1.0 Introduction
The purpose of this article is to outline the necessary steps for configuring the connection between Fortanix Key Insight on Amazon Web Service (AWS) and PingOne as an Open ID Connect (OIDC) identity provider (IdP).
Federated authentication in AWS refers to the process of enabling users to access AWS resources using their existing credentials from an external IdP, such as PingOne, Microsoft Entra ID, and so on.
Configuring PingOne as an Open ID Connect IdP in AWS involves the following steps:
Register a client application with your identity provider.
Configure the redirect Uniform Resource Locator (URL) on the client application.
Gather the Client ID, a unique identifier for your registered application.
Gather the OpenID configuration document (well-known) URL specific to your IdP tenant or account.
Set up IdP on your cloud account.
Set up the necessary permissions for AWS single account onboarding.
Set up the necessary permissions for AWS organization onboarding.
2.0 Register a Client Application with PingOne
Perform the following steps to register a client application with PingOne:
Perform the following steps to set up an OIDC web application in PingOne:
Navigate to the Applications section in the PingOne console and click the '+' icon next to the Applications title.
Enter the Application Name, Description, and Icon fields as required.
Select OIDC Web App as the Application Type.
Save the application.
For more details, refer to Adding an Application.
Edit the Configuration section of the OIDC application created in the previous step to include the following:
Response Type:
Code, Token, ID TokenGrant Type:
Authorization Code, Implicit, Refresh TokenRedirect URIs:
https://armor.fortanix.com/system/discovery/oauth/callbackToken Endpoint Authentication Method:
None
Figure 1: Application Configuration
Edit the Resource section of the OIDC application created in Step 1 to include the following:
Allowed Scopes:
opened(default),profile, email
Figure 2: Configure Resource Section
For more details, refer to Editing an application - OIDC.
3.0 Configure the Redirect URL on the Client Application
The redirect URL is the address to which PingOne forwards the OIDC response after authentication.
You can retrieve the redirect URL after registering your application with PingOne, as explained in Step 2 of Section 2.0: Register a Client Application with PingOne.
4.0 Gather the Client ID
A Client ID is a unique identifier for the registered client application. It allows you to validate the security tokens you receive from the IdP.
To retrieve the Client ID, copy the Client ID from the Configuration section of the OIDC application created in Step 1 of Section 2.0: Register a Client Application with PingOne.
NOTE
Ensure to record the
Client IDvalue as it is necessary for the identity provider configuration when setting up the AWS cloud connection in the Fortanix Key Insight user interface (UI).
5.0 Gather the OpenID Configuration Document (Well-Known) URL
An OpenID Connect (OIDC) provider provides a standard well-known URL that your client application can use to discover information about the provider's configuration dynamically.
This URL is specific to your IdP tenant or account.
To retrieve this value, copy the OIDC Discovery Endpoint from the Configuration → URLs section of the OIDC application created in Step 1 of Section 2.0: Register a Client Application with PingOne.
NOTE
Ensure to record the well-known URL value as it is necessary for the identity provider configuration when setting up the AWS cloud connection in the Fortanix Key Insight user interface (UI).
6.0 Setup an IdP on Your Cloud Account
Perform the following steps to set up IdP on your cloud account:
Configure the PingOne (OIDC IdP) in AWS using the issuer and client ID:
Sign in to the AWS Management Console and open the IAM console.
In the left navigation menu, select Identity providers.
Click Add provider to add a new IdP.
On the Configure Provider page, for Provider type, select OpenID Connect.
For Provider URL, enter
https://auth.pingone.com/{environment_id}/as/authorize. Ensure{environment_id}is replaced with your actual Environment ID from the Configuration section as explained in Step 2 of Section 2.0: Register a Client Application with PingOne.For the Audience, enter the Application ID (
Client ID) from PingOne registered application.Click Add provider to complete the setup.
Figure 3: Add an Identity Provider in AWS
Verify the details of the identity provider created in AWS using the following steps:
Navigate to the IAM console in AWS.
Click your OIDC identity provider.
Ensure the Provider URL is correctly set to
https://auth.pingone.com/{environment_id}/as/authorize.Ensure the Audience matches the Application (client) ID from PingOne.
