Users can access the AWS connection Overview page after adding an AWS cloud account. The Overview page summarizes AWS keys, certificates, and services based on the applied Fortanix Key Insight policy.
You can click any numerical value on the Overview page to view the list of corresponding AWS keys, certificates, and services.
If you added any external key source (Fortanix DSM SaaS or On-Premises) during the AWS cloud connection onboarding, the Overview page will display the total key count, reflecting the correlated keys from the external key source after a successful scan.
The Overview page helps users get a summary of the AWS keys, certificates, and services, as described in the following sections:
3.1 Cloud Discovery Accounts
This section summarizes the count of all the parameters for a CSP organization. It shows the count of:
Total number of accounts within the cloud organization
Total number of regions under all the cloud accounts
Total number of certificates in all the cloud regions
Total number of keys in all the cloud regions
Total number of services in all the cloud regions
Clicking the Keys, Certificates and Services labels in the Cloud Discovery Accounts section takes you to their list view.
3.2 Assessment Report
This section allows the user to view the assessment report on the Assessment page. The report allows you to assess your key’s security posture to ensure the safety of your data.
Click ASSESSMENT REPORT to go to the Assessment page.
This section gives you a quick overview of the AWS Services map that shows the top accounts whose services are vulnerable due to either using shared keys or they are not encrypted.
Click the services map to go to the detailed view of the services graph.
3.4 Top Accounts by Key and Status
This section lists, in descending order, the top five accounts with the greatest number of keys since the last key scan operation. The count for each account includes both enabled and disabled keys. Blue color indicators denote enabled keys, while orange color indicators denote disabled keys in each account.
Click the account ID to go to the list view of the account that shows all the keys in the account.
3.5 Protected Services
This section presents a summary of the number of encrypted cloud services compared to the number of unencrypted services.
Clicking the Encrypted label takes you to the Services table, which shows all the encrypted services.
Clicking the Unencrypted label takes you to the Services table, which shows all the services that are not encrypted.
3.6 Keys by Type
This section provides a count of the key specifications in the cloud accounts. For AWS CSP, it shows the total number of keys that are configured in all the AWS cloud accounts based on the applied Key Insight policy.
You can click each key type to access its corresponding list view.
3.7 Keys by Status
This section provides a summary of the status of the cloud keys across all the cloud accounts in an organization. It provides a count of the enabled keys and the count of the disabled keys. Click the Keys by Status label to go to the list view of the keys.
3.8 Key Source
This section summarizes the source of all the cloud keys. For AWS CSP, it provides a count of the following:
AWS KMS: count of all the keys that were directly created in AWS KMS.
Bring Your Own Key (BYOK): count of all the keys that were imported into AWS using an external source, for example: Fortanix DSM using the Bring Your Own Key (BYOK) concept, where the key material of the key is imported into AWS KMS.
External Key Store (XKS): count of all the keys that are stored in an external key store, for example: a key store created by connecting AWS XKS with Fortanix DSM to encrypt or decrypt the customer’s data in AWS.
NOTE
If you added an external key source (Fortanix DSM SaaS or On-Premises) during AWS cloud connection onboarding, the BYOK key source label will be replaced with “Fortanix”, displaying the count of the BYOK key source. This indicates that the BYOK keys are now correlated from the external key source, “Fortanix”.
Clicking the key source labels will take you to the tabular view of the keys for the selected key source.
3.9 Certificates by Status
This section summarizes the status of scanned AWS certificates, showing the number of issued certificates, validation pending, and expired certificates. Click any label or count to navigate to a filtered list view of the corresponding certificates.
3.10 Certificates by Algorithm Type
This section provides a summary of certificate distribution by key algorithm type (For example, RSA 2048). For AWS certificates, it displays the total count of each key algorithm used across all scanned certificates.
Click any key algorithm type to view a filtered list of certificates using that algorithm.
4.0 AWS Connection - Assessments
Users can access the Fortanix Key Insight Assessment page after adding a cloud account.
The Assessment page shows:
How good or bad the key security posture is for the cloud accounts.
Violations that must be remediated to improve the security status.
Remediation advice to improve the security status.
Figure 2: AWS assessment report
NOTE
You can click any numerical value on the Assessment page to view the list of corresponding AWS keys, certificates, and services.
If you added any external key source during the AWS cloud connection onboarding, the Assessment page will display the total key count, reflecting the correlated keys from the external key source after a successful scan.
These are described in detail in the following sections:
4.1 Risk Score
This section provides the overall risk score of the CSP keys, cetificates, and services. There are three types of risks:
High – A high score signifies the total number of shared keys, shared certificates, overly permissive (usage) keys, overly permissive certificate (keys usage), or non-compliant keys in use.
