1.0 Introduction
The purpose of this article is to outline the steps for configuring the connection between Fortanix Key Insight on Amazon Web Services (AWS) and Microsoft Entra ID as an OpenID Connect (OIDC) identity provider (IdP).
Federated authentication in AWS refers to the process of enabling users to access AWS resources using their existing credentials from an external IdP, such as PingOne, Microsoft Entra ID, and so on.
Configuring Microsoft Entra ID as an OpenID Connect IdP in AWS involves the following steps:
Register a client application with your identity provider.
Configure the redirect Uniform Resource Locator (URL) on the client application.
Gather the Client ID, a unique identifier for your registered application.
Gather the OpenID configuration document (well-known) URL specific to your IdP tenant or account.
Set up IdP on your cloud account.
Set up the necessary permissions for AWS single account onboarding.
Set up the necessary permissions for AWS organization onboarding.
2.0 Register a Client Application with Microsoft Entra ID
Perform the following steps to register an OIDC web application with Microsoft Entra ID:
Navigate to the Azure portal and search for Microsoft Entra ID.
Select App registrations under Manage in the left navigation menu on the Microsoft Entra ID page.
Click New registration.
On the Register an application page, configure the following fields and click Register to register an application:
Name: The user-facing display name for this application. For example, key-insight-app.
Supported account type: Select Accounts in this organizational directory only (<your organization name> only - Single tenant).
Redirect URI: This is optional.
Figure 1: Register the New Application
For more details, refer to Quickstart: Register an Application with the Microsoft Identity Platform.
Configure the platform settings using the following:
In Microsoft Entra ID, under App registrations, select your application.
In your application, select Manage → Authentication.
On the Authentication page, under Platform configurations, click Add a platform.
On the Add a platform page, under Configure platforms, select Single-page application.
Configure API permissions for OIDC using the following steps:
In Microsoft Entra ID, under App registrations, select your application.
In your application, select Manage → API permissions.
Add the delegated OpenId permissions openid, email, profile, and offline_access.
Figure 2: Provide API Permissions
3.0 Configure the Redirect URL on the Client Application
The redirect URL is the address to which Microsoft Entra ID forwards the OIDC response after authentication.
Use the following redirect URL when Microsoft Entra ID is configured as the IdP for Key Insight on AWS:
https://armor.fortanix.com/system/discovery/oauth/callback
For more details, refer to Add a Redirect URI.
4.0 Gather the Client ID
A Client ID is a unique identifier for the registered client application. It allows you to validate the security tokens you receive from the IdP.
To retrieve the Client ID:
In Microsoft Entra ID, under App registrations, select your application.
In your application, open the Overview page.
Copy the Application (client) ID from the Overview page.
For more details, refer to Obtain Client ID.
5.0 Gather the OpenID Configuration Document (Well-Known) URL
An OIDC provider provides a standard well-known URL that your client application can use to discover information about the provider's configuration dynamically.
This URL is specific to your IdP tenant or account.
To retrieve this value, copy the OpenID Connect metadata document URL from the Endpoints section of the registered application.
Figure 3: Obtain a Well-Known URL
6.0 Set up an IdP on your Cloud Account
Perform the following steps to set up IdP on your cloud account:
Configure Microsoft Entra ID as the OIDC IdP in AWS using the issuer URL and Client ID:
Sign in to the AWS Management Console and open the IAM console.
In the left navigation menu, select Identity providers.
Click Add provider to add a new IdP.
On the Configure Provider page, for Provider type, select OpenID Connect.
For Provider URL, enter https://login.microsoftonline.com/{tenant-id}/v2.0, replacing {tenant-id} with your Microsoft Entra ID tenant ID.
For Audience, enter the Application (client) ID from the Azure registered application.
Click Add provider to complete the setup.
Figure 4: Add an Identity Provider in AWS
Verify the details of the identity provider created in AWS using the following steps:
Navigate to the IAM console in AWS.
Click your OIDC identity provider.
Ensure the Provider URL is set to https://login.microsoftonline.com/{tenant-id}/v2.0.
Ensure the Audience matches the Application (client) ID from Microsoft Entra ID.
(Optional) Ensure the thumbprint in the Thumbprints section is correct and matches the one you obtained.
Figure 5: Verify the IdP in AWS
For more details, refer to Create an OpenID Connect (OIDC) identity provider in IAM.
7.0 AWS Single Account - Onboarding Setup
7.1 Create an IAM Role for the Web Identity Federation
Perform the following steps to create an IAM role:
On the IAM page, select Roles.
Select Create role.
Select Web Identity as the trusted entity type.
Select the identity provider created in Section 6.0: Set up an IdP on your Cloud Account.
Enter the Audience value as the Application (Client) ID from the Microsoft Entra ID registered application. Click Next.
Attach the necessary policies to the role, as explained in Section 7.2: Access Control Permissions to Scan AWS.
Verify the details and complete the role creation.
Figure 6: Create an IAM Role
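The IdP registration in Section 6.0 and the Web Identity role in Section 7.1 fit together through the role's trust policy: the Provider URL must equal the issuer from the well-known document, and the role must trust only tokens carrying your Client ID as audience. The following added example (not Fortanix or AWS code) derives that trust policy from a constructed discovery document and checks it; the tenant ID, Client ID and AWS account number are placeholders.

```python
import json

TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real tenant
CLIENT_ID = "11111111-1111-1111-1111-111111111111"  # placeholder Application (client) ID
AWS_ACCOUNT = "123456789012"                        # placeholder AWS account number

# Constructed stand-in for the OpenID configuration document of Section 5.0.
WELL_KNOWN_DOC = {
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
}

def provider_url_from_discovery(doc):
    """The IAM Provider URL must equal the discovery document's issuer:
    STS compares the token's iss claim against the registered provider."""
    issuer = doc["issuer"]
    if not issuer.startswith("https://"):
        raise ValueError("OIDC issuer must use https")
    return issuer.rstrip("/")

def provider_key(provider_url):
    """IAM names the provider, and its condition keys, by the URL minus the scheme."""
    return provider_url[len("https://"):]

def build_trust_policy(provider_url, client_id, account_id):
    """Trust policy of the same shape the IAM 'Web identity' role wizard produces."""
    key = provider_key(provider_url)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{key}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {f"{key}:aud": client_id}},
        }],
    }

def check_trust_policy(policy, provider_url, client_id):
    """Problems found; empty means the role trusts exactly this IdP and audience.
    Without an aud condition, any app in the tenant could mint a token STS accepts."""
    key = provider_key(provider_url)
    problems = []
    for stmt in policy["Statement"]:
        fed = stmt.get("Principal", {}).get("Federated", "")
        if not fed.endswith(f":oidc-provider/{key}"):
            problems.append(f"principal {fed!r} is not the {key} provider")
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            problems.append("action must be sts:AssumeRoleWithWebIdentity")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get(f"{key}:aud")
        if aud != client_id:
            problems.append(f"audience condition is {aud!r}, expected the client ID")
    return problems

if __name__ == "__main__":
    url = provider_url_from_discovery(WELL_KNOWN_DOC)
    print(json.dumps(build_trust_policy(url, CLIENT_ID, AWS_ACCOUNT), indent=2))
```

Run check_trust_policy against the trust policy of an existing role (IAM console, Trust relationships tab) to confirm it was created against the right provider and audience.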
7.2 Access Control Permissions to Scan AWS
This section describes the general requirements for AWS access permissions.
The following read-only permissions are required for scanning the AWS KMS, S3, EBS, EKS, EFS, DynamoDB, Redshift, and RDS services. These permissions are added manually in the single account onboarding setup and are propagated automatically by the CloudFormation Template (CFT) in the AWS organization onboarding setup.
KMS
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:ListKeys",
        "tag:GetResources"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:GetKeyRotationStatus",
        "kms:GetKeyPolicy",
        "kms:DescribeKey",
        "kms:ListGrants",
        "kms:ListResourceTags",
        "kms:ListKeyRotations"
      ],
      "Resource": "arn:aws:kms:*:*:key/*"
    }
  ]
}
RDS
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "rds:DescribeDBInstances",
      "Resource": "*"
    }
  ]
}
EBS
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:DescribeVolumes",
      "Resource": "*"
    }
  ]
}
S3
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetEncryptionConfiguration",
        "s3:GetBucketLocation"
      ],
      "Resource": "*"
    }
  ]
}
DynamoDB
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:ListTables",
        "dynamodb:DescribeTable",
        "dynamodb:ListStreams",
        "dynamodb:DescribeStream"
      ],
      "Resource": "*"
    }
  ]
}
EKS
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "eks:DescribeCluster",
        "eks:ListClusters"
      ],
      "Resource": "*"
    }
  ]
}
EFS
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "elasticfilesystem:DescribeFileSystems",
      "Resource": "*"
    }
  ]
}
Redshift
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "redshift:DescribeClusters"
      ],
      "Resource": "*"
    }
  ]
}
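The point of the policies above is that the scanning role only reads state. The following added example (not Fortanix code) is a small linter that flattens the Action lists of such policy documents and flags any action that is a wildcard or whose verb is not Describe/Get/List; the KMS, RDS and S3 documents from this section are embedded as constructed sample input, and the deployment policy from Section 8.2 is included for contrast.

```python
# Constructed sample input: the KMS, RDS and S3 documents from this section. The other
# service policies on the page have the same shape and lint the same way.
POLICIES = {
    "KMS": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["kms:ListKeys", "tag:GetResources"], "Resource": "*"},
        {"Effect": "Allow", "Resource": "arn:aws:kms:*:*:key/*",
         "Action": ["kms:GetKeyRotationStatus", "kms:GetKeyPolicy", "kms:DescribeKey",
                    "kms:ListGrants", "kms:ListResourceTags", "kms:ListKeyRotations"]}]},
    "RDS": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "rds:DescribeDBInstances", "Resource": "*"}]},
    "S3": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "s3:ListAllMyBuckets", "s3:GetEncryptionConfiguration", "s3:GetBucketLocation"]}]},
}
# The deployment policy from Section 8.2, for contrast: it is broad by design and
# belongs to the account that deploys the CFT, not to the scanning role.
DEPLOY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "FortanixCFTPermissions", "Effect": "Allow", "Resource": "*",
     "Action": ["cloudformation:*", "organizations:*", "s3:*"]}]}

# IAM action verbs that only read state; anything else, or a wildcard, gets flagged.
READ_ONLY_VERBS = ("Describe", "Get", "List")

def actions_of(policy):
    """Flatten every Action of every Allow statement (Action may be a string or a list)."""
    out = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        out.extend([actions] if isinstance(actions, str) else actions)
    return out

def non_read_only(policy):
    """Actions that are wildcards or whose verb is not Describe/Get/List."""
    flagged = []
    for action in actions_of(policy):
        _service, _, verb = action.partition(":")
        if "*" in action or not verb.startswith(READ_ONLY_VERBS):
            flagged.append(action)
    return flagged

def lint(policies):
    """Map each policy name to its offending actions; an empty dict means all read-only."""
    report = {name: non_read_only(doc) for name, doc in policies.items()}
    return {name: bad for name, bad in report.items() if bad}

if __name__ == "__main__":
    print("scan policies:", lint(POLICIES) or "all read-only")
    print("deploy policy:", non_read_only(DEPLOY_POLICY))
```

Feed it the policy documents attached to the role (or the PolicyDocument blocks of the CFT in Section 9.2) after any future edit to confirm nothing beyond read access crept in.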
8.0 AWS Organization - Onboarding Setup
8.1 Create an IAM Role for the Web Identity Federation
For steps to set up an IAM role for the Web Identity Federation with the necessary permissions for an AWS organization, refer to Section 9.1: Set up an IAM Role with the Necessary Permissions – AWS Organization.
8.2 Deploy the CFT
This section outlines the steps for deploying the CFT through StackSets to create roles that the IAM role, as created in Section 8.1: Create an IAM Role for the Web Identity Federation, can assume.
To deploy the CFT for role creation from a root or user account, the account must have the following permissions policy (unless other attached policies already cover these permissions).
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FortanixCFTPermissions",
      "Effect": "Allow",
      "Action": [
        "cloudformation:*",
        "organizations:*",
        "s3:*"
      ],
      "Resource": "*"
    }
  ]
}
Create the JSON file for the CFT. Refer to Section 9.2: Create a JSON file for CFT to create the CFT.
Go to the AWS account from which the CFT will be deployed. Activate trusted access with AWS Organizations as described at the beginning of this section.
Go to your AWS console CloudFormation → StackSets page.
Figure 7: CloudFormation StackSets Page
Create a StackSet and upload the CFT template JSON file that you created in Step 1 above.
Figure 8: Choose the CFT Template
After you upload the CFT template, you will see the JSON file uploaded in the template field.
Figure 9: JSON File Uploaded
Enter the StackSet name (and optionally the StackSet description). Enter AWSAccountID and AWSRoleName of the role that initializes the scan.
Figure 10: StackSet Details
9.0 Appendix
9.1 Set up an IAM Role with the Necessary Permissions - AWS Organization
Create an IAM role as described in Section 7.1 Create an IAM Role for the Web Identity Federation in AWS and attach the following permissions policy to list accounts and assume roles:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FortanixFkiScannerPermissions",
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:ListAccounts",
        "organizations:ListAccountsForParent",
        "organizations:ListChildren",
        "organizations:ListOrganizationalUnitsForParent"
      ],
      "Resource": "*"
    },
    {
      "Sid": "FortanixFkiScannerPermissionsRole",
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": "arn:aws:iam::*:role/FortanixOrganizationAccessRoleForOIDC"
    }
  ]
}
NOTE
The above IAM role must be created using one of the two options:
From the AWS management account.
From an AWS member account, where the IAM role is then assigned as a delegated administrator for AWS organizations. Refer to Delegated Administrator for AWS Organizations for details.
When creating an IAM role as a delegated organization administrator, use the delegation policy listed below in the organization management account to register the IAM role as a delegated administrator. This IAM role also needs sts:AssumeRole permission in its own account to assume the Fortanix access role in member accounts.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::{REPLACE_WITH_ACCOUNT_NUMBER_OF_CREATED_IAM_ROLE}:role/FortanixKeyInsightScanner"
      },
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:ListAccounts",
        "organizations:ListAccountsForParent",
        "organizations:ListChildren",
        "organizations:ListOrganizationalUnitsForParent"
      ],
      "Resource": "*"
    }
  ]
}
9.2 Create a JSON File for CFT
The CFT to be deployed through StackSets for the whole AWS organization is as follows.
Here, the account ID and the IAM role name created in Section 9.1: Set Up an IAM Role with the Necessary Permissions - AWS Organization need to be entered.
{
"Description": "Create IAM roles and policies to grant read-only access to Fortanix Key Insight. Version 1.0",
"Parameters": {
"AwsAccountId": {
"Type": "Number",
"Description": "Enter the AWS account ID from which the data security scan will be performed. The access key and secret key associated with the user of this account are used by Fortanix data security assessment for scanning."
},
"AwsUserName": {
"Type": "String",
"Description": "Enter the AWS user name associated with the AwsAccountId. The access key and secret key associated with this user of the account are used by Fortanix data security assessment for scanning."
}
},
"Resources": {
"FortanixOrganizationAccessRoleForCredentials": {
"Type": "AWS::IAM::Role",
"Properties": {
"RoleName": "FortanixOrganizationAccessRoleForCredentials",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Sub": "arn:aws:iam::${AwsAccountId}:user/${AwsUserName}"
}
},
"Action": "sts:AssumeRole"
}
]
}
}
},
"FortanixKmsReadOnlyPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "FortanixKmsReadOnlyPolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:ListKeys",
"tag:GetResources"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"kms:GetKeyRotationStatus",
"kms:GetKeyPolicy",
"kms:DescribeKey",
"kms:ListGrants",
"kms:ListResourceTags",
"kms:ListKeyRotations"
],
"Resource": "arn:aws:kms:*:*:key/*"
}
]
},
"Roles": [
{
"Ref": "FortanixOrganizationAccessRoleForCredentials"
}
]
}
},
"FortanixS3ReadOnlyPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "FortanixS3ReadOnlyPolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetEncryptionConfiguration",
"s3:GetBucketLocation"
],
"Resource": "*"
}
]
},
"Roles": [
{
"Ref": "FortanixOrganizationAccessRoleForCredentials"
}
]
}
},
"FortanixRdsReadOnlyPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "FortanixRdsReadOnlyPolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "rds:DescribeDBInstances",
"Resource": "*"
}
]
},
"Roles": [
{
"Ref": "FortanixOrganizationAccessRoleForCredentials"
}
]
}
},
"FortanixEbsReadOnlyPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "FortanixEbsReadOnlyPolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:DescribeVolumes",
"Resource": "*"
}
]
},
"Roles": [
{
"Ref": "FortanixOrganizationAccessRoleForCredentials"
}
]
}
},
"FortanixEfsReadOnlyPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "FortanixEfsReadOnlyPolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "elasticfilesystem:DescribeFileSystems",
"Resource": "*"
}
]
},
"Roles": [
{
"Ref": "FortanixOrganizationAccessRoleForCredentials"
}
]
}
},
"FortanixRedshiftReadOnlyPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "FortanixRedshiftReadOnlyPolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"redshift:DescribeClusters"
],
"Resource": "*"
}
]
},
"Roles": [
{
"Ref": "FortanixOrganizationAccessRoleForCredentials"
}
]
}
},
"FortanixDynamodbReadOnlyPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "FortanixDynamodbReadOnlyPolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:ListTables",
"dynamodb:DescribeTable",
"dynamodb:ListStreams",
"dynamodb:DescribeStream"
],
"Resource": "*"
}
]
},
"Roles": [
{
"Ref": "FortanixOrganizationAccessRoleForCredentials"
}
]
}
},
"FortanixEksReadOnlyPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "FortanixEksReadOnlyPolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"eks:DescribeCluster",
"eks:ListClusters"
],
"Resource": "*"
}
]
},
"Roles": [
{
"Ref": "FortanixOrganizationAccessRoleForCredentials"
}
]
}
},
"FortanixListRegionsPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "FortanixListRegionsPolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "account:ListRegions",
"Resource": "*"
}
]
},
"Roles": [
{
"Ref": "FortanixOrganizationAccessRoleForCredentials"
}
]
}
}
},
"Outputs": {
"RoleId": {
"Description": "The ID of the IAM role",
"Value": {
"Ref": "FortanixOrganizationAccessRoleForCredentials"
}
},
"RoleArn": {
"Description": "The ARN of the IAM role",
"Value": {
"Fn::GetAtt": [
"FortanixOrganizationAccessRoleForCredentials",
"Arn"
]
}
},
"KmsPolicyId": {
"Description": "The ID of the IAM policy for AWS KMS ReadOnly permission",
"Value": {
"Ref": "FortanixKmsReadOnlyPolicy"
}
},
"S3PolicyId": {
"Description": "The ID of the IAM policy for AWS S3 ReadOnly permission",
"Value": {
"Ref": "FortanixS3ReadOnlyPolicy"
}
},
"RdsPolicyId": {
"Description": "The ID of the IAM policy for AWS RDS ReadOnly permission",
"Value": {
"Ref": "FortanixRdsReadOnlyPolicy"
}
},
"EbsPolicyId": {
"Description": "The ID of the IAM policy for AWS EBS ReadOnly permission",
"Value": {
"Ref": "FortanixEbsReadOnlyPolicy"
}
},
"EfsPolicyId": {
"Description": "The ID of the IAM policy for AWS EFS ReadOnly permission",
"Value": {
"Ref": "FortanixEfsReadOnlyPolicy"
}
},
"RedshiftPolicyId": {
"Description": "The ID of the IAM policy for AWS Redshift ReadOnly permission",
"Value": {
"Ref": "FortanixRedshiftReadOnlyPolicy"
}
},
"EksPolicyId": {
"Description": "The ID of the IAM policy for AWS EKS ReadOnly permission",
"Value": {
"Ref": "FortanixEksReadOnlyPolicy"
}
},
"DynamodbPolicyId": {
"Description": "The ID of the IAM policy for AWS DynamoDB ReadOnly permission",
"Value": {
"Ref": "FortanixDynamodbReadOnlyPolicy"
}
},
"AccountPolicyId": {
"Description": "The ID of the IAM policy for AWS Account ListRegions permission",
"Value": {
"Ref": "FortanixListRegionsPolicy"
}
}
}
}