Fugue

Menu
  • Product
    • Overview
    • Visualizer
    • Baselines
    • API
  • Docs
  • GitHub
  • Pricing
  • Customers
  • Blog
  • Company
    • About
    • Leadership
    • Investors
    • Security
    • Careers
    • Press
  • Log In
  • Start Free Trial
Viewing Docs For

Fugue v2020.06.05

  • Home
  • Getting Started
    • Contents
      • Setup - AWS & AWS GovCloud
        • Sign Up for Fugue
        • Step 1: Setup (Name, Provider)
        • Step 2: Settings (Region & Resources, IAM Role)
        • Step 3: Compliance
        • Step 4: Review
        • What’s Next?
      • Setup - Azure
        • Sign Up for Fugue
        • Step 1: Setup (Name, Provider)
        • Step 2: Settings (Credentials, Resource Groups)
        • Step 3: Select Compliance Libraries
        • Step 4: Review Environment Details
        • What’s Next?
      • Google Cloud Support
      • Fugue 101
        • Concepts
        • Navigating Fugue
      • Use Cases
        • AWS Scanning Compliance
        • Drift
        • Enforcement
    • Get Started in 5 Minutes
      • Sign up for Fugue
      • Step 1: Environment Setup
      • Step 2: Environment Settings
        • AWS and AWS GovCloud
        • Azure
      • Step 3: Select Compliance Standards
      • Step 4: Review
        • AWS and AWS GovCloud
        • Azure
      • Further Reading
  • Examples
    • Contents
      • Tutorial: Hello World AWS, API (curl)
        • Getting started
        • Sign up for Fugue
        • Create API Client ID and Secret
        • Set Environment Variables
        • Select Resource Types
        • Generate IAM Policy
        • Create Role via AWS CLI
        • Assemble Request Body
        • Send Request to Create Environment
        • What’s Next?
      • Tutorial: Hello World AWS, API (Postman)
        • Getting started
        • Sign up for Fugue
        • Create API Client ID and Secret
        • Configure Collection
        • Select Resource Types
        • Generate IAM Policy
        • Create Role via AWS CLI
        • Assemble Request Body
        • Send Request to Create Environment
        • What’s Next?
      • How To: Create a Fugue IAM Role
        • What’s Going to Happen?
        • Let’s Go!
        • How do I see the role permissions before creating the role?
        • What’s Next?
      • How To: Manually Create a Fugue IAM Role
        • Create a New Role
      • How To: Update the Fugue IAM Role
        • Update Role to Enable Enforcement
        • Update IAM Role Trust Policy
      • How To: Add or Remove Azure Resource Groups
        • Updating Selected Resource Groups with curl
        • Updating Selected Resource Groups with Postman
      • How To: Set a Baseline (UI)
        • What’s a Baseline?
        • Setting Your First Baseline
        • Setting or Updating a Baseline with the Actions button
        • What’s Next?
      • How To: Set a Baseline (CLI)
        • What’s a Baseline?
        • Setting a baseline via the CLI
        • What’s Next?
      • How To: Set a Baseline (API)
        • What’s a Baseline?
        • Setting a baseline with curl
        • Setting a baseline with Postman
        • What’s Next?
      • Example: Scan, Detect Drift, Enforce
        • Prerequisites
        • What We’ll Do In This Example
        • Let’s Go!
        • What’s Next?
      • Example: Fugue Notifications in Slack
        • Prerequisite: Create Fugue Notification
        • Step 1: Create Slack Incoming Webhook
        • Step 2: Create Lambda Function
        • Step 3: Subscribe Lambda Function to FugueSNSTopic
        • Step 4: Test the Integration
        • Lambda Function Code
      • Example: Fugue CI/CD with Terraform, GitHub, CircleCI
        • Get Started
        • Quick Start
        • List of files in the example
        • How to create a new CircleCI project
        • Line-by-line explanation of configuration
        • Further reading
      • Example: Fugue CI/CD with Regula Pre-deployment Checks
        • Get Started
        • Further reading
    • Open Source Tool Examples
  • Fugue Plans
    • 30-Day Enterprise Trial (Free)
    • Fugue Enterprise (Paid)
    • Fugue Team (Paid)
    • Fugue Developer (Free)
    • Plan Comparison
    • More Information
    • Account Overview Page
  • Environment Configuration
    • Configuring an Environment
      • Configurable Settings for Environments
      • Updating Scanned or Enforced Resources
      • Updating Region(s)
      • Removing an Environment
    • Setting or Updating a Baseline
      • Setting a Baseline to an Earlier Scan
      • Viewing Baseline Resources
      • Disabling a Baseline & Drift Detection
        • Suppressing Drift Events for Individual Resources
      • How to Tell if a Baseline Is Established
    • Drift Detection
      • Disabling Drift Detection
      • Enabling or Disabling Enforcement
    • Triggering a Scan
  • Compliance
    • Browsing the Data
      • Filtering Results
    • Compliance Concepts
      • What is a rule?
      • What is a control?
      • How do rules relate to controls?
      • What is a rule result?
      • What is a resource evaluation?
        • Resource evaluation values
      • What is a control evaluation?
        • Control evaluation values
    • Fugue Best Practices
    • Further Reading
  • Custom Rules
    • What are Custom Rules?
    • General Custom Rules Workflow
    • Writing Custom Rules
      • Simple Custom Rules
        • Step 1: Determine resource attributes (simple)
        • Step 2: Define pass or fail conditions for the resource (simple)
        • allow rules
        • deny rules
        • Multiple queries
      • Advanced Custom Rules
        • Advanced Custom Rule with a Single Resource Type
        • Advanced Rule Functions
        • Expanding an Advanced Custom Rule
        • Advanced Custom Rules with Multiple Resource Types
      • Custom Rules Cheat Sheet
    • Creating and Managing Custom Rules - UI
      • Creating Custom Rules - UI
      • Modifying and Deleting Custom Rules - UI
      • Viewing Compliance Results - UI
        • Compliance by Control - UI
        • Compliance by Resource Type - UI
        • Compliance by Resource - UI
    • Creating, Testing, and Managing Custom Rules - API
      • Creating Custom Rules - API
        • Creating a Rule via API - Get Input for Test
        • Creating a Rule via API - Test the Rule
