Example: Scan, Detect Drift, Enforce
Fugue scans your cloud infrastructure and identifies compliance violations according to the compliance families you choose. You may optionally set a baseline and Fugue will detect when resources drift from that baseline. You can also choose to enable enforcement, and Fugue will remediate drift, automatically reverting changes and returning infrastructure back to the known-good state of your baseline.
This example explains how to use Fugue to scan your existing cloud infrastructure, set up a baseline, and enable baseline enforcement.
What We’ll Do In This Example
Scan the existing infrastructure in your cloud provider account
Set a baseline so Fugue can detect drift
Enable baseline enforcement so Fugue can revert drift
First, you’ll need to sign up for Fugue. Then, you can define an environment for Fugue to scan. An environment represents all of the cloud infrastructure in a particular region, along with configuration parameters such as compliance families and baseline settings.
Select the “Define Your Environment” button and enter an environment name, then select a cloud service provider.
We’ll call our environment Fugue Demo. If you selected AWS, you’ll pick a region and set up an IAM role next. If you selected Azure, you’ll register an Active Directory application so Fugue can connect to Azure.
Select the resources you want Fugue to scan, detect drift in, and enforce by checking the appropriate boxes.
Scan access gives Fugue permission to scan and detect drift in your environment. (Read access)
Enforce access gives Fugue permission to enforce resources in your environment by automatically remediating unauthorized changes. (Write access)
After you allow Fugue to connect to your cloud provider account, you can choose the compliance standards you’d like Fugue to use in evaluating your infrastructure:
Select as many or as few (even none) as you’d like – you can change them any time. Then, select “Continue.”
You’ll have a chance to review your environment settings before creating it. If everything looks good, select “Create Environment.”
Fugue begins scanning the designated AWS account or Azure subscription, and since it might take a little time, you have the option to continue the process in the background. When it’s done, you’ll see the compliance state of all the resources it scanned and whether they passed or failed compliance validation.
There are three different ways to view compliance state:
Compliance By Rule shows the results of the scan organized by compliance rule. You might see that CIS AWS 1-10, IAM Policy Prevent Password Reuse, failed due to 1 noncompliant resource. Or you might see that your infrastructure is compliant with CIS Azure 6.5, Ensure that Network Watcher is “Enabled.”
Compliance By Resource Type categorizes results by resource types and shows a ratio of compliant to noncompliant resources. You might see that you have 2 compliant S3 buckets and 4 noncompliant S3 buckets, or 3 compliant virtual networks and 5 noncompliant virtual machines.
Compliance by Resource shows you the pass/fail details for individual resources. You might see that security group sg-07273b045b3123456 is noncompliant. If you select its resource ID, you’ll see more detailed information. For example, you might see that the security group failed NIST SP 800-53 AC-4 because it allows ingress from 0.0.0.0/0 to port 22.
At this point, you can decide whether or not to manually bring any noncompliant resources into compliance. For example, say Fugue indicates that VPC vpc-0b647e085f7e954d1 violates CIS AWS 2-9, which requires that each VPC must have a flow log associated with it. In this case, you can choose to enable a flow log for the VPC in order to set a known-good baseline, or you can leave it disabled.
Likewise, if you have an Azure storage account that has “Secure transfer required” disabled, you can opt to enable it or just leave it as is.
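To make the three compliance views concrete, here is an added example (not Fugue’s engine or any code from the page) that evaluates a constructed inventory against the three checks mentioned above and then groups the results by rule, by resource type, and by resource. The resource record layout, the rule predicates, and the constructed IDs such as sg-0aaaaaaaaaaaaaaaa are assumptions made for the illustration; the IDs sg-07273b045b3123456 and vpc-0b647e085f7e954d1 are reused from the page as sample data.

```python
from collections import defaultdict

# Constructed sample inventory. The record shape (id/type plus a few
# rule-relevant attributes) is an assumption for this example.
SAMPLE_RESOURCES = [
    {"id": "sg-07273b045b3123456", "type": "AWS.EC2.SecurityGroup",
     "ingress": [{"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22}]},
    {"id": "sg-0aaaaaaaaaaaaaaaa", "type": "AWS.EC2.SecurityGroup",
     "ingress": [{"cidr": "10.0.0.0/8", "from_port": 22, "to_port": 22}]},
    {"id": "vpc-0b647e085f7e954d1", "type": "AWS.EC2.VPC", "flow_logs": []},
    {"id": "vpc-0ccccccccccccccc", "type": "AWS.EC2.VPC", "flow_logs": ["fl-0ccc"]},
    {"id": "stexample", "type": "Azure.Storage.StorageAccount",
     "secure_transfer_required": False},
]


def sg_no_public_ssh(sg):
    """NIST SP 800-53 AC-4 style check from the page: fail if any ingress
    rule lets 0.0.0.0/0 reach port 22."""
    return not any(r["cidr"] == "0.0.0.0/0" and r["from_port"] <= 22 <= r["to_port"]
                   for r in sg.get("ingress", []))


def vpc_has_flow_log(vpc):
    """CIS AWS 2-9: each VPC must have a flow log associated with it."""
    return bool(vpc.get("flow_logs"))


def storage_secure_transfer(acct):
    """Azure storage account must have 'Secure transfer required' enabled."""
    return bool(acct.get("secure_transfer_required"))


# rule name -> (resource type it applies to, predicate that is True when compliant)
RULES = {
    "NIST SP 800-53 AC-4": ("AWS.EC2.SecurityGroup", sg_no_public_ssh),
    "CIS AWS 2-9": ("AWS.EC2.VPC", vpc_has_flow_log),
    "Secure transfer required": ("Azure.Storage.StorageAccount", storage_secure_transfer),
}


def evaluate(resources, rules=RULES):
    """Run every applicable rule against every resource.
    Returns a list of dicts with keys rule, resource_id, resource_type, passed."""
    results = []
    for rule_name, (rtype, check) in rules.items():
        for res in resources:
            if res["type"] == rtype:
                results.append({"rule": rule_name, "resource_id": res["id"],
                                "resource_type": rtype, "passed": check(res)})
    return results


def compliance_by_rule(results):
    """'Compliance By Rule' view: rule -> number of noncompliant resources."""
    view = defaultdict(int)
    for r in results:
        view[r["rule"]] += 0 if r["passed"] else 1
    return dict(view)


def compliance_by_resource_type(results):
    """'Compliance By Resource Type' view: type -> {compliant, noncompliant}.
    A resource counts as noncompliant if it fails any rule that applies to it."""
    failed = defaultdict(bool)
    rtype_of = {}
    for r in results:
        failed[r["resource_id"]] |= not r["passed"]
        rtype_of[r["resource_id"]] = r["resource_type"]
    view = defaultdict(lambda: {"compliant": 0, "noncompliant": 0})
    for rid, is_failed in failed.items():
        view[rtype_of[rid]]["noncompliant" if is_failed else "compliant"] += 1
    return dict(view)


def compliance_by_resource(results):
    """'Compliance By Resource' view: resource ID -> list of rules it failed
    (an empty list means the resource passed everything that applied)."""
    view = defaultdict(list)
    for r in results:
        failures = view[r["resource_id"]]
        if not r["passed"]:
            failures.append(r["rule"])
    return dict(view)


if __name__ == "__main__":
    scan = evaluate(SAMPLE_RESOURCES)
    print(compliance_by_rule(scan))
    print(compliance_by_resource_type(scan))
    print(compliance_by_resource(scan))
```

The port check uses an inclusive range test rather than an exact match on 22, so a rule opening ports 0–65535 to the world is caught as well, which is the case a practitioner most often misses when writing this check by hand.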
If you only want to view your infrastructure’s compliance state, feel free to stop here. But if you’d like to set a baseline to detect and optionally remediate drift, continue reading – there’s more to see!
Set a Baseline And Detect Drift
If you’ve reviewed the compliance status of your infrastructure and have finished making any modifications, you can set the baseline. At the top right of the page, click the Actions button, then select Establish Baseline from the drop-down menu.
You’ll be prompted to confirm your selection. After you select “Yes, Establish Baseline,” Fugue establishes the current snapshot of resource configuration as the source of truth. If a resource in the baseline is modified or deleted, or if a resource that is not in the baseline is created, Fugue will flag it for you.
To test out Fugue’s drift detection feature, use the AWS Management Console, AWS CLI, Azure Portal, or Azure CLI to change a resource in the baseline. Let’s start by modifying something small. You can decide what to do based on the infrastructure you have, but here are some ideas:
Change the port range in an AWS or Azure security group ingress rule
Change the public access level for Azure blob containers
Change a statement in an AWS IAM policy
After you’ve modified the resource, Fugue will detect the change during its next scan. If you don’t want to wait, you can manually trigger a scan via the UI or API.
Once the next scan is completed, results appear on the Events page, which lists each drift event (deviation from the baseline). You’ll see the following data:
Resource ID: The AWS ID of a resource that changed. Example:
Resource type: The type of resource that changed. Example:
Change: The type of drift. Either
Event type: The type of event. Either
Result: Whether or not a resource was enforced. Either
Detected date: When the drift was detected. Example: 7/13/19, 7:39 PM
Above, you can see several drift events. Each item above represents an addition, deletion, or modification to the baseline.
Now that you’ve seen Fugue’s drift report, you can stop here if you’re content with reviewing it and manually determining whether to revert resources. But if you’d like to explore Fugue’s baseline enforcement feature, keep reading!
Enable Baseline Enforcement
To enable baseline enforcement, select the Actions button at the top right of the page and find the Edit Environment option in the drop-down menu. This is where you can change your environment name, update your IAM role ARN or Azure credentials, select different compliance standards, and enable/disable enforcement.
In the dialog that pops up, select the Enforcement tab and check the box next to Enable Baseline Enforcement. Note that by doing so, you authorize Fugue to automatically remediate any changes made to your cloud infrastructure that diverge from your selected baseline resources.
Now that we’ve turned on baseline enforcement, let’s make a small modification for Fugue to revert.
Change the name of an AWS VPC
Enable or disable Network Watcher for an Azure region
Change the protocol of a security group egress rule
After you’ve modified the resource, Fugue will detect the change and remediate it during its next scan.
Once the next scan has completed, results again appear on the Events page. This time, however, you should see that the resource you changed has been changed back – it now has an event type of Remediation and a result of Reverted. You can verify the changes by checking the AWS Management Console or the Azure Portal. You’ll see that Fugue has returned your infrastructure to the known-good state of your baseline, and you didn’t have to lift a finger!
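The baseline, drift-detection, and enforcement behaviour described in the two sections above (flag additions, deletions, and modifications relative to a frozen snapshot; with enforcement on, revert them and record a Remediation event with result Reverted) can be modelled end to end. The following is an added example written for this page, not Fugue’s implementation: snapshots are plain dicts keyed by resource ID, the change labels Added/Removed/Modified and the pre-enforcement event type Drift and result Detected are assumed names (the page shows only Remediation and Reverted), and the constructed scan reuses the page’s suggested edits (rename a VPC, change a security group egress protocol) plus one created and one deleted resource.

```python
import copy
from dataclasses import dataclass


@dataclass(frozen=True)
class DriftEvent:
    """One row of the Events page, with the fields listed above."""
    resource_id: str
    resource_type: str
    change: str         # assumed labels: "Added", "Removed", "Modified"
    event_type: str     # "Drift" (assumed) or "Remediation" (from the page)
    result: str         # "Detected" (assumed) or "Reverted" (from the page)
    detected_date: str


# Constructed baseline snapshot: resource ID -> configuration.
BASELINE_SNAPSHOT = {
    "vpc-0b647e085f7e954d1": {"type": "AWS.EC2.VPC", "tags": {"Name": "prod"}},
    "sg-07273b045b3123456": {"type": "AWS.EC2.SecurityGroup",
                             "egress": [{"protocol": "tcp", "from_port": 443,
                                         "to_port": 443, "cidr": "0.0.0.0/0"}]},
    "fl-0abcabcabcabcabca": {"type": "AWS.EC2.FlowLog",
                             "vpc": "vpc-0b647e085f7e954d1"},
}


def establish_baseline(snapshot):
    """Freeze the current snapshot as the source of truth."""
    return copy.deepcopy(snapshot)


def drifted_snapshot():
    """Constructed 'next scan': VPC renamed, egress protocol changed,
    one unbaselined security group created, the flow log deleted."""
    current = copy.deepcopy(BASELINE_SNAPSHOT)
    current["vpc-0b647e085f7e954d1"]["tags"]["Name"] = "prod-renamed"
    current["sg-07273b045b3123456"]["egress"][0]["protocol"] = "udp"
    current["sg-0new0000000000000"] = {"type": "AWS.EC2.SecurityGroup", "egress": []}
    del current["fl-0abcabcabcabcabca"]
    return current


def detect_drift(baseline, current, detected_date):
    """Compare a scan against the baseline and emit one event per deviation."""
    events = []
    for rid in sorted(set(baseline) | set(current)):
        if rid not in current:
            events.append(DriftEvent(rid, baseline[rid]["type"], "Removed",
                                     "Drift", "Detected", detected_date))
        elif rid not in baseline:
            events.append(DriftEvent(rid, current[rid]["type"], "Added",
                                     "Drift", "Detected", detected_date))
        elif baseline[rid] != current[rid]:
            events.append(DriftEvent(rid, baseline[rid]["type"], "Modified",
                                     "Drift", "Detected", detected_date))
    return events


def enforce(baseline, current, events):
    """Revert every drift event to the baseline configuration.
    Returns (restored state, remediation events)."""
    restored = copy.deepcopy(current)
    remediated = []
    for ev in events:
        if ev.change == "Added":
            del restored[ev.resource_id]            # unbaselined resource: remove it
        else:                                       # Removed/Modified: restore baseline copy
            restored[ev.resource_id] = copy.deepcopy(baseline[ev.resource_id])
        remediated.append(DriftEvent(ev.resource_id, ev.resource_type, ev.change,
                                     "Remediation", "Reverted", ev.detected_date))
    return restored, remediated


def scan(baseline, current, enforcement_enabled, detected_date="7/13/19, 7:39 PM"):
    """One scan cycle: detect drift, and revert it if enforcement is on."""
    events = detect_drift(baseline, current, detected_date)
    if not enforcement_enabled:
        return current, events
    return enforce(baseline, current, events)


if __name__ == "__main__":
    baseline = establish_baseline(BASELINE_SNAPSHOT)
    for ev in scan(baseline, drifted_snapshot(), enforcement_enabled=False)[1]:
        print("detect only:", ev)
    state, evs = scan(baseline, drifted_snapshot(), enforcement_enabled=True)
    for ev in evs:
        print("enforced:   ", ev)
    print("back to baseline:", state == baseline)
```

Two properties are worth checking whenever you build or evaluate a tool like this: a scan run against the restored state must produce no events (enforcement is idempotent), and the baseline object itself must never be mutated by a scan, which is why establish_baseline and enforce both deep-copy.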
While Fugue can be viewed as an essential component for maintaining your infrastructure compliance, we cannot provide an explicit guarantee or official certification for any compliance standard(s) or benchmark included in the product. We recommend working with an approved auditor to obtain any official compliance certifications.