Critical – A critical risk score indicates the total number of deleted keys, expired certificates, non-compliant certificates by algorithm, and unencrypted cloud services detected that need attention.
Medium – A medium risk score indicates the total number of CSP-generated and overly permissive (management) keys in use.
The priority of the overall risk score is based on the count of risks in the following order:
Critical
High
Medium
4.2 Top Security Issues
This section provides the following information about the keys and certificates:
Shared keys: This section shows the total number of keys in the AWS connection that are shared by two or more services for encrypting the services. This information will help you determine which keys are at risk so that you can use unique encryption keys for better security.
Shared certificates: This section shows the total number of certificates in the AWS connection that are shared across two or more services. Identifying these shared certificates helps you assess potential exposure risks and take action by using unique encryption certificates for enhanced security.
Cryptography policy: This section shows the total number of keys in the cloud account that are violating the cryptographic policy that is set for a Fortanix Key Insight account. This information will help you determine which keys are non-compliant with the Key Insight Cryptographic policy so that you can generate new keys to encrypt the AWS services.
Any key that utilizes the following algorithm and key size combinations is considered Non-Compliant in Fortanix Key Insight, according to the National Institute of Standards and Technology (NIST) 800-57 standard:
AES: Any key size less than 192 bits.
3DES: Keys with size 112 bits and 168 bits.
DES: Keys with size 56 bits.
RSA: Keys with size less than 2048 bits.
DSA: Keys with size less than 2048 bits.
ECC: Keys with size less than 224 bits.
The non-compliant keys increase the data security risk. They will be flagged as vulnerabilities on the Keys page.
Fortanix Key Insight recommends using stronger key algorithms and ensuring that the key strength aligns with your defined policies and NIST standards.
Quantum-vulnerable keys: For AWS CSP, this is the total number of keys in the AWS cloud account that utilizes Quantum-vulnerable algorithms. These are symmetric keys such as RSA, EC, and so on. This information will help you determine which services are encrypted using Quantum-vulnerable keys so that you can select to re-encrypt the services using a symmetric key such as AES 256.
Unused keys: This section shows the total number of AWS keys that remain unused for encryption in the scanned data and supported services. You can use this information to identify unused keys and remove them for enhanced security.
NOTE
Fortanix Key Insight recommends removing any unused keys from your cloud as a best practice.
Overly permissive keys [Usage]: This section displays the total number of AWS KMS keys with excessive usage permissions. Such keys can result in service violations and are assigned a high-risk score. This information helps analyze key usage to improve security. The overly permissive keys (usage) check examines Key Policies and Grants to determine if an AWS service principal is allowed to execute cryptographic operations without utilizing EncryptionContext or aws:SourceArn condition keys. Additionally, it identifies wildcard entries in the Principal field of policy statements that grant broad permissions for cryptographic operations on AWS KMS.
Overly permissive keys [Management]: This section displays the total number of AWS KMS keys with excessive management permissions. Keys with overly permissive management permissions can lead to service violations and are assigned a medium risk score. This information helps analyze key usage to improve security. The overly permissive keys (management) check specifically examines Key Policies to identify policy statements that allow actions to modify keys where the Principal field contains wildcard entries. These wildcards (for example, users/*) can grant broad permissions and may expose the keys to unauthorized modifications.
Overly permissive certificates [Key usage]: This section displays the total number of AWS certificates with excessive key usage permissions. The certificates with overly permissive key usage permissions can lead to service violations and are assigned a high risk score. Key usages are assigned based on specific roles such as,
TLS Web Server Authentication
TLS Web Client Authentication
Code Signing
Email Protection
Timestamping
OCSP Signing
IPSec End System
IPSec Tunnel
IPSec User
Certificates are flagged as violated if they include multiple key usages beyond acceptable combinations, with three exceptions:
A single key usage type.
A combination of Web Server and Web Client Authentication.
An empty or undefined key usage.
Any other combination is considered overly permissive and potentially vulnerable.
NOTE
Fortanix Key Insight recommends reviewing and revalidating the AWS key and certificate policies as a best practice to avoid overly permissions.
Click each top security issue to access its corresponding list view.
4.3 Service Violations
For an AWS CSP, this section provides insights into service violations across your AWS cloud environment.
You can view the total number of cloud accounts and their associated services, along with specific violations tied to each service. These violations may result from the use of shared, deleted, or soon-to-be-deleted keys, excessive permissions, non-compliant configurations, or unencrypted keys. This data will help you identify which services are at risk, enabling you to implement unique, compliant, and encrypted keys for enhanced security.
Also,
You can view risk levels for each service that are color-coded for easy identification.
