1.0 Introduction
This article describes the user interface (UI) features for the Google Cloud Platform (GCP) cloud connection in Fortanix Key Insight.
2.0 Terminology References
For GCP concepts and supported features, refer to GCP Connection Concepts.
3.0 GCP Connection - Overview
Users can access the GCP connection Overview page after adding a GCP cloud connection. The Overview page displays the scanned GCP keys and services based on the applied Fortanix Key Insight policy.
For more information on the Fortanix Key Insight policy, refer to Cryptographic Policy Management.
NOTE
If your Fortanix Armor account is deactivated and you are accessing the Fortanix Key Insight GCP connection, you will not be able to view data under the Overview, Assessments, Keys, Services, or PQC Central pages. You will only have access to view and delete items within the Connections, Policy Center, and Authentication pages.
If the count of GCP projects before the scan does not match the number displayed on the Overview page:
Verify that all required roles and permissions are correctly configured in the GCP projects before running the scan.
After confirming permissions, initiate a re-scan using the RESCAN option on the Overview page. For more information, refer to Section 5.0: Rescan a GCP Connection.

Figure 1: Access GCP Overview
Click ASSESSMENT REPORT to navigate to the Assessment page and view the assessment report. This report allows you to assess your key security posture to ensure the safety of your data. For more information, refer to Section 4.0: GCP Connection - Assessments.
The Overview page helps users get a summary of the GCP keys and services, as described in the following sections:
3.1 Discovered GCP Assets
This section summarizes the discovered asset counts for a GCP connection.
It shows the count of:
The GCP organizations
The folders under all the organizations
The projects under all the folders
The GCP regions
The keys in all the GCP cloud regions
The services in all the GCP cloud regions
NOTE
The total number of keys displayed reflects only the count of the current key version for each key in the GCP Cloud Key Management Service (KMS).
Clicking the Keys and Services labels takes you to their list view.
3.2 Keys by Status
This section provides a summary of GCP keys categorized by their status:
Keys enabled: The number of GCP keys that are currently enabled and may be used by multiple GCP services.
Keys not enabled: The number of GCP keys that are currently inactive.
Rotation disabled: The number of GCP keys for which key rotation is turned off.
Click the Keys by Status label to navigate to the corresponding list view for each key category.
3.3 Keys by Type
This section displays a count of key specifications across all GCP projects included in the scan. It shows the total number of keys found in all GCP Cloud KMS locations based on the applied Fortanix Key Insight policy.
Click any key type to navigate to its corresponding list view.
3.4 Top Projects by Key and Status
This section lists, in descending order, the top five GCP projects with the highest number of keys since the most recent key scan. The count for each project includes both enabled and disabled keys.
Blue indicators represent enabled keys, while Orange indicators represent disabled keys.
Click a project name to open the list view showing all keys in that project.
3.5 Key Source
This section provides a summary of GCP keys grouped by their source.
The key counts are categorized as follows:
Google Cloud Software Protected Key: Keys and crypto-metadata discovered from Cloud KMS software-based encryption services.
Google Cloud HSM Protected Key: Keys backed by Google Cloud HSM or Cloud KMS HSM integrations. These keys provide stronger key isolation and hardware-based safeguards.
Click any key source category to navigate to the corresponding list view.
3.6 Protected Services
This section presents a comparison of GCP services based on their encryption configuration, showing the number of services using:
Google-managed keys (purple)
Customer-managed keys (CMK) (blue)
Unencrypted services (teal blue)
Clicking any service takes you to its respective list view.
4.0 GCP Connection - Assessments
Users can access the Fortanix Key Insight Assessment page after adding a GCP cloud connection.
The Assessment page shows:
Key security posture details for Google Cloud projects and organizations.
Policy violations and misconfigurations that should be remediated to improve the security posture.
Recommended remediation actions to strengthen the overall security status across Google Cloud resources.

Figure 2: GCP assessment report
4.1 Risk Score
This section provides the overall risk score of the GCP keys and services.
The following are the different risk score categories and their associated risks:
Critical – A critical risk score indicates the total number of unencrypted GCP services that need attention.
High – A high score signifies the total number of shared keys, keys with rotation disabled, keys without expiry, and non-compliant keys in use.
Medium – A medium risk score indicates the total number of CSP-generated services that are encrypted with GCP-generated keys.
Good – A good risk score signifies that no risks have been identified, or only minimal risks are present.
The overall risk score is prioritized based on the number of risks, in order of severity from highest to lowest:
Critical
High
Medium
Good
Click each risk label or count to access its corresponding list view.
4.2 Service Violations
This section provides insights into service violations across your GCP cloud environment.
You can view the total number of GCP services, along with the specific violations identified for each service. These violations may result from issues such as the use of shared, deleted, or soon-to-be-deleted keys, excessive permissions, non-compliant configurations, or unencrypted keys.
This information helps you identify which services are at risk, enabling you to implement unique, compliant, and encrypted keys to strengthen your security posture.
Additionally:
Risk levels for each service are color-coded for easier identification and prioritization.
Select VIEW ALL to navigate to the Services page and explore all key-related violations for each service.
Click any service to view a detailed list of the top 10 key violations, sorted by severity. Select any violation type to navigate to its corresponding full list.
Click BACK to return to the service violations card view.
4.3 Top Security Issues
This section provides the following information about the keys:
Shared keys: Displays the total number of Cloud KMS or Cloud HSM keys that are shared by two or more GCP services. Shared keys increase security risk, and this information helps you identify which keys should be replaced with unique, service-specific encryption keys.
Expired keys: Displays the number of Cloud KMS keys that have passed their expiration date. This information helps you review expired keys and delete them as needed.
Unused keys: Displays the total number of GCP keys that remain unused for encryption in the scanned data and supported services. You can use this information to identify and remove unused keys for enhanced security.
NOTE
Fortanix Key Insight recommends removing any unused keys from your GCP cloud as a best practice.
Services using Platform Managed Keys: These represent GCP services that automatically encrypt customer data using Google-managed encryption keys, which are fully controlled by Google and are not accessible for customer-based configuration or lifecycle management.
Fortanix Key Insight detects these services and associates them with their respective platform-managed keys, providing insight into GCP’s default encryption behavior.
PQC readiness: Indicates the percentage of your GCP cryptographic assets that are currently post-quantum-safe, showing your environment’s preparedness for post-quantum cryptography (PQC). The percentage reflects the portion of assets using PQC-compliant algorithms or configurations.
Non-compliant keys: Displays the total number of GCP keys that do not meet the cryptographic policies set in your Fortanix Key Insight account. These keys should be replaced with new ones that align with your configured policies and the security requirements defined by the National Institute of Standards and Technology (NIST).
Fortanix Key Insight classifies a key as non-compliant if it uses any algorithm or key-size combination that is not permitted under NIST 800-57 guidelines, including (but not limited to) the following:
AES: Any key size less than 128 bits.
3DES: Keys with sizes 112 bits and 168 bits.
DES: Keys with size 56 bits.
RSA: Keys with a size less than 2048 bits.
DSA: Keys with a size less than 2048 bits.
ECC: Keys with a size less than 224 bits.
HMAC: Keys with a size less than 112 bits.
Non-compliant keys increase the data security risk and are flagged as vulnerabilities on the Keys page.
Fortanix Key Insight recommends using stronger key algorithms and ensuring that the key strength aligns with your defined policies and NIST standards.
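The non-compliance rules listed above can also be applied offline to a key inventory. The following is an added example, not Fortanix code: the CSV column names (`key_id`, `specification`, `key_rotation`) and the `<ALGORITHM>-<bits>` spelling of the specification are assumptions, and the sample rows are constructed.

```python
import csv
import io
import re

# Non-compliant key sizes per algorithm, in bits, as listed in this section.
RULES = {
    "AES": lambda b: b < 128,
    "3DES": lambda b: b in (112, 168),
    "DES": lambda b: b == 56,
    "RSA": lambda b: b < 2048,
    "DSA": lambda b: b < 2048,
    "ECC": lambda b: b < 224,
    "HMAC": lambda b: b < 112,
}

# Assumed spelling of a specification value: "<ALGORITHM>-<bits>", e.g. "RSA-2048".
SPEC_RE = re.compile(r"^\s*([A-Za-z0-9]+)[-_ ](\d+)\s*$")


def classify(spec):
    """Return 'non-compliant', 'compliant' or 'unknown' for one specification."""
    m = SPEC_RE.match(spec or "")
    if not m:
        return "unknown"  # unparseable value: surface for review, never pass silently
    alg, bits = m.group(1).upper(), int(m.group(2))
    rule = RULES.get(alg)
    if rule is None:
        return "unknown"  # algorithm not covered by the listed rules
    return "non-compliant" if rule(bits) else "compliant"


def audit(csv_text):
    """Map key ID -> list of findings for every key that needs attention."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        verdict = classify(row.get("specification"))
        if verdict != "compliant":
            issues.append(verdict)
        # Rotation values "Enabled"/"Disabled" follow the Keys search filter.
        if (row.get("key_rotation") or "").strip().lower() == "disabled":
            issues.append("rotation-disabled")
        if issues:
            findings[row["key_id"]] = issues
    return findings


# Constructed sample rows; not real export output.
SAMPLE = """key_id,specification,key_rotation
k-aes,AES-256,Enabled
k-rsa-old,RSA-1024,Disabled
k-3des,3DES-168,Enabled
k-ec,ECC-256,Disabled
k-odd,unspecified,Enabled
"""

if __name__ == "__main__":
    for key_id, issues in audit(SAMPLE).items():
        print(key_id, ", ".join(issues))
```

Values that cannot be parsed or that name an algorithm outside the list are reported as `unknown` rather than treated as compliant, so they still reach a reviewer.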
Click each top security issue to access its corresponding list view.
4.4 Key Count By Sources
This section provides information about the security and risk posture of keys discovered across native Google Cloud encryption services (for example, Cloud KMS and Cloud HSM) as well as any externally managed or integrated key sources.
The visual indicators (circles) represent the total number of keys found in the GCP project or organization.
4.4.1 Cloud Generated
This section displays the details of all natively generated keys in GCP.
Google Cloud Software Protected Key: These refer to keys and crypto-metadata discovered from Cloud KMS software-based encryption services.
Since software-protected keys depend on Google-managed, software-based cryptographic modules, they may introduce a higher risk of exposure compared to hardware-backed keys.
Click the circle or the warning icon to go to the list view of the software-protected keys.
Google Cloud HSM Protected Key: These are keys backed by Google Cloud HSM or Cloud KMS HSM integrations. These keys provide stronger key isolation and hardware-based safeguards.
Click the circle or the warning icon to go to the list view of the HSM-protected keys.
4.4.2 External
This section displays information about externally managed keys.
External: These keys refer to cryptographic keys managed outside Google Cloud. These keys never reside within Google Cloud infrastructure, offering enhanced control and enabling compliance with stringent data-sovereignty requirements.
Unspecified: These are keys for which Cloud metadata does not clearly identify the originating key source. This can occur due to incomplete API responses or older configurations that no longer map to an active key management system. Administrators should verify and resolve these entities to ensure visibility and enforce governance.
Click the circle or the warning icon to go to the list view of the external keys.
4.5 Download Assessment Report
Click DOWNLOAD REPORT on the top-right corner of the Assessment page to view the Data Security Assessment Report for the GCP connection in PDF format.
The report will open in the Print dialog box, where you can choose to print it or save it locally to your machine as needed.
5.0 Rescan a GCP Connection
Click RESCAN on the top right corner of the Overview page to perform a rescan and verify if any keys have been added, deleted, or updated in your GCP environment.
If you click RESCAN to start the scan, you can monitor the progress bar as it runs. After the scan completes successfully:
The Last scanned label will update with the completion date and time.
The Overview page will reflect the updated status of the GCP keys and services.
NOTE
The RESCAN option is accessible only to users with the Account Administrator and Group Administrator roles.
You can also click RESCAN on the top right corner of the Assessment page to perform the rescan. After the scan is completed, the Assessment page will reflect the updated status of the GCP keys and services.
6.0 GCP Connection - Keys
After onboarding the GCP connection, click Keys in the Fortanix Key Insight left navigation panel to view the scanned key details. Selecting Keys will open the Keys page, which displays the details of all scanned GCP keys.
6.1 Keys List View
The keys list view displays all keys in a table, along with details such as key ID, region, state, violations, project ID, owners, usage description, key source, specification, creation date, expiration date, rotation date, and so on.

Figure 3: GCP keys list view
Use the Search field to filter keys based on the available criteria and supported values.
For example:
Key ID
Key Name
Key Rotation: Enabled, Disabled
Click the icon in the top-right corner of the table to customize which columns are displayed, beyond the default six.
Click EXPORT to export the scanned keys data. For more information, refer to Section 8.0: GCP Connection - Scanned Data Export.
Click the icon in the VIOLATIONS column to view detailed information about the associated vulnerabilities.
6.1.1 Add Key Details
You can assign owners to the scanned keys to enhance key management, simplify tracking, and improve remediation workflows.
Perform the following steps to add the key(s) details:
Select the checkbox next to the required key(s) in the list.
Click ADD DETAILS in the top right corner of the table.
In the Add Details dialog box, enter the following details:
Primary owner: Enter the primary owner’s name or employee ID.
Email ID: Enter the primary owner’s valid email ID.
Click ADD SECONDARY OWNER to add the secondary owner’s details, if required.
Description (Optional): Enter an optional description.
Click ADD to add the ownership details to the selected key(s).
NOTE
To add ownership details, specifying a primary owner is mandatory before adding a secondary owner.
On the Keys page, the primary and secondary owners’ names or employee IDs and email addresses will appear in the OWNERS column, and the description will appear in the USAGE DESCRIPTION column.
NOTE
Only users with Account Administrator permissions can add or edit key details.
6.1.2 Edit Key Details
You can modify the details of the selected key(s).
Perform the following steps to edit the key(s) details:
Select the checkbox next to the required key(s) in the list.
Click EDIT DETAILS in the top right corner.
In the Edit Details dialog box, update the required values and click UPDATE to apply the changes.
6.1.3 View Key Details
Click any Key Identifier in the Keys list to view its properties, rotation history, associated violations, and service mappings.
The KEY DETAILS tab displays the key’s properties, ownership information (if provided), and automatic rotation policy details.
If required, click EDIT DETAILS on the Ownership section to update the ownership details for the selected key.

Figure 4: Access key details view
The VIOLATIONS tab displays violation details associated with the key.

Figure 5: View key violations
7.0 GCP Connection - Services
After onboarding the GCP connection, click Services in the Fortanix Key Insight left navigation panel to view the scanned service details. Selecting Services will open the Services page, which displays the details of all scanned GCP services.
7.1 Services List View
The services list view displays all services in a table, along with details such as name, type, region, encryption, violations, and project ID.

Figure 6: GCP services list view
Use the Search field to filter services based on the available criteria and supported values.
For example:
Region
Name
Key Rotation: Enabled, Disabled
Click EXPORT to export the scanned services data. For more information, refer to Section 8.0: GCP Connection - Scanned Data Export.
Click the icon in the VIOLATIONS column to view detailed information about the associated vulnerabilities.
7.1.1 View Service Details
You can click any GCP service name in the Services list to view its configuration details and associated violations.
The SERVICE DETAILS tab displays the service configurations and key data.

Figure 7: Access services details view
The VIOLATIONS tab displays the violations associated with the service.

Figure 8: View service violations
8.0 GCP Connection - Scanned Data Export
This feature allows you to export the GCP scanned key and service-related data from Fortanix Key Insight in Comma-Separated Values (CSV) format. Also, it provides flexibility, enabling you to download data for detailed analysis, audits, or reporting, and to access real-time status.

Figure 9: Access Data Export feature
In the GCP Keys and Services list view, click EXPORT to export the scanned data using any of the available options:
Export current page: Use this option to export all column data from the current page in CSV format.
NOTE
You can download a maximum of 100 items at a time, based on the settings specified in the Items per page drop-down.
Export all raw data: Use this option to export all scanned data shown in the keys and services tables in CSV format. If you select this option, you can read the details on the Export All Raw Data dialog box and click PROCEED to export all the data.
After the export process begins, you can track its progress. The export status will be logged with a message under the Activities tab in Fortanix Key Insight. For more information, refer to Section 8.1: View Export Activities.
Export selected rows: This option is disabled by default. You can select the checkbox next to the required rows on the current page and export them in CSV format using this option.
NOTE
Only users with the Account Administrator and Group Administrator roles can perform the scanned data export.
Within the same account, you can have multiple exports running simultaneously from different cloud, on-premises, and external key source connections.
8.1 View Export Activities
After you initiate the export process using Export All Raw Data, you can track the export status in the Activities tab located on the Fortanix Key Insight left navigation panel.
You can view the following details for each export:
Name of the activity. For example, Export_all_gcp_keys.
Name of the file. For example, GCP Keys.csv.
Activity status: This indicates the current state of the data export. This can be one of the following:
Completed: The data export has been successful, and the CSV file will automatically download to the location specified on your local machine.
In Progress: The data export is in progress, and you can cancel it using the cancel icon if required.
Cancelled: The data export has been cancelled due to switching accounts or manually cancelling it while it was in progress.
Failed: The data export was not completed and failed due to errors.
Name of the connection.
Export creation date and time.

Figure 10: View export details
NOTE
If you switch to a different account during export, the export will be cancelled and logged in the Activities tab.
If you navigate to a different solution (for example, Identity and Access Management), the export will continue, but no logs will appear in the Activities tab. The export status will be confirmed using a toast message.
If you refresh the web page during the export, the confirmation dialog box will appear. If you refresh, the export will be cancelled, and all entries in the Activities tab will be removed. Therefore, it is recommended not to refresh the page during the export.