Fugue Compliance Suite

Note

To see the full list of Compliance Suite validations and the compliance standards they map to, install the Fugue Client Tools and view the Ludwig modules locally:

  • /opt/fugue/lib on macOS and Linux
  • C:\Program Files\Fugue\lib\ on Windows

What is the Fugue Compliance Suite?

The Fugue Compliance Suite is a group of validation libraries created for use with Fugue. Fugue offers compliance in the form of validations, Ludwig functions that are triggered automatically to verify a set of resources for compliance. To learn more about validations, take a look through our documentation here.

The Compliance Suite includes validations for the following industry standards:

How does it work?

A validation is a type of function that tests a property of your code, and if any portion of the code fails that test, it will not compile and cannot be executed. The validations in the Compliance Suite are designed to enforce the security and regulatory policies of compliance standards such as NIST 800-53 or GDPR.

Applying a validation or validation library corresponding to a compliance standard is as simple as importing the library in a composition (at design-time) or uploading it to the Conductor (at runtime).

For example, if you upload the Fugue.Compliance.GDPR library to the Conductor as a runtime validation, then run a composition declaring a VPC without flow logs enabled, compilation fails and the Conductor prevents the noncompliant infrastructure from being provisioned.

Fugue also returns a detailed error message. The message lists why the composition failed validation, which lines of code were noncompliant, what compliance control was violated, and what validation was applied:

[ ERROR ] ludwig (validation error):
  Validation failed:

  VPC Flow Logs must be enabled for packet "Rejects" for VPCs.

  - GDPR_30-(1):

    10| helloWorldVpc: EC2.Vpc.new {
    11|   cidrBlock: "10.0.0.0/16",
    12|   tags: [helloWorldTag],
    13|   region: AWS.Us-west-2,
    14| }

  In call to new at "/tmp/258039258/composition/src/GDPRHelloWorld.lw" (line 10, column 16)

  (from Fugue.AWS.EC2.Compliance.vpcLoggingEnabled)

This is how Fugue’s Conductor and the Compliance Suite ensure your infrastructure configuration is compliant before you provision it, and that it stays compliant once it’s instantiated.

Design-time vs. Runtime

Reasons you might apply validations at design-time:

  • You want to test a composition for compliance during development
  • You want the validation to apply to infrastructure in a single process

Reasons you might apply validations at runtime:

  • You want the validation to apply to infrastructure in all processes
  • You want to protect against accidental or malicious removal of compliance validations

You can also do both. You can apply the validation at design-time during development, then apply it at runtime when your composition is ready for production.

How to Use It

Install the Fugue Client Tools

The Compliance Suite is included in the Fugue Client Tools. For information on installing Fugue, refer to our Quick Setup.

Apply as Design-time Validation

To apply a compliance library at design-time, add this line at the beginning of your composition, right after the composition keyword:

import Fugue.Compliance.NIST

Anytime you compile your composition with lwc, Fugue will check its compliance with the given standard:

lwc MyComposition.lw

If the composition is not compliant, it will fail compilation and return a detailed error message.

For a detailed example, see Use Case: Applying the NIST.Account Module at Design-Time.

Apply as Runtime Validation

To apply a compliance library at runtime, we recommend that you copy the desired compliance library from /opt/fugue/lib to your present working directory:

cp /opt/fugue/lib/Fugue/Compliance/HIPAA.lw AcmeCorpHIPAA.lw

Then, just upload the new library to the Conductor:

fugue policy validation-add AcmeCorpHIPAA.lw --name AcmeCorpHIPAA

The Conductor automatically applies the validation to all current and future processes. If a composition is not compliant, it will fail compilation and cannot be run.

For a detailed example, see Use Case: Applying the HIPAA Library at Runtime.

Customize a Compliance Library

In many cases, users may want to take a compliance library and change which validations are applied. In that case, we recommend starting from one of the Fugue.Compliance standards and customizing it to your needs.

Copy the desired compliance library from /opt/fugue/lib to your present working directory:

cp /opt/fugue/lib/Fugue/Compliance/HIPAA.lw AcmeCorpHIPAA.lw

Or, in a Windows environment:

copy C:\Program Files\Fugue\lib\Fugue\Compliance\HIPAA.lw AcmeCorpHIPAA.lw

Now you can add and remove validations at will. To comment out a line, prepend a #.

If you want to copy a validation from a different compliance standard, make sure to include both the import line and the validation registration line, like so:

import Fugue.AWS.EC2.Compliance

validate Fugue.AWS.EC2.Compliance.noIngressFromAnywhereToPort3389 {
  references: ["CIS_4-2"],
}

You can change the string in the references argument to whatever you like, e.g., "AcmeCorpPolicy1". It’s there for your benefit.

For a detailed example, see Use Case: Excluding or Including Specific Validations From a Library.

Tips for Using the Compliance Suite

Account-level validations

Validations within the Compliance Suite are applied to a single composition, which also means they are applied to a single process. When a runtime validation is uploaded to the Conductor, each process is individually checked against each validation. This means that a validation can only see what’s in a single composition – it cannot look at the account as a whole. This is problematic for validations that require certain resources to be present at the account level: for example, CIS requires CloudTrail to be enabled in all regions.

Imagine a scenario in which a company is running multiple processes in the same account, e.g.:

  1. A process managing the required CloudTrail, some IAM roles, etc.
  2. A process managing a staging environment
  3. A process managing a production environment

The company is CIS-compliant since the CloudTrail trail is present. However, processes (2) and (3) would fail the runtime compliance check since these do not have the required CloudTrail trail.

To address this issue, the Compliance Suite provides Account versions of the standards (e.g., Fugue.Compliance.CIS.Account) which have the “required infrastructure in account” validations in addition to the regular compliance standard validations.

These Account validations can only be used at design-time, for the reasons explained above.

Some Validations Require Additional Parameters

Some compliance libraries contain validations that need additional parameters. In those cases, the documentation will provide the specifics for each validation.

For example, the Fugue.Compliance.GDPR library contains a validation that points to Fugue.AWS.RDS.Compliance.requireEngineForInstance. This validation checks whether an RDS DB instance has a DB engine that satisfies a particular predicate, such as the function Fugue.AWS.RDS.Compliance.isFedrampCompliantEngine. Before you can apply that validation, you’ll need to supply the predicate, which you can do like so:

import Fugue.AWS.RDS.Compliance

validate Fugue.AWS.RDS.Compliance.requireEngineForInstance {
  predicate: Fugue.AWS.RDS.Compliance.isFedrampCompliantEngine
}

These lines both register the validation and set the predicate. Now you can copy them into a custom library to apply the validation.
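As an added example (not one of the libraries shipped in the Fugue Client Tools), here is what a customized copy such as AcmeCorpHIPAA.lw might look like after the edits described in Customize a Compliance Library and in this section: validations kept with custom reference strings, a validation copied in from the CIS library together with its import, a validation whose predicate parameter is supplied, and one validation removed by commenting it out. It assumes that a compliance library file consists only of import lines and validate registrations, as in the snippets on this page; the choice of which validations to keep and the AcmeCorpPolicy reference strings are the example’s own.

```ludwig
# AcmeCorpHIPAA.lw: a customized compliance library. Added example, not a
# file shipped with Fugue; assumes a library is just imports plus validate
# registrations, as in the snippets on this page. Which validations are
# kept is this example's own choice.

import Fugue.AWS.EC2.Compliance
import Fugue.AWS.IAM.Compliance
import Fugue.AWS.RDS.Compliance

# Kept. The references string is free-form and only shows up in the
# validation error message, so it can name an internal policy instead.
validate Fugue.AWS.EC2.Compliance.vpcLoggingEnabled {
  references: ["AcmeCorpPolicy1"],
}

# Copied in from the CIS library: the import of Fugue.AWS.EC2.Compliance
# above and this registration are both required.
validate Fugue.AWS.EC2.Compliance.noIngressFromAnywhereToPort3389 {
  references: ["CIS_4-2"],
}

# Needs an additional parameter: the engine predicate is supplied with
# the registration, exactly as in the GDPR example above.
validate Fugue.AWS.RDS.Compliance.requireEngineForInstance {
  predicate: Fugue.AWS.RDS.Compliance.isFedrampCompliantEngine
}

# Removed from this custom library by commenting out every line with #.
# validate Fugue.AWS.IAM.Compliance.noPoliciesAttachedToUsers {
#   references: ["AcmeCorpPolicy2"],
# }
```

Once edited, the file is uploaded with the same command shown under Apply as Runtime Validation (fugue policy validation-add AcmeCorpHIPAA.lw --name AcmeCorpHIPAA), after which every current and future process is checked against exactly this set of validations and nothing else from the original HIPAA library.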

The best way to find additional information about validations like this one is to look at the comments in the Ludwig files in the Fugue Standard Library. These files are in the /opt/fugue/lib directory on macOS and Linux machines and C:\Program Files\Fugue\lib\ on Windows.

As usual, if you have questions or concerns reach out to us at support@fugue.co.

Compliance Suite Architecture

The Compliance Suite supports four major compliance standards (CIS, GDPR, HIPAA, NIST) and is organized in the Fugue Standard Library according to these paths:

Note: For the sake of clarity we refer to the CIS AWS Foundations Benchmark generically as a “standard.” This enables us to reference compliance standards more broadly (NIST, HIPAA, etc.) and simplify the terminology when we’re talking about functionality that may apply to the CIS Benchmark or other compliance standards.

Fugue.Compliance.[STANDARD] - Compliance library

At its highest level, the Compliance Suite consists of four libraries that each correspond to a different compliance standard:

Each library is a collection of validations that enforce the standard’s security and compliance controls. These libraries don’t contain the actual validations themselves, but when you apply a library at design-time or runtime, the library imports and activates the validations by registering them.

These are the libraries you should use if you want to apply all of a standard’s validations to your infrastructure (except for account-level validations; see details here).

Note

The Fugue.Compliance.Internal library also appears at the top level of the Compliance Suite, but it consists of internal utilities and can be ignored. The same is true for the Fugue.Compliance.Internal.NodeStream module.

Fugue.Compliance.[STANDARD].Account - Account-level module

Within each top-level compliance library is an Account module. Fugue.Compliance.[STANDARD].Account modules have all the same validations as the Fugue.Compliance.[STANDARD] libraries but additionally include account-level validations.

An account-level validation is applied globally to a user’s account and validates resources such as CloudTrail regions or IAM roles.

Account-level modules should only be applied at design-time. For more details, see Account-level validations.

Fugue.AWS.[SERVICE].Compliance - Standard-specific validations

The Fugue.AWS.[SERVICE].Compliance modules contain the actual validation functions of the Compliance Suite. Each module is organized by service and can contain validations from different compliance standards. For example, Fugue.AWS.IAM.Compliance contains the validation function noPoliciesAttachedToUsers, which appears in Fugue.Compliance.CIS, Fugue.Compliance.HIPAA and Fugue.Compliance.NIST.

Fugue.Generic.Compliance - Generic validations

The Compliance Suite also contains all-purpose validations not tied to a specific standard. These validations are stored in Fugue.Generic.Compliance. For example, Fugue.Generic.Compliance.blacklistResources lets you define a blacklist of prohibited resources and raises an error if a composition contains any.