Compliance

Tip

Interested in pre-deployment compliance checks? Our open source tool Regula evaluates Terraform for security and compliance prior to deployment.

Note

For instructions on manually bringing noncompliant resources back into compliance, see the Rule Remediation Steps.

Fugue can check the cloud resources in your environment for compliance with the compliance standards you select:

Fugue also supports custom compliance rules. The custom rules compliance family cannot be turned off unless you delete all of the custom rules.

Otherwise, you may select any combination of compliance families, including none if you prefer.

Your overall compliance state for all environments is shown on the All Environments page shown when you log in:

[Figure: _images/all-environments-page.png]

Overall and detailed compliance state for a given environment is displayed when you view the environment.

[Figure: _images/RiskManager_Compliance_Report.png]

The Compliance view, highlighted above, shows the detailed compliance state of the environment. It appears below the compliance summary. From anywhere in the environment dashboard, you can access the Compliance view by selecting the “Compliance” tab in the header near the top of the page. There are three Compliance views showing different perspectives of your compliance state (see Browsing the Data).

Note

Fugue can email you a daily or weekly compliance report. See Compliance Report Email for details.

Compliance State Details

After Fugue completes a scan, you can review your resource compliance state through a number of filters. The main elements include:

  • Scanned resources: the total number of resources that were scanned

  • Compliant resources: the total number of resources that are compliant based on the standards you’ve selected

  • Noncompliant resources: the number of resources that are noncompliant based on the standards you’ve selected

Individual breakdowns for compliant vs. noncompliant resources are displayed below the summary, indicating the number of resources that are noncompliant for each standard you applied to the scan.

Browsing the Data

The data in the Compliance view is spread across several tabbed displays, each of which can be narrowed with categorical filters.

There are three Compliance pages, accessible through tabs on the Compliance page:

  • Compliance by Rule

    [Figure: _images/compliance-by-rule-page.png]

  • Compliance by Resource Type

    [Figure: _images/compliance-by-resource-type-page.png]

  • Compliance by Resource

    [Figure: _images/compliance-by-resource-page.png]

The available filters depend on the selected tab, since each tab organizes and displays the data differently.

Fugue Best Practices

Fugue offers its own compliance family, Fugue Best Practices. The Fugue Best Practices Framework complements the CIS Benchmarks by providing guidance and recommendations to secure cloud resources against advanced misconfiguration exploits. To learn how to enable Fugue Best Practices (and other compliance families), see the FAQ.

FBP includes the following rules. Click the rule ID to see rule remediation steps:

  • FBP R001: IAM policies should not allow broad list actions on S3 buckets

  • FBP R002: S3 buckets should have all block public access options enabled

  • FBP R003: IAM role trust policies should not allow all principals to assume the role

  • FBP R004: IAM roles attached to EC2 instance profiles should not allow broad list actions for S3

  • FBP R005: S3 bucket policies should not allow all actions for all principals

  • FBP R006: S3 bucket policies should not allow list actions for all principals

  • FBP R007: VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 9200 (Elasticsearch)

  • FBP R008: VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 9300 (Elasticsearch)

  • FBP R009: VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 2379 (etcd)

  • FBP R010: VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27017 (MongoDB)

  • FBP R011: VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27018 (MongoDB)

  • FBP R012: VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27019 (MongoDB)
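As an added illustration of the logic behind rules R005, R006 and R007 through R012, the following checks evaluate a raw S3 bucket policy document and a list of security group ingress rules. This is example code, not Fugue's or Regula's own rule implementation; the simplified ingress-rule shape and the sample bucket policy are constructed for the example, and treating "*" and "s3:*" as covering the list actions is an assumption made here.

```python
import json

# Ports named by FBP R007-R012 (Elasticsearch, etcd, MongoDB), keyed to the rule id.
FBP_PORTS = {9200: "R007", 9300: "R008", 2379: "R009",
             27017: "R010", 27018: "R011", 27019: "R012"}

def _as_list(value):
    # IAM policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]

def _principal_is_everyone(principal):
    # Both "*" and {"AWS": "*"} grant access to all principals.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def check_bucket_policy(policy_json):
    """Return the FBP rule ids (R005, R006) that an S3 bucket policy document violates."""
    findings = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        all_actions = bool(actions & {"*", "s3:*"})
        if all_actions:
            findings.add("R005")  # all actions for all principals
        # Assumption in this example: "*" and "s3:*" also cover the list actions.
        if all_actions or any(a.startswith("s3:list") for a in actions):
            findings.add("R006")  # list actions for all principals
    return sorted(findings)

def check_security_group(ingress_rules):
    """ingress_rules: dicts {"proto": "tcp" or "-1", "from": int, "to": int, "cidr": str}
    (a constructed, simplified shape). Return the FBP rule ids (R007-R012) violated."""
    findings = set()
    for rule in ingress_rules:
        if rule["cidr"] != "0.0.0.0/0" or rule["proto"] not in ("tcp", "-1"):
            continue  # only world-open TCP (or all-protocol) rules are in scope
        low, high = (0, 65535) if rule["proto"] == "-1" else (rule["from"], rule["to"])
        findings.update(rid for port, rid in FBP_PORTS.items() if low <= port <= high)
    return sorted(findings)

if __name__ == "__main__":
    # Constructed sample inputs: a public-list bucket policy and an open MongoDB port range.
    policy = json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket"}]})
    print(check_bucket_policy(policy))  # ['R006']
    sg = [{"proto": "tcp", "from": 27017, "to": 27019, "cidr": "0.0.0.0/0"}]
    print(check_security_group(sg))     # ['R010', 'R011', 'R012']
```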

Further Reading

To learn how to receive daily or weekly emails containing a summary of your compliance state, see Compliance Report Email.

Note

While Fugue can be viewed as an essential component for maintaining your infrastructure compliance, we cannot provide an explicit guarantee or official certification for any compliance standard(s) or benchmark included in the product. We recommend working with an approved auditor to obtain any official compliance certifications.