Select VIEW ALL to navigate to the Services page and explore individual key violations for each service.
NOTE
For S3, RDS, and EBS the count of Non-Compliant keys will always be 0 since all keys are compliant by default.
You can click any service to view a detailed list of the top 10 key violations associated with it, sorted by severity. Click each violation type to navigate to the corresponding list view.
Click BACK to navigate to the service violations card view.
4.4 Certificate Expiry by Issuers
This section provides insights into monitoring and managing the expiration status of certificates in AWS Certificate Manager (ACM), organized by issuer (For example, Amazon, DigiCert, Let's Encrypt, and so on), if any.
This section gives you the visibility of certificate lifecycle risks and helps ensure continuous compliance and availability across AWS environments.
This section contains two sub sections:
4.4.1 About to Expire in 30 Days
This section displays the total number of ACM certificates that are scheduled to expire within the next 30 days, grouped by certificate issuer, if any. Each issuer is represented using a distinct color for easy identification.
Click the count associated with a specific issuer or the overall total to navigate to a filtered list view displaying the corresponding certificates.
4.4.2 Expired Certificates
This section displays the total number of ACM certificates that have already expired, grouped by certificate issuer, if any. Each issuer is represented using a distinct color for easy identification.
This data helps to identify misconfigurations, overlooked assets, or potential security risks from expired certificates.
Click the count associated with a specific issuer or the overall total to navigate to a filtered list view displaying the corresponding certificates.
4.5 Certificate by Violation Type
This section displays the total number of non-compliant ACM certificates categorized by specific violation types (For example, shared certificates), helping you take targeted action to address security or policy gaps.
NOTE
Fortanix Key Insight currently does not support the Non-compliant Certificates (Signature Algorithm) violation type in the Policy Center; therefore, its count will always be 0.
Click the count for a specific violation type or the overall total to navigate to a filtered list view of the affected certificates.
4.6 Key Count by Sources
For AWS CSP, this section provides information about the security and risk assessment of the natively managed keys (key source is AWS KMS or AWS Cloud HSM) and externally managed keys (key source is External or External Key Store). The various circles show the total key count in the cloud account.
4.6.1 Cloud Generated
This section displays the details of natively managed keys (the key source is AWS KMS or AWS Cloud HSM). It is represented as a blue circle.
KMS: The KMS represents the total number of keys directly generated in AWS KMS. These keys increase the risk of unauthorized access to encrypted data. For better security, you can use the Fortanix Data Security Manager. Click the circle or the warning icon to go to the list view of the KMS keys.
Cloud HSM: These keys in Fortanix refer to cryptographic keys that are stored and managed within Fortanix using their Hardware Security Module (HSM) services.
4.6.2 External
This section displays the details on externally managed keys (the key source is External or External Key Store). It is represented as a green circle.
BYOK: The circle represents the total number of keys that were imported into AWS using an external source. Refer to the Fortanix DSM using the Bring Your Own Key (BYOK) guide, where the key material of the key is imported into AWS KMS. Users bringing their keys must ensure that their key storage mechanisms are secure, preventing unauthorized access or key exposure. Click the circle or the warning icon to go to the list view of the BYOK keys.
External Key Store (XKS): The XKS circle represents the count of all the keys that are stored in an external key store, for example: a key store created by connecting AWS XKS with Fortanix DSM to encrypt or decrypt the customer’s data in AWS. Keys present in an External Key Store are more secure than BYOK or KMS keys.
Fortanix: This key source refers to the external key source configured during AWS connection onboarding. The key count represents the number of keys correlated with Fortanix Key Insight from Fortanix DSM SaaS or On-Premises.
4.7 Download Report
Click DOWNLOAD REPORT on the top-right corner of the Assessment page to view the Data Security Assessment Report for the CSP account in PDF format.
Figure 3: Download the assessment report
5.0 Rescan an AWS Connection
Click RESCAN on the Overview page to perform a rescan and verify if any keys have been added, deleted, or updated in the CSP organization.
NOTE
The RESCAN option is accessible only to users with the Account Administrator and Group Administrator roles.
Figure 4: Scan again
If you click RESCAN and start the scan, you can monitor the progress bar while the scan is running.
After the scan is completed successfully,
The Last scanned label will be updated with the date and time of the completion.
The Overview page will reflect the new state of the AWS CSP keys, certificates, and services.
You can also click RESCAN on the Assessment page to perform the rescan. After the scan is completed, the Assessment page will reflect the new state of the CSP keys, certificates, and services.
6.0 Keys
After onboarding the AWS organization, click Keys in the Fortanix Key Insight left navigation panel.
