correlated keys from the external key source after a successful scan.

### 4.1 Risk Score

This section provides the overall risk score of the CSP keys, certificates, and services.

The following are the different risk score categories and their associated risks:

- **High** – A high score signifies the total number of shared keys, shared certificates, overly permissive (usage) keys, overly permissive (key usage) certificates, or non-compliant keys in use.
- **Critical** – A critical risk score indicates the total number of deleted keys, expired certificates, services encrypted with cross-account key usage, non-compliant certificates by algorithm, and unencrypted cloud services detected that need attention.
- **Medium** – A medium risk score indicates the total number of CSP-generated and overly permissive (management) keys in use.
- **Good** – A good risk score signifies that no risks have been identified, or only minimal risks are present.

The overall risk score is prioritized based on the number of risks, in order of severity from highest to lowest:

- Critical
- High
- Medium
- Good

Click each risk label or count to access its corresponding list view.

### 4.2 Service Violations

For an AWS CSP, this section provides insights into service violations across your AWS cloud environment.

You can view the total number of AWS accounts and their associated services, along with specific violations tied to each service. These violations may result from issues such as the use of shared, deleted, or soon-to-be-deleted keys, excessive permissions, cross-account key usage, non-compliant configurations, or unencrypted keys.

This information helps you identify which services are at risk, enabling you to implement unique, compliant, and encrypted keys to strengthen your security posture.

Also,

- Risk levels for each service are color-coded for easier identification and prioritization.
- Select **VIEW ALL** to navigate to the **Services** page and explore all key-related violations for each service.

> [!NOTE]
> NOTE
> 
> For **S3**, **RDS**, and **EBS**, the count of **Non-Compliant keys** will always be **0** since all keys are compliant by default.

- Click any service to view a detailed list of the top 10 key violations associated with it, sorted by severity. Select any violation type to navigate to its corresponding full list.
- Click **BACK** to navigate to the service violations card view.

### 4.3 Top Security Issues

This section provides the following information about the keys and certificates:

- **Shared keys**: Displays the total number of keys in the AWS connection that are shared by two or more services for encryption. Shared keys increase security risk, and this information helps you determine which keys are at risk so that you can use unique encryption keys for better security.
- **Shared certificates**: Displays the total number of certificates in the AWS connection that are shared across two or more services. Identifying these shared certificates helps you assess potential exposure risks and take action by using unique certificates for enhanced security.
- **Services using Platform Managed Keys**: These represent AWS services that automatically encrypt customer data using platform-managed encryption keys, which are fully controlled by AWS and are not accessible for customer-based configuration or lifecycle management. Encryption is applied by default and transparently. Fortanix Key Insight detects these services and associates them with their respective platform-managed keys, providing insight into AWS’s default encryption behavior.
- **Non-compliant keys**: Displays the total number of keys in the AWS connection that violate the cryptographic policy set for a Fortanix Key Insight account. This information helps you determine which keys are non-compliant with the Key Insight cryptographic policy so that you can generate new keys to encrypt the AWS services.

  Any key that uses one of the following algorithm and key size combinations is considered **Non-Compliant** in Fortanix Key Insight, according to the National Institute of Standards and Technology (NIST) 800-57 standard:

  - **AES**: Any key size less than 128 bits.
  - **3DES**: Keys with sizes 112 bits and 168 bits.
  - **DES**: Keys with size 56 bits.
  - **RSA**: Keys with a size less than 2048 bits.
  - **DSA**: Keys with a size less than 2048 bits.
  - **ECC**: Keys with a size less than 224 bits.
  - **HMAC**: Keys with a size less than 112 bits.

  Non-compliant keys increase the data security risk and are flagged as vulnerabilities on the **Keys** page. Fortanix Key Insight recommends using stronger key algorithms and ensuring that the key strength aligns with your defined policies and NIST standards.
- **PQC readiness**: Indicates the percentage of your AWS cryptographic assets that are currently quantum-safe, showing your AWS cloud environment's preparedness for PQC. This percentage reflects the portion of assets using PQC-compliant algorithms or configurations. Clicking the percentage value takes you to the **PQC Central** page, where you can view detailed data for the corresponding AWS connection and assess the readiness of individual assets.
- **Cross Account Key Usage**: Displays the total number of keys from one AWS account that are accessed by services or resources in another AWS account. A violation is flagged when a key that previously had cross-account access enabled is no longer detected during the latest scan. Instead of marking such keys as “Deleted,” they are now flagged as **Cross Account Key Usage** if there is a history of cross-account usage.

  This distinction provides greater clarity by differentiating between keys that have been truly deleted and those that may still exist but are no longer visible due to permission changes, configuration updates, or access restrictions.
- **Unused keys**: Displays the total number of AWS keys that remain unused for encryption in the scanned data and supported services. You can use this information to identify unused keys and remove them for enhanced security.

> [!NOTE]
> NOTE
> 
> Fortanix Key Insight recommends removing any unused keys from your AWS cloud as a best practice.

- **Overly permissive keys [Usage]**: Displays the total number of AWS KMS keys with excessive usage permissions. Such keys can result in service violations and are assigned a high-risk score. This information helps analyze key usage to improve security. The overly permissive keys (usage) check examines [Key Policies](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) and [Grants](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) to determine if an AWS service principal is allowed to execute cryptographic operations without utilizing `EncryptionContext` or `aws:SourceArn` condition keys. Additionally, it identifies wildcard entries in the `Principal` field of policy statements that grant broad permissions for cryptographic operations on AWS KMS.
- **Overly permissive keys [Management]**: Displays the total number of AWS KMS keys with excessive management permissions. Keys with overly permissive management permissions can lead to service violations and are assigned a medium risk score. This information helps analyze key usage to improve security. The overly permissive keys (management) check specifically examines [Key Policies](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) to identify policy statements that allow actions to modify keys where the `Principal` field contains wildcard entries. These wildcards (for example, `users/*`) can grant broad permissions and may expose the keys to unauthorized modifications.
- **Overly permissive certificates [Key usage]**: Displays the total number of AWS certificates with excessive key usage permissions. Certificates with overly permissive key usage permissions can lead to service violations and are assigned a high risk score. Key usages are assigned based on specific roles, such as:

  - TLS Web Server Authentication
  - TLS Web Client Authentication
  - Code Signing
  - Email Protection
  - Timestamping
  - OCSP Signing
  - IPSec End System
  - IPSec Tunnel
  - IPSec User

  Certificates are flagged as violated if they include multiple key usages beyond the acceptable combinations, with three exceptions:

  1. A single key usage type.
  2. A combination of Web Server and Web Client Authentication.
  3. An empty or undefined key usage.

  Any other combination is considered overly permissive and potentially vulnerable.

> [!NOTE]
> NOTE
> 
> Fortanix Key Insight recommends reviewing and revalidating the AWS key and certificate policies as a best practice to avoid excessive permissions.

Click each top security issue to access its corresponding list view.
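The two overly permissive key checks described in this section, as an added Python example that is not Fortanix Key Insight's own code: it audits a constructed KMS key policy document for usage statements whose principal is a service or a wildcard and that carry no `kms:EncryptionContext` or `aws:SourceArn` condition, and for key-management statements whose principal contains a wildcard. The action sets are an illustrative assumption, and Grants are not examined.

```python
"""Audit an AWS KMS key policy for the two overly permissive patterns from
Section 4.3: usage (a service or wildcard principal may run cryptographic
operations with no `kms:EncryptionContext` / `aws:SourceArn` condition) and
management (a wildcard principal may run key-modifying actions).

SAMPLE_POLICY is a constructed key policy document. USAGE_ACTIONS and
MANAGEMENT_ACTIONS are an illustrative selection of KMS API actions, not
Fortanix Key Insight's exact lists, and this check does not read Grants.
"""
import fnmatch
import json

USAGE_ACTIONS = {
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
    "kms:Sign", "kms:Verify",
}
MANAGEMENT_ACTIONS = {
    "kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:DisableKey",
    "kms:EnableKeyRotation", "kms:DisableKeyRotation", "kms:CreateGrant",
    "kms:RevokeGrant", "kms:UpdateKeyDescription",
}

SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        # Default root statement: a concrete principal, so not flagged.
        {"Sid": "EnableRootAccess", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        # Service principal with crypto actions and no scoping condition.
        {"Sid": "AllowLogsService", "Effect": "Allow",
         "Principal": {"Service": "logs.us-east-1.amazonaws.com"},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
         "Resource": "*"},
        # Wildcard principal allowed to modify the key.
        {"Sid": "AllowAnyUserToManage", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:user/*"},
         "Action": ["kms:PutKeyPolicy", "kms:ScheduleKeyDeletion"],
         "Resource": "*"},
        # Service principal scoped by aws:SourceArn: acceptable.
        {"Sid": "AllowS3Scoped", "Effect": "Allow",
         "Principal": {"Service": "s3.amazonaws.com"},
         "Action": "kms:Decrypt", "Resource": "*",
         "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:s3:::orders-archive"}}},
    ],
})


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principals(statement):
    """Return (kind, value) pairs; a bare "*" principal becomes ("*", "*")."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return [("*", "*")]
    return [(kind, v) for kind, vals in principal.items() for v in _as_list(vals)]


def matched_actions(statement, wanted):
    """Expand Action patterns such as kms:* or kms:GenerateDataKey* against `wanted`."""
    hits = set()
    for pattern in _as_list(statement.get("Action")):
        hits.update(a for a in wanted if fnmatch.fnmatchcase(a, pattern))
    return hits


def has_scoping_condition(statement):
    """True when a condition key ties the grant to an EncryptionContext or SourceArn."""
    for keys in statement.get("Condition", {}).values():
        for key in keys:
            lowered = key.lower()
            if lowered.startswith("kms:encryptioncontext") or lowered == "aws:sourcearn":
                return True
    return False


def audit_key_policy(policy_text):
    """Return one finding per (statement, principal) matching either pattern."""
    policy = json.loads(policy_text)
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement-{index}")
        usage = matched_actions(stmt, USAGE_ACTIONS)
        management = matched_actions(stmt, MANAGEMENT_ACTIONS)
        scoped = has_scoping_condition(stmt)
        for kind, value in principals(stmt):
            wildcard = "*" in value
            if usage and (kind == "Service" or wildcard) and not scoped:
                findings.append({"sid": sid, "type": "usage", "severity": "high",
                                 "principal": value, "actions": sorted(usage)})
            if management and wildcard:
                findings.append({"sid": sid, "type": "management", "severity": "medium",
                                 "principal": value, "actions": sorted(management)})
    return findings
```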
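As a further added example (not the product's code), the Python below applies the Non-Compliant algorithm and key size combinations and the three key usage exceptions from this section to a constructed key and certificate inventory; the record field names are assumptions.

```python
"""Apply two Section 4.3 rules to an inventory: the NIST 800-57 algorithm/size
combinations that make a key Non-Compliant, and the key usage combinations that
make a certificate overly permissive (anything other than a single usage, the
Web Server + Web Client Authentication pair, or no usage at all).

The key and certificate records below are constructed for this example and do
not use the field names of a Fortanix Key Insight export.
"""

WEB_AUTH_PAIR = frozenset({"TLS Web Server Authentication", "TLS Web Client Authentication"})


def is_non_compliant_key(algorithm, key_size_bits):
    """True when the algorithm/size pair is in the page's Non-Compliant list."""
    alg = algorithm.upper()
    if alg == "AES":
        return key_size_bits < 128
    if alg == "3DES":
        return key_size_bits in (112, 168)
    if alg == "DES":
        return key_size_bits == 56
    if alg in ("RSA", "DSA"):
        return key_size_bits < 2048
    if alg == "ECC":
        return key_size_bits < 224
    if alg == "HMAC":
        return key_size_bits < 112
    return False  # algorithm not covered by the listed combinations


def is_overly_permissive_key_usage(key_usages):
    """Implements the three exceptions: single usage, the web auth pair, or none.
    Duplicates and blank entries are ignored so they cannot inflate the count."""
    usages = frozenset(u.strip() for u in (key_usages or []) if u and u.strip())
    if len(usages) <= 1:
        return False
    return usages != WEB_AUTH_PAIR


def top_security_issues(keys, certificates):
    """Identifiers behind the 'Non-compliant keys' and
    'Overly permissive certificates [Key usage]' cards."""
    non_compliant = [k["id"] for k in keys if is_non_compliant_key(k["algorithm"], k["size"])]
    overly_permissive = [c["id"] for c in certificates
                         if is_overly_permissive_key_usage(c.get("key_usages"))]
    return {"non_compliant_keys": non_compliant,
            "overly_permissive_certificates": overly_permissive}


# Constructed inventory records.
SAMPLE_KEYS = [
    {"id": "k-orders", "algorithm": "AES", "size": 256},
    {"id": "k-legacy-rsa", "algorithm": "RSA", "size": 1024},
    {"id": "k-legacy-3des", "algorithm": "3DES", "size": 168},
    {"id": "k-signing", "algorithm": "ECC", "size": 256},
    {"id": "k-mac", "algorithm": "HMAC", "size": 256},
]
SAMPLE_CERTIFICATES = [
    {"id": "c-web", "key_usages": ["TLS Web Server Authentication"]},
    {"id": "c-mtls", "key_usages": ["TLS Web Client Authentication", "TLS Web Server Authentication"]},
    {"id": "c-none", "key_usages": None},
    {"id": "c-web-and-sign", "key_usages": ["TLS Web Server Authentication", "Code Signing"]},
    {"id": "c-all", "key_usages": ["TLS Web Server Authentication",
                                   "TLS Web Client Authentication", "Email Protection"]},
]
```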

### 4.4 Certificate Expiry by Issuers

This section provides insights into monitoring and managing the expiration status of certificates in AWS Certificate Manager (ACM), organized by issuer (for example, Amazon, DigiCert, Let's Encrypt, and so on), if any.

This section gives you visibility of certificate lifecycle risks and helps ensure continuous compliance and availability across AWS environments.

This section contains two sub-sections:

#### 4.4.1 About to Expire in 30 Days

This section displays the **top 10** ACM certificates that are scheduled to expire within the next 30 days, grouped by certificate issuer, if any. Each issuer is represented using a distinct color for easy identification.

Click the count associated with a specific issuer or the overall total to navigate to a filtered list view displaying the corresponding certificates.

Click **VIEW ALL** to view the list of all certificates in the category.

#### 4.4.2 Expired Certificates

This section displays the **top 10** ACM certificates that have already expired, grouped by certificate issuer, if any. Each issuer is represented using a distinct color for easy identification.

This data helps to identify misconfigurations, overlooked assets, or potential security risks from expired certificates.

Click the count associated with a specific issuer or the overall total to navigate to a filtered list view displaying the corresponding certificates.

Click **VIEW ALL** to view the list of all certificates in the category.

### 4.5 Certificate by Violation Type

This section displays the total number of non-compliant ACM certificates categorized by specific violation types (for example, shared certificates), helping you take targeted action to address security or policy gaps.

> [!NOTE]
> NOTE
> 
> Fortanix Key Insight currently does not support the **Non-compliant Certificates (Signature Algorithm)** violation type in the Policy Center; therefore, its count will always be **0**.

Click the count for a specific violation type or the overall total to navigate to a filtered list view of the affected certificates.

### 4.6 Key Count by Sources

For AWS CSP, this section provides information about the security and risk assessment of the natively managed keys (key source is AWS KMS or AWS Cloud HSM) and externally managed keys (key source is External or External Key Store).

The visual indicators (circles) represent the total number of keys found in the AWS account.

#### 4.6.1 Cloud Generated

This section displays the details of natively managed keys (the key source is AWS KMS or AWS Cloud HSM). It is represented as a blue circle.

- **KMS**: The KMS represents the total number of keys directly generated in AWS KMS. These keys increase the risk of unauthorized access to encrypted data. For better security, you can use the Fortanix Data Security Manager. Click the circle or the warning icon ![WarningIcon.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/25759762517652.png) to go to the list view of the KMS keys.
- **Cloud HSM**: These keys in Fortanix refer to cryptographic keys that are stored and managed within Fortanix using their Hardware Security Module (HSM) services. Click the circle or the warning icon to go to the list view of the HSM-protected keys.

#### 4.6.2 External

This section displays information about externally managed keys.

- **BYOK**: The BYOK circle represents the total number of keys that were imported into AWS using an external source. *Refer to the [Fortanix DSM using the Bring Your Own Key (BYOK)](/v1/docs/fortanix-dsm-aws-kms-byok-bring-your-own-key) guide*, where the key material of the key is imported into AWS KMS. Users bringing their keys must ensure that their key storage mechanisms are secure, preventing unauthorized access or key exposure. Click the circle or the warning icon ![WarningIcon.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/25759762517652.png) to go to the list view of the BYOK keys.
- **External Key Store (XKS)**: The XKS circle represents the count of all the keys that are stored in an external key store, for example, a key store created by connecting [*AWS XKS with Fortanix DSM*](/v1/docs/using-fortanix-dsm-with-aws-external-key-store-xks) to encrypt or decrypt the customer’s data in AWS. Keys present in an External Key Store are more secure than BYOK or KMS keys.
- **Fortanix**: This key source refers to the external key source configured during AWS connection onboarding. The key count represents the number of keys correlated with Fortanix Key Insight from Fortanix DSM SaaS or On-Premises.

### 4.7 Download Assessment Report

Click **DOWNLOAD REPORT** on the top-right corner of the **Assessment** page to view the **Data Security Assessment Report** for the AWS connection in PDF format.

The report will open in the **Print** dialog box, where you can select to print it or save it locally to your machine as needed.

## 5.0 Rescan an AWS Connection

Click **RESCAN** on the top-right corner of the **Overview** or **Assessment** page to perform a rescan and verify whether any keys have been added, deleted, or updated in the CSP organization.

If you click **RESCAN** and start the scan, you can monitor the progress bar while the scan is running.

After the scan is completed successfully,

- The **Last scanned** label will be updated with the completion date and time.
- The **Overview** page will reflect the new state of the AWS CSP keys, certificates, and services.

> [!NOTE]
> NOTE
> 
> The **RESCAN** option is accessible only to users with the **Account Administrator** and **Group Administrator** roles.

## 6.0 Keys

After onboarding the AWS connection, click **Keys** in the Fortanix Key Insight left navigation panel to access the scanned keys details. On the **Keys** page, you can switch between the **LIST** and **GRAPH** views using the ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI_AWS View Switcher.png) toggle in the top left corner. The **LIST** view is selected by default.

### 6.1 List View

The keys list view displays all keys in a table, along with details such as key ID, state, violations, region, owners, usage description, AWS account ID, key creation date, external key store name(s), key alias, last rotation date, next rotation date, auto-rotation status, key specification, and key source.

> [!NOTE]
> NOTE
> 
> Each key can have multiple aliases, displayed as a comma-separated list.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1764322149998.png)

**Figure 3: AWS keys list view**

- Use the **Search** field to filter keys based on the available criteria and supported values, for example:
  - Key Spec
  - Key State
  - Compliance: Compliant keys, Non-compliant keys
- Click ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/gcp-connection---user-interface-components-image-oikbq2v5.png) in the top-right corner of the table to customize which columns are displayed, beyond the default six.
- Click **EXPORT** to export the scanned keys data. *For more information, refer to [Section 9.0: Export Scanned Data](/v1/docs/fortanix-key-insight-user-interface-components-aws#90-export-scanned-data).*
- Click ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/gcp-connection---user-interface-components-image-ouncgje0.png) in the **VIOLATIONS** column to view detailed information about the associated vulnerabilities.

#### 6.1.1 Add Key Details

You can assign owners to the scanned keys to enhance key management, simplify tracking, and improve remediation workflows.

Perform the following steps to add the key(s) details:

1. Select the check box (![image.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image(133).png)) next to the required key(s) in the list.
2. Click **ADD DETAILS** in the top right corner of the list view.

> [!NOTE]
> NOTE
> 
> If your AWS connection was last scanned before the Fortanix Key Insight 25.03 release and a new scan was not performed, clicking the **ADD DETAILS** option will show a **Rescan Required to Add Details** dialog box. To ensure your key details are correctly added, you must rescan the AWS connection and then add the key details.
> 
> *For more information on how to perform a rescan, refer to [Section 5.0: Rescan an AWS Connection](/docs/fortanix-key-insight-user-interface-components-aws#50-rescan-an-aws-connection).*
3. In the **Add Details** dialog box:
  1. **Primary owner**: Enter the primary owner’s name or employee ID.
  2. **Email ID**: Enter the primary owner’s valid email ID.
  3. Click **ADD SECONDARY OWNER** to add the secondary owner’s details, if required.
  4. **Description (Optional)**: Enter an optional description.
  5. Click **ADD** to add the ownership details to the selected key(s).

> [!NOTE]
> NOTE
> 
> To add ownership details, specifying a primary owner is mandatory before adding a secondary owner.

On the **Keys** page, the primary and secondary owners’ names or employee IDs and email addresses will appear in the **OWNERS** column, and the description will appear in the **USAGE DESCRIPTION** column.

> [!NOTE]
> NOTE
> 
> Only users with **Account Administrator** permissions can add or edit key details.

#### 6.1.2 Edit Key Details

You can modify the details of the selected key(s).

Perform the following steps to edit the key(s) details:

1. Select the check box (![image.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image(133).png)) next to the required key(s) in the list.
2. Click **EDIT DETAILS** in the top right corner.
3. In the **Edit Details** dialog box, update the required values.
4. Click **UPDATE** to apply the changes.

#### 6.1.3 View Key Details

Click any key identifier in the **Keys** list to view its properties, rotation history, associated violations, and service mappings.

- The **KEY DETAILS** tab displays the key’s properties, ownership information (if provided), external key source (XKS), and automatic rotation policy details.

If required, click **EDIT DETAILS** on the **Ownership** section to update the ownership details for the selected key.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1764322560363.png)

**Figure 4: Access key details view**

> [!NOTE]
> NOTE
> 
> The **Key Correlation** section is visible only if an external key source (Fortanix DSM SaaS or On-Premises) has been configured for the Fortanix Key Insight AWS cloud connection. You can filter the correlated keys using the **Key Source = Fortanix** or **Key Correlation = Correlated** attributes.
> 
> For a selected correlated key in the list, this section displays details such as the key source, key source type, last correlated date, and source key ID. Click the **Key ID** to navigate to Fortanix DSM SaaS and view the key details.
> 
> ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1764322590689.png)
> 
> **Figure 5: Access keys correlated data**

- The **VIOLATIONS** tab displays violation details associated with the key.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1764322610963.png)

**Figure 6: View key violations**

- The **SERVICE MAPPING** tab displays the mapping between the key and AWS service(s), if any. You can view the details of the key and its associated services through **Legends**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1764322634774.png)

**Figure 7: Key and service mapping**

### 6.2 Graph View

The graph view shows the following information:

- For every key source, it shows the account names, and for each account, it shows the map of all the keys in that account that are used to encrypt the AWS services.
  - If the AWS cloud connection is linked to an external key source, you can also view the details of the correlated key and the associated service mapping.
- Each key displays all the services encrypted by it.
- If a key is used by more than one AWS service, is non-compliant, is used across accounts, or has overly permissive usage or management permissions, the map shows a vulnerability warning for it, and Key Insight recommends the appropriate action items to resolve those warnings.
- Non-compliance vulnerabilities are reported based on the configured key sizes and types, following the NIST standards specified in the applied Key Insight policy.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1764322661602.png)

**Figure 8: Key vulnerability**
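To make the warning categories above concrete, here is an added example (not Fortanix code) that runs the same four checks over a constructed set of scanned key records and builds the account-to-key-to-service structure the key map renders. The policy thresholds (`POLICY_MIN_BITS`), the `allows_wildcard_principal` field, and the `<account>/<service type>/<name>` service naming are assumptions made for the illustration; a real Key Insight policy is configured in the product and may differ.

```python
"""Key-warning checks of the kind the Key Insight graph view reports.

Added illustration, not Fortanix code. The policy thresholds and the
"allows_wildcard_principal" field are assumptions; the key records are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed policy: minimum key sizes in bits that meet the 112-bit security strength
# NIST SP 800-57 recommends for new keys. The real policy is set in the Key Insight UI.
POLICY_MIN_BITS = {"RSA": 2048, "EC": 256, "AES": 128}


@dataclass
class KeyRecord:
    """One scanned key (constructed; fields chosen to mirror the graph view's inputs)."""
    key_id: str
    account: str                      # 12-digit AWS account ID that owns the key
    algorithm: str                    # RSA, EC or AES
    bits: int                         # key size in bits
    services: List[str] = field(default_factory=list)  # "<account>/<service type>/<name>"
    allows_wildcard_principal: bool = False  # assumed: key policy grants usage to "*"


def is_policy_compliant(algorithm: str, bits: int) -> bool:
    """Key size and type check against the assumed NIST-based policy."""
    minimum = POLICY_MIN_BITS.get(algorithm)
    return minimum is not None and bits >= minimum


def assess_key(key: KeyRecord) -> List[str]:
    """Return the warning tags the graph view would attach to this key."""
    warnings = []
    if len(key.services) > 1:
        warnings.append("multi-service")          # one key protecting several services
    if not is_policy_compliant(key.algorithm, key.bits):
        warnings.append("non-compliant")          # size or type below policy
    if any(s.split("/", 1)[0] != key.account for s in key.services):
        warnings.append("cross-account")          # used by a service in another account
    if key.allows_wildcard_principal:
        warnings.append("overly-permissive")      # usage/management open to any principal
    return warnings


def build_key_map(keys: List[KeyRecord]) -> Dict[str, Dict[str, dict]]:
    """Account -> key ID -> {services, warnings}: the structure the key map renders."""
    key_map: Dict[str, Dict[str, dict]] = {}
    for key in keys:
        key_map.setdefault(key.account, {})[key.key_id] = {
            "services": list(key.services),
            "warnings": assess_key(key),
        }
    return key_map


# Constructed sample scan: two accounts, three keys.
SAMPLE_KEYS = [
    KeyRecord("key-aaaa", "111111111111", "AES", 256,
              ["111111111111/S3/audit-logs"]),
    KeyRecord("key-bbbb", "111111111111", "RSA", 1024,
              ["111111111111/RDS/orders-db", "222222222222/EBS/vol-01"],
              allows_wildcard_principal=True),
    KeyRecord("key-cccc", "222222222222", "EC", 256,
              ["222222222222/DynamoDB/sessions", "222222222222/EFS/shared"]),
]

if __name__ == "__main__":
    for account, keys in build_key_map(SAMPLE_KEYS).items():
        for key_id, info in keys.items():
            print(account, key_id, info["warnings"] or "ok")
```

In the sample, `key-bbbb` collects all four warnings: it protects two services, is a 1024-bit RSA key, one of those services lives in another account, and its policy is open to any principal. A key with a single, compliant, same-account use and a scoped policy (`key-aaaa`) produces none.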

- Click various points in the key map to go to the tabular view of that entity. For example, click the account icon (![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI_AWS Account Icon.png)) for the AWS **KMS** key source to go to the tabular view of the keys for that account.
- Filter the keys by **Key Sources**, **Accounts**, **Key ID**, **Vulnerabilities**, and **Services** on the key map.

For example, to filter the key map by key source:
  1. Click the **Key Source** drop-down to select or search keys by key source. For AWS, the key sources are **KMS**, **Cloud HSM**, **BYOK**, **XKS**, and **Fortanix**. For this example, select **KMS**.
  2. Click **SEARCH**. The key map now displays only the keys for the **KMS** key source.

## 7.0 Services

After onboarding the AWS organization, click **Services** in the Fortanix Key Insight left navigation panel to access the map of all the AWS services (**S3** BUCKET, **RDS** INSTANCE, **EBS**, **DynamoDB**, **EKS**, **Redshift**, and **EFS** services) grouped by AWS accounts.

On the **Services** page, you can switch between the **LIST** and **GRAPH** views using the view switcher (![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI_AWS View Switcher(1).png)) in the top-left corner. The **LIST** view is selected by default.

### 7.1 List View

The services list view displays all services in a table, along with details such as name, type, encryption, violations, region, and AWS account ID.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1764322940198.png)

**Figure 9: AWS services list view**

- Click a value in the **ENCRYPTION** column to check whether the service is encrypted. Clicking the label opens a dialog box that shows details such as the server-side encryption (SSE) algorithm, key state, origin, key manager, key specification, and key usage.
- Click ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI_Violation%20Icon.png) in the **VIOLATIONS** column to view detailed information about the associated vulnerabilities.
- Use the **Search** field to filter services based on the available criteria and supported values. For example:
  - Name
  - AWS Account ID
  - Encryption: Encrypted, Unencrypted
- Click **EXPORT** to export the scanned services data. *For more information, refer to*[*Section 9.0: Export Scanned Data*](/v1/docs/fortanix-key-insight-user-interface-components-aws#90-export-scanned-data).

#### 7.1.1 Service Details

You can click any AWS service name in the **Services** list to view its configuration details and associated violations.

- The **SERVICE DETAILS** tab displays the service configurations and associated keys data.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1764322970199.png)

**Figure 10: Access services details view**

> [!NOTE]
> NOTE
> 
> The **Key Correlation** section is visible only when the selected service is encrypted and associated with a correlated key from an external key source connection. You can filter the correlated data using the **Name** attribute. For the filtered data, it displays details such as the key source, key source type, last correlated date, linked key ID, and source key ID.
> 
> You can click **Key Id** and **Linked Key Id** to navigate to Fortanix DSM SaaS to view the corresponding key details.
> 
> ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1764322991572.png)
> 
> **Figure 11: Key correlation in service details**

- The **VIOLATIONS** tab displays any violations associated with the service.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1764323014942.png)

**Figure 12: View service violations**

### 7.2 Graph View

In the services graph view, the services are grouped into the following categories, and you can also view the total counts for services, violations, regions, and accounts within each category:

- **Service Type**: Selecting this category allows you to view all services grouped by type and their corresponding risk levels. The color of each service indicates its associated risk level. This category is selected by default.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI_AWS Services by Type.png)

**Figure 13: Access services graph view**

Click any service to view the types of violations for that service and the count for each violation, sorted by severity, if applicable.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI_AWS Services by a Specific Type.png)

**Figure 14: Select and view an AWS service details**

  - Clicking a specific violation in the list will take you to the corresponding service list view, filtered accordingly.
- **Violation Type**: Selecting this category allows you to view all services grouped by violation type, along with their corresponding risk levels.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI_AWS Services by Violations(3).png)

**Figure 15: AWS services by violation types**

Click any violation to view the types of services that share the violation and the count for each service type, if applicable.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI_AWS Services by a Specific Violations.png)

**Figure 16: Select and view AWS service violations details**

  - Clicking a specific service type in the list will take you to the corresponding service list view, filtered accordingly.
- **Accounts and Regions**: Selecting this category allows you to view all services grouped by different accounts and regions, along with their associated risk levels.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI_AWS Services by Regions.png)

**Figure 17: AWS services by accounts and regions**

Click any account and region to view the types of services that share that account and region.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI_AWS Services by a specific Regions.png)

**Figure 18: View and select services by accounts and regions**

  - Click any service to view the types of violations and the count for each violation, sorted by severity, if applicable.
    - Clicking a specific service type in the list will take you to the corresponding service list view, filtered accordingly.

You can filter the services by **Account**, **Region**, **Vulnerability**, and **Service Type** for each category explained in [*Section 7.2: Graph View.*](/v1/docs/fortanix-key-insight-user-interface-components-aws#72-graph-view)

For example, to filter services by **Region**:

1. Select the **Group by:** category. For example, **Service Type**.
2. Click the **Region** drop down to select the region. For example, **us-east-1**.
3. Click **APPLY**.

The **Services** page will display only the services for the selected region. Additionally, the count for the total number of services, violations, regions, and accounts shown in the top bar will be updated accordingly.

Click **RESET** to clear all filters or select the **All (Default)** option from the dropdown in the desired filter to reset that specific filter.

## 8.0 Certificates

The **Certificates** feature provides a unified view that links AWS ACM certificates to their corresponding private keys and identifies the AWS services where these certificates are actively in use.

This mapping offers end-to-end visibility into certificate usage, enabling better management of encryption assets, risk assessment, and compliance monitoring across your AWS environment.

After onboarding the AWS organization, click **Certificates** in the Fortanix Key Insight left navigation panel.

Clicking **Certificates** opens a list view that displays a mapped overview of all AWS ACM certificates, along with their associated keys, and the AWS services using them.

### 8.1 List View

The certificate list view displays all certificates in a table, along with details such as certificate ID or ARN, status, violations, issuer, key algorithm, serial number, domain name, Subject Alternative Name (SAN), renewal status, in use by, not valid before, owners, usage description, and creation and expiration timestamps.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1764323055361.png)

**Figure 19: AWS certificates list**

- Use the **Search** field to filter certificates based on the available criteria and supported values. For example:
  - Certificate ID/ARN
  - Issuer
  - Key Algorithm Type: RSA 2046, RSA 3072, RSA 4096, Unknown
- Click (![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/gcp-connection---user-interface-components-image-oikbq2v5.png)) in the top-right corner of the table to customize which columns are displayed, beyond the default six.
- Click **EXPORT** to export the scanned certificates data. *For more information, refer to*[*Section 9.0: Export Scanned Data*](/v1/docs/fortanix-key-insight-user-interface-components-aws#90-export-scanned-data)*.*
- Click ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI_Violation%20Icon.png) in the **VIOLATIONS** column to view detailed information about the associated vulnerabilities.

#### 8.1.1 Add Certificate Details

You can assign owners to the scanned certificates to enhance certificate management, simplify tracking, and improve remediation workflows.

Perform the following steps to add the certificate details:

1. Select the check box (![image.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image(133).png)) next to the required certificate(s) in the list.
2. Click **ADD DETAILS** on the top right corner of the list view.

> [!NOTE]
> NOTE
> 
> If your AWS connection was last scanned before the Fortanix Key Insight 25.05 release and a new scan was not performed, clicking the **ADD DETAILS** option will show a **Rescan Required to Add Details** dialog box. To ensure your certificate details are correctly added, you must rescan the AWS connection and then add the certificate details.
> 
> *For more information on how to perform a rescan, refer to*[*Section 5.0: Rescan an AWS Connection*](/docs/fortanix-key-insight-user-interface-components-aws#50-rescan-an-aws-connection)*.*
3. In the **Add Details** dialog box:
  1. **Primary owner**: Enter the primary owner’s name or employee ID.
  2. **Email ID**: Enter the primary owner’s valid email ID.
  3. Click **ADD SECONDARY OWNER** to add the secondary owner’s details, if required.
  4. **Description (Optional)**: Enter an optional description.
  5. Click **ADD** to add the ownership details to the selected certificate(s).

> [!NOTE]
> NOTE
> 
> To add ownership details, specifying a primary owner is mandatory before adding a secondary owner.

On the **Certificates** page, the primary and secondary owners’ names or employee IDs and email addresses appear in the **OWNERS** column, and the description appears in the **USAGE DESCRIPTION** column.

> [!NOTE]
> NOTE
> 
> Only users with **Account Administrator** permissions can add or edit certificate details.

#### 8.1.2 Edit Certificate Details

You can modify the details of the selected certificate(s).

Perform the following steps to edit the certificate(s) details:

1. Select the check box (![image.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image(133).png)) next to the required certificate(s) in the list.
2. Click **EDIT DETAILS** in the top right corner.
3. In the **Edit Details** dialog box, update the required values.
4. Click **UPDATE** to apply the changes.

#### 8.1.3 View Certificate Details

Click any certificate ID or ARN in the **Certificates** list to view its properties, domain name details, associated violations, and service mappings.

- The **CERTIFICATE DETAILS** tab displays the certificate properties, Domain Name and Subject Alternative Names (SANs), and ownership details (if already provided).

If required, click **EDIT DETAILS** on the **Ownership** section to update the ownership details for the selected certificate.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1764323388092.png)

**Figure 20: Access certificate details**

- The **VIOLATIONS** tab displays the violations associated with the certificate.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1764323409371.png)

**Figure 21: Certificate violations**

- The **SERVICE MAPPING** tab displays the mapping between the certificate and AWS service(s), if any. You can view the details of the certificate and its associated services through **Legends**.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1764323431686.png)

**Figure 22: Access certificate and service mapping**

## 9.0 Export Scanned Data

This feature allows you to export the scanned AWS key, certificate, and service data from Fortanix Key Insight in **Comma-Separated Values (CSV)** format, so that you can download the data for detailed analysis, audits, or reporting and check the current status of your assets outside the UI.

In the AWS **Keys**, **Certificates**, and **Services** list views, click **EXPORT** to export the scanned data using any of the available options:

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image-1764323467805.png)

**Figure 23: Access data export feature**

- **Export current page**: Use this option to export all column data from the current page in CSV format.

> [!NOTE]
> NOTE
> 
> You can download a maximum of 100 items at a time, based on the settings specified in the **Items per page** drop down.

- **Export all raw data**: Use this option to export all scanned data shown in the keys, certificates, and services tables in CSV format. If you select this option, you can read the details on the **Export All Raw Data** dialog box and click **PROCEED** to export all the data.

After the export process begins, you can track its progress. The export status will be logged with a message on the **Activities** tab in Fortanix Key Insight. *For more information, refer to*[*Section 9.1: View Export Activities*](/v1/docs/fortanix-key-insight-user-interface-components-aws#91-view-export-activities)*.*
- **Export selected rows**: This option is disabled by default. You can select the check box (![image.png](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/image(133).png)) next to the required rows on the current page and export them in CSV format using this option.

> [!NOTE]
> NOTE
> 
> - Only users with the **Account Administrator** or **Group Administrator** role can perform the scanned data export.
> - Within a single account, multiple exports can run concurrently across different connections (cloud, on-premises, external key sources, and vendor applications).
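Once a CSV export has been downloaded, the natural next step is to process it outside the UI. The following added example (not Fortanix code) parses a constructed certificates export and produces two things a practitioner usually wants from it: which certificates are expired or expiring soon, and which are not referenced by any AWS service. The column names are assumptions modelled on the certificate list-view columns described in Section 8.1, the timestamp format is assumed to be ISO 8601, and the rows are constructed, not a real export; adjust the header names to match the file you actually download.

```python
"""Post-processing an exported certificates CSV.

Added example, not Fortanix code. The column names are assumptions modelled on the
certificate list-view columns; the CSV content is constructed, not a real export.
"""
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample export. "Export current page" is capped by the Items per page
# setting (at most 100 rows), so use "Export all raw data" for a complete inventory.
SAMPLE_CSV = """Certificate ID/ARN,Status,Issuer,Key Algorithm,Domain Name,Not Valid Before,Expiration,In Use By
arn:aws:acm:us-east-1:111111111111:certificate/aaaa,ISSUED,Amazon,RSA 2048,app.example.com,2025-06-10T00:00:00Z,2026-06-10T00:00:00Z,elb/app-lb
arn:aws:acm:us-east-1:111111111111:certificate/bbbb,ISSUED,Amazon,RSA 4096,legacy.example.com,2025-01-01T00:00:00Z,2027-01-01T00:00:00Z,
arn:aws:acm:eu-west-1:222222222222:certificate/cccc,EXPIRED,Amazon,RSA 2048,old.example.com,2025-05-01T00:00:00Z,2026-05-01T00:00:00Z,cloudfront/dist-1
arn:aws:acm:eu-west-1:222222222222:certificate/dddd,ISSUED,Amazon,RSA 3072,api.example.com,2025-09-01T00:00:00Z,2026-09-01T00:00:00Z,apigateway/prod
"""

# Fixed reference date so the report is reproducible; use datetime.now(timezone.utc) in practice.
REFERENCE_NOW = datetime(2026, 5, 26, tzinfo=timezone.utc)


def parse_timestamp(value: str) -> datetime:
    """Parse the ISO 8601 'Z' timestamps used in the constructed export (assumed format)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_certificates(text: str) -> List[Dict[str, str]]:
    """Read the export into one dict per row keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def expiry_report(certs: List[Dict[str, str]], now: datetime,
                  within_days: int = 30) -> Dict[str, List[str]]:
    """Split certificates into already expired and expiring within the window."""
    horizon = now + timedelta(days=within_days)
    report: Dict[str, List[str]] = {"expired": [], "expiring": []}
    for cert in certs:
        expires = parse_timestamp(cert["Expiration"])
        if expires <= now:
            report["expired"].append(cert["Certificate ID/ARN"])
        elif expires <= horizon:
            report["expiring"].append(cert["Certificate ID/ARN"])
    return report


def unused_certificates(certs: List[Dict[str, str]]) -> List[str]:
    """Certificates no AWS service references: clean-up candidates that shrink the
    set of assets (and private keys) you have to track."""
    return [c["Certificate ID/ARN"] for c in certs if not c["In Use By"].strip()]


def count_by_account(certs: List[Dict[str, str]]) -> Dict[str, int]:
    """Certificates per AWS account, taken from the fifth colon-separated ARN field."""
    counts: Dict[str, int] = {}
    for cert in certs:
        account = cert["Certificate ID/ARN"].split(":")[4]
        counts[account] = counts.get(account, 0) + 1
    return counts


if __name__ == "__main__":
    certs = load_certificates(SAMPLE_CSV)
    print(expiry_report(certs, REFERENCE_NOW))
    print(unused_certificates(certs))
    print(count_by_account(certs))
```

Against the constructed rows and the fixed reference date of 26 May 2026, the report lists `certificate/cccc` as expired, `certificate/aaaa` as expiring within 30 days, and `certificate/bbbb` as unused. The same pattern (load, then one small function per question) applies to the keys and services exports once their column names are substituted.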

### 9.1 View Export Activities

After you initiate the export process using **Export All Raw Data**, you can track the export status in the **Activities** menu located in the left navigation panel.

The following details are available for each export activity:

- Name of the activity. For example, the activity is named **Export_all_keys** if you exported all the AWS keys.
- Name of the file. For example, **AWS Keys.csv**.
- Activity status, which indicates the current state of the data export. This can be any of the following:
  - **Completed**: The data export was successful, and the CSV file automatically downloads to the location specified on your local machine.
  - **In Progress**: The data export is in progress, and you can cancel it using ![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI_AWS Resume Activity.png) if required.
  - **Cancelled**: The data export was cancelled, either because you switched accounts or because you cancelled it manually while it was in progress.
  - **Failed**: The data export did not complete due to errors.
- Name of the connection
- Export creation date and time

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/KI_AWS Activities(5).png)

**Figure 24: Access AWS activities**

> [!NOTE]
> NOTE
> 
> - If you switch to a different account during export, the export will be cancelled and logged in the **Activities** tab.
> - If you navigate to a different solution (for example, Identity and Access Management), the export will continue, but no logs will appear in the **Activities** tab. The export status will be confirmed using a message.
> - If you refresh the web page during the export, a confirmation dialog box appears. If you confirm the refresh, the export is cancelled, and all entries in the **Activities** tab are removed. Therefore, it is recommended not to refresh the page during the export.

Fortanix Key Insight identifies encryption keys and data services across on-premises and hybrid multicloud environments, providing a unified dashboard for tracking key mappings and cryptographic security. It offers security and compliance teams data-driven insights to assess risks, align with best practices, and meet industry regulations. It also supports continuous risk mitigation and crypto-agility, adapting to evolving security needs, including preparation for the post-quantum era.

Fortanix Armor is a comprehensive cybersecurity solution that protects data and applications across on-premises, hybrid, and multi-cloud environments. It integrates Fortanix solutions into a single unified product, securing data throughout its lifecycle. Built on the **Confidential Computing** **Platform**, it ensures real-time encryption of data at rest, in transit, and during processing. Additionally, it includes platform services such as Identity and Access Management (IAM), Key Management Service (KMS), and Audit and Monitoring to simplify security management.

Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface.

Fortanix DSM’s BYOK feature generates Linked or Copied virtual keys from a source key enabling backup and key replication to other CSP accounts/subscriptions, regional instances, key repositories, and, most importantly, to multiple cloud providers, including private clouds. This includes seamless movement between private clouds (on-premises) and public clouds. BYOK keys also allow tracking of key activities across multiple CSP repositories for easier restoration if keys are deleted or disabled.

## Related

- [Getting Started with Cloud Connection](/fortanix-key-insight-getting-started-with-cloud-connection.md)
- [AWS Connection Concepts](/fortanix-key-insight-aws-connection-concepts.md)
- [Azure Connection Concepts](/fortanix-key-insight-azure-connection-concepts.md)
- [Azure Connection - User Interface Components](/fortanix-key-insight-user-interface-components-azure.md)
- [All Connections Concepts](/fortanix-key-insight-concepts-for-all-connections.md)