(Optional) Ensure the thumbprint in the Thumbprints section is correct and matches the one you obtained.
Figure 4: Verify the IdP in AWS
For more details, refer to Create an OpenID Connect (OIDC) identity provider in IAM.
7.0 AWS Single Account - Onboarding Setup
7.1 Create an IAM Role for the Web Identity Federation
Perform the following steps to create an IAM role:
On the IAM page, select Roles.
Select Create role.
Select Web Identity as the trusted entity type.
Select the identity provider created in Section 6.0: Set up an IdP on your Cloud Account.
Enter the Audience value as the Application (Client) ID from PingOne registered application. Click Next.
Attach the necessary policies to the role as explained in Section 7.2: Access Control Permissions to Scan AWS.
Verify the details and complete the role creation.
Figure 5: Create an IAM Role
7.2 Access Control Permissions to Scan AWS
This section describes the general requirements for AWS access permissions.
The following read-only permissions are required for scanning the AWS KMS, S3, EBS, EKS, EFS, DynamoDB, Redshift, and RDS services. These permissions will be added manually for single account on-boarding setup and will be propagated automatically by the CloudFormation Template (CFT) in the AWS organization on-boarding setup.
KMS
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "kms:ListKeys", "tag:GetResources" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "kms:GetKeyRotationStatus", "kms:GetKeyPolicy", "kms:DescribeKey", "kms:ListGrants", "kms:ListResourceTags", "kms:ListKeyRotations" ], "Resource": "arn:aws:kms:*:*:key/*" } ] }RDS
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "rds:DescribeDBInstances", "Resource": "*" } ] }EBS
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:DescribeVolumes", "Resource": "*" } ] }S3
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:GetEncryptionConfiguration", "s3:GetBucketLocation" ], "Resource": "*" } ] }
DynamoDB
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:ListTables", "dynamodb:DescribeTable", "dynamodb:ListStreams", "dynamodb:DescribeStream" ], "Resource": "*" } ] }
EKS
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "eks:DescribeCluster", "eks:ListClusters" ], "Resource": "*" } ] }
EFS
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "elasticfilesystem:DescribeFileSystems", "Resource": "*" } ] }
Redshift
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "redshift:DescribeClusters" ], "Resource": "*" } ] }
8.0 AWS Organization - Onboarding Setup
8.1 Create an IAM Role for the Web Identity Federation
For steps to set up an IAM role for the Web Identity Federation with the necessary permissions for an AWS organization, refer to Section 9.1: Set up an IAM Role with the Necessary Permissions – AWS Organization.
8.2 Deploy the CFT
This section outlines the steps for deploying the CloudFormation Template (CFT) through StackSets to create roles that the IAM role, created in Section 8.1: Create an IAM Role for the Web Identity Federation, can assume.
To deploy the CFT for role creation from a root or user account, the account must have the following permissions policy (if there are no other attached policies covering these permissions already).
NOTE
To attach the following permission policy, the IAM role needs the corresponding IAM service read or write permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "FortanixCFTPermissions",
"Effect": "Allow",
"Action": [
"cloudformation:*",
"organizations:*",
"s3:*"
],
"Resource": "*"
}
]
}
NOTE
Refer to Activate trusted access with AWS organizations - AWS CloudFormation for details.
This will create a
AWSServiceRoleForCloudFormationStackSetsOrgAdminrole in the management account and aAWSServiceRoleForCloudFormationStackSetsOrgMemberrole in member accounts. These roles allow AWS CloudFormation Stacksets to perform supported operations within the organization's accounts.
Create the JSON file for the CFT. Refer to Section 9.2: Create a JSON file for CFT to create the CFT.
Go to your AWS account from which the CFT will be deployed. Activate trusted access with AWS Organization as described in the beginning of this section.
Go to your AWS console CloudFormation → StackSets page.
Figure 6: CloudFormation StackSets Page
Create StackSets and upload the CFT template JSON file that you created in Step 1 above.
Figure 7: Choose CFT Template
After you upload the CFT template, you will see the JSON file uploaded in the template field.
Figure 8: JSON File Uploaded
Enter the StackSet name (and optionally the StackSet description). Enter AWSAccountID and AWSRoleName of the role that initializes the scan.