Clicking Keys will take you to the Keys page that shows a map of all the AWS KMS accounts grouped by key source (KMS, Cloud HSM, BYOK, XKS, and others) as described in Section 3.8: Key Source.
On the Keys page, you can toggle between the GRAPH and LIST views using on the top left corner. The GRAPH view is set as the default.
6.1 Keys Graph View
The graph view shows the following information:
For every key source, it shows the account names, and for each account, it shows the map of all the keys in that account that are used to encrypt the AWS services.
If the AWS cloud connection is linked to an external key source, you can also view the details of the correlated key and the associated service mapping.
Each key displays all the services encrypted by it.
If a key is used by more than one AWS service, is non-compliant, and has overly usage or management permissions, it shows a vulnerability warning, and Key Insight recommends proceeding with the appropriate action items to minimize those warnings.
The keys display the non-compliance vulnerabilities based on the configured key sizes and types, following the NIST standards specified in the applied Key Insight policy,
Figure 5: Key vulnerability
Figure 6: Shared key and overly permissive vulnerability
Based on the configured key sizes and types, non-compliance vulnerabilities will be displayed following the NIST standards specified in the applied Key Insight policy.
You can click various points in the keymap to go to the tabular view of that entity.
Figure 7: Clickable points in the map
For example, click the account icon for the AWS KMS key source to go to the tabular view of the keys for that account.
6.1.1 Filter Keys - Graph View
In the key graph view, you can filter the keys by Key Sources, Accounts, Key ID, Vulnerabilities, and Services on the key map.
For example, to apply the filter on the key map using the key source:
Click the Key Source drop down to select or search keys by key source. For AWS the key sources are KMS, Cloud HSM, BYOK, XKS, and Fortanix.
Click SEARCH.
Figure 8: Filter keys by service type
You will see that the key map displays only the keys for the KMS key source.
You can further filter the keys by selecting the following other filter options:
Accounts: Filter the keys by the selected account.
Key ID: Filter the keys by the key ID entered.
Vulnerabilities: Filter the keys by the vulnerability types - Non-compliant keys, Shared keys, and Overly permissive keys.
Services: Filter the keys by the AWS services - S3, RDS, EBS, DynamoDB, EKS,Redshift, and EFS.
6.2 Keys List View
The keys list view displays all keys in a table, along with details such as key ID, state, violations, region, owners, usage description, AWS account ID, key creation date, last rotation date, next rotation date, auto-rotation status, key specification, and key source.
To modify the Keys or Certificates table column display in the list view:
Click .
On the Customize Columns dialog box, select a maximum of Six columns that you want to display in the table.
Click APPLY to view only those columns on the table.
Click RESET TO DEFAULT to display the default columns if needed.
Figure 10: Customize keys table
6.2.4 Add Key Details
After an AWS connection is onboarded to Fortanix Key Insight, you can assign owners to the scanned keys to enhance key management, simplify tracking, and improve remediation workflows.
To add the key(s) details,
Select key(s) in the list.
Click ADD DETAILS on the top right corner.
NOTE
If your AWS connection was last scanned before the KI 25.03 release and a new scan was not performed, clicking the ADD DETAILS option will show a Rescan Required to Add Details dialog box. To ensure your key details are correctly added, you must rescan the AWS connection and then add the key details.
On the Add Details dialog box, enter the following details:
Primary owner: Enter the primary owner’s name or employee ID.
Email ID: Enter the primary owner’s valid email ID.
Click ADD SECONDARY OWNER to add the secondary owner’s details, if required.
Description (Optional): Enter an optional description.
Click ADD to add the ownership details to the selected key(s).
NOTE
To add ownership details, specifying a primary owner is mandatory before adding a secondary owner.
On the Keys page, the primary and secondary owners’ name or employee ID and email address will appear in the OWNERS column, and the description will appear in the USAGEDESCRIPTION column.
Figure 11: Add key details
NOTE
Only users with Account Administrator permissions can add or edit key details.
6.2.5 Edit Key Details
You can modify the details of the selected key(s).
To edit the key(s) details,
Select key(s) in the list.
Click EDIT DETAILS on the top right corner.
On the Edit Details dialog box,
Update the primary owner’s name or employee ID and email ID.
Update the secondary owner’s name or employee ID and email ID.
Update the description if required.
Click UPDATE to save the details to the selected key(s).
You can also update the details while viewing the key details. For more details, refer to the Section 6.2.6: View Key Details.
6.2.6 View Key Details
Click any key in the Keys list to view the key's properties, rotation history, associated violations, and service mappings.
The KEY DETAILS tab includes the following:
Key Properties: This section displays key specifications, such as Amazon Resource Name (ARN), key ID, status, creation date, expiration date, usage, AWS account ID, region, key type, key source, and so on.
