Skip to content
Logo
Menu
  • Product
    • Compliance
    • Visualizer
    • Drift and Guardrails
    • Policy as Code
    • Integrations
  • Docs
    • Docs
    • API
    • GitHub
  • Pricing
  • Customers
  • Resources
    • Cloud Security
      • Cloud Security Posture Management
      • AWS Cloud Security
      • Azure Cloud Security
      • Cloud Security for Google Cloud Platform
      • DevSecOps
    • Cloud Compliance
      • CIS AWS Foundations Benchmark
      • CIS Azure Foundations Benchmark
      • Fugue Best Practices
      • GDPR
      • HIPAA
      • ISO 27001
      • NIST 800-53
      • PCI
      • SOC 2 Cloud Compliance
    • Resource Library
      • Case Studies
      • Datasheets
      • ebooks
      • Videos
      • Webinars
      • White Papers & Reports
      • Infographics
  • Company
    • Blog
    • About
    • Team
    • Investors
    • Security
    • Careers
    • Press
  • Login
  • Try Free
Version

Fugue v2021.01.21

  • Home
  • Getting Started
    • Contents
      • Setup - AWS & AWS GovCloud
        • Sign Up for Fugue
        • Step 1: Setup (Name, Provider)
        • Step 2: Settings (Region & Resources, IAM Role)
        • Step 3: Compliance
        • Step 4: Review
        • What’s Next?
      • Setup - Azure & Azure Government
        • Sign Up for Fugue
        • Step 1: Setup (Name, Provider)
        • Step 2: Settings (Credentials, Resource Groups)
        • Step 3: Select Compliance Libraries
        • Step 4: Review Environment Details
        • What’s Next?
      • Google Cloud Support
      • Fugue 101
        • Concepts
        • Navigating Fugue
      • Use Cases
        • AWS Scanning Compliance
        • Drift
        • Enforcement
    • Get Started in 5 Minutes
      • Sign up for Fugue
      • Step 1: Environment Setup
      • Step 2: Environment Settings
        • AWS and AWS GovCloud
        • Azure and Azure Government
      • Step 3: Select Compliance Standards
      • Step 4: Review
        • AWS and AWS GovCloud
        • Azure and Azure Government
      • Further Reading
  • Examples
    • Contents
      • Tutorial: Hello World AWS, API (curl)
        • Getting started
        • Sign up for Fugue
        • Create API Client ID and Secret
        • Set Environment Variables
        • Select Resource Types
        • Generate IAM Policy
        • Create Role via AWS CLI
        • Assemble Request Body
        • Send Request to Create Environment
        • What’s Next?
      • Tutorial: Hello World AWS, API (Postman)
        • Getting started
        • Sign up for Fugue
        • Create API Client ID and Secret
        • Configure Collection
        • Select Resource Types
        • Generate IAM Policy
        • Create Role via AWS CLI
        • Assemble Request Body
        • Send Request to Create Environment
        • What’s Next?
      • How To: Create a Fugue IAM Role
        • What’s Going to Happen?
        • Let’s Go!
        • How do I see the role permissions before creating the role?
        • What’s Next?
      • How To: Manually Create a Fugue IAM Role
        • Create a New Role
      • How To: Update the Fugue IAM Role
        • Update Role to Enable Enforcement
        • Update IAM Role Trust Policy
      • How To: Add or Remove Azure Resource Groups
        • Updating Selected Resource Groups with curl
        • Updating Selected Resource Groups with Postman
      • How To: Set a Baseline (UI)
        • What’s a Baseline?
        • Setting Your First Baseline
        • Setting or Updating a Baseline with the Actions button
        • What’s Next?
      • How To: Set a Baseline (CLI)
        • What’s a Baseline?
        • Setting a baseline via the CLI
        • What’s Next?
      • How To: Set a Baseline (API)
        • What’s a Baseline?
        • Setting a baseline with curl
        • Setting a baseline with Postman
        • What’s Next?
      • How To: Waive a Rule
        • Let’s Go!
        • What’s Next?
      • Example: Scan, Detect Drift, Enforce
        • Prerequisites
        • What We’ll Do In This Example
        • Let’s Go!
        • What’s Next?
