Environment Configuration

Note

This guide is for configuring existing Fugue environments. If you’re looking for info on setting up a new environment, including configuring role permissions and selecting resource types or resource groups, see Setup - AWS or Setup - Azure.

Permissions

Fugue requires read-only access to all services you want Fugue to scan for compliance or drift and read and write access to all services you want Fugue to enforce (auto-remediate). This access is controlled through your associated AWS IAM role or Azure service principal. Details on setup are provided in Setup - AWS and Setup - Azure. If you have further questions, reach out to support@fugue.co.

Environments

An environment represents cloud infrastructure in a provider account and includes resource configuration, compliance state, and more. Fugue uses the environment as a “unit” to manage security and compliance assessments as well as baseline configuration drift/enforcement.

In the top right corner of your browser, the “Environments” link brings you to the Environments landing page, which allows you to do the following:

You can also edit the settings for your current environment by selecting the cog icon on the environment dashboard. It opens the same panel with the environment details for the active environment.

_images/settings-cog-location.png

Removing an Environment

There are two methods you can use to remove an environment:

  • Click on the cog icon on the environment dashboard to access the Settings page and then click the “Remove Environment” button under the environment name.

_images/remove-env-button.png
  • Alternatively, you can select the Environments link on the environment dashboard, select the ellipsis next to the target environment, and click “Remove Environment.”

_images/RiskManager_Remove_Environment_2.png

Setting a Baseline

Before you can enable drift detection, you must first establish a baseline. A baseline is a snapshot of a “known-good” configuration of cloud infrastructure. It is a complete picture of a cloud environment and defines every resource with all of its attributes. A baseline acts as a “contract” between different stakeholders such as DevOps and Security. It provides the context for determining drift and enforcing resources.

One way to set an initial baseline is by selecting the “Establish Baseline” button on the Compliance page.

_images/RiskManager_BaselineButton.png

To the left of the “Establish Baseline” button is a date picker that pops up a calendar view of previous scans. By default, the results of the most recent scan are used as the baseline, but you can select an earlier scan to establish the baseline using an earlier state of your infrastructure.

_images/RiskManager_PopupCalendar.png

Above, the current selection would establish the baseline using resources from a scan on August 22, 2019 at 9:09 AM.

You can also set your first baseline from the Events or Baseline pages. The “Establish Your First Baseline” dialog offers the choice of “Use Latest Scanned Resources” or “Select Past Scan.”

_images/RiskManager_EstablishFirstBaseline.png

Choosing the “Select Past Scan” button brings you to the Compliance page where you can select a past scan from the date picker.

Once you select a scan to use as a baseline, Fugue will prompt you to confirm your selection. Select “Yes, Establish Baseline” to continue.

_images/RiskManager_ConfirmBaseline.png

This will automatically enable drift detection as well.

You can view the resources recorded in your baseline at any time by navigating to the Baseline page through the link at the top right of the screen.

_images/BaselinePageLink.png

The Baseline page lists the resource ID, resource type, tags, and detected date of each resource recorded in your baseline.

_images/BaselinePageListofResources.png

Updating a Baseline

You may change the baseline at any time and the new baseline will go into effect with the next scan. To set a new baseline, use the date picker on the Compliance page to select the time and date of the scan you want to use as a baseline.

_images/RiskManager_PopupCalendar.png

Then, select the “Establish Baseline” button. A prompt will ask you to confirm your selection; select “Yes, Establish Baseline” to continue.

_images/RiskManager_BaselineButton.png

The next scan will use the updated baseline to detect drift or enforce resources. You can view the resources in a baseline by accessing the Baseline page through the link at the top right of the screen.

_images/BaselinePageLink.png

Disabling a Baseline & Drift Detection

To disable a baseline and drift detection, use the API to update the environment with this request body:

{
  "baseline_id": ""
}

How to Tell if a Baseline Is Established

If you’re not sure whether you’ve established a baseline for an environment yet, you can check its status above the “Establish Baseline” button. When a baseline has not been established, the status says “Not Established & Disabled.”

_images/RiskManager_BaselineDisabled.png

When a baseline has been established, it says “Established & Enabled.”

_images/RiskManager_BaselineEstablished.png

Drift Detection

Drift is any change to the configuration of a resource, or the deletion of an existing resource or the creation of a new resource, that deviates from a baseline. Drift is typically an inadvertent change made outside of the official change control process and can cause security or operational issues. Drift detection is a feature in which Fugue detects any configuration changes that deviate from the baseline.

After a baseline is established, future scans populate the Events page with data about any changes to your infrastructure, including resource additions, deletions, and modifications.

_images/RiskManager_DriftReport.png

Above, you can see a sample drift report listing resources that have been added, removed, or modified from the baseline state. The report contains the following data:

  • Resource ID: The AWS ID of a resource that changed. Example: risk-manager-demo-123

  • Resource type: The type of resource that changed. Example: AWS.S3.Bucket

  • Change: The type of drift. Either Added, Removed, or Modified

  • Event type: The type of event. Either Drift or Remediation

  • Result: Whether or not a resource was remediated. Either Reverted or blank

  • Detected date: When the drift was detected. Example: 11/16/18, 11:02 PM

To disable drift detection, see Disabling a Baseline & Drift Detection.

Enabling Enforcement

Baseline enforcement, also known as auto-remediation, is an action taken without human intervention by Fugue to revert any configuration drift back to the established baseline without the need for external remediation scripts or “bots.”

To enable enforcement, you must first establish a baseline and enable drift detection. Once a baseline is established, you can reach the Enforcement Settings tab in two ways:

  • Through the Settings button (cog icon)

  • Through the “Disabled” or “Enabled” link below Baseline Enforcement

_images/RiskManager_EnforcementSettings.png

The Settings page has an Enforcement tab containing a checkbox that allows you to enable baseline enforcement. To enable enforcement, simply check the box. To disable it, uncheck the box.

_images/RiskManager_EditEnforcementSettings.png

You can change this setting at any time, and your changes will go into effect in the next scan.

Once the baseline enforcement feature is enabled, Fugue will automatically remediate modifications made to your cloud infrastructure that diverge from your baseline. The Events page lists all remediation events in addition to drift events.

Note

When baseline enforcement is enabled, Fugue will only remediate modified resources. Resources that remain unchanged, were added, or were removed will be left as-is. Contact support@fugue.co for additional details.
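The following is an added illustrative model, not Fugue's own code, of how the drift report fields described above (Resource ID, Resource type, Change, Event type, Result) are derived from a baseline and a later scan, and of the enforcement rule in the Note: only Modified resources get a Remediation event with the result Reverted, while Added and Removed resources are left as-is. The baseline, scan, resource IDs and detected date are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample data: a baseline snapshot and a later scan, keyed by resource ID.
BASELINE: Dict[str, dict] = {
    "risk-manager-demo-123": {"type": "AWS.S3.Bucket", "attrs": {"versioning": True, "public": False}},
    "demo-sg-1": {"type": "AWS.EC2.SecurityGroup", "attrs": {"ingress": ["10.0.0.0/8:443"]}},
    "demo-kms-1": {"type": "AWS.KMS.Key", "attrs": {"rotation": True}},
}
CURRENT_SCAN: Dict[str, dict] = {
    "risk-manager-demo-123": {"type": "AWS.S3.Bucket", "attrs": {"versioning": True, "public": True}},  # modified
    "demo-kms-1": {"type": "AWS.KMS.Key", "attrs": {"rotation": True}},  # unchanged: no event
    "demo-sg-2": {"type": "AWS.EC2.SecurityGroup", "attrs": {"ingress": ["0.0.0.0/0:22"]}},  # added
}  # demo-sg-1 is absent from the scan, so it is reported as Removed


@dataclass
class Event:
    """One row of the drift report as described on the page."""
    resource_id: str
    resource_type: str
    change: str        # Added, Removed or Modified
    event_type: str    # Drift or Remediation
    result: str        # "Reverted" or blank
    detected_date: str


def detect_drift(baseline: Dict[str, dict], scan: Dict[str, dict], detected_date: str) -> List[Event]:
    """Compare a scan against the baseline; unchanged resources produce no event."""
    events: List[Event] = []
    for rid in sorted(set(baseline) | set(scan)):
        if rid not in scan:
            events.append(Event(rid, baseline[rid]["type"], "Removed", "Drift", "", detected_date))
        elif rid not in baseline:
            events.append(Event(rid, scan[rid]["type"], "Added", "Drift", "", detected_date))
        elif baseline[rid]["attrs"] != scan[rid]["attrs"]:
            events.append(Event(rid, scan[rid]["type"], "Modified", "Drift", "", detected_date))
    return events


def enforce(events: List[Event], enforcement_enabled: bool) -> List[Event]:
    """Model of the Note above: with enforcement on, only Modified resources are reverted."""
    if not enforcement_enabled:
        return events
    remediations = [
        Event(e.resource_id, e.resource_type, e.change, "Remediation", "Reverted", e.detected_date)
        for e in events
        if e.change == "Modified"
    ]
    return events + remediations  # Added/Removed drift events stay, with a blank Result
```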

If you’re not sure whether enforcement has been enabled, you can check its status above the “Establish Baseline” button. When enforcement is enabled, the status says “Enabled.”

_images/RiskManager_EnforcementStatus.png

When enforcement is not enabled, it says “Disabled.”

_images/RiskManager_EnforcementStatusDisabled.png