Ownership: This section is available if owner details have been added to the key. It displays the primary and secondary owner's name or employee ID, email ID, and description.
Automatic Key Rotation Policy: This section includes key rotation details, such as the rotation status, next rotation date, and last rotation date.
Figure 12: Access key details view
NOTE
The Key Correlation section is only visible if you have configured an external key source (Fortanix DSM SaaS or On-Premises) for the Fortanix Key Insight AWS cloud connection. For the selected correlated key, it displays details such as the key source, key source type, last correlated date, and source key ID. You can click Key Id to navigate to Fortanix DSM SaaS to view the key details.
You can filter these keys by Key Source is Fortanix to access the relevant details.
Figure 13: Access keys correlated data
The VIOLATIONS tab displays any violations linked to the key. These violations may include issues such as shared keys, overly usage or management permissions, key expiration, and so on.
Figure 14: View key violations
The SERVICE MAPPING tab displays the mapping between the key and AWS service(s), if any. You can view the details of the key and its associated services through Legends.
Figure 15: Key and service mapping
7.0 Services
After onboarding the AWS organization, click Services in the Fortanix Key Insight left navigation panel.
Clicking Services will take you to the Services page, which shows a map of all the AWS services (S3 BUCKET, RDS INSTANCE, EBS, DynamoDB, EKS, Redshift, and EFS services) grouped by AWS accounts.
On the Services page, you can toggle between the GRAPH and LIST views using on the top left corner. The GRAPH view is set as the default.
7.1 Services Graph View
In the services graph view, the services are grouped into the following categories, and you can also view the total counts for services, violations, regions, and accounts within each category:
Service Type: Selecting this category allows you to view all services grouped by typeand their corresponding risk levels. The color of each service indicates its associated risk level. This category is selected by default.
Figure 16: Access services graph view
Click any service to view the types of violations for that service and the count for each violation, sorted by severity, if applicable.
Clicking a specific violation in the list will take you to the corresponding service list view, filtered accordingly.
Figure 17: Select and view AWS service details
Violation Type: Selecting this category allows you to view all services grouped by violation type, along with their corresponding risk levels.
Figure 18: AWS services by violation types
Click any violation to view the types of services that share the violation and the count for each service type, if applicable.
Clicking a specific service type in the list will take you to the corresponding service list view, which will be filtered accordingly.
Figure 19: Select and view AWS service violations details
Accounts and Regions: Selecting this category allows you to view all services grouped by different accounts and regions, along with their associated risk levels.
Figure 20: AWS services by accounts and regions
Click any accounts and regions to view the types of services that share the same account and regions.
Click any service to view the types of violations and the count for each violation, sorted by severity, if applicable.
Clicking a specific service type in the list will take you to the corresponding service list view, filtered accordingly.
Figure 21: View and select services by accounts and regions
7.1.1 Filter Services - Graph View
In the service graph view, you can filter the services by Account, Region, Vulnerability, and Service Type for each category explained in Section 7.1: Services Graph View.
For example, to filter services by Region,
Select the category. For example, Service Type.
Click the Region drop down to select the region. For example, us-east-1.
Click APPLY.
Figure 22: Filter AWS service by regions
The Services page will display only the services for the selected region. Additionally, the count for the total number of services, violations, regions, and accounts shown in the top bar will be updated accordingly.
You can further filter the services by selecting the following other filter options:
Service Type: Filter the services by the AWS services namely S3, RDS, EBS, DynamoDB, Redshift, EKS, and EFS.
Vulnerability: Filter the services by the vulnerability types – Unencrypted services, Using deleted keys, Using non-compliant keys, Using overly permissive usage keys, Using overly permissive management keys, Using shared keys, Using keys scheduled for deletion, Using quantum vulnerable keys, and Using expired keys.
Account: Filter the services by a selected account.
You can use a combination of the above filter options to display the service map with specific results.
Click RESET to clear all filters or select the All (Default) option from the dropdown in the desired filter to reset that specific filter.
7.2 Services List View
The services list view displays all services in a table, along with details such as name, type, encryption, violations, region, and AWS account ID.
Figure 23: AWS services list view
Click ENCRYPTION column values to check whether the service was encrypted. Clicking the label opens a dialog box that shows details such as the server-side encryption (SSE) algorithm, key state, origin, key manager, key specification, and key usage.
Click in the VIOLATIONS column to view detailed information about the associated vulnerabilities.
7.2.1 Filter Services - List View
In the list view, you can filter the keys using the Search field with the following criteria and available values:
Type: S3, RDS, EBS, DynamoDB, Redshift, EKS, and EFS.