NOTE
The AWSAccountID and AWSRoleName must be created in advance as described in Section 9.1: Set Up an IAM Role With the Necessary Permissions - AWS Organization.
.png?sv=2022-11-02&spr=https&st=2025-04-04T20%3A04%3A16Z&se=2025-04-04T20%3A26%3A16Z&sr=c&sp=r&sig=FtkE6GvQzJCpnh4NxzJYiBviTKZ7uiLLsOT3xZvDRKM%3D)
Figure 9: StackSet Details
9.0 Appendix
9.1 Set up an IAM Role with the Necessary Permissions - AWS Organization
Create an IAM role as described in Section 7.1: Create an IAM Role for the Web Identity Federation in AWS and attach the following permissions policy to list accounts and assume roles:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "FortanixFkiScannerPermissions",
"Effect": "Allow",
"Action": [
"organizations:DescribeOrganization",
"organizations:ListAccounts",
"organizations:ListAccountsForParent",
"organizations:ListChildren",
"organizations:ListOrganizationalUnitsForParent"
],
"Resource": "*"
},
{
"Sid": "FortanixFkiScannerPermissionsRole",
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": "arn:aws:iam::*:role/FortanixOrganizationAccessRoleForOIDC"
}
]
}
NOTE
The above IAM role must be created using one of the two options:
From the AWS management account.
From an AWS member account, where the IAM role is then assigned as a delegated administrator for AWS organizations. Refer to Delegated Administrator for AWS Organizations for details.
When creating an IAM role as a delegated organization administrator, use the delegation policy listed below in the organization management account to register the IAM role as a delegated administrator. This IAM role also needs sts:AssumeRole permission in their account to assume the Fortanix access role in member accounts.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::{REPLACE_WITH_ACCOUNT_NUMBER_OF_CREATED_IAM_ROLE}:role/FortanixKeyInsightScanner"
},
"Action": [
"organizations:DescribeOrganization",
"organizations:ListAccounts",
"organizations:ListAccountsForParent",
"organizations:ListChildren",
"organizations:ListOrganizationalUnitsForParent",
]
"Resource": "*"
}
]
}
9.2 Create a JSON File for CFT
The CFT to be deployed in the StackSets for the whole AWS organization is attached as follows:
Here, the account ID and the IAM rolename as created in Section 9.1: Set Up an IAM Role with the Necessary Permissions - AWS Organization needs to be entered.
{
"Description": "Create IAM roles and policies to grant read-only access to Fortanix Key Insight. Version 1.0",
"Parameters": {
"AwsAccountId": {
"Type": "Number",
"Description": "Enter the AWS account ID from which the data security scan will be performed. The access key and secret key associated with the user of this account are used by Fortanix data security assessment for scanning."
},
"AwsUserName": {
"Type": "String",
"Description": "Enter the AWS user name associated with the AwsAccountId. The access key and secret key associated with this user of the account are used by Fortanix data security assessment for scanning."
}
},
"Resources": {
"FortanixOrganizationAccessRoleForCredentials": {
"Type": "AWS::IAM::Role",
"Properties": {
"RoleName": "FortanixOrganizationAccessRoleForCredentials",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": {
"Fn::Sub": "arn:aws:iam::${AwsAccountId}:user/${AwsUserName}"
}
},
"Action": "sts:AssumeRole"
}
]
}
}
},
"FortanixKmsReadOnlyPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "FortanixKmsReadOnlyPolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:ListKeys",
"tag:GetResources"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"kms:GetKeyRotationStatus",
"kms:GetKeyPolicy",
"kms:DescribeKey",
"kms:ListGrants",
"kms:ListResourceTags",
"kms:ListKeyRotations"
],
"Resource": "arn:aws:kms:*:*:key/*"
}
]
},
"Roles": [
{
"Ref": "FortanixOrganizationAccessRoleForCredentials"
}
]
}
},