      • Example: Fugue Notifications in Slack
        • Prerequisite: Create Fugue Notification
        • Step 1: Create Slack Incoming Webhook
        • Step 2: Create Lambda Function
        • Step 3: Subscribe Lambda Function to FugueSNSTopic
        • Step 4: Test the Integration
        • Lambda Function Code
      • Example: Fugue CI/CD with Terraform, GitHub, CircleCI
        • Get Started
        • Quick Start
        • List of files in the example
        • How to create a new CircleCI project
        • Line-by-line explanation of configuration
        • Further reading
      • Example: Fugue CI/CD with Regula Pre-deployment Checks
        • Get Started
        • Further reading
    • Open Source Tool Examples
  • Fugue Plans
    • 30-Day Enterprise Trial (Free)
    • Fugue Enterprise (Paid)
    • Fugue Team (Paid)
    • Fugue Developer (Free)
    • Plan Comparison
    • Account Overview Page
  • Environment Configuration
    • Configuring an Environment
      • Configurable Settings for Environments
      • Updating Scanned or Enforced Resources
        • AWS
        • Azure
      • Updating Region(s) (AWS & AWS GovCloud)
      • Updating Resource Groups (Azure & Azure Government)
      • Removing an Environment
    • Setting or Updating a Baseline
      • Setting a Baseline to an Earlier Scan
      • Viewing Baseline Resources
      • Disabling a Baseline & Drift Detection
        • Suppressing Drift Events for Individual Resources
      • How to Tell if a Baseline Is Established
    • Drift Detection
      • Disabling Drift Detection
      • Enabling or Disabling Enforcement (AWS & AWS GovCloud)
    • Triggering a Scan
  • Compliance
    • Browsing the Data
      • The Environment Summary
      • The Compliance Tabs
        • 5. Compliance by Resource
        • 6. Compliance by Resource Type
        • 7. Compliance by Control
      • Filtering Results
      • Changing the Number of Rows
    • Compliance Concepts
      • What is a rule?
      • What is a control?
      • How do rules relate to controls?
      • What is a rule result?
      • What is a resource evaluation?
        • Resource evaluation values
      • What is a control evaluation?
        • Control evaluation values
    • Rule Severity Definitions
    • Fugue Best Practices
    • Further Reading
  • Rules
    • Contents
      • Disabling and Enabling Rules
        • How to Enable or Disable a Rule
        • Effects on Compliance in an Environment
      • Rule Waivers
        • What is a Rule Waiver?
        • How Rule Waivers Appear in the UI
        • How to Waive a Rule
        • How to View All Waivers
        • How to Edit a Rule Waiver
        • How to Delete a Rule Waiver
        • When Do Rule Waivers Go Into Effect?
        • Further Reading
      • Writing Custom Rules
        • What are Custom Rules?
        • General Custom Rules Workflow
        • How to Write Custom Rules
        • Example Rules
        • Managing Rules in the UI and API
        • Learning Rego
      • Managing Custom Rules - UI
        • Viewing Custom Rules
        • Creating Custom Rules - UI
        • Modifying and Deleting Custom Rules - UI
        • Viewing Compliance Results - UI
        • Waiving Custom Rules - UI
        • Disabling and Enabling Custom Rules - UI
      • Managing Custom Rules - API
        • Creating, Testing, and Managing Custom Rules - API
        • Example Rules
    • Navigating the Rules Page
      • Searching for Rules
      • Sorting and Pagination
      • Filtering
  • Visualizer
    • Visualization Components
      • Security Group Connections Between Resources
    • Visualizing Resource Compliance State
    • Viewing Groupings
      • Grouped resources
      • Collections
      • Networks
      • Regions
      • How to expand and collapse groupings
      • Nested groups/collections
      • How collapsed groupings show compliance
    • Viewing Resource Details
    • Searching
    • Panning, Zooming, and Viewing in Full Screen
    • Which Resources Are Visualized?