        • Creating a Rule via API - Add the Rule
      • Modifying and Deleting Custom Rules - API
        • Modifying Custom Rules - API
        • Deleting Custom Rules - API
      • Viewing Compliance Results - API
        • Compliance by Control - API
        • Compliance by Resource Type - API
        • Compliance by Resource - API
      • Custom Rules API - Things to Know
    • Example Rules
    • Learning Rego
  • Visualizer
    • Visualization Components
      • Security Group Connections Between Resources
    • Visualizing Resource Compliance State
    • Viewing Resource Groups and Collections
      • Resource groups
      • Collections
      • How to expand and collapse groups/collections
      • Nested groups/collections
      • How collapsed groups and collections show compliance
    • Viewing Resource Details
    • Panning, Zooming, and Viewing in Full Screen
    • Which Resources Are Visualized?
      • Supported AWS & AWS GovCloud Resources
        • VPC Attributes
        • AWS & AWS GovCloud Resources Supporting Compliance State Visualization
        • Implicit Resources
      • Supported Azure Resources
        • VNet Attributes
        • Azure Resources Supporting Compliance State Visualization
    • Visualizing Previous Scans
    • View Options
      • Exporting a Diagram
    • Supported Browsers
      • WebGL is Required
  • Organization
    • Contents
      • User Management
        • User Setup
        • Single Sign-on (SSO)
        • Multi-Factor Authentication (MFA)
      • Role-Based Access Control (RBAC)
        • RBAC Overview
        • Groups, Policies, Users
        • Getting Started with RBAC
        • More About User Management
  • Reports and Notifications
    • Contents
      • Notifications
        • The Notifications Tab
        • Setting Up Notifications
        • Editing or Deleting a Notification
        • Types of Notification Events
        • Example Notifications
        • Notifications FAQ
      • Compliance Report Email
        • Setting up the Compliance Report Email
    • Export Data
      • Steps
      • Data
  • API
    • Contents
      • API User Guide
        • What is the Fugue API?
        • API Functions
        • Use Cases
        • How to Use the API
        • OpenAPI 2.0 Spec
        • Authentication
        • Making API Requests
        • Deep Dives
        • API Tools
        • Further Reading
      • API Request Examples
        • Listing Details for All Environments
        • Creating an Environment
        • Retrieving Details for a Single Environment
        • Updating an Environment
        • Deleting an Environment
        • Listing Scans for an Environment
        • Triggering a New Scan
        • Retrieving Details for a Scan
        • Listing Compliance Results by Control for a Scan
        • Listing Compliance Results by Resource Type for a Scan
        • Listing Compliance/Drift/Baseline Enforcement Events for an Environment
        • Returning Fugue’s OpenAPI 2.0 Specification
        • Listing IAM Permissions Required to Scan/Enforce Resources
        • Listing Supported Resource Types
        • Listing Details for All Notifications
        • Creating a Notification
        • Updating a Notification
        • Listing Details for All Notifications
        • Deleting a Notification
        • Creating a Custom Rule
        • Listing Custom Rules
        • Retrieving Details for a Rule
        • Updating a Custom Rule
        • Deleting a Custom Rule
        • Testing a Custom Rule
        • Getting Input for a Custom Rule Test
        • Further Reading
      • API Reference
  • CLI
    • Commands
      • create - Create subcommands
        • create
        • Output Attributes
        • Examples
      • delete - Delete subcommands
        • delete
        • Examples
      • get - Get subcommands
        • get
        • Output Attributes
        • Examples
      • help - Help about any command
        • help
        • Examples
      • list - List subcommands
        • list
        • Output Attributes
        • Examples
      • scan - Trigger a scan
        • scan
        • Output Attributes
        • Examples
      • sync - Sync files to your account
        • sync
        • Examples
      • update - Update subcommands
        • update
        • Output Attributes
        • Examples
    • Usage
    • Installation
      • macOS installation
      • Windows installation
    • Environment Variables
    • Accepted Parameter Values
      • How to format fugue flags
      • How to look up fugue arguments
    • Tips
      • env alias
      • Help for any command
    • Installation Error Message
  • Service Coverage
    • Contents
      • Service Coverage - AWS & AWS GovCloud
        • AWS Standard Regions
        • Recommended Resource Types: AWS
        • Supported Services: AWS GovCloud
        • Recommended Resource Types: AWS GovCloud
        • Resources Not Included In Fugue-Recommended List
      • Service Coverage - Azure
        • Automation (beta)
        • CDN (beta)
        • Compute
        • Container (beta)
        • Databricks (beta)
        • KeyVault (beta)
        • MySQL (beta)
        • Network
        • PostgreSQL (beta)
        • SQL
        • Storage
    • Regions and Resources: Things to Know
      • Supported AWS and AWS GovCloud Regions
      • Changing AWS Region
      • Changing Resource Selection
      • Resources Under Management
      • Resource Types That Don’t Report Drift
  • AWS IAM Policy Permissions
    • SecurityAudit read-only (scan) permissions
    • Supplemental read-only (scan) permissions
    • Supplemental write (enforce) permissions
  • FAQ
    • General
      • How do I contact support?
      • Where can I sign up for Fugue?
      • How do I change my Fugue user password?
      • What browsers are supported?
      • What are some use cases for Fugue?
    • Plans
      • What plans are offered?
      • What’s the difference between Enterprise Trial, Enterprise, and Developer?
      • How do I upgrade my Fugue account?
      • How do I find out what my plan is?
      • How is scanning limited in Fugue Developer and Fugue Team?
      • How much does it cost?
      • Where can I find more information?
    • Environments
      • How many environments can Fugue store?
      • Does Fugue support AWS GovCloud?
