Fortanix Key Insight for AWS Concepts

1.0 Introduction

1.1 Purpose

Welcome to the Fortanix Key Insight for AWS Guide. The purpose of this guide is to describe the Fortanix Key Insight feature concepts for AWS. Fortanix Key Insight is a cloud service that enables you to apply uniform key lifecycle management policies and processes to cryptographic key management systems across multiple clouds.

1.2 Intended Audience

This guide is intended to be used by technical stakeholders of Fortanix Key Insight, such as the Chief Information Security Officer (CISO) who will use this feature to see compliance information or deficiencies at a very high level and is interested in trends and drift, and the Security Engineer, who will use this feature to find and fix issues with the implementation and management of cryptographic data protection.

2.0 Terminology References

2.1 AWS Terminology

AWS Organization

An entity created to consolidate all AWS accounts and administer them as a single unit. An organization has one management account and zero or more member accounts. The accounts in an organization can be arranged in a hierarchical tree-like structure with the “root” at the top and the “organizational unit” and “account” nested under the “root”. Fortanix Key Insight scans an AWS organization and all the accounts within that organization.

AWS Accounts

A container for your AWS resources. You create and manage your AWS resources in an AWS account. Fortanix Key Insight scans all the regions within an AWS account in an AWS organization.

AWS Role

AWS Identity and Access Management (IAM) roles are entities you create and assign specific permissions to that allow trusted identities, such as workforce identities and applications, to perform actions in AWS. Fortanix Key Insight requires an AWS IAM user to have the AWS Management Account and Member Account permissions. For more details, refer to <AWS Configuration for Scanning>.

AWS Services

AWS services allow users to set up their IT infrastructure online. The most popular AWS services include Elastic Compute Cloud (EC2), AWS Relational Database Service (RDS), AWS S3, Elastic Block Store (EBS), and Virtual Private Cloud.

For now, Fortanix Key Insight scans only the AWS KMS, RDS, EBS, and S3 services.

AWS KMS keys (KMS keys) are the primary resource in AWS KMS, which are logical representations of cryptographic keys. AWS assigns an Amazon Resource Name (ARN) to each KMS key, which includes a unique key identifier, or key ID. Fortanix Key Insight scans all the AWS accounts within an AWS organization and identifies the key compliance status across multiple AWS cloud regions.

AWS scan

The act of making a connection with the AWS KMS and obtaining information about services of interest for Fortanix Key Insight.

AWS sync

The act of synchronizing cryptographic key information and state between the cloud scanner and Fortanix DSM so that the state and contents of DSM reflect the state and content of the cloud key manager(s).

3.0 Key Insight Features - AWS

Fortanix Key Insight for AWS has the following features:

  • Allows a user to scan all regions of all AWS accounts under an AWS organization and, for each region, scan the KMS keys and the AWS services such as Simple Storage Service (S3) buckets, Relational Database Service (RDS) instances, and Elastic Block Store (EBS) volumes, checking which services are encrypted and which keys were used to encrypt them.
  • Generates reports on AWS KMS non-compliant keys and services. For each region, the report shows:
    • Corresponding keys
    • S3 buckets with default encryption
    • S3 buckets backed by Bring Your Own Keys (BYOK)
    • S3 buckets backed by an External Key Service (XKS) key
    • RDS instances that are unencrypted
    • RDS instances encrypted by the default key
    • RDS instances encrypted by a managed key
    • EBS services that are unencrypted
    • EBS services encrypted by the default key
    • EBS services encrypted by a managed key
  • Provides a dashboard view of cryptographic key compliance status across multiple AWS cloud regions. The dashboard shows information such as:
    • Top five accounts with the most keys
    • Protected services
    • Key types
    • Key status
    • Key source
  • For every AWS key in a region:
    • Provides a tabular view that shows the key identifier, key source, key state, key type, AWS account ID, and so on.
    • Provides a map of the key compliance statuses.
  • For every AWS service in a region:
    • Provides a tabular view that shows the service name, service type, region, encryption status, AWS account ID, and so on.
  • Allows users to download a report of the AWS keys’ primary parameters.
  • Provides an assessment report that identifies vulnerabilities by providing a snapshot of your data security posture, and risk score, highlighting areas of strength, and pinpointing opportunities for improvement.
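The report categories listed above (default key, managed key, BYOK, XKS, unencrypted) correspond to fields that AWS already exposes on each key and resource. The following is an added example, not Fortanix Key Insight code, showing one way such a classification can be derived: it reads records shaped like the responses of kms:DescribeKey (the `Origin` and `KeyManager` fields), s3:GetBucketEncryption, rds:DescribeDBInstances and ec2:DescribeVolumes, and maps them to the report buckets. The mapping of report terms to AWS fields (an AWS-managed `aws/<service>` key as "default", `Origin` of `EXTERNAL` as BYOK and `EXTERNAL_KEY_STORE` as XKS) is this example's own assumption, and all key IDs, ARNs, bucket names and resource records are constructed so the script runs offline without any AWS call.

```python
"""Classify KMS keys and encrypted AWS services into compliance categories.

Added illustration, not Fortanix code. Records are constructed to match
the shape of the AWS API responses; nothing here talks to AWS.
"""
from collections import Counter

ACCT = "123456789012"      # constructed account ID
REGION = "us-east-1"


def _arn(key_id):
    return f"arn:aws:kms:{REGION}:{ACCT}:key/{key_id}"


# Constructed kms:DescribeKey KeyMetadata records (Origin/KeyManager are the
# real field names; the key IDs are made up).
KMS_KEYS = [
    {"KeyId": "k-default-s3", "Arn": _arn("k-default-s3"), "KeyState": "Enabled",
     "KeyManager": "AWS", "Origin": "AWS_KMS"},                 # aws/s3 key
    {"KeyId": "k-default-rds", "Arn": _arn("k-default-rds"), "KeyState": "Enabled",
     "KeyManager": "AWS", "Origin": "AWS_KMS"},                 # aws/rds key
    {"KeyId": "k-managed", "Arn": _arn("k-managed"), "KeyState": "Enabled",
     "KeyManager": "CUSTOMER", "Origin": "AWS_KMS"},            # customer-managed
    {"KeyId": "k-byok", "Arn": _arn("k-byok"), "KeyState": "Enabled",
     "KeyManager": "CUSTOMER", "Origin": "EXTERNAL"},           # imported material
    {"KeyId": "k-xks", "Arn": _arn("k-xks"), "KeyState": "Enabled",
     "KeyManager": "CUSTOMER", "Origin": "EXTERNAL_KEY_STORE"}, # external key store
]

# Constructed s3:GetBucketEncryption ServerSideEncryptionConfiguration per bucket
S3_BUCKETS = {
    "logs-bucket": {"Rules": [{"ApplyServerSideEncryptionByDefault":
                               {"SSEAlgorithm": "AES256"}}]},
    "byok-bucket": {"Rules": [{"ApplyServerSideEncryptionByDefault":
                               {"SSEAlgorithm": "aws:kms",
                                "KMSMasterKeyID": _arn("k-byok")}}]},
    "xks-bucket": {"Rules": [{"ApplyServerSideEncryptionByDefault":
                              {"SSEAlgorithm": "aws:kms",
                               "KMSMasterKeyID": _arn("k-xks")}}]},
}
# Constructed rds:DescribeDBInstances and ec2:DescribeVolumes records
RDS_INSTANCES = [
    {"DBInstanceIdentifier": "db-plain", "StorageEncrypted": False},
    {"DBInstanceIdentifier": "db-default", "StorageEncrypted": True,
     "KmsKeyId": _arn("k-default-rds")},
    {"DBInstanceIdentifier": "db-managed", "StorageEncrypted": True,
     "KmsKeyId": _arn("k-managed")},
]
EBS_VOLUMES = [
    {"VolumeId": "vol-0a", "Encrypted": False},
    {"VolumeId": "vol-0b", "Encrypted": True, "KmsKeyId": _arn("k-managed")},
]


def classify_key_source(meta):
    """Map one KeyMetadata record to a report category.

    Assumed mapping: AWS-managed key -> 'default'; customer-managed key with
    KMS-generated material -> 'managed'; imported material -> 'byok';
    External Key Store -> 'xks'.
    """
    if meta["KeyManager"] == "AWS":
        return "default"
    return {"AWS_KMS": "managed", "EXTERNAL": "byok",
            "EXTERNAL_KEY_STORE": "xks"}.get(meta["Origin"], "unknown")


def key_index(keys):
    """Index category by both KeyId and Arn, since services reference either."""
    idx = {}
    for k in keys:
        idx[k["KeyId"]] = idx[k["Arn"]] = classify_key_source(k)
    return idx


def classify_s3_bucket(encryption_cfg, idx):
    """encryption_cfg is the ServerSideEncryptionConfiguration dict or None."""
    if not encryption_cfg:
        return "unencrypted"            # no bucket-level default encryption rule
    rule = encryption_cfg["Rules"][0]["ApplyServerSideEncryptionByDefault"]
    if rule["SSEAlgorithm"] == "AES256":
        return "default"                # SSE-S3 with an S3-owned key
    key = rule.get("KMSMasterKeyID")
    return "default" if not key else idx.get(key, "unknown")  # no ID => aws/s3


def classify_rds_or_ebs(resource, idx):
    """RDS exposes StorageEncrypted, EBS exposes Encrypted; both carry KmsKeyId."""
    encrypted = resource.get("StorageEncrypted", resource.get("Encrypted", False))
    if not encrypted:
        return "unencrypted"
    return idx.get(resource.get("KmsKeyId"), "unknown")


def build_report(keys, buckets, instances, volumes):
    """Per-resource categories plus the key-source counts a dashboard would show."""
    idx = key_index(keys)
    return {
        "key_sources": Counter(classify_key_source(k) for k in keys),
        "s3": {name: classify_s3_bucket(cfg, idx) for name, cfg in buckets.items()},
        "rds": {i["DBInstanceIdentifier"]: classify_rds_or_ebs(i, idx) for i in instances},
        "ebs": {v["VolumeId"]: classify_rds_or_ebs(v, idx) for v in volumes},
    }


if __name__ == "__main__":
    for section, rows in build_report(KMS_KEYS, S3_BUCKETS, RDS_INSTANCES, EBS_VOLUMES).items():
        print(section, dict(rows))
```

A real scan would repeat this per region and per member account (assuming a role in each), and should treat `unknown` results, where a resource references a key ID the key inventory does not contain, as findings rather than silently dropping them, since they usually mean a key in another account or a key the scanning role cannot describe.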


