Fugue Documentation

Welcome to the Fugue Docs!

Fugue ensures cloud infrastructure stays in continuous compliance with enterprise security policies. Learn more on our product page.

1. Getting Started Quickly create a Fugue environment.

2. Examples Walkthroughs and tutorials.

3. Release Notes The latest Fugue updates.

4. FAQ At-a-glance information.

5. Service Coverage Supported AWS, AWS GovCloud, and Azure services.

Table of Contents

• Home
• Getting Started
  • Contents
    • Setup - AWS & AWS GovCloud
    • Setup - Azure
    • Azure Support
  • Getting Started: Tutorial
    • Step 1: Define Environment
    • Step 2: Configure Environment
    • Step 3: Select Compliance Standards
    • Step 4: Review Settings
    • Further Reading
• Examples
  • Contents
    • Example: Your First Environment
    • Example: Fugue Notifications in Slack
• Environment Configuration
  • Permissions
  • Environments
    • Removing an Environment
  • Setting a Baseline
    • Updating a Baseline
    • Disabling a Baseline & Drift Detection
    • How to Tell if a Baseline Is Established
  • Drift Detection
    • Enabling Enforcement
• Compliance
  • Compliance State Details
  • Browsing the Data
  • Further Reading
• Custom Rules
  • What are Custom Rules?
  • How to Create a Custom Rule
  • Writing Custom Rules
  • Simple Custom Rules
    • Step 1: Determine resource attributes (simple)
    • Step 2: Define pass or fail conditions for the resource (simple)
  • Advanced Custom Rules
    • Advanced Rule API
    • Expanding an Advanced Custom Rule
    • Advanced Custom Rules with Multiple Resource Types
  • Custom Rules Cheat Sheet
  • Adding Custom Rules
    • Getting Started
    • Adding Custom Rules – API
  • Modifying and Deleting Custom Rules
  • Viewing Compliance Results
    • Modifying and Deleting Custom Rules – API
    • Compliance by Rule
    • Compliance by Resource Type
    • Compliance by Resource
  • Example Rules
  • Learning Rego
• Visualizer
  • Visualization Components
    • Security Group Connections Between Resources
  • Visualizing Resource Compliance State
  • Panning, Zooming, and Viewing in Full Screen
  • Viewing Grouped Nodes
  • Which Resources Are Visualized?
    • Supported AWS & AWS GovCloud Resources
    • Supported Azure Resources
  • Visualizing Previous Scans
  • Saving a Diagram
  • Supported Browsers
    • WebGL is Required
• Organization
  • Contents
    • Notifications
    • User Management
• Reports and Notifications
  • Contents
    • Notifications
    • Compliance Report
• API
  • Contents
    • API User Guide
    • API Reference
• CLI
  • Commands
    • create - Create subcommands
    • delete - Delete subcommands
    • get - Get subcommands
    • help - Help about any command
    • list - List subcommands
    • scan - Trigger a scan
    • sync - Sync files to your account
    • update - Update subcommands
  • Usage
  • Installation
  • Environment Variables
  • Accepted Parameter Values
    • How to format fugue flags
    • How to look up fugue arguments
  • Tips
    • env alias
    • Help for any command
• Service Coverage
  • AWS Standard Regions
    • ACM
    • API Gateway
    • AutoScaling
    • CloudFront
    • CloudTrail
    • CloudWatch
    • Cognito
    • Config
    • DynamoDB
    • EC2
    • ECR
    • ECS
    • EKS
    • ELB
    • ELBv2
    • ElastiCache
    • GuardDuty
    • IAM
    • KMS
    • Lambda
    • Macie
    • MediaStore
    • RDS
    • Redshift
    • Route 53
    • S3
    • Step Functions (SFN)
    • SNS
    • SQS
    • Secrets Manager
    • WAF
  • Supported Services: AWS GovCloud
    • ACM
    • API Gateway
    • AutoScaling
    • CloudTrail
    • CloudWatch
    • Config
    • DynamoDB
    • EC2
    • ECR
    • ECS
    • ELB
    • ELBv2
    • ElastiCache
    • IAM
    • KMS
    • Lambda
    • RDS
    • Redshift
    • S3
    • Step Functions (SFN)
    • SNS
    • SQS
  • Supported Services: Microsoft Azure
    • Compute
    • Network
    • SQL
    • Storage
  • Changing Resource Selection
    • New Environments
    • Existing Environments
    • Resources Under Management
• FAQ
  • General
    • Where can I sign up for Fugue?
    • How do I change my Fugue user password?
  • Environments
    • How many environments can Fugue store?
    • Does Fugue support AWS GovCloud?
    • What AWS and AWS GovCloud regions does Fugue support?
    • Does Fugue support Microsoft Azure?
  • Scanning
    • Where do I view my scan results?
    • What compliance families are supported?
    • Can I change the compliance standards Fugue uses to evaluate my infrastructure?
    • Will changing my compliance standards and saving them automatically trigger a new scan?
    • How can I change the resources that Fugue scans in my AWS standard or GovCloud environment?
    • How can I change the resource groups Fugue scans in my Azure environment?
    • Can I scan ElastiCache clusters within a replication group?
  • Drift Detection & Enforcement
    • Can I turn off drift detection?
    • Can I change my baseline?
    • Can I turn off enforcement?
    • How can I change the AWS resources that Fugue enforces?
    • Can Fugue enforce the resource groups in my Azure environment?
    • What kind of drift does Fugue remediate?
    • When a resource is remediated, does Fugue simply modify it, or does it destroy the resource and recreate it?
  • AWS IAM Permissions
    • What kind of AWS IAM permissions does Fugue need?
    • Can I give Fugue enforce access (write permissions) without enabling automatic remediation?
    • What permissions are needed for compliance scanning, drift detection, and remediation?
    • How do I update the Fugue IAM role trust policy?
    • What’s the SecurityAudit policy and why is it attached?
    • What if I don’t want to use the SecurityAudit policy?
    • Why does Fugue use inline policies instead of managed policies?
  • Azure Service Principal Role
    • What type of RBAC role does Fugue require to scan and enforce my Azure infrastructure?
  • Service Coverage
    • What cloud provider services does Fugue support?
  • Visualizer
    • How can I visualize the resources in my environment?
    • What resource types are visualized?
    • What do the characters next to subnet and security group names mean?
    • Which cloud providers are supported?
  • Notifications
    • What if I have a question about notifications?
  • Best Practices
    • AWS Regions and Environments
    • AWS Resource Selection
    • Avoid Enforcing AWS Autoscaled Resources
  • Known Issues
    • Maximum of 1,000 SQS Queues
  • Other
    • What if I have other questions?
• Glossary
• Release Notes
  • 2019.10.17
    • Expanded AWS Service Coverage
    • Updates to the Visualizer
  • 2019.10.03
    • Custom Rules
    • CLI
    • Visualizer
  • 2019.09.13
    • Visualizer updates
    • IAM role generation updates
  • 2019.08.23
  • 2019.08.07
  • 2019.07.08
  • 2019.07.03
    • Features
  • 2019.06.26
    • Features
  • 2019.06.10
    • Features
  • 2019.05.29
    • Features
  • 2019.05.09
    • Features
    • Bug Fixes and Improvements
  • 2019.04.25
    • Features
    • Bug Fixes
  • 2019.03.28
    • Features
  • 2019.03.15
    • Features
    • Bug Fixes
  • 2019.02.25
  • 2019.02.12
  • 2019.01.28
  • 2018.11.26
    • Features