      • What AWS and AWS GovCloud regions does Fugue support?
      • How can I change my environment’s region(s)?
      • Does Fugue support Microsoft Azure?
      • How can I quickly create multiple environments?
    • Scanning
      • How can I trigger a scan?
      • Where do I view my scan results?
      • How can I change the resources that Fugue scans in my AWS standard or GovCloud environment?
      • How can I change the resource groups Fugue scans in my Azure environment?
      • Can I scan ElastiCache clusters within a replication group?
    • Compliance
      • What compliance families are supported?
      • Can I change the compliance standards Fugue uses to evaluate my infrastructure?
      • Will changing my compliance standards and saving them automatically trigger a new scan?
      • How can I output a CSV or Excel file of compliance results for my Fugue account?
    • Drift Detection & Enforcement
      • How do I set or update a baseline?
      • Can I turn off drift detection?
      • How do I enable enforcement?
      • How do I disable enforcement?
      • How can I change the AWS or AWS GovCloud resources that Fugue enforces?
      • Can Fugue enforce the resource groups in my Azure environment?
      • What kind of drift does Fugue enforce?
      • When a resource is enforced, does Fugue simply modify it, or does it destroy the resource and recreate it?
    • AWS IAM Permissions
      • What kind of AWS IAM permissions does Fugue need?
        • SecurityAudit read-only policy
      • Can I give Fugue enforce access (write permissions) without enabling baseline enforcement?
      • What permissions are needed for compliance scanning, drift detection, and baseline enforcement?
      • How do I update the Fugue IAM role trust policy?
      • What’s the SecurityAudit policy and why is it attached?
      • What if I don’t want to use the SecurityAudit policy?
      • Why does Fugue use inline policies instead of managed policies?
    • Azure Service Principal Role
      • What type of RBAC role does Fugue require to scan and enforce my Azure infrastructure?
    • Service Coverage
      • What cloud provider services does Fugue support?
    • Organization
      • How do I manage users?
      • How do I use RBAC to manage users?
      • How do I enable SSO?
      • How do I enable MFA?
    • Visualizer
      • How can I visualize the resources in my environment?
      • What resource types are visualized?
      • What do the characters next to subnet and security group names mean?
      • Which cloud providers are supported?
      • Does the visualizer support keyboard shortcuts?
    • Notifications
      • What if I have a question about notifications?
    • Best Practices
      • AWS Regions and Environments
      • Recommended AWS Resource Types to Scan
      • Recommended AWS Resource Types to Enforce
        • Read permissions
        • Write permissions
      • Avoid Enforcing AWS Autoscaled Resources
      • Enable Multi-Factor Authentication (MFA)
    • Known Issues
      • Maximum of 1,000 SQS Queues
      • Notification of Newly Compliant Resources When Transitioning to Fugue Developer
    • Other
      • What if I have other questions?
  • Open Source Projects
    • Fregot
    • Regula
    • credstash
    • s3fc
  • Glossary
  • Release Notes
    • 2020.06.05
      • Ability to export compliance data via the UI
    • 2020.06.04
      • Extended Azure Service Coverage Beta
      • Visualizer Updates
      • Updates to Compliance Rules
    • 2020.05.29
      • Visualizer Updates
      • Expanded AWS Service Coverage
      • Bug Fixes
    • 2020.05.12
      • Support for CIS Controls 7.1
      • Visualizer Updates
      • Updates to Compliance Terminology
    • 2020.04.29
      • Scoping Environments to Multiple Regions
      • Responsive Registration Page and More
      • Visualizer Updates
    • 2020.04.16
      • Role Based Access Control (RBAC)
      • Cloud Resource Visualization
    • 2020.04.07
      • UX Improvements
      • Rule Engine Upgrade
      • New IAM Permissions Required
      • Compliance Event Notifications
      • Bug Fixes
    • 2020.03.17
    • 2020.03.03
      • On-Demand Scan via the UI
      • Cloud Resource Visualization – View Resource Details
      • UX Improvements to Settings and Setting a Baseline
      • Bug Fixes
      • Removed Obsolete VPC Flow Logs Rule
    • 2020.02.14
      • Cloud Resource Visualization – Collections & Additional Resource Support
      • Rule Updates
    • 2020.01.31
      • Additional AWS Resources - Beta
      • Bug Fixes
    • 2020.01.13
      • Cloud Resource Visualization – Keyboard Shortcuts
      • Multi-Factor Authentication Support (MFA)
    • 2019.12.23
      • Cloud Resource Visualization - Export Functionality
      • Cloud Resource Visualization - VPC Peering
      • Search By Environment
    • 2019.11.21
      • Rule Remediation Steps in Documentation
      • Exporting Visualizer Diagrams and Customizing Your Visualizer View
      • Ability to Delete User Groups
      • Fugue Developer and Fugue Enterprise
      • New Account Overview Page
    • 2019.10.31
      • Single Sign-On (Beta)
      • Additional Compliance Family Support for Azure
      • Fugue Best Practices
    • 2019.10.17
      • Expanded AWS Service Coverage
      • Updates to the Visualizer
    • 2019.10.03
      • Custom Rules
      • CLI
      • Visualizer
    • 2019.09.13
      • Visualizer updates
      • IAM role generation updates
    • 2019.08.23
    • 2019.08.07
    • 2019.07.08
    • 2019.07.03
      • Features
    • 2019.06.26
      • Features
    • 2019.06.10
      • Features
    • 2019.05.29
      • Features
    • 2019.05.09
      • Features
      • Bug Fixes and Improvements
    • 2019.04.25
      • Features
      • Bug Fixes
    • 2019.03.28
      • Features
    • 2019.03.15
      • Features
      • Bug Fixes
    • 2019.02.25
    • 2019.02.12
    • 2019.01.28
    • 2018.11.26
      • Features
        • Scan cloud environments for risks and generate risk reports
        • Scan cloud environments for drift based on the declared baseline
        • Enable baseline enforcement on resources in cloud environments
  • Fugue Support
    • Contact Support
    • Self-Service
      • How do I…
      • Selected FAQs
  • Rule Remediation Steps
    • IAM root user should not be used
