Fortanix Key Insight User Interface Components - AWS

1.0 Introduction

1.1 Purpose

Welcome to the Fortanix Key Insight – User Interface Components Guide. The purpose of this guide is to describe the Fortanix Key Insight AWS user interface (UI) features.

1.2 Intended Audience

This guide is intended for the technical stakeholders of Fortanix Key Insight: the Chief Information Security Officer (CISO), who uses it to see compliance information or deficiencies at a high level and to track trends and drift, and the Security Engineer, who uses it to find and fix issues in the implementation and management of cryptographic data protection.

2.0 Terminology References

For Fortanix Key Insight - AWS terminologies, refer to Fortanix Key Insight - AWS Concepts Guide.

3.0 Key Insight Overview Menu

Users can access the Fortanix Key Insight Overview tab after adding a cloud account. The Overview page summarizes the Cloud Service Provider (CSP) keys and services for a CSP organization in the sections described below:

3.1 Cloud Discovery Accounts

This section summarizes the inventory counts for a CSP organization. It shows the:

  • Total number of accounts within the cloud organization
  • Total number of regions under all the cloud accounts
  • Total number of keys in all the cloud regions
  • Total number of services in all the cloud regions

Dashboard1.png Figure 1: Cloud Discovery Accounts

Clicking the Keys and Services labels in the Cloud Discovery Accounts section takes you to their list view.

Keys list view:

Click the GRAPH button to see the key map.

dashboard-KeyInsight-Keylist.png Figure 2: Keys list view

Services list view:

On the Services page, there are four tabs: RDS INSTANCE, S3 BUCKET, AWS KMS, and EBS. These tabs list all the RDS instances, S3 buckets, AWS KMS keys, and EBS volumes found within the AWS cloud organization, respectively.

dashboard-KeyInsight-discoveryDetailed.png Figure 3: Dashboard detailed view

The RDS instance, S3 bucket, and EBS tables have an ENCRYPTION column that indicates whether the corresponding RDS instance, S3 bucket, or EBS volume is encrypted. Clicking the cell opens a dialog box that shows details such as the server-side encryption (SSE) algorithm, key state, origin, key manager, key specification, and key usage.

dashboard-KeyInsight-EncryptionDetails1.png Figure 4: Encryption details of services

3.2 Assessment Report

This section links to the Assessment Report on the Assessment page. The report assesses the security posture of your keys and of the services they protect.

Dashboard11.png Figure 5: Assessment

Click the ASSESSMENT REPORT button to go to the Assessment page. For more details about the Assessment page, refer to Section 4.0: Key Insight – Assessment Menu.

3.3 Top Accounts That Need Attention

This section gives you a quick overview of the AWS Services map, highlighting the top accounts whose services are vulnerable because they either use shared keys or are not encrypted.

Click the Services map to go to the detailed view of the Services map page.

Dashboard3.png Figure 6: Top accounts that need attention

3.4 Top Accounts by Keys and Status

This section lists, in descending order, the top five accounts with the greatest number of keys since the last key scan operation. The count for each account includes both enabled and disabled keys. Blue color indicators denote enabled keys, while orange color indicators denote disabled keys in each account.

Dashboard2.png Figure 7: Accounts with top keys

Click the account ID to go to the list view of the account that shows all the keys in the account.

KeyInsight-ServicesTable.png Figure 8: Account detailed view

3.5 Protected Services

This section presents a summary of the number of encrypted cloud services compared to the number of unencrypted services.

Dashboard12.png Figure 9: Protected services

Clicking the Encrypted label takes you to the Services table, which shows all the RDS, S3, and EBS services that are encrypted.

dashboard-KeyInsight-ServicesEncrypted.png Figure 10: Encrypted services

Clicking the Unencrypted label takes you to the Services table, which shows the RDS, S3, and EBS services that are not encrypted.

ServicesTableAssess-Fortanix Key Insight.png Figure 11: Services not encrypted

3.6 Keys by Type

This section provides a count of the key specifications in the cloud accounts. For AWS CSP, it shows the total number of AES, RSA, and EC keys that are present in all the AWS cloud accounts.

Dashboard5.png Figure 12: Key types

You can also click the “key type” label to go to the tabular view of the key specification. For the selected “key type”, the table shows the key identifier, key state, key specification, key source details, region, and the AWS account ID.

dashboard-KeyInsight-keytypedetail.png Figure 13: Key specification details

3.7 Keys by Status

This section provides a summary of the status of the cloud keys across all the cloud accounts in an organization. It provides a count of the enabled keys and the count of the disabled keys. Click the Keys by Status label to go to the list view of the keys.

Dashboard4.png Figure 14: Key status

3.8 Key Source

This section summarizes the source of all the cloud keys. For AWS CSP, it provides a count of the following:

  • AWS KMS: count of all the keys that were directly created in AWS KMS.
  • BYOK: count of all the keys whose key material was imported into AWS KMS from an external source, for example from Fortanix DSM using Bring Your Own Key (BYOK).
  • External Key Store (XKS): count of all the keys that are stored in an external key store, for example: a key store created by connecting AWS XKS with Fortanix DSM to encrypt or decrypt the customer’s data in AWS.

Dashboard6.png Figure 15: Key source

Clicking the key source labels will take you to the tabular view of the keys for the selected key source.

dashboard-KeyInsight-keysourcedetails.png Figure 16: Key source details

3.9 Rescan

Perform a re-scan operation by clicking this option to check if any new keys were added, deleted, or updated in the CSP organization.

KeyInsight-Dashboard-Rescan.png Figure 17: Scan again

If you click RESCAN and start the scan, you can monitor the progress bar while the scan is running.

After the scan is completed successfully,

  • The Last updated label will be updated with the date and time of the completion.
  • The Overview page will reflect the new state of the AWS CSP keys and services.

4.0 Key Insight - Assessment Menu

Users can access the Fortanix Key Insight Assessment menu after adding a cloud account. The Assessment page shows:

  • How good or bad the key security posture is for the cloud accounts.
  • Violations that must be remediated to improve the security status.
  • Remediation advice to improve the security status.

These are described in detail in the following sections:

4.1 Risk Score

This section provides the overall risk score of the CSP keys and services. There are three risk levels:

  • Critical – the number of unencrypted cloud services detected that need attention.
  • High – the number of shared keys or non-compliant keys in use.
  • Medium – the number of CSP-generated keys in use.

RiskScore.png Figure 18: Risk score

In the example above, the overall risk score is Critical. The overall score is the highest severity level that has a non-zero count, evaluated in the following order:

  • Critical
  • High
  • Medium

4.2 Key Count by Sources

For AWS CSP, this section provides a security and risk assessment of the natively managed keys (key source is AWS KMS or AWS Cloud HSM) and of the externally managed keys (key source is External or External Key Store). The circles show the total key count in the cloud account, color-coded by key source: the blue circle indicates keys in KMS, the green circle indicates externally managed (BYOK) keys, and the yellow circle indicates keys in the External Key Store.

  • KMS: The KMS circle represents the total number of keys generated directly in AWS KMS. Because the CSP generates and holds the key material, these keys carry a higher risk of unauthorized access to encrypted data; for better security, generate and manage the keys with Fortanix Data Security Manager (DSM). Click the circle or the warning icon WarningIcon.png to go to the list view of the KMS keys.
  • BYOK: The BYOK circle represents the total number of keys whose key material was imported into AWS KMS from an external source, for example from Fortanix DSM using Bring Your Own Key (BYOK); refer to the Fortanix DSM BYOK guide. Users bringing their own keys must ensure that the key storage they import from is secure, so that the key material cannot be exposed or accessed without authorization. Click the circle or the warning icon WarningIcon.png to go to the list view of the BYOK keys.
  • External Key Store (XKS): The XKS circle represents the count of all the keys that are stored in an external key store, for example a key store created by connecting AWS XKS with Fortanix DSM to encrypt or decrypt the customer’s data in AWS. Because the key material never leaves the external key store, keys in an External Key Store are more secure than BYOK or KMS keys.

KeySourceAssFortanix Key Insight.png Figure 19: Key source assessment

4.3 Top Security Issues

This section provides the following information about the keys:

  • Shared Keys: The total number of keys in the cloud account that are shared by two or more services for encryption. Use this information to determine which keys are at risk so that you can move to a unique encryption key per service.
  • Cryptography Report: The total number of keys in the cloud account that violate the cryptographic policy set for a Fortanix Data Security Manager (DSM) account. These non-compliant keys increase the data security risk. Use this information to identify which keys violate the DSM cryptographic policy, then generate compliant keys and re-encrypt the affected AWS services with them.
  • Quantum-vulnerable keys: For AWS CSP, the total number of keys in the AWS cloud account that use quantum-vulnerable algorithms. These are asymmetric keys such as RSA and EC, whose security rests on factoring or discrete-logarithm problems that a sufficiently large quantum computer could solve. Use this information to identify which services are encrypted with quantum-vulnerable keys so that you can re-encrypt them with a symmetric key such as AES-256.

Violations-Fortanix Key Insight.png Figure 20: Observations
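As an added example (not Fortanix code), the following Python reproduces the Keys by Type, Keys by Status and Key Source counts of Sections 3.6 to 3.8 and the Quantum-vulnerable keys count of Section 4.3 from KMS key metadata. The input records are constructed to use the field names that boto3's kms.describe_key returns in KeyMetadata (KeyId, KeyState, Origin, KeySpec, KeyUsage); the mapping of Origin values onto the KMS / Cloud HSM / BYOK / XKS labels is an assumption based on the definitions in Section 3.8, and no AWS calls are made.

```python
"""Classify KMS keys the way the Key Insight Overview and Assessment pages
summarise them.  Added example, not Fortanix code; see the lead-in above.
The records below are constructed to mirror the KeyMetadata fields that
boto3's kms.describe_key returns; nothing here talks to AWS."""
from collections import Counter

# KMS Origin value -> Key Insight key-source label (assumed mapping, based on
# the Key Source definitions in Section 3.8).
ORIGIN_TO_SOURCE = {
    "AWS_KMS": "KMS",
    "AWS_CLOUDHSM": "Cloud HSM",
    "EXTERNAL": "BYOK",
    "EXTERNAL_KEY_STORE": "XKS",
}


def key_type(key_spec):
    """Bucket a KMS KeySpec into the AES / RSA / EC groups of Keys by Type."""
    if key_spec == "SYMMETRIC_DEFAULT":
        return "AES"          # SYMMETRIC_DEFAULT is a 256-bit AES-GCM key
    if key_spec.startswith("RSA_"):
        return "RSA"
    if key_spec.startswith("ECC_"):
        return "EC"
    return "Other"            # HMAC_* and SM2 specs fall outside the three groups


def is_quantum_vulnerable(key_spec):
    """RSA and elliptic-curve keys rest on factoring / discrete-log hardness,
    which a large quantum computer running Shor's algorithm breaks.  AES-256
    is not in that category (Grover's search only halves its effective bits)."""
    return key_type(key_spec) in ("RSA", "EC")


def classify(keys):
    """Return the Overview/Assessment counts for a list of key records."""
    by_source = Counter(ORIGIN_TO_SOURCE.get(k["Origin"], "Other") for k in keys)
    by_type = Counter(key_type(k["KeySpec"]) for k in keys)
    by_status = Counter(k["KeyState"] for k in keys)
    quantum_vulnerable = sorted(
        k["KeyId"] for k in keys if is_quantum_vulnerable(k["KeySpec"])
    )
    return {
        "by_source": dict(by_source),
        "by_type": dict(by_type),
        "by_status": dict(by_status),
        "quantum_vulnerable": quantum_vulnerable,
    }


# Constructed sample inventory (fake key ids and account ids).  XKS and
# Cloud HSM backed keys are symmetric, as AWS requires for those stores.
SAMPLE_KEYS = [
    {"KeyId": "k01-kms-aes",  "AWSAccountId": "111111111111", "Origin": "AWS_KMS",
     "KeySpec": "SYMMETRIC_DEFAULT", "KeyUsage": "ENCRYPT_DECRYPT", "KeyState": "Enabled"},
    {"KeyId": "k02-kms-rsa",  "AWSAccountId": "111111111111", "Origin": "AWS_KMS",
     "KeySpec": "RSA_2048", "KeyUsage": "SIGN_VERIFY", "KeyState": "Enabled"},
    {"KeyId": "k03-byok-aes", "AWSAccountId": "111111111111", "Origin": "EXTERNAL",
     "KeySpec": "SYMMETRIC_DEFAULT", "KeyUsage": "ENCRYPT_DECRYPT", "KeyState": "Disabled"},
    {"KeyId": "k04-xks-aes",  "AWSAccountId": "222222222222", "Origin": "EXTERNAL_KEY_STORE",
     "KeySpec": "SYMMETRIC_DEFAULT", "KeyUsage": "ENCRYPT_DECRYPT", "KeyState": "Enabled"},
    {"KeyId": "k05-kms-ec",   "AWSAccountId": "222222222222", "Origin": "AWS_KMS",
     "KeySpec": "ECC_NIST_P256", "KeyUsage": "SIGN_VERIFY", "KeyState": "Enabled"},
    {"KeyId": "k06-hsm-aes",  "AWSAccountId": "222222222222", "Origin": "AWS_CLOUDHSM",
     "KeySpec": "SYMMETRIC_DEFAULT", "KeyUsage": "ENCRYPT_DECRYPT", "KeyState": "Enabled"},
    {"KeyId": "k07-kms-hmac", "AWSAccountId": "222222222222", "Origin": "AWS_KMS",
     "KeySpec": "HMAC_256", "KeyUsage": "GENERATE_VERIFY_MAC", "KeyState": "Enabled"},
]

if __name__ == "__main__":
    for name, value in classify(SAMPLE_KEYS).items():
        print(f"{name}: {value}")
```

To run this against a real account, replace SAMPLE_KEYS with the KeyMetadata of each key returned by kms.list_keys followed by kms.describe_key, per region; the HMAC key shows why an "Other" bucket is needed, since Keys by Type only lists AES, RSA and EC.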

4.4 Service Violations

For an AWS CSP, this section reports the service violations. It shows the total number or percentage of services in the cloud account that are vulnerable because they use shared keys, use non-compliant keys, or are not encrypted. Use this information to determine which services are at risk so that you can protect them with unique, compliant encryption keys. Click the S3, RDS, or EBS tab to see the count of vulnerable services of that type.

NOTE
  • For S3, RDS, and EBS the count of Non-Compliant services is 0 unless a DSM cryptographic policy marks the keys they use as non-compliant; by default all keys are treated as compliant.
  • For S3 buckets the count of Unencrypted services will always be 0. Amazon S3 has applied server-side encryption (SSE-S3) by default to all new objects in every bucket since January 2023; the encryption details dialog (Figure 4) shows whether a bucket uses that S3-managed default or a KMS key.

ServiceViolations-Fortanix Key Insight.png Figure 21: Violations
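As an added example (not Fortanix code), the following Python derives the service-side findings described in Sections 3.3, 3.5, 4.3 and 4.4 (protected versus unencrypted services, keys shared by two or more services, and the accounts with the most violating services) from per-service encryption settings. The records are constructed with the field names the AWS APIs return (S3 get_bucket_encryption: SSEAlgorithm and KMSMasterKeyID; RDS describe_db_instances: StorageEncrypted and KmsKeyId; EC2 describe_volumes: Encrypted and KmsKeyId); the account, region and service names are fake, and no AWS calls are made.

```python
"""Derive the service findings of the Key Insight Overview and Assessment
pages (unencrypted services, shared keys, top accounts needing attention)
from per-service encryption settings.  Added example, not Fortanix code; see
the lead-in above.  Records are constructed with AWS API field names but
nothing here talks to AWS."""
from collections import Counter, defaultdict


def is_encrypted(svc):
    """Whether the service has any server-side encryption at rest."""
    enc = svc["encryption"]
    if svc["type"] == "S3":
        return "SSEAlgorithm" in enc  # SSE-S3 (AES256) or SSE-KMS (aws:kms)
    return bool(enc.get("StorageEncrypted") or enc.get("Encrypted"))


def encryption_key(svc):
    """The KMS key protecting the service, or None.

    An S3 bucket on SSE-S3 is encrypted, but with an S3-managed key, so it has
    no KMS key to map and cannot share one.  Only aws:kms buckets, encrypted
    RDS instances and encrypted EBS volumes carry a customer-visible key id."""
    enc = svc["encryption"]
    if svc["type"] == "S3":
        return enc.get("KMSMasterKeyID") if enc.get("SSEAlgorithm") == "aws:kms" else None
    if svc["type"] in ("RDS", "EBS"):
        return enc.get("KmsKeyId") if is_encrypted(svc) else None
    raise ValueError(f"unsupported service type {svc['type']!r}")


def assess(services):
    """Compute Protected Services, shared keys and accounts needing attention."""
    def label(s):
        return f"{s['type']}:{s['name']}"

    users = defaultdict(list)            # key id -> services encrypted with it
    for s in services:
        key = encryption_key(s)
        if key:
            users[key].append(label(s))
    shared_keys = {k: sorted(v) for k, v in users.items() if len(v) > 1}
    shared_services = {lbl for v in shared_keys.values() for lbl in v}
    unencrypted = sorted(label(s) for s in services if not is_encrypted(s))
    # A service violates the assessment if it is unencrypted or its key is shared.
    attention = Counter(
        s["account"] for s in services
        if label(s) in shared_services or not is_encrypted(s)
    )
    return {
        "protected": {"encrypted": len(services) - len(unencrypted),
                      "unencrypted": len(unencrypted)},
        "unencrypted": unencrypted,
        "shared_keys": shared_keys,
        "accounts_needing_attention": attention.most_common(),
    }


# Constructed sample services across two fake accounts.
SAMPLE_SERVICES = [
    {"account": "111111111111", "region": "us-west-2", "type": "S3", "name": "logs-bucket",
     "encryption": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "k01-kms-aes"}},
    {"account": "111111111111", "region": "us-west-2", "type": "S3", "name": "static-assets",
     "encryption": {"SSEAlgorithm": "AES256"}},                  # SSE-S3: encrypted, no KMS key
    {"account": "111111111111", "region": "us-west-2", "type": "RDS", "name": "orders-db",
     "encryption": {"StorageEncrypted": True, "KmsKeyId": "k01-kms-aes"}},  # shares k01 with logs-bucket
    {"account": "111111111111", "region": "us-east-1", "type": "EBS", "name": "vol-0a1b2c3d",
     "encryption": {"Encrypted": False}},
    {"account": "222222222222", "region": "eu-west-1", "type": "EBS", "name": "vol-0e4f5a6b",
     "encryption": {"Encrypted": True, "KmsKeyId": "k03-byok-aes"}},
    {"account": "222222222222", "region": "eu-west-1", "type": "RDS", "name": "reporting-db",
     "encryption": {"StorageEncrypted": False}},
]

if __name__ == "__main__":
    for name, value in assess(SAMPLE_SERVICES).items():
        print(f"{name}: {value}")
```

The static-assets bucket illustrates the S3 note in Section 4.4: it counts as encrypted, but because SSE-S3 uses an S3-managed key it never appears in the key map and cannot contribute to a shared-key finding. The accounts_needing_attention list is what the Top Accounts That Need Attention panel ranks by.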

5.0 Download Report

Click the DOWNLOAD REPORT button on the top-right corner of the Assessment page to view the Data Security Assessment Report for the CSP account.

DownloadReport.png Figure 22: Download assessment report

5.1 Rescan

Perform a re-scan operation by clicking this option to check if any new keys were added, deleted, or updated in the CSP organization.

Rescan.png Figure 23: Scan again

After the scan is completed, the Assessment page will reflect the new state of the CSP keys and services.

6.0 Keys

After onboarding the AWS organization, click the Keys menu in the Fortanix Key Insight left navigation bar.

Clicking the Keys menu will take you to the Keys page, which shows a map of the KMS keys in all the AWS accounts, grouped by key source (KMS, Cloud HSM, BYOK, XKS, and others) as described in Section 3.8: Key Source. The key map shows the following information:

  • For every key source, it shows the account names, and for each account, it shows the map of all the keys in that account that are used to encrypt the AWS services.
  • Each key displays the S3 bucket, RDS instance, or EBS service encrypted by it.
  • If a key is used by more than one AWS service (S3, RDS, or EBS), it shows a vulnerability warning to indicate that the key is used with multiple services, and Key Insight recommends using a unique key per service.

KeyInsight-KeyVulnerability.png Figure 24: Key vulnerability

KeyInsight-KeyVulnerability1.png Figure 25: Shared key vulnerability

You can click on various points in the key map to go to the tabular view of that entity.

KeyInsight-Keys.png Figure 26: Clickable points in the map

For example, click the account icon under a key source (XKS in the figure below) to go to the tabular view of the keys of that source for that account.

KeyInsight-Keys_Table.png Figure 27: Tabular view of XKS keys for an AWS account

6.1 Keys Filter

You can filter the keys by Key Source, Account, Key Id, Vulnerability, and Service on the key map.

To apply the filter on the key map:

  1. Click the Key Source drop down menu to select or search keys by key source. For AWS the key sources are KMS, Cloud HSM, BYOK, XKS, and Other.
  2. Click SEARCH.

    KeyInsight-Keys-FilterServiceType.png Figure 28: Filter keys by service type

    You will see that the key map displays only the keys for the KMS key source.

    KeyInsight-KeysFilterApply.png Figure 29: Filter applied

You can further filter the keys by selecting the following other filter options:

  • Account: Filter the keys by the selected account.
  • Key Id: Filter the keys by the key ID entered.
  • Vulnerability: Filter the keys by the vulnerability types - Non-compliant keys and Shared keys.
  • Service: Filter the keys by the AWS services - S3, RDS, and EBS.

You can use a combination of the above filter options to display the key map with specific results.

7.0 Services

After onboarding the AWS organization, click the Services menu in the Fortanix Key Insight left navigation bar.

Clicking the Services menu will take you to the Services page, which shows a map of all the AWS services (S3 buckets, RDS instances, and EBS services) grouped by AWS accounts. The service map shows the following information:

  • Every AWS account is represented as a large grey circle containing the AWS regions in that account as white circles; each region shows the RDS instances, S3 buckets, and EBS volumes in that region.
  • For every region in an AWS account, it shows the encryption status of the S3 buckets, RDS instances, and EBS services.
  • If an AWS service (S3, RDS, and EBS) is not encrypted, it shows a vulnerability warning that recommends adding an encryption key for that service or disabling that service.

KeyInsight-ServicesWithoutVulnerability.png Figure 30: Service map

KeyInsight-ServicesVulnerability.png Figure 31: Service vulnerability

KeyInsight-ServicesVulnerability1.png Figure 32: Service vulnerability

You can click on various points in the service map to go to the tabular view of that entity.

KeyInsight-ServicesClick.png Figure 33: Clickable points in the service map

For example, click the S3 bucket icon under the us-west-2 region in the account map to go to the tabular view of the S3 buckets. The table shows the S3 buckets in the selected region.

KeyInsight-ServicesTable1.png Figure 34: Tabular view of service by region

Clicking anywhere other than the instance or bucket icons expands the circles and shows the region names.

KeyInsight-ServicesRegions.png Figure 35: Service region names

7.1 Services Filter

You can filter the AWS services by Account, Region, Vulnerability, and Service on the AWS services map.

To apply a filter on the service map:

  1. Click the Account drop down menu to select or search services by AWS accounts.
  2. Click SEARCH.

    KeyInsight-ServicesMapApplyFilter.png Figure 36: Filter services by accounts

    You will see that the service map displays only the services for the selected AWS account.

    KeyInsight-ServicesMapAppliedFilter.png Figure 37: Filter applied

You can further filter the services by selecting the following other filter options:

  • Region: Filter the services by a selected region.
  • Vulnerability: Filter the services by the vulnerability types – Encrypted with Non-compliant keys.
  • Service: Filter the services by the AWS services namely S3, RDS, and EBS.

You can use a combination of the above filter options to display the service map with specific results.
