Welcome to the Fugue Docs!¶
Fugue ensures cloud infrastructure stays in continuous compliance with enterprise security policies. Learn more on our product page.
Getting Started Quickly create a Fugue environment.
Examples Walkthroughs and tutorials.
FAQ At-a-glance information.
Release Notes The latest Fugue updates.
Service Coverage Supported AWS, AWS GovCloud, and Azure services.
Popular Links¶
Visualizer – Explore an interactive diagram of your cloud infrastructure
API User Guide – Fugue API instructions and examples
API Reference – Swagger specification
Sign up for Fugue – Register for a free account
Table of Contents¶
- Home
- Getting Started
- Examples
- Fugue Plans
- Environment Configuration
- Compliance
- Custom Rules
- Visualizer
- Organization
- Reports and Notifications
- API
- CLI
- Service Coverage
- AWS Standard Regions
- AWS Certificate Manager (ACM)
- ACM Private Certificate Authority (ACM PCA) – beta
- API Gateway
- AutoScaling
- CloudFront
- CloudTrail
- CloudWatch
- Cognito
- Config
- Directory Service – beta
- DynamoDB
- EC2
- ECR
- ECS
- EFS – beta
- EKS
- ELB
- ELBv2
- ElastiCache
- Glacier – beta
- GuardDuty
- IAM
- Inspector – beta
- KMS
- Kinesis – beta
- Lambda
- Macie
- MediaStore
- Organizations – beta
- RDS
- Redshift
- Route 53
- S3
- Step Functions (SFN)
- SNS
- SQS
- Systems Manager (SSM) – beta
- Secrets Manager
- WAF
- Supported Services: AWS GovCloud
- AWS Certificate Manager (ACM)
- ACM Private Certificate Authority (ACM PCA) – beta
- API Gateway
- AutoScaling
- CloudTrail
- CloudWatch
- Config
- Directory Service – beta
- DynamoDB
- EC2
- ECR
- ECS
- ELB
- ELBv2
- ElastiCache
- Glacier – beta
- IAM
- Inspector – beta
- KMS
- Kinesis – beta
- Lambda
- Organizations – beta
- RDS
- Redshift
- S3
- Step Functions (SFN)
- SNS
- SQS
- Systems Manager (SSM) – beta
- Supported Services: Microsoft Azure
- Changing Resource Selection
- AWS Standard Regions
- FAQ
- General
- Plans
- Environments
- Scanning
- How can I trigger a scan?
- Where do I view my scan results?
- What compliance families are supported?
- Can I change the compliance standards Fugue uses to evaluate my infrastructure?
- Will changing my compliance standards and saving them automatically trigger a new scan?
- How can I change the resources that Fugue scans in my AWS standard or GovCloud environment?
- How can I change the resource groups Fugue scans in my Azure environment?
- Can I scan ElastiCache clusters within a replication group?
- Drift Detection & Enforcement
- Can I turn off drift detection?
- Can I change my baseline?
- Can I turn off enforcement?
- How can I change the AWS or AWS GovCloud resources that Fugue enforces?
- Can Fugue enforce the resource groups in my Azure environment?
- What kind of drift does Fugue remediate?
- When a resource is remediated, does Fugue simply modify it, or does it destroy the resource and recreate it?
- AWS IAM Permissions
- What kind of AWS IAM permissions does Fugue need?
- Can I give Fugue enforce access (write permissions) without enabling automatic remediation?
- What permissions are needed for compliance scanning, drift detection, and remediation?
- How do I update the Fugue IAM role trust policy?
- What’s the SecurityAudit policy and why is it attached?
- What if I don’t want to use the SecurityAudit policy?
- Why does Fugue use inline policies instead of managed policies?