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM password policies should prevent reuse of previously used passwords
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM password policies should expire passwords within 90 days
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM root user access key should not exist
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM should have virtual MFA enabled for the root account
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM should have hardware MFA enabled for the root account
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM policies should not be attached to users
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Ensure a support role has been created to manage incidents with AWS Support
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudFront distribution origin should be set to S3 or origin protocol policy should be set to https-only
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudFront viewer protocol policy should be set to https-only
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ELBv1 listener protocol should not be set to http
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Auto Scaling groups should span two or more availability zones
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • EBS volume encryption should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudFront distributions should have geo-restrictions specified
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • AWS credentials (IAM user name/passwords, IAM access keys) unused for 90 days or more should be disabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM user access keys should be rotated every 90 days or less
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM password policies should require at least one uppercase character
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM password policies should require at least one lowercase character
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM password policies should require at least one symbol
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM password policies should require at least one number
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM password policies should require a minimum length of 14
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudTrail should be enabled in all regions
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudTrail log file validation should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket ACLs should not have public access on S3 buckets that store CloudTrail log files
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudTrail trails should have CloudWatch log integration enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • AWS Config should be enabled in all regions
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket access logging should be enabled on S3 buckets that store CloudTrail log files
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for denied connections in VPC Flow Logs should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Alarm for denied connections in CloudFront logs should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudTrail log files should be encrypted using KMS CMKs
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • KMS CMK rotation should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 5900 (Virtual Network Computing)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 5800 (Virtual Network Computing), unless from ELBs
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 5500 (Virtual Network Computing)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 23 (Telnet)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 80 (HTTP), unless from ELBs
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ELBv1 load balancer cross zone load balancing should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group inbound rules should not permit ingress from any address to all ports and protocols
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group inbound rules should not permit ingress from ‘0.0.0.0/0’ to all ports and protocols
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC flow logs should be sent to CloudWatch logs
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • SQS access policies should not have global “.” access
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • SNS subscriptions should deny access via HTTP
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC flow logging should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for unauthorized API calls should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for VPC security group changes should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for changes to VPC NACLs should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for changes to VPC network gateways should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for VPC route table changes should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for VPC changes should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for Management Console sign-in without MFA should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for usage of root account should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for IAM policy changes should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for CloudTrail configuration changes should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for Management Console authentication failures should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ELBv1 load balancer access logging should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudFront access logging should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log groups should be encrypted with KMS CMKs
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • DynamoDB tables should be encrypted with KMS CMKs
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • SQS queue server-side encryption should be enabled (AWS-managed keys)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudFront distributions should be protected by WAFs
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for disabling or scheduled deletion of KMS CMKs should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm should be set for S3 bucket policy changes