Name
AWS Account ID
Encryption: Encrypted, Unencrypted
Region
Key Violation: Encrypted with deleted key, Encrypted with soft deleted key, Encrypted with shared key, Encrypted with overly permissive management key, Encrypted with overly permissive usage key, Encrypted with non-compliant key, Encrypted with quantum vulnerable key, Encrypted with expired key
Violation Type: All violations, No Violations
You can use a combination of the above filter options to display the services with specific results.
You can click any AWS service in the Services list to view its configuration details and associated violations.
The SERVICE DETAILS tab includes the following:
Service Configurations: This section displays service configurations such as service ID, type, encryption status, account region, account ID, and so on.
Key Data: This section provides details of the associated key, including the key ARN, ID, and origin for the encrypted service. If the service is not encrypted, if the encrypted service has a deleted key, or if the cryptographic key details are inaccessible, the appropriate messages will appear.
Figure 24: Access services details view
NOTE
The Key Correlation section is visible only when the selected service is encrypted and associated with a correlated key from an external key source connection. It displays details such as the key source, key source type, last correlated date, linked key ID, and source key ID.
You can click Key Id and Linked Key Id to navigate to Fortanix DSM (SaaS) to view the corresponding keys details.
Figure 25: Key correlation in service details
The VIOLATIONS tab displays any violations linked to the service. These violations may include issues such as shared keys, overly usage or management permissions, key expiration, and so on.
Figure 26: View service violations
8.0 Certificates
The Certificates feature provides a unified view that links AWS ACM certificates to their corresponding private keys and identifies the AWS services where these certificates are actively in use.
This mapping offers end-to-end visibility into certificate usage, enabling better management of encryption assets, risk assessment, and compliance monitoring across your AWS environment.
After onboarding the AWS organization, click Certificates in the Fortanix Key Insight left navigation panel.
Clicking Certificates opens a list view that displays a mapped overview of all AWS ACM certificates, along with their associated keys, and the AWS services using them.
8.1 Certificates List View
The certificate list view displays all certificates in a table, along with details such as certificate ID or ARN, status, violations, issuer, key algorithm, serial number, domain name, Subject Alternative Name (SAN), renewal status, in use by, not valid before, and creation and expiration timestamps.
Click any certificate in the Certificates list to view the certificate's properties, domain name details, associated violations, and service mappings.
The CERTIFICATE DETAILS tab includes the following:
Certificate Properties: This section displays certificate specifications, such as Amazon Resource Name (ARN), status, serial number, issuer, signature algorithm, key algorithm type, renewal status, creation date, and expiration date.
Domain Name and Subject Alternative Names (SANs): This section includes certificate domain and SAN details, such as the domain name and SANs.
Figure 28: Access certificate details
The VIOLATIONS tab displays any violations linked to the certificate. These violations may include issues such as shared certificates, overly permissive certificate (key usage), and so on.
Figure 29: Certificate violations
The SERVICE MAPPING tab displays the mapping between the certificate and AWS service(s), if any. You can view the details of the certificate and its associated services through Legends.
Figure 30: Access certificate and service mapping
9.0 Scanned Data Export
This feature allows you to export the AWS scanned key and service-related data from Fortanix Key Insight in Comma-Separated Values (CSV) format. Also, it provides flexibility, enabling you to download data for detailed analysis, audits, or reporting, and to access real-time status.
In the AWS Keys, Certificates, and Services list view, you can click EXPORT to export the scanned data using any of the available options:
Figure 31: Access data export feature
Export current page: Use this option to export all column data from the current page in CSV format.
NOTE
You can download a maximum of 100 items at a time, based on the settings specified in the Items per page drop down.
Export all raw data: Use this option toexport all scanned data shown in the keys, certificates, and services tables in CSV format. If you select this option, you can read the details on the Export All Raw Data dialog box and click PROCEED to export all the data.
After the export process begins, you can track its progress. The export status will be logged with a message under the Activities tab in Fortanix Key Insight. For more details, refer to Section 9.1: Manage Export Activities.
Export selected rows: This option is disabled by default. You can select the required rows on the current page and then use this option to export them in CSV format.
NOTE
Users with the Account Administrator and Group Administrator roles can only perform the scanned data export.
Within the same account, you can have multiple exports running simultaneously from different cloud, on-premises, and external key source connections.
9.1 Manage Export Activities
After you initiate the export process using Export All Raw Data, you can track the export status in the Activities tab located in the left navigation panel of Fortanix Key Insight.
You can see the following details for each export:
Name of the activity. For example, the activity would be named Export_all_keys if you had exported all the AWS keys.
Name of the file. For example, Keys.csv.