      • Supported AWS & AWS GovCloud Resources
        • VPC Attributes
        • Implicit Resources
      • Supported Azure & Azure Government Resources
        • VNet Attributes
    • Visualizing Previous Scans
    • View Options
      • Exporting a Diagram
    • Supported Browsers
      • WebGL is Required
  • Organization
    • Contents
      • User Management
        • User Setup
        • Single Sign-on (SSO)
        • Multi-Factor Authentication (MFA)
      • Role-Based Access Control (RBAC)
        • RBAC Overview
        • Groups, Policies, Users
        • Types of Policies
        • Permissions for Users in Multiple Groups
        • Getting Started with RBAC
        • More About User Management
  • Reports and Notifications
    • Contents
      • Notifications
        • The Notifications Tab
        • Setting Up Notifications
        • Editing or Deleting a Notification
        • Types of Notification Events
        • Example Notifications
        • Notifications FAQ
      • Reports & Dashboards
        • Compliance Posture Dashboard
        • Current Rule Violations
        • Resources Dashboard
        • Resources Report
        • Compliance Family Dashboards
        • How to Filter a Report or Dashboard
        • How to Create an Alert
        • How to Download a Report
        • How to Send a Report by Email
        • How to Schedule a Report by Email
        • How to Drill Down Into a Report
      • Compliance Report Email (Single Environment)
        • Setting up the Compliance Report Email for an environment
    • Export Data
      • Steps
      • Data
  • API
    • Contents
      • API User Guide
        • What is the Fugue API?
        • API Functions
        • Use Cases
        • How to Use the API
        • OpenAPI 2.0 Spec
        • Authentication
        • Making API Requests
        • Deep Dives
        • API Tools
        • Further Reading
      • API Request Examples
        • Listing Details for All Environments
        • Creating an Environment
        • Retrieving Details for a Single Environment
        • Updating an Environment
        • Deleting an Environment
        • Listing Scans for an Environment
        • Triggering a New Scan
        • Retrieving Details for a Scan
        • Listing Compliance Results by Control for a Scan
        • Listing Compliance Results by Resource Type for a Scan
        • Listing Compliance/Drift/Baseline Enforcement Events for an Environment
        • Returning Fugue’s OpenAPI 2.0 Specification
        • Listing IAM Permissions Required to Scan/Enforce Resources
        • Listing Supported Resource Types
        • Listing Details for All Notifications
        • Creating a Notification
        • Updating a Notification
        • Listing Details for All Notifications
        • Deleting a Notification
        • Creating a Custom Rule
        • Listing Custom Rules
        • Retrieving Details for a Rule
        • Updating a Custom Rule
        • Deleting a Custom Rule
        • Testing a Custom Rule
        • Getting Input for a Custom Rule Test
        • Getting a List of Details for All Invites
        • Creating a New Invite
        • Fetching an Invite by ID
        • Getting a List of Groups
        • Creating a New Group
        • Editing a List of Users’ Group Assignments
        • Getting a List of Details for All Users
        • Getting a User by ID
        • Further Reading
      • API Reference
  • CLI
    • Commands
      • create - Create subcommands
        • create
        • Output Attributes
        • Examples
      • delete - Delete subcommands
        • delete
        • Examples
      • get - Get subcommands
        • get
        • Output Attributes
        • Examples
      • help - Help about any command
        • help
        • Examples
      • list - List subcommands
        • list
        • Output Attributes
        • Examples
      • scan - Trigger a scan
        • scan
        • Output Attributes
        • Examples
      • sync - Sync files to your account
        • sync
        • Examples
      • update - Update subcommands
        • update
        • Output Attributes
        • Examples
    • Usage
    • Installation
      • macOS installation
      • Linux installation
      • Windows installation
    • Environment Variables
    • Accepted Parameter Values
      • How to format fugue flags
      • How to look up fugue arguments
    • Tips
      • env alias
      • Help for any command
      • Debugging
    • macOS Installation Error Message
  • Service Coverage
    • Contents
      • Service Coverage - AWS & AWS GovCloud
        • AWS Standard Regions
        • Recommended Resource Types: AWS
        • Supported Services: AWS GovCloud
        • Recommended Resource Types: AWS GovCloud
        • Resources Not Included In Fugue-Recommended List
      • Service Coverage - Azure & Azure Government
        • Application Insights
        • Authorization (RBAC)
        • Automation
        • CDN (Content Delivery Network)
        • Compute
        • Container
        • Cosmos DB
        • Databricks
        • Data Lake
        • Key Vault
        • Kubernetes
        • Monitor
        • MySQL
        • Network
        • PostgreSQL
        • Redis
        • Security Center
        • SQL
        • Storage
        • Web
    • Regions and Resources: Things to Know
      • Supported AWS and AWS GovCloud Regions
      • Changing AWS Region
      • Changing Resource Selection
      • Resources Under Management
      • Resource Types That Don’t Report Drift
  • AWS IAM Policy Permissions
    • SecurityAudit read-only (scan) permissions
    • Supplemental read-only (scan) permissions
    • Supplemental write (enforce) permissions
  • FAQ
    • General
      • How do I contact support?
