1.0 Introduction
This article describes the Fortanix Key Insight concepts for Amazon Web Services (AWS). Fortanix Key Insight enables you to apply uniform key lifecycle management policies and processes to cryptographic key management systems across multiple clouds.
2.0 Terminology References
2.1 AWS Terminology
CONCEPT | DESCRIPTION |
---|---|
AWS Organization | An entity created to consolidate all AWS accounts and administer them as a single unit. An organization has one management account and zero or more member accounts. The accounts in an organization can be arranged in a hierarchical tree-like structure with the "root" at the top and "organizational units" and "accounts" nested under the root. Fortanix Key Insight scans an AWS organization and all the accounts within that organization. |
AWS Account | A container for your AWS resources. You create and manage your AWS resources in an AWS account. Fortanix Key Insight scans all the regions within each AWS account in an AWS organization. |
AWS Role | AWS Identity and Access Management (IAM) roles are entities you create and assign specific permissions to so that trusted identities, such as workforce identities and applications, can perform actions in AWS. Fortanix Key Insight requires an AWS IAM user with permission to access the AWS management account and its member accounts. |
AWS Services | AWS services allow users to set up their IT infrastructure online. The most widely used include Amazon Elastic Compute Cloud (EC2), Amazon Relational Database Service (RDS), Amazon Simple Storage Service (S3), Amazon Elastic Block Store (EBS), and Amazon Virtual Private Cloud (VPC). |
AWS KMS Keys | AWS KMS keys are the primary resource in AWS KMS; they are logical representations of cryptographic keys. AWS assigns an Amazon Resource Name (ARN) to each KMS key, which includes a unique key identifier, or key ID. Fortanix Key Insight scans all the AWS accounts within an AWS organization and identifies the key compliance status across multiple AWS regions. |
AWS Certificate Manager (ACM) | AWS ACM is a fully managed service that allows you to provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services and your internal connected resources. Fortanix Key Insight scans the AWS accounts within an organization to identify ACM-managed certificates, assess their compliance across regions, and analyze cryptographic metadata such as signature algorithms and key sizes. |
AWS Scan | The act of connecting to AWS KMS and the other services of interest and collecting the information Fortanix Key Insight needs about them. |
AWS Sync | The act of synchronizing cryptographic key information and state between the cloud scanner and Fortanix Data Security Manager (DSM) so that the state and contents of DSM reflect the state and contents of the cloud key manager(s). |
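The "AWS Role" entry above says the scanning identity needs access to the management account and the member accounts. Before granting that, a practitioner wants two checks: that the role's permission policy is strictly read/describe (a key inventory scanner must never be able to decrypt, export, rotate or delete anything), and that its trust policy can only be assumed by the scanner's own account with an ExternalId (the standard mitigation for the cross-account confused-deputy problem). The block below is an added example and is not Fortanix's onboarding template or published permission list; the read-only allowlist, the forbidden set, the account ID 111122223333 and the sample policies are all constructed assumptions for illustration.

```python
import fnmatch

# Assumed read-only permission set for an inventory scan (illustrative only;
# the product's onboarding guide is the authority on the real set).
SCANNER_READ_ONLY = {
    "organizations:ListAccounts", "organizations:DescribeOrganization",
    "ec2:DescribeRegions", "ec2:DescribeVolumes",
    "kms:ListKeys", "kms:ListAliases", "kms:DescribeKey", "kms:GetKeyRotationStatus",
    "acm:ListCertificates", "acm:DescribeCertificate",
    "s3:ListAllMyBuckets", "s3:GetEncryptionConfiguration",
    "rds:DescribeDBInstances", "dynamodb:ListTables", "dynamodb:DescribeTable",
}
# Actions that would let a scanner use, export or change key material or certificates.
NEVER_GRANT = {
    "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey", "kms:ReEncryptFrom",
    "kms:CreateKey", "kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:DisableKey",
    "kms:EnableKeyRotation", "acm:ExportCertificate", "acm:DeleteCertificate",
}


def _as_list(value):
    """IAM allows a single string, a single object, or a list in most fields."""
    if isinstance(value, (str, dict)):
        return [value]
    return list(value or [])


def _covers(pattern: str, action: str) -> bool:
    """IAM matches action names case-insensitively and supports '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def audit_permissions(policy: dict) -> list:
    """Return findings for Allow statements that reach beyond the read-only set."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append("NotAction grants everything except the listed actions")
        for pat in _as_list(stmt.get("Action")):
            hits = sorted(a for a in NEVER_GRANT if _covers(pat, a))
            if hits:
                findings.append(f"{pat} covers forbidden {hits}")
            elif not any(_covers(pat, a) for a in SCANNER_READ_ONLY):
                findings.append(f"{pat} is outside the read-only allowlist")
    return findings


def audit_trust(trust: dict, scanner_account: str) -> list:
    """A cross-account role should be assumable only from the scanner's account and
    only with an sts:ExternalId condition (confused-deputy protection)."""
    findings = []
    for stmt in _as_list(trust.get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        if any(p == "*" or scanner_account not in p for p in aws):
            findings.append(f"trusts principal(s) {aws} other than {scanner_account}")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("AssumeRole allowed without sts:ExternalId condition")
    return findings


# Constructed sample policies (not taken from any real deployment).
OVERBROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:*", "acm:DescribeCertificate"], "Resource": "*"}]}
TIGHT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(SCANNER_READ_ONLY), "Resource": "*"}]}
WEAK_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "sts:AssumeRole"}]}
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}

if __name__ == "__main__":
    print(audit_permissions(OVERBROAD_POLICY))   # kms:* is flagged, acm:DescribeCertificate is not
    print(audit_permissions(TIGHT_POLICY))       # []
    print(audit_trust(WEAK_TRUST, "111122223333"))
    print(audit_trust(GOOD_TRUST, "111122223333"))  # []
```

The wildcard check runs in the direction IAM evaluates it: each policy action pattern is tested against every forbidden concrete action, so "kms:*" or "kms:Gen*" is caught even though neither string appears in the forbidden set. Resource scoping is deliberately not checked here, because the list and describe calls a scan depends on mostly require "*" anyway.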
3.0 Fortanix Key Insight Features - AWS Connection
The Fortanix Key Insight AWS connection has the following features:
It allows users to scan all AWS regions across all accounts within an AWS Organization. For each region, it identifies cryptographic assets such as KMS keys, ACM certificates, and encryption configurations for AWS services including S3, RDS, DynamoDB, Redshift, EKS, EFS, and EBS. The scan determines which services and resources are encrypted, which keys were used for encryption, and the status of those keys and certificates.
Generates reports on non-compliant AWS KMS keys, ACM certificates, and services. For each region, the report shows:
The risk score
Cryptographic key sources
Top security issues
Service violations
Post Quantum Cryptography (PQC) readiness of keys
Provides a dashboard view of cryptographic key and ACM certificate compliance status across multiple AWS regions.
The dashboard shows:
Scanned AWS accounts, regions, certificates, keys and services
Assessment report
Top five accounts with the most keys
Protected services
Key types
Key status
Key source
Certificates by status
Certificates by algorithm type
For every AWS key in a region,
Provides a tabular view that shows the key details such as identifier, key source, key state, key type, AWS account ID, last rotation date, next rotation date, and so on.
Provides a map of the key compliance statuses.
Detects non-compliant keys based on the applied policy and issues vulnerability alerts according to NIST standards.
Provides essential information such as key properties, key owner(s), rotation, service mapping, and related violations.
For each AWS service in a region,
Displays a comprehensive overview that allows you to filter services by type, violations, account, and region. You can click on each service to view a detailed list of associated vulnerabilities, if applicable.
Offers a tabular view showing service details such as the service name, service type, region, encryption status, AWS account ID, and other relevant fields.
Provides detailed insights into service configurations and any violations associated with each service, helping you to understand potential issues and compliance gaps.
For every AWS certificate in a region,
Provides a tabular view that shows the certificate details such as identifier, status, serial number, issues, signature algorithm, creation date, and so on. You can filter the certificates as required.
Provides a map of the certificate compliance statuses.
Detects non-compliant certificates based on the applied policy and issues vulnerability alerts according to NIST standards.
Provides essential information such as certificate properties, domain name and Subject Alternative Names (SANs), service mapping, and related violations.
Allows users to export all scanned key, certificate, and service data in comma-separated values (CSV) format and provides the ability to track export activities.
Enables users to optionally select pre-configured Fortanix DSM (on-premises or SaaS) application credentials for key correlation when onboarding an AWS connection. This lets Fortanix Key Insight identify, once a scan has run, whether the scanned keys originate from a Fortanix DSM SaaS or on-premises environment.
Enables users to automatically retrieve the crypto policies configured in Fortanix DSM and apply them to scans and assessments, ensuring that Fortanix Key Insight remains aligned with any updates in Fortanix DSM.
Provides an assessment report that gives a snapshot of your data security posture and risk score, identifies vulnerabilities, highlights areas of strength, and pinpoints opportunities for improvement.
Provides a dashboard for assessing AWS connection Post-Quantum Cryptography (PQC) readiness, featuring a sunburst chart layout that simplifies the visualization of key data points and includes drill-down capabilities for deeper insights.
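The feature list says Key Insight detects non-compliant keys and certificates against an applied policy, reports last and next rotation dates, assesses Post-Quantum Cryptography readiness, and rolls the results up per region into a risk score, key sources and top issues. The block below is an added example, not Fortanix code, of what such checks look like when run over the metadata AWS actually exposes: dicts shaped like the KeyMetadata of kms:DescribeKey, the kms:GetKeyRotationStatus response, and the Certificate of acm:DescribeCertificate. The thresholds (3072-bit RSA floor, one-year window for keys that cannot auto-rotate, 30-day expiry warning, SHA-1/MD5 signatures) are assumptions in the spirit of NIST SP 800-57 and SP 800-131A, not the crypto policy Fortanix Key Insight or DSM ships; the risk-score formula and the sample inventory are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)      # fixed clock so results are reproducible

# Policy thresholds: assumptions, not the product's shipped policy.
MIN_RSA_BITS = 3072
MAX_UNROTATED_AGE = timedelta(days=365)              # for keys that cannot auto-rotate
EXPIRY_WARNING = timedelta(days=30)
DEPRECATED_SIGNATURES = {"SHA1WITHRSA", "MD5WITHRSA", "SHA1WITHECDSA"}


def is_quantum_vulnerable(spec: str) -> bool:
    """RSA, ECC and SM2 specs fall to Shor's algorithm; AES/HMAC symmetric specs do not."""
    spec = spec.upper().replace("-", "_")
    return spec.startswith(("RSA_", "ECC_", "EC_")) or spec == "SM2"


def assess_kms_key(meta: dict, rotation: dict) -> dict:
    """meta: KeyMetadata from kms:DescribeKey. rotation: kms:GetKeyRotationStatus
    response, or {} for key types that do not support automatic rotation."""
    spec = meta.get("KeySpec", "SYMMETRIC_DEFAULT")
    violations = []
    if meta["KeyState"] != "Enabled":
        violations.append(f"state:{meta['KeyState']}")
    if spec.startswith("RSA_") and int(spec[4:]) < MIN_RSA_BITS:
        violations.append(f"weak-spec:{spec}")
    if spec == "SYMMETRIC_DEFAULT" and meta.get("Origin", "AWS_KMS") == "AWS_KMS":
        # only AWS-generated symmetric keys can rotate automatically
        if not rotation.get("KeyRotationEnabled"):
            violations.append("rotation-disabled")
        elif (nxt := rotation.get("NextRotationDate")) and nxt < NOW:
            violations.append("rotation-overdue")
    elif NOW - meta["CreationDate"] > MAX_UNROTATED_AGE:
        violations.append("stale-key")               # imported / CloudHSM / asymmetric key past its window
    return {"key_id": meta["KeyId"], "source": meta.get("Origin", "AWS_KMS"),
            "violations": violations, "pqc_ready": not is_quantum_vulnerable(spec)}


def assess_acm_certificate(cert: dict) -> dict:
    """cert: Certificate from acm:DescribeCertificate."""
    violations = []
    if cert["Status"] != "ISSUED":
        violations.append(f"status:{cert['Status']}")
    not_after = cert.get("NotAfter")
    if not_after and not_after < NOW:
        violations.append("expired")
    elif not_after and not_after - NOW < EXPIRY_WARNING:
        violations.append("expiring-soon")
    if cert["SignatureAlgorithm"].upper() in DEPRECATED_SIGNATURES:
        violations.append(f"weak-signature:{cert['SignatureAlgorithm']}")
    key_alg = cert["KeyAlgorithm"].upper().replace("-", "_")  # "RSA-2048" and "RSA_2048" both occur
    if key_alg.startswith("RSA_") and int(key_alg[4:]) < MIN_RSA_BITS:
        violations.append(f"weak-key:{cert['KeyAlgorithm']}")
    return {"arn": cert["CertificateArn"], "violations": violations,
            "pqc_ready": not is_quantum_vulnerable(key_alg)}  # ACM issues only RSA/EC keys today


def region_report(keys, certs) -> dict:
    """Roll per-asset findings up into the per-region figures the report lists."""
    findings = [assess_kms_key(m, r) for m, r in keys] + [assess_acm_certificate(c) for c in certs]
    issue_counts = {}
    for f in findings:
        for v in f["violations"]:
            kind = v.split(":")[0]
            issue_counts[kind] = issue_counts.get(kind, 0) + 1
    non_compliant = sum(1 for f in findings if f["violations"])
    return {
        "risk_score": round(100 * non_compliant / len(findings)) if findings else 0,  # assumption: % non-compliant
        "key_sources": sorted({f["source"] for f in findings if "source" in f}),
        "top_issues": sorted(issue_counts.items(), key=lambda kv: -kv[1])[:3],
        "pqc_ready": sum(1 for f in findings if f["pqc_ready"]),
        "pqc_vulnerable": sum(1 for f in findings if not f["pqc_ready"]),
    }


# Constructed sample inventory for one region (not captured from a real account).
SAMPLE_KEYS = [
    ({"KeyId": "k-aes", "KeyState": "Enabled", "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS",
      "CreationDate": NOW - timedelta(days=700)},
     {"KeyRotationEnabled": True, "NextRotationDate": NOW + timedelta(days=100)}),
    ({"KeyId": "k-byok", "KeyState": "Enabled", "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "EXTERNAL",
      "CreationDate": NOW - timedelta(days=700)}, {}),
    ({"KeyId": "k-rsa", "KeyState": "PendingDeletion", "KeySpec": "RSA_2048", "Origin": "AWS_KMS",
      "CreationDate": NOW - timedelta(days=30)}, {}),
]
SAMPLE_CERTS = [
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/c-ok", "Status": "ISSUED",
     "NotAfter": NOW + timedelta(days=200), "SignatureAlgorithm": "SHA256WITHRSA", "KeyAlgorithm": "RSA-4096"},
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/c-old", "Status": "ISSUED",
     "NotAfter": NOW + timedelta(days=10), "SignatureAlgorithm": "SHA1WITHRSA", "KeyAlgorithm": "RSA-2048"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(region_report(SAMPLE_KEYS, SAMPLE_CERTS), indent=2))
```

Two details worth noting when building checks like this against real AWS metadata: automatic rotation only exists for AWS_KMS-origin symmetric keys, so a rotation-disabled finding on an imported (BYOK) or asymmetric key is a false positive and those keys need an age-based rule instead; and every key type ACM can issue today is RSA or EC, so a certificate inventory is entirely quantum-vulnerable and the PQC question for certificates is about migration readiness, not current state.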