Activity status: This indicates the current state of the data export. This can be,
Completed: The data export has been successful, and the CSV file will automatically download to the location specified on your local machine.
In Progress: The data export is in progress, and you can cancel it using if required.
Cancelled: The data export has been canceled due to switching accounts or manually canceling it while it was in progress.
Failed: The data export was not completed and failed due to errors.
Name of the connection
Export creation date and time
NOTE
If you switch to a different account during export, the export will be cancelled and logged in the Activities tab.
If you navigate to a different solution (for example, Identity and Access Management), the export will continue, but no logs will appear in the Activities tab. The export status will be confirmed using toast a message.
If you refresh the web page during the export, the confirmation dialog box will appear. If you refresh, the export will be cancelled, and all entries in the Activities tab will be removed. Therefore, it is recommended not to refresh the page during the export.
Fortanix Key Insight identifies encryption keys and data services across on-premises and hybrid multicloud environments, providing a unified dashboard for tracking key mappings and cryptographic security. It offers security and compliance teams data-driven insights to assess risks, align with best practices, and meet industry regulations. Iy also supports continuous risk mitigation and crypto-agility, adapting to evolving security needs, including preparation for the post-quantum era.
Fortanix DSM’s BYOK feature generates Linked or Copied virtual keys from a source key enabling backup and key replication to other CSP accounts/subscriptions, regional instances, key repositories, and, most importantly, to multiple cloud providers, including private clouds. This includes seamless movement between private clouds (on-premises) and public clouds. BYOK keys also allow tracking of key activities across multiple CSP repositories for easier restoration if keys are deleted or disabled.
.png?sv=2022-11-02&spr=https&st=2025-04-28T09%3A07%3A01Z&se=2025-04-28T09%3A47%3A01Z&sr=c&sp=r&sig=yVy%2FW8ER2pTQ8zgffkcw6oyR%2FwI6RLWZiDW29CrwUcM%3D)
.png?sv=2022-11-02&spr=https&st=2025-04-28T09%3A07%3A01Z&se=2025-04-28T09%3A47%3A01Z&sr=c&sp=r&sig=yVy%2FW8ER2pTQ8zgffkcw6oyR%2FwI6RLWZiDW29CrwUcM%3D)
to go to the list view of the KMS keys.
on the top left corner. The GRAPH view is set as the default..png?sv=2022-11-02&spr=https&st=2025-04-28T09%3A07%3A01Z&se=2025-04-28T09%3A47%3A01Z&sr=c&sp=r&sig=yVy%2FW8ER2pTQ8zgffkcw6oyR%2FwI6RLWZiDW29CrwUcM%3D)
.png?sv=2022-11-02&spr=https&st=2025-04-28T09%3A07%3A01Z&se=2025-04-28T09%3A47%3A01Z&sr=c&sp=r&sig=yVy%2FW8ER2pTQ8zgffkcw6oyR%2FwI6RLWZiDW29CrwUcM%3D)
.png?sv=2022-11-02&spr=https&st=2025-04-28T09%3A07%3A01Z&se=2025-04-28T09%3A47%3A01Z&sr=c&sp=r&sig=yVy%2FW8ER2pTQ8zgffkcw6oyR%2FwI6RLWZiDW29CrwUcM%3D)
.png?sv=2022-11-02&spr=https&st=2025-04-28T09%3A07%3A01Z&se=2025-04-28T09%3A47%3A01Z&sr=c&sp=r&sig=yVy%2FW8ER2pTQ8zgffkcw6oyR%2FwI6RLWZiDW29CrwUcM%3D)
.png?sv=2022-11-02&spr=https&st=2025-04-28T09%3A07%3A01Z&se=2025-04-28T09%3A47%3A01Z&sr=c&sp=r&sig=yVy%2FW8ER2pTQ8zgffkcw6oyR%2FwI6RLWZiDW29CrwUcM%3D)
in the VIOLATIONS column to view detailed information about the associated vulnerabilities.