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm should be set for Config configuration changes
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to port 22 (SSH)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM password policies should have a minimum length of 7 and include both alphabetic and numeric characters
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to port 3389 (Remote Desktop Protocol)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM password policies should prevent reuse of the four previously used passwords
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC default security group should restrict all traffic
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM policies should not have full “*:*” administrative privileges
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • RDS instances should be encrypted (AWS-managed keys or KMS CMKs)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • RDS instances should have FedRAMP approved database engines
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • RDS instances should be encrypted with KMS CMKs
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket server-side encryption should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket policies should only allow requests that use HTTPS
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket versioning and lifecycle policies should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ELB listener security groups should not be set to TCP all
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security groups attached to EC2 instances should not permit ingress from ‘0.0.0.0/0’ to all ports
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security groups attached to RDS instances should not permit ingress from ‘0.0.0.0/0’ to all ports
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ElastiCache transport encryption should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • DynamoDB tables Point in Time Recovery should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • RDS instances should have backup retention periods configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM multi-factor authentication should be enabled for all IAM users that have a console password
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Storage Accounts ‘Secure transfer required’ should be enabled
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • Virtual Network security groups should not permit ingress from ‘0.0.0.0/0’ to TCP port 3389 (RDP)
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • Virtual Network security groups should not permit ingress from ‘0.0.0.0/0’ to TCP port 22 (SSH)
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • Virtual Network security groups attached to SQL Server instances should not permit ingress from 0.0.0.0/0 to all ports and protocols
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • Virtual Network Network Watcher should be enabled
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • Virtual Machines data disks (non-boot volumes) should be encrypted
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • Virtual Machines unattached disks should be encrypted
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • RDS Aurora cluster multi-AZ should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket policies should not allow all actions for all principals
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket policies should not allow list actions for all principals
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 9200 (Elasticsearch)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 9300 (Elasticsearch)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 2379 (etcd)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27017 (MongoDB)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27018 (MongoDB)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27019 (MongoDB)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM policies should not allow broad list actions on S3 buckets
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM role trust policies should not allow all principals to assume the role
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM roles attached to instance profiles should not allow broad list actions on S3 buckets
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • SQL Server firewall rules should not permit start and end IP addresses to be 0.0.0.0
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • MySQL Database server firewall rules should not permit start and end IP addresses to be 0.0.0.0
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • PostgreSQL Database server firewall rules should not permit start and end IP addresses to be 0.0.0.0
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • Ensure Azure Application Gateway Web application firewall (WAF) is enabled
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • MySQL Database server “enforce SSL connection” should be enabled
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • PostgreSQL Database server “enforce SSL connection” should be enabled
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • S3 buckets should have all “block public access” options enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security groups attached to EC2 instances should not permit ingress from ‘0.0.0.0/0’ to TCP port 389 (LDAP)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 11215 (Memcached SSL)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 135 (MSSQL Debugger)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 137 (NetBIOS Name Service)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 138 (NetBios Datagram Service)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 139 (NetBios Session Service)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/ port 1433 (MSSQL Server)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 1434 (MSSQL Admin)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 2382 (SQL Server Analysis Services browser)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 2383 (SQL Server Analysis Services)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 2484 (Oracle DB SSL)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 3020 (CIFS / SMB)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
  • Home
  • Examples

