Environment Configuration

Note

This guide is for configuring existing Fugue environments. If you’re looking for info on setting up a new environment, including configuring role permissions and selecting resource types or resource groups, see Setup - AWS or Setup - Azure.

Permissions

Fugue requires read-only access to every service you want it to scan for compliance or drift, and read and write access to every service you want it to enforce. This access is controlled through the associated AWS IAM role or Azure service principal. You can see the list of AWS and AWS GovCloud IAM permissions here. For Azure information, see Setup - Azure.

If you have further questions, reach out to support@fugue.co.

Environments

An environment represents cloud infrastructure in a provider account and includes resource configuration, compliance state, and more. Fugue uses the environment as a “unit” to manage security and compliance assessments as well as baseline configuration drift and enforcement.

In the top right corner of your browser, the “Environments” link brings you to the All Environments landing page:


On the All Environments page, you can do the following:

You can also edit the settings for your current environment by selecting the Actions button on the environment dashboard, then selecting Edit Environment (the cog icon) from the drop-down menu:


This opens the panel with the environment details for the active environment.

Removing an Environment

There are two methods you can use to remove an environment:

  • Click the Actions button on the environment dashboard, select Edit Environment (the cog icon) to open the Settings page, and then click the “Remove Environment” button under the environment name.

  • Alternatively, select the Environments link on the environment dashboard, select the ellipsis next to the target environment, and click “Remove Environment.”

Setting or Updating a Baseline

In order to enable drift detection, you must establish a baseline. A baseline is a snapshot of a “known-good” configuration of cloud infrastructure. It is a complete picture of a cloud environment and defines every resource with all of its attributes. A baseline acts as a “contract” between different stakeholders such as DevOps and Security, and provides the context for determining drift and enforcing resources. When the baseline is set, drift detection is automatically enabled.

There are several ways to set or update a baseline:

Setting a Baseline to an Earlier Scan

To set your baseline to an earlier scan in the UI, use the date picker.

To set your baseline to an earlier scan via the CLI or API, find the desired scan ID and use it to set the baseline as you normally would:

Viewing Baseline Resources

You can view the resources recorded in your baseline at any time by navigating to the Baseline page through the link at the top right of the screen.


The Baseline page lists the resource ID, resource type, tags, and detected date of each resource recorded in your baseline.


Disabling a Baseline & Drift Detection

To disable a baseline (and drift detection at an environment level), use the API to update the environment with this request body:

{
  "baseline_id": ""
}

See How To: Set a Baseline (API) for a tutorial. See also the API User Guide for more information about enabling and disabling baselines via the API.

Suppressing Drift Events for Individual Resources

You can also suppress drift events at a resource level by tagging the resource with the key fugue:transient and value true in AWS or Azure.

Once the resource is tagged, drift events are not generated for changes to that resource. This is useful in situations where resources are created and destroyed dynamically.

[Screenshots: the fugue:transient tag applied to a resource in the AWS console and in the Azure portal]

For a list of resource types that by design do not report drift, see Service Coverage.

How to Tell if a Baseline Is Established

If you’re not sure whether you’ve established a baseline for an environment yet, you can check its status above the “Establish Baseline” button. When a baseline has not been established, the status says “Not Established & Disabled.”


When a baseline has been established, it says “Established & Enabled.”


Drift Detection

Drift is any change to the configuration of a resource, or the deletion of an existing resource or creation of a new one, that deviates from the baseline. Drift is typically an inadvertent change made outside the official change control process and can cause security or operational issues. Drift detection is the Fugue feature that detects any configuration changes deviating from the baseline.

After a baseline is established, future scans populate the Events page with data about any changes to your infrastructure, including resource additions, deletions, and modifications.

[Screenshot: sample drift report on the Events page]

Above, you can see a sample drift report listing resources that have been added, removed, or modified from the baseline state. The report contains the following data:

  • Resource ID: The AWS ID of a resource that changed. Example: risk-manager-demo-123

  • Resource type: The type of resource that changed. Example: AWS.S3.Bucket

  • Change: The type of drift. Either Added, Removed, or Modified

  • Event type: The type of event. Either Drift or Remediation

  • Result: Whether or not a resource was enforced. Either Reverted or blank

  • Detected date: When the drift was detected. Example: 11/16/18, 11:02 PM

Disabling Drift Detection

To disable drift detection at an environment level, unset the baseline; see Disabling a Baseline & Drift Detection. To suppress drift events at a resource level, see Suppressing Drift Events for Individual Resources.

Enabling Enforcement

Note

For best practices surrounding baseline enforcement, including a list of recommended AWS resources to enforce, see the FAQ.

Baseline enforcement is an action Fugue takes without human intervention to revert any configuration drift to the established baseline, with no need for external remediation scripts or “bots.”

To enable enforcement, you must first establish a baseline (which automatically enables drift detection). Once a baseline is established, you can reach the Enforcement Settings tab in two ways:

  • Through the Edit Environment (cog icon) option under the Actions button

  • Through the “Disabled” or “Enabled” link below Baseline Enforcement

The Settings page has an Enforcement tab containing a checkbox that allows you to enable baseline enforcement. To enable enforcement, simply check the box. To disable it, uncheck the box.


You can change this setting at any time, and your changes will go into effect in the next scan.

Once the baseline enforcement feature is enabled, Fugue will automatically remediate modifications made to your cloud infrastructure that diverge from your baseline. The Events page lists all baseline enforcement events in addition to drift events.

Note

When baseline enforcement is enabled, Fugue remediates only modified resources. Resources that are unchanged, added, or removed are left as-is. Contact support@fugue.co for additional details.
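The following is an added example, not Fugue's code, that models the drift report described under Drift Detection (Resource ID, Resource type, Change, Event type, Result), the fugue:transient suppression described earlier, and the rule in the note above that only modified resources are reverted. The snapshot format, the `res` helper and the one-event-per-resource modelling are assumptions made for the example.

```python
from collections import namedtuple

TRANSIENT_TAG = ("fugue:transient", "true")  # tag that suppresses drift events
# Drift-report row: change Added/Removed/Modified; event_type Drift/Remediation; result "Reverted" or blank.
DriftEvent = namedtuple("DriftEvent", "resource_id resource_type change event_type result")

def is_transient(resource):
    """True when the resource is tagged fugue:transient=true (value case-insensitive)."""
    key, value = TRANSIENT_TAG
    return str(resource.get("tags", {}).get(key, "")).lower() == value

def detect_drift(baseline, scan, enforcement=False):
    """Compare a scan with the baseline and return one event per drifted resource.
    Snapshots map resource ID -> {"resource_type", "tags", "attributes"}. Modelling
    assumptions (not Fugue's code): a transient tag in either snapshot suppresses the
    event; an enforced modification is one Remediation event with Result "Reverted";
    added and removed resources are reported but never reverted, as the note states.
    """
    events = []
    for rid in sorted(set(baseline) | set(scan)):
        before, after = baseline.get(rid), scan.get(rid)
        if is_transient(before or {}) or is_transient(after or {}):
            continue
        if before is None:
            change = "Added"
        elif after is None:
            change = "Removed"
        elif before["attributes"] != after["attributes"]:
            change = "Modified"
        else:
            continue  # unchanged: no event
        reverted = enforcement and change == "Modified"
        events.append(DriftEvent(rid, (after or before)["resource_type"], change,
                                 "Remediation" if reverted else "Drift",
                                 "Reverted" if reverted else ""))
    return events

def res(rtype, attrs, transient=False):  # constructed resource record for the samples below
    return {"resource_type": rtype, "attributes": attrs,
            "tags": {"fugue:transient": "true"} if transient else {}}
# Constructed sample snapshots standing in for a baseline scan and a later scan.
BASELINE = {"risk-manager-demo-123": res("AWS.S3.Bucket", {"Versioning": "Enabled", "BlockPublicAcls": True}),
            "sg-0baseline": res("AWS.EC2.SecurityGroup", {"IngressCidrs": ["10.0.0.0/8"]}),
            "i-0autoscaled": res("AWS.EC2.Instance", {"InstanceType": "t3.small"}, transient=True)}
SCAN = {"risk-manager-demo-123": res("AWS.S3.Bucket", {"Versioning": "Enabled", "BlockPublicAcls": False}),
        "i-0autoscaled": res("AWS.EC2.Instance", {"InstanceType": "t3.large"}, transient=True),
        "vpc-0newvpc": res("AWS.EC2.Vpc", {"CidrBlock": "172.16.0.0/16"})}

for e in detect_drift(BASELINE, SCAN, enforcement=True):  # print the report rows
    print(f"{e.resource_id:<24}{e.resource_type:<24}{e.change:<10}{e.event_type:<13}{e.result}")
```

With enforcement on, the modified bucket is the only row marked Reverted; the transient instance produces no row even though its attributes changed.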

If you’re not sure whether enforcement has been enabled, you can check its status above the “Establish Baseline” button. When enforcement is enabled, the status says “Enabled.”


When enforcement is not enabled, it says “Disabled.”


Triggering a Scan

You can manually kick off an environment scan through the UI or the API.

To trigger a scan via the UI, select the Actions button in the top right, then select Start New Scan from the drop-down menu:


You’ll see a banner showing that the scan is in progress. When the banner indicates that the scan has finished, you can refresh the page for results.

To trigger a scan via the API, see the API User Guide.