- Azure Service Principal Role
- Service Coverage
- Visualizer
- Notifications
- Best Practices
- Known Issues
- Other
- Glossary
- Release Notes
- Fugue Support
- Rule Remediation Steps
- IAM root user should not be used
- IAM password policies should prevent reuse of previously used passwords
- IAM password policies should expire passwords within 90 days
- IAM root user access key should not exist
- IAM should have virtual MFA enabled for the root account
- IAM should have hardware MFA enabled for the root account
- IAM policies should not be attached to users
- Ensure a support role has been created to manage incidents with AWS Support
- CloudFront distribution origin should be set to S3 or origin protocol policy should be set to https-only
- CloudFront viewer protocol policy should be set to https-only
- ELBv1 listener protocol should not be set to http
- EC2 instances should have autoscaling groups with two or more availability zones
- EBS volume encryption should be enabled
- CloudFront distributions should have geo-restrictions specified
- AWS credentials (IAM user name/passwords, IAM access keys) unused for 90 days or more should be disabled
- IAM user access keys should be rotated every 90 days or less
- IAM password policies should require at least one uppercase character
- IAM password policies should require at least one lowercase character
- IAM password policies should require at least one symbol
- IAM password policies should require at least one number
- IAM password policies should require a minimum length of 14
- CloudTrail should be enabled in all regions
- CloudTrail log file validation should be enabled
- S3 bucket ACLs should not have public access on S3 buckets that store CloudTrail log files
- CloudTrail trails should have CloudWatch log integration enabled
- AWS Config should be enabled in all regions
- S3 bucket access logging should be enabled on S3 buckets that store CloudTrail log files
- CloudWatch log metric filter and alarm for denied connections in VPC Flow Logs should be configured
- Alarm for denied connections in CloudFront logs should be configured
- CloudTrail log files should be encrypted using KMS CMKs
- KMS CMK rotation should be enabled
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 5900 (Virtual Network Computing)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 5800 (Virtual Network Computing), unless from ELBs
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 5500 (Virtual Network Computing)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 23 (Telnet)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 80 (HTTP), unless from ELBs
- ELBv1 load balancer cross zone load balancing should be enabled
- VPC security group inbound rules should not permit ingress from any address to all ports and protocols
- VPC security group inbound rules should not permit ingress from ‘0.0.0.0/0’ to all ports and protocols
- VPC flow logs should be sent to CloudWatch logs
- SQS access policies should not have global “.” access
- SNS subscriptions should deny access via HTTP
- VPC flow logging should be enabled
- CloudWatch log metric filter and alarm for unauthorized API calls should be configured
- CloudWatch log metric filter and alarm for VPC security group changes should be configured
- CloudWatch log metric filter and alarm for changes to VPC NACLs should be configured
- CloudWatch log metric filter and alarm for changes to VPC network gateways should be configured
- CloudWatch log metric filter and alarm for VPC route table changes should be configured
- CloudWatch log metric filter and alarm for VPC changes should be configured
- CloudWatch log metric filter and alarm for Management Console sign-in without MFA should be configured
- CloudWatch log metric filter and alarm for usage of root account should be configured
- CloudWatch log metric filter and alarm for IAM policy changes should be configured
- CloudWatch log metric filter and alarm for CloudTrail configuration changes should be configured
- CloudWatch log metric filter and alarm for Management Console authentication failures should be configured
- ELBv1 load balancer access logging should be enabled
- CloudFront access logging should be enabled
- CloudWatch log groups should be encrypted with KMS CMKs
- DynamoDB tables should be encrypted with KMS CMKs
- SQS queue server-side encryption should be enabled (AWS-managed keys)
- CloudFront distributions should be protected by WAFs
- CloudWatch log metric filter and alarm for disabling or scheduled deletion of KMS CMKs should be configured
- CloudWatch log metric filter and alarm should be set for S3 bucket policy changes
- CloudWatch log metric filter and alarm should be set for Config configuration changes
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to port 22 (SSH)
- IAM password policies should have a minimum length of 7 and include both alphabetic and numeric characters
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to port 3389 (Remote Desktop Protocol)
- IAM password policies should prevent reuse of the four previously used passwords
- VPC default security group should restrict all traffic
- IAM policies should not have full “
*:*” administrative privileges - RDS instances should be encrypted (AWS-managed keys or KMS CMKs)
- RDS instances should have FedRAMP approved database engines
- RDS instances should be encrypted with KMS CMKs
- S3 bucket server-side encryption should be enabled
- S3 bucket policies should only allow requests that use HTTPS
- S3 bucket versioning and lifecycle policies should be enabled
- ELB listener security groups should not be set to TCP all
- VPC security groups attached to EC2 instances should not permit ingress from ‘0.0.0.0/0’ to all ports
- VPC security groups attached to RDS instances should not permit ingress from ‘0.0.0.0/0’ to all ports
- ElastiCache transport encryption should be enabled
- DynamoDB tables Point in Time Recovery should be enabled
- RDS instances should have backup retention periods configured
- IAM multi-factor authentication should be enabled for all IAM users that have a console password
- Storage Accounts ‘Secure transfer required’ should be enabled
- Virtual Network security groups should not permit ingress from ‘0.0.0.0/0’ to TCP port 3389 (RDP)
- Virtual Network security groups should not permit ingress from ‘0.0.0.0/0’ to TCP port 22 (SSH)
- Virtual Network security groups attached to SQL Server instances should not permit ingress from 0.0.0.0/0 to all ports and protocols
- Virtual Network Network Watcher should be enabled
- Virtual Machines data disks (non-boot volumes) should be encrypted
- Virtual Machines unattached disks should be encrypted
- RDS Aurora cluster multi-AZ should be enabled
- S3 bucket policies should not allow all actions for all principals
- S3 bucket policies should not allow list actions for all principals
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 9200 (Elasticsearch)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 9300 (Elasticsearch)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 2379 (etcd)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27017 (MongoDB)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27018 (MongoDB)
- VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27019 (MongoDB)
- IAM policies should not allow broad list actions on S3 buckets
- IAM role trust policies should not allow all principals to assume the role
- IAM roles attached to instance profiles should not allow broad list actions on S3 buckets
- SQL Server firewall rules should not permit start and end IP addresses to be 0.0.0.0