Examples¶

Contents¶

  • Tutorial: Hello World AWS, API (curl)
  • Tutorial: Hello World AWS, API (Postman)
  • How To: Create a Fugue IAM Role
  • How To: Manually Create a Fugue IAM Role
  • How To: Update the Fugue IAM Role
  • How To: Add or Remove Azure Resource Groups
  • How To: Set a Baseline (UI)
  • How To: Set a Baseline (CLI)
  • How To: Set a Baseline (API)
  • Example: Scan, Detect Drift, Enforce
  • Example: Fugue Notifications in Slack
  • Example: Fugue CI/CD with Terraform, GitHub, CircleCI
  • Example: Fugue CI/CD with Regula Pre-deployment Checks

Open Source Tool Examples¶

For walkthroughs of our open source tools, see:

  • Regula – a tool to check Terraform for compliance pre-deployment. This example demonstrates Regula in CI/CD with GitHub Actions.

  • Fregot – a tool to easily evaluate, debug, and test Rego policies. This example debugs a policy written to evaluate Terraform.

Previous Page

Use Cases
Next Page

Tutorial: Hello World AWS, API (curl)
  • Home
  • Events
  • Press
  • Contact
  • Schedule Demo
© Fugue, Inc. 2020 Privacy Policy Subscription Agreement
  • Twitter
  • Facebook
  • LinkedIn
AWS Partner Network: Advanced Technology Partner Gartner Cool Vendor 2017