Welcome to the Fugue Docs!
Fugue ensures cloud infrastructure stays in continuous compliance with enterprise security policies. Learn more on our product page.
Getting Started – Quickly create a Fugue environment.
Examples – Walkthroughs and tutorials.
FAQ – At-a-glance information.
Release Notes – The latest Fugue updates.
Service Coverage – Supported AWS, AWS GovCloud, and Azure services.
Popular Links
Visualizer – Explore an interactive diagram of your cloud infrastructure
API User Guide – Fugue API instructions and examples
API Reference – Swagger specification
Fugue 101 – Core concepts for using Fugue
Sign up for Fugue – Register for a free account
Table of Contents
- Home
- Getting Started
- Examples
- Contents
- Tutorial: Hello World AWS, API (curl)
- Tutorial: Hello World AWS, API (Postman)
- How To: Create a Fugue IAM Role
- How To: Manually Create a Fugue IAM Role
- How To: Update the Fugue IAM Role
- How To: Add or Remove Azure Resource Groups
- How To: Set a Baseline (UI)
- How To: Set a Baseline (CLI)
- How To: Set a Baseline (API)
- How To: Waive a Rule
- Example: Scan, Detect Drift, Enforce
- Example: Fugue Notifications in Slack
- Example: Fugue CI/CD with Terraform, GitHub, CircleCI
- Example: Fugue CI/CD with Regula Pre-deployment Checks
- Open Source Tool Examples
- Contents
- Fugue Plans
- Environment Configuration
- Compliance
- Rules
- Visualizer
- Organization
- Reports and Notifications
- API
- CLI
- Service Coverage
- AWS IAM Policy Permissions
- FAQ
- General
- Plans
- Environments
- Scanning
- Compliance
- What compliance families are supported?
- Can I change the compliance standards Fugue uses to evaluate my infrastructure?
- Can I waive a rule or “ignore” a noncompliant resource?
- Can I disable a rule for all environments?
- How do I waive a rule?
- Will changing my compliance standards and saving them automatically trigger a new scan?
- How can I output a CSV or Excel file of compliance results for my Fugue account?
- How are compliance controls and families displayed in the UI?
- Drift Detection & Enforcement
- How do I set or update a baseline?
- Can I turn off drift detection?
- How do I enable enforcement? (AWS & AWS GovCloud)
- How do I disable enforcement? (AWS & AWS GovCloud)
- How can I change the AWS or AWS GovCloud resources that Fugue enforces?
- What kind of drift does Fugue enforce?
- When a resource is enforced, does Fugue simply modify it, or does it destroy the resource and recreate it?
- AWS Identity & Access Management (IAM) Permissions
- What kind of AWS IAM permissions does Fugue need?
- Can I give Fugue enforce access (write permissions) without enabling baseline enforcement?
- What permissions are needed for compliance scanning, drift detection, and baseline enforcement?
- How do I update the Fugue IAM role trust policy?
- What’s the SecurityAudit policy and why is it attached?
- What if I don’t want to use the SecurityAudit policy?
- Why does Fugue use inline policies instead of managed policies?
- Azure Service Principal Role
- Service Coverage
- Organization
- Visualizer
- Notifications
- Best Practices
- Known Issues
- Additional Resources about Cloud Security
- Other
- Open Source Projects
- Glossary
- Release Notes
- 2021.03.04
- 2021.02.18
- 2021.02.04
- 2021.01.21
- 2021.01.05
- 2020.12.09
- 2020.12.01
- 2020.11.10
- 2020.10.27
- 2020.10.13
- 2020.09.23
- 2020.09.09
- 2020.08.17
- 2020.08.04
- Deprecating TLS 1.0 and TLS 1.1
- 2020.07.30
- 2020.07.21
- 2020.07.08
- 2020.06.05
- 2020.06.04
- 2020.05.29
- 2020.05.12
- 2020.04.29
- 2020.04.16
- 2020.04.07
- 2020.03.17
- 2020.03.03
- 2020.02.14
- 2020.01.31
- 2020.01.13
- 2019.12.23
- 2019.11.21
- 2019.10.31
- 2019.10.17
- 2019.10.03
- 2019.09.13
- 2019.08.23
- 2019.08.07
- 2019.07.08
- 2019.07.03
- 2019.06.26
- 2019.06.10
- 2019.05.29
- 2019.05.09
- 2019.04.25
- 2019.03.28
- 2019.03.15
- 2019.02.25
- 2019.02.12
- 2019.01.28
- 2018.11.26
- Fugue Support
- Rule Remediation Steps
- IAM root user should not be used
- IAM password policies should prevent reuse of previously used passwords
- IAM password policies should expire passwords within 90 days
- IAM root user access key should not exist
- IAM should have MFA enabled for the root account
- IAM should have hardware MFA enabled for the root account
- IAM policies should not be attached to users
- Ensure a support role has been created to manage incidents with AWS Support
- CloudFront distribution origin should be set to S3 or origin protocol policy should be set to https-only
- CloudFront viewer protocol policy should be set to https-only or redirect-to-https
- ELBv1 listener protocol should not be set to http
- Auto Scaling groups should span two or more availability zones
- EBS volume encryption should be enabled
- CloudFront distributions should have geo-restrictions specified
- AWS credentials (IAM user name/passwords, IAM access keys) unused for 90 days or more should be disabled
- IAM user access keys should be rotated every 90 days or less
- IAM password policies should require at least one uppercase character
- IAM password policies should require at least one lowercase character
- IAM password policies should require at least one symbol
- IAM password policies should require at least one number
- IAM password policies should require a minimum length of 14
- CloudTrail should be enabled in all regions
- CloudTrail log file validation should be enabled
- S3 bucket ACLs should not have public access on S3 buckets that store CloudTrail log files
- CloudTrail trails should have CloudWatch log integration enabled
- AWS Config should be enabled in all regions
- S3 bucket access logging should be enabled on S3 buckets that store CloudTrail log files
- CloudWatch log metric filter and alarm for denied connections in VPC Flow Logs should be configured
- Alarm for denied connections in CloudFront logs should be configured
- CloudTrail log files should be encrypted using KMS CMKs
- KMS CMK rotation should be enabled
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 5900 (Virtual Network Computing)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 5800 (Virtual Network Computing), unless from ELBs
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 5500 (Virtual Network Computing)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 23 (Telnet)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 80 (HTTP), unless from ELBs
- ELBv1 load balancer cross zone load balancing should be enabled
- VPC security group inbound rules should not permit ingress from any address to all ports and protocols
- VPC security group inbound rules should not permit ingress from ‘0.0.0.0/0’ to all ports and protocols
- VPC flow logs should be sent to CloudWatch logs
- SQS access policies should not have global “.” access
- SNS subscriptions should deny access via HTTP
- VPC flow logging should be enabled
- CloudWatch log metric filter and alarm for unauthorized API calls should be configured
- CloudWatch log metric filter and alarm for VPC security group changes should be configured
- CloudWatch log metric filter and alarm for changes to VPC NACLs should be configured
- CloudWatch log metric filter and alarm for changes to VPC network gateways should be configured
- CloudWatch log metric filter and alarm for VPC route table changes should be configured
- CloudWatch log metric filter and alarm for VPC changes should be configured
- CloudWatch log metric filter and alarm for Management Console sign-in without MFA should be configured
- CloudWatch log metric filter and alarm for usage of root account should be configured
- CloudWatch log metric filter and alarm for IAM policy changes should be configured
- CloudWatch log metric filter and alarm for CloudTrail configuration changes should be configured
- CloudWatch log metric filter and alarm for Management Console authentication failures should be configured
- Load balancer access logging should be enabled
- CloudFront access logging should be enabled
- CloudWatch log groups should be encrypted with KMS CMKs
- DynamoDB tables should be encrypted with AWS or customer managed KMS CMKs
- SQS queue server-side encryption should be enabled (AWS-managed keys)
- CloudFront distributions should be protected by WAFs
- CloudWatch log metric filter and alarm for disabling or scheduled deletion of KMS CMKs should be configured
- CloudWatch log metric filter and alarm should be set for S3 bucket policy changes
- CloudWatch log metric filter and alarm should be set for Config configuration changes
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to port 22 (SSH)
- IAM password policies should have a minimum length of 7 and include both alphabetic and numeric characters
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to port 3389 (Remote Desktop Protocol)
- IAM password policies should prevent reuse of the four previously used passwords
- VPC default security group should restrict all traffic
- IAM policies should not have full “*:*” administrative privileges
- RDS instances should be encrypted (AWS-managed or customer-managed KMS CMKs)
- RDS instances should have FedRAMP approved database engines
- RDS instances should be encrypted with KMS CMKs
- S3 bucket server-side encryption should be enabled
- S3 bucket policies should only allow requests that use HTTPS
- S3 bucket versioning and lifecycle policies should be enabled
- ELB listener security groups should not be set to TCP all
- VPC security groups attached to EC2 instances should not permit ingress from ‘0.0.0.0/0’ to all ports
- VPC security groups attached to RDS instances should not permit ingress from ‘0.0.0.0/0’ to all ports
- ElastiCache transport encryption should be enabled
- DynamoDB tables Point in Time Recovery should be enabled
- RDS instances should have backup retention periods configured
- IAM multi-factor authentication should be enabled for all IAM users that have a console password
- Storage Accounts ‘Secure transfer required’ should be enabled
- Virtual Network security groups should not permit ingress from ‘0.0.0.0/0’ to TCP port 3389 (RDP)
- Virtual Network security groups should not permit ingress from ‘0.0.0.0/0’ to TCP port 22 (SSH)
- Virtual Network security groups attached to SQL Server instances should not permit ingress from 0.0.0.0/0 to all ports and protocols
- Virtual Network Network Watcher should be enabled
- Virtual Machines data disks (non-boot volumes) should be encrypted
- Virtual Machines unattached disks should be encrypted
- RDS Aurora cluster multi-AZ should be enabled
- S3 bucket policies should not allow all actions for all IAM principals and public users
- S3 bucket policies should not allow list actions for all IAM principals and public users
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 9200 (Elasticsearch)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 9300 (Elasticsearch)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 2379 (etcd)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27017 (MongoDB)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27018 (MongoDB)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27019 (MongoDB)
- IAM policies should not allow broad list actions on S3 buckets
- IAM role trust policies should not allow all principals to assume the role
- IAM roles attached to instance profiles should not allow broad list actions on S3 buckets
- SQL Server firewall rules should not permit start and end IP addresses to be 0.0.0.0
- MySQL Database server firewall rules should not permit start and end IP addresses to be 0.0.0.0
- PostgreSQL Database server firewall rules should not permit start and end IP addresses to be 0.0.0.0
- Ensure Azure Application Gateway Web application firewall (WAF) is enabled
- MySQL Database server “enforce SSL connection” should be enabled
- PostgreSQL Database server “enforce SSL connection” should be enabled
- Key Vault ‘Enable Soft Delete’ and ‘Enable Purge Protection’ should be enabled
- S3 buckets should have all “block public access” options enabled
- VPC security groups attached to EC2 instances should not permit ingress from ‘0.0.0.0/0’ to TCP port 389 (LDAP)
- CloudTrail trails should be configured to log data events for S3 buckets
- Exactly one CloudTrail trail should monitor global services
- CloudTrail trails should be configured to log management events
- CloudTrail should have at least one CloudTrail trail set to a multi-region trail
- CloudTrail trails should not be associated with missing SNS topics
- AWS CloudWatch alarms should have at least one alarm action, one INSUFFICIENT_DATA action, or one OK action enabled
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 11214 (Memcached SSL)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 11215 (Memcached SSL)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 135 (MSSQL Debugger)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 137 (NetBIOS Name Service)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 138 (NetBIOS Datagram Service)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 139 (NetBIOS Session Service)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 1433 (MSSQL Server)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 1434 (MSSQL Admin)
- Require Multi Availability Zones turned on for RDS Instances
- KMS master keys should not be publicly accessible
- EC2 instances should use IAM roles and instance profiles instead of IAM access keys to perform requests
- IAM roles used for trust relationships should have MFA or external IDs
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 2382 (SQL Server Analysis Services browser)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 2383 (SQL Server Analysis Services)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 2484 (Oracle DB SSL)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 3000 (Ruby on Rails web server)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 3020 (CIFS / SMB)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 3306 (MySQL)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 4505 (SaltStack Master)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 4506 (SaltStack Master)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 5432 (PostgreSQL)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 61621 (Cassandra OpsCenter Agent)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 636 (LDAP SSL)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 7001 (Cassandra)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 8000 (HTTP Alternate)
- Redshift cluster ‘Publicly Accessible’ should not be enabled
- EC2 instances should not have a public IP association (IPv4)
- IAM users should be members of at least one group
- IAM users should have MFA (virtual or hardware) enabled
- S3 bucket access logging should be enabled
- S3 bucket replication (cross-region or same-region) should be enabled
- Lambda function policies should not allow global access
- S3 buckets should not be publicly readable
- RDS instance ‘Publicly Accessible’ should not be enabled
- S3 bucket policies and ACLs should not be configured for public read access
- RDS instance ‘Deletion Protection’ should be enabled
- SQL Server auditing should be enabled
- SQL Server auditing retention should be greater than 90 days
- Virtual Network security group flow log retention period should be set to 90 days or greater
- Active Directory custom subscription owner roles should not be created
- Security Center pricing tier should be set to ‘Standard’
- Security Center default policy setting ‘Monitor System Updates’ should be enabled
- Security Center default policy setting ‘Monitor OS Vulnerabilities’ should be enabled
- Security Center default policy setting ‘Monitor Endpoint Protection’ should be enabled
- Security Center default policy setting ‘Monitor Disk Encryption’ should be enabled
- Security Center default policy setting ‘Monitor Network Security Groups’ should be enabled
- Security Center default policy setting ‘Monitor Web Application Firewall’ should be enabled
- Security Center default policy setting ‘Enable Next Generation Firewall (NGFW) Monitoring’ should be enabled
- Security Center default policy setting ‘Monitor Vulnerability Assessment’ should be enabled
- Security Center default policy setting “Monitor Storage Blob Encryption” should be enabled
- Security Center default policy setting “Monitor JIT Network Access” should be enabled
- Security Center default policy setting “Monitor Adaptive Application Whitelisting” should be enabled
- Security Center default policy setting “Monitor SQL Auditing” should be enabled
- Security Center default policy setting “Monitor SQL Encryption” should be enabled
- Security Center contact emails should be set
- PostgreSQL Database configuration ‘log_checkpoints’ should be on
- PostgreSQL Database configuration ‘log_connections’ should be on
- Monitor Activity Log Alert should exist for Create Policy Assignment
- Monitor Activity Log Alert should exist for Create or Update Network Security Group
- Monitor Activity Log Alert should exist for Delete Network Security Group
- Monitor Activity Log Alert should exist for Create or Update Network Security Group Rule
- Monitor Activity Log Alert should exist for Delete Network Security Group Rule
- Monitor Activity Log Alert should exist for Create or Update Security Solution
- Monitor Activity Log Alert should exist for Delete Security Solution
- Monitor Activity Log Alert should exist for Create or Update or Delete SQL Server Firewall Rule
- Monitor Activity Log Alert should exist for Update Security Policy
- Azure Kubernetes Service instances should have RBAC enabled
- PostgreSQL Database configuration ‘log_disconnections’ should be on
- PostgreSQL Database configuration ‘log_duration’ should be on
- PostgreSQL Database configuration ‘connection_throttling’ should be on
- PostgreSQL Database configuration ‘log_retention days’ should be greater than 3
- Monitor log profile should be created
- Monitor ‘Activity Log Retention’ should be 365 days or greater
- Monitor audit profile should log all activities
- Monitor log profile should have activity logs for global services and all regions
- Key Vault logging should be enabled
- App Service web app authentication should be enabled
- App Service web apps should have ‘HTTPS only’ enabled
- App Service web apps should have ‘Minimum TLS Version’ set to ‘1.2’
- App Service web apps should have ‘Incoming client certificates’ enabled
- IAM users should only have one active access key available
- S3 bucket object-level logging for write events should be enabled
- S3 bucket object-level logging for read events should be enabled
- CloudWatch log metric filter and alarm for AWS Organizations changes should be configured for the master account
- VPC network ACLs should not allow ingress from 0.0.0.0/0 to TCP/UDP port 22
- VPC network ACLs should not allow ingress from 0.0.0.0/0 to TCP/UDP port 3389
- ECS task definitions should not use the root user
- ECS task definitions should be configured with a health check
- ECS task definitions should not add Linux capabilities beyond defaults and should drop ‘NET_RAW’
- ECS task definitions should not mount sensitive host system directories
- ECS task definitions should limit memory usage for containers
- ECS task definitions should set CPU limit for containers
- ECS task definitions should mount the container’s root filesystem as read-only
- ECS container definitions should not mount volumes with mount propagation set to shared
- ECS tasks should be configured with a health check
- CloudFront distribution viewer certificate should use secure TLS protocol versions (1.2 and above)
- CloudFront distribution custom origins should use secure TLS protocol versions (1.2 and above)
- ELB HTTPS listeners should use secure TLS protocol versions (1.2 and above)
- ELBv2 HTTPS listeners should use secure TLS protocol versions (1.2 and above)
- API Gateway classic custom domains should use secure TLS protocol versions (1.2 and above)
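Many of the rule titles under Rule Remediation Steps share one shape: a VPC security group rule should not permit ingress from ‘0.0.0.0/0’ to a given port. The example below, added for this page and not Fugue's or Regula's own rule code, shows what such a check has to handle when run over the `IpPermissions` structure that `DescribeSecurityGroups` returns: a rule with `IpProtocol` `-1` (all traffic, no port fields), a single port, and a port range that merely contains the sensitive port. The IPv6 wildcard `::/0` is treated as "anywhere" as well. The security group JSON and the port table are constructed for the example; only a subset of the ports named in the rule titles is included.

```python
"""Added example: evaluate an EC2 security group against checks of the form
"should not permit ingress from 0.0.0.0/0 to port N".
Illustrative code written for this page, not Fugue's or Regula's implementation."""

# Both IPv4 and IPv6 "anywhere" sources count as open to the internet.
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed subset of the ports named in the rule titles (assumption: port -> label).
SENSITIVE_PORTS = {
    22: "SSH",
    23: "Telnet",
    3389: "RDP",
    1433: "MSSQL Server",
    3306: "MySQL",
    5432: "PostgreSQL",
    9200: "Elasticsearch",
    27017: "MongoDB",
}


def rule_opens_port(rule: dict, port: int) -> bool:
    """True if one IpPermissions entry admits `port` from the whole internet.

    Handles the three shapes seen in DescribeSecurityGroups output:
    IpProtocol "-1" (all traffic, FromPort/ToPort absent), a single port
    (FromPort == ToPort), and a range that contains the port.
    """
    sources = {r.get("CidrIp") for r in rule.get("IpRanges", [])}
    sources |= {r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])}
    if not sources & ANYWHERE:
        return False  # only specific CIDRs, prefix lists or SG references
    if rule.get("IpProtocol") == "-1":
        return True  # all protocols and ports, so every sensitive port is exposed
    if rule.get("IpProtocol") not in ("tcp", "udp"):
        return False  # e.g. icmp rules carry no TCP/UDP port
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:
        return False
    return lo <= port <= hi  # range containment, not equality


def findings(security_group: dict, ports: dict = SENSITIVE_PORTS) -> list:
    """Return sorted (GroupId, port, label) tuples for each exposed sensitive port."""
    out = set()
    for rule in security_group.get("IpPermissions", []):
        for port, label in ports.items():
            if rule_opens_port(rule, port):
                out.add((security_group["GroupId"], port, label))
    return sorted(out)


# Constructed sample: SSH from a private range (fine), SSH from anywhere (finding),
# a wide ephemeral-style TCP range from ::/0 (catches several database ports),
# and DNS over UDP from anywhere (not in the sensitive list).
SAMPLE_SG = {
    "GroupId": "sg-0example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

# Constructed sample: the "all ports and protocols" case from the rule titles.
OPEN_SG = {
    "GroupId": "sg-0allopen",
    "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

if __name__ == "__main__":
    for sg in (SAMPLE_SG, OPEN_SG):
        for group_id, port, label in findings(sg):
            print(f"{group_id}: port {port} ({label}) open to the internet")
```

The point the range case makes is that a rule exposing `1024-65535` never mentions `3306` or `27017` yet opens both, so a check that compares `FromPort` for equality misses it; likewise an `IpProtocol` of `-1` carries no port fields at all and must be treated as matching every port.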