..png?sv=2022-11-02&spr=https&st=2025-04-28T09%3A07%3A01Z&se=2025-04-28T09%3A47%3A01Z&sr=c&sp=r&sig=yVy%2FW8ER2pTQ8zgffkcw6oyR%2FwI6RLWZiDW29CrwUcM%3D)
.png?sv=2022-11-02&spr=https&st=2025-04-28T09%3A07%3A01Z&se=2025-04-28T09%3A47%3A01Z&sr=c&sp=r&sig=yVy%2FW8ER2pTQ8zgffkcw6oyR%2FwI6RLWZiDW29CrwUcM%3D)
.png?sv=2022-11-02&spr=https&st=2025-04-28T09%3A07%3A01Z&se=2025-04-28T09%3A47%3A01Z&sr=c&sp=r&sig=yVy%2FW8ER2pTQ8zgffkcw6oyR%2FwI6RLWZiDW29CrwUcM%3D)
.png?sv=2022-11-02&spr=https&st=2025-04-28T09%3A07%3A01Z&se=2025-04-28T09%3A47%3A01Z&sr=c&sp=r&sig=yVy%2FW8ER2pTQ8zgffkcw6oyR%2FwI6RLWZiDW29CrwUcM%3D)
.png?sv=2022-11-02&spr=https&st=2025-04-28T09%3A07%3A01Z&se=2025-04-28T09%3A47%3A01Z&sr=c&sp=r&sig=yVy%2FW8ER2pTQ8zgffkcw6oyR%2FwI6RLWZiDW29CrwUcM%3D)
on the top left corner. The GRAPH view is set as the default..png?sv=2022-11-02&spr=https&st=2025-04-28T09%3A07%3A01Z&se=2025-04-28T09%3A47%3A01Z&sr=c&sp=r&sig=yVy%2FW8ER2pTQ8zgffkcw6oyR%2FwI6RLWZiDW29CrwUcM%3D)
.png?sv=2022-11-02&spr=https&st=2025-04-28T09%3A07%3A01Z&se=2025-04-28T09%3A47%3A01Z&sr=c&sp=r&sig=yVy%2FW8ER2pTQ8zgffkcw6oyR%2FwI6RLWZiDW29CrwUcM%3D)
.png?sv=2022-11-02&spr=https&st=2025-04-28T09%3A07%3A01Z&se=2025-04-28T09%3A47%3A01Z&sr=c&sp=r&sig=yVy%2FW8ER2pTQ8zgffkcw6oyR%2FwI6RLWZiDW29CrwUcM%3D)
.png?sv=2022-11-02&spr=https&st=2025-04-28T09%3A07%3A01Z&se=2025-04-28T09%3A47%3A01Z&sr=c&sp=r&sig=yVy%2FW8ER2pTQ8zgffkcw6oyR%2FwI6RLWZiDW29CrwUcM%3D)
.png?sv=2022-11-02&spr=https&st=2025-04-28T09%3A07%3A01Z&se=2025-04-28T09%3A47%3A01Z&sr=c&sp=r&sig=yVy%2FW8ER2pTQ8zgffkcw6oyR%2FwI6RLWZiDW29CrwUcM%3D)
.png?sv=2022-11-02&spr=https&st=2025-04-28T09%3A07%3A01Z&se=2025-04-28T09%3A47%3A01Z&sr=c&sp=r&sig=yVy%2FW8ER2pTQ8zgffkcw6oyR%2FwI6RLWZiDW29CrwUcM%3D)
.png?sv=2022-11-02&spr=https&st=2025-04-28T09%3A07%3A01Z&se=2025-04-28T09%3A47%3A01Z&sr=c&sp=r&sig=yVy%2FW8ER2pTQ8zgffkcw6oyR%2FwI6RLWZiDW29CrwUcM%3D)
.png?sv=2022-11-02&spr=https&st=2025-04-28T09%3A07%3A01Z&se=2025-04-28T09%3A47%3A01Z&sr=c&sp=r&sig=yVy%2FW8ER2pTQ8zgffkcw6oyR%2FwI6RLWZiDW29CrwUcM%3D)
.png?sv=2022-11-02&spr=https&st=2025-04-28T09%3A07%3A01Z&se=2025-04-28T09%3A47%3A01Z&sr=c&sp=r&sig=yVy%2FW8ER2pTQ8zgffkcw6oyR%2FwI6RLWZiDW29CrwUcM%3D)
.png?sv=2022-11-02&spr=https&st=2025-04-28T09%3A07%3A01Z&se=2025-04-28T09%3A47%3A01Z&sr=c&sp=r&sig=yVy%2FW8ER2pTQ8zgffkcw6oyR%2FwI6RLWZiDW29CrwUcM%3D)
.png?sv=2022-11-02&spr=https&st=2025-04-28T09%3A07%3A01Z&se=2025-04-28T09%3A47%3A01Z&sr=c&sp=r&sig=yVy%2FW8ER2pTQ8zgffkcw6oyR%2FwI6RLWZiDW29CrwUcM%3D)
.png?sv=2022-11-02&spr=https&st=2025-04-28T09%3A07%3A01Z&se=2025-04-28T09%3A47%3A01Z&sr=c&sp=r&sig=yVy%2FW8ER2pTQ8zgffkcw6oyR%2FwI6RLWZiDW29CrwUcM%3D)
if required.