"FortanixS3ReadOnlyPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "FortanixS3ReadOnlyPolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetEncryptionConfiguration",
"s3:GetBucketLocation"
],
"Resource": "*"
}
]
},
"Roles": [
{
"Ref": "FortanixOrganizationAccessRoleForCredentials"
}
]
}
},
"FortanixRdsReadOnlyPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "FortanixRdsReadOnlyPolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "rds:DescribeDBInstances",
"Resource": "*"
}
]
},
"Roles": [
{
"Ref": "FortanixOrganizationAccessRoleForCredentials"
}
]
}
},
"FortanixEbsReadOnlyPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "FortanixEbsReadOnlyPolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:DescribeVolumes",
"Resource": "*"
}
]
},
"Roles": [
{
"Ref": "FortanixOrganizationAccessRoleForCredentials"
}
]
}
},
"FortanixEfsReadOnlyPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "FortanixEfsReadOnlyPolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "elasticfilesystem:DescribeFileSystems",
"Resource": "*"
}
]
},
"Roles": [
{
"Ref": "FortanixOrganizationAccessRoleForCredentials"
}
]
}
},
"FortanixRedshiftReadOnlyPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "FortanixRedshiftReadOnlyPolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"redshift:DescribeClusters"
],
"Resource": "*"
}
]
},
"Roles": [
{
"Ref": "FortanixOrganizationAccessRoleForCredentials"
}
]
}
},
"FortanixDynamodbReadOnlyPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "FortanixDynamodbReadOnlyPolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:ListTables",
"dynamodb:DescribeTable",
"dynamodb:ListStreams",
"dynamodb:DescribeStream"
],
"Resource": "*"
}
]
},
"Roles": [
{
"Ref": "FortanixOrganizationAccessRoleForCredentials"
}
]
}
},
"FortanixEksReadOnlyPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "FortanixEksReadOnlyPolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"eks:DescribeCluster",
"eks:ListClusters"
],
"Resource": "*"
}
]
},
"Roles": [
{
"Ref": "FortanixOrganizationAccessRoleForCredentials"
}
]
}
},
"FortanixListRegionsPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "FortanixListRegionsPolicy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "account:ListRegions",
"Resource": "*"
}
]
},
"Roles": [
{
"Ref": "FortanixOrganizationAccessRoleForCredentials"
}
]
}
}
},
"Outputs": {
"RoleId": {
"Description": "The ID of the IAM role",
"Value": {
"Ref": "FortanixOrganizationAccessRoleForCredentials"
}
},
"RoleArn": {
"Description": "The ARN of the IAM role",
"Value": {
"Fn::GetAtt": [
"FortanixOrganizationAccessRoleForCredentials",
"Arn"
]
}
},
"KmsPolicyId": {
"Description": "The ID of the IAM policy for AWS KMS ReadOnly permission",
"Value": {
"Ref": "FortanixKmsReadOnlyPolicy"
}
},
"S3PolicyId": {
"Description": "The ID of the IAM policy for AWS S3 ReadOnly permission",
"Value": {
"Ref": "FortanixS3ReadOnlyPolicy"
}
},
"RdsPolicyId": {
"Description": "The ID of the IAM policy for AWS RDS ReadOnly permission",
"Value": {
"Ref": "FortanixRdsReadOnlyPolicy"
}
},
"EbsPolicyId": {
"Description": "The ID of the IAM policy for AWS EBS ReadOnly permission",
"Value": {
"Ref": "FortanixEbsReadOnlyPolicy"
}
},
"EfsPolicyId": {
"Description": "The ID of the IAM policy for AWS EFS ReadOnly permission",
"Value": {
"Ref": "FortanixEfsReadOnlyPolicy"
}
},
"RedshiftPolicyId": {
"Description": "The ID of the IAM policy for AWS Redshift ReadOnly permission",
"Value": {
"Ref": "FortanixRedshiftReadOnlyPolicy"
}
},
"EksPolicyId": {
"Description": "The ID of the IAM policy for AWS EKS ReadOnly permission",
"Value": {
"Ref": "FortanixEksReadOnlyPolicy"
}
},
"DynamodbPolicyId": {
"Description": "The ID of the IAM policy for AWS DynamoDB ReadOnly permission",
"Value": {
"Ref": "FortanixDynamodbReadOnlyPolicy"
}
},
"AccountPolicyId": {
"Description": "The ID of the IAM policy for AWS Account ListRegions permission",
"Value": {
"Ref": "FortanixListRegionsPolicy"
}
}
}
}