Interested in pre-deployment compliance checks? Our open source tool Regula evaluates Terraform for security and compliance prior to deployment.
For instructions on manually bringing noncompliant resources back into compliance, see the Rule Remediation Steps.
Fugue can check the cloud resources in your environment for compliance with the compliance standards you select:
Fugue also supports custom compliance rules. The custom rules compliance family cannot be turned off unless you delete all of the custom rules.
Otherwise, you may select any combination of compliance families, including none if you prefer.
Your overall compliance state for all environments is shown on the All Environments page, which appears when you log in:
Overall and detailed compliance state for a given environment is displayed when you view the environment.
The Compliance view, highlighted above, shows the detailed compliance state of the environment. It appears below the compliance summary. From anywhere in the environment dashboard, you can access the Compliance view by selecting the “Compliance” tab in the header near the top of the page. There are three Compliance views showing different perspectives of your compliance state (see Browsing the Data).
Fugue can email you a daily or weekly compliance report. See Compliance Report Email for details.
Compliance State Details
After Fugue completes a scan, you can review your resource compliance state through a number of filters. The main elements include:
- Scanned resources: the total number of resources that were scanned
- Compliant resources: the total number of resources that are compliant based on the standards you’ve selected
- Noncompliant resources: the number of resources that are noncompliant based on the standards you’ve selected
Individual breakdowns for compliant vs. noncompliant resources are displayed below the summary, indicating the number of resources that are noncompliant for each standard you applied to the scan.
Browsing the Data
Compliance data is presented across several tabs and can be narrowed with category filters.
There are three Compliance pages, accessible through tabs on the Compliance page:
- Compliance by Rule
- Compliance by Resource Type
- Compliance by Resource
The available filters depend on the tab selected and vary with how the data is organized and displayed.
Fugue Best Practices
Fugue offers its own compliance family, Fugue Best Practices (FBP). The Fugue Best Practices Framework complements the CIS Benchmarks by providing guidance and recommendations to secure cloud resources against advanced misconfiguration exploits. To learn how to enable Fugue Best Practices (and other compliance families), see the FAQ.
FBP includes the following rules. Click the rule ID to see rule remediation steps:
- FBP R001: IAM policies should not allow broad list actions on S3 buckets
- FBP R002: S3 buckets should have all block public access options enabled
- FBP R003: IAM role trust policies should not allow all principals to assume the role
- FBP R004: IAM roles attached to EC2 instance profiles should not allow broad list actions for S3
- FBP R005: S3 bucket policies should not allow all actions for all principals
- FBP R006: S3 bucket policies should not allow list actions for all principals
- FBP R007: VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 9200 (Elasticsearch)
- FBP R008: VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 9300 (Elasticsearch)
- FBP R009: VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 2379 (etcd)
- FBP R010: VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27017 (MongoDB)
- FBP R011: VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27018 (MongoDB)
- FBP R012: VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27019 (MongoDB)
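The following is an added example, not Fugue's own rule code: one way to check security groups against FBP R007 through R012 before relying on a scan. It assumes input shaped like the `IpPermissions` entries returned by the EC2 `DescribeSecurityGroups` API, and it assumes that port ranges and the all-protocols value `-1` should count as exposing a listed port; the group IDs are constructed.

```python
# Added example: not Fugue's rule implementation.
# Rule IDs and ports are taken from the FBP list above.
FBP_PORT_RULES = {
    "FBP R007": 9200,   # Elasticsearch
    "FBP R008": 9300,   # Elasticsearch
    "FBP R009": 2379,   # etcd
    "FBP R010": 27017,  # MongoDB
    "FBP R011": 27018,  # MongoDB
    "FBP R012": 27019,  # MongoDB
}

def permission_covers(perm, port):
    """True if one IpPermissions entry opens `port`/TCP to 0.0.0.0/0."""
    if not any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
        return False
    proto = perm.get("IpProtocol")
    if proto == "-1":  # assumption: "all traffic" exposes every listed port
        return True
    if proto not in ("tcp", "6"):
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    # A range such as 9000-9400 exposes 9200 even though it is never named.
    return lo is not None and hi is not None and lo <= port <= hi

def evaluate(security_groups):
    """Return sorted (group_id, rule_id) pairs for every violated rule."""
    findings = set()
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            for rule_id, port in FBP_PORT_RULES.items():
                if permission_covers(perm, port):
                    findings.add((sg["GroupId"], rule_id))
    return sorted(findings)

# Constructed sample data (hypothetical group IDs).
SAMPLE_GROUPS = [
    {"GroupId": "sg-example-a", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 9000, "ToPort": 9400,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-example-b", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 27017, "ToPort": 27017,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-example-c", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for group_id, rule_id in evaluate(SAMPLE_GROUPS):
        print(f"{group_id}: {rule_id}")
```

The check covers only the IPv4 source `0.0.0.0/0` named in the rules; IPv6 ranges (`Ipv6Ranges`) are not evaluated.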
To learn how to receive daily or weekly emails containing a summary of your compliance state, see Compliance Report Email.
While Fugue can be viewed as an essential component for maintaining your infrastructure compliance, we cannot provide an explicit guarantee or official certification for any compliance standard(s) or benchmark included in the product. We recommend working with an approved auditor to obtain any official compliance certifications.