      • Where can I sign up for Fugue?
      • How can I get started with my first environment?
      • How do I change my Fugue user password?
      • What browsers are supported?
      • What are some use cases for Fugue?
    • Plans
      • What plans are offered?
      • What’s the difference between Enterprise Trial, Enterprise, and Developer?
      • How do I upgrade my Fugue account?
      • How do I find out what my plan is?
      • How is scanning limited in Fugue Developer and Fugue Team?
      • How much does it cost?
      • Where can I find more information?
    • Environments
      • How many environments can Fugue store?
      • Does Fugue support AWS GovCloud?
      • What AWS and AWS GovCloud regions does Fugue support?
      • How can I change my environment’s region(s)?
      • Does Fugue support Microsoft Azure and/or Azure Government?
      • How can I quickly create multiple environments?
    • Scanning
      • How can I trigger a scan?
      • Where do I view my scan results?
      • How can I change the resources that Fugue scans in my AWS standard or GovCloud environment?
      • How can I change the resource groups Fugue scans in my Azure environment?
      • Can I scan ElastiCache clusters within a replication group?
    • Compliance
      • What compliance families are supported?
      • Can I change the compliance standards Fugue uses to evaluate my infrastructure?
      • Can I waive a rule or “ignore” a noncompliant resource?
      • Can I disable a rule for all environments?
      • How do I waive a rule?
      • Will changing my compliance standards and saving them automatically trigger a new scan?
      • How can I output a CSV or Excel file of compliance results for my Fugue account?
    • Drift Detection & Enforcement
      • How do I set or update a baseline?
      • Can I turn off drift detection?
      • How do I enable enforcement? (AWS & AWS GovCloud)
      • How do I disable enforcement? (AWS & AWS GovCloud)
      • How can I change the AWS or AWS GovCloud resources that Fugue enforces?
      • What kind of drift does Fugue enforce?
      • When a resource is enforced, does Fugue simply modify it, or does it destroy the resource and recreate it?
    • AWS Identity & Access Management (IAM) Permissions
      • What kind of AWS IAM permissions does Fugue need?
        • SecurityAudit read-only policy
      • Can I give Fugue enforce access (write permissions) without enabling baseline enforcement?
      • What permissions are needed for compliance scanning, drift detection, and baseline enforcement?
      • How do I update the Fugue IAM role trust policy?
      • What’s the SecurityAudit policy and why is it attached?
      • What if I don’t want to use the SecurityAudit policy?
      • Why does Fugue use inline policies instead of managed policies?
    • Azure Service Principal Role
      • What type of RBAC role does Fugue require to scan my Azure infrastructure?
    • Service Coverage
      • What cloud provider services does Fugue support?
    • Organization
      • How do I manage users?
      • How do I use RBAC to manage users?
      • How do I enable SSO?
      • How do I enable MFA?
    • Visualizer
      • How can I visualize the resources in my environment?
      • What resource types are visualized?
      • What do the characters next to subnet and security group names mean?
      • Which cloud providers are supported?
      • Does the visualizer support keyboard shortcuts?
    • Notifications
      • What if I have a question about notifications?
    • Best Practices
      • AWS Regions and Environments
      • Recommended AWS Resource Types to Scan
      • Recommended AWS Resource Types to Enforce
        • Read permissions
        • Write permissions
      • Avoid Enforcing AWS Auto Scaled Resources
      • Enable Multi-Factor Authentication (MFA)
    • Known Issues
      • Maximum of 1,000 SQS Queues
      • Notification of Newly Compliant Resources When Transitioning to Fugue Developer
    • Additional Resources about Cloud Security
    • Other
      • What if I have other questions?
  • Open Source Projects
    • Fregot
    • Regula
    • credstash
    • s3fc
  • Glossary
  • Release Notes
    • 2021.01.21
      • New Rules Page
      • Enable/Disable Rules for your Organization
      • API Support for Users and Groups
      • Visualizer: Expanded AWS Service Coverage
      • Updated Fugue Rules
    • 2021.01.05
      • Enable or Disable a Rule for Your Entire Organization: Beta
      • Improvements to Visualizer
    • 2020.12.09
      • Reporting Updates
      • Rules Updates
      • Azure Subscription Onboarding
      • Expanded Service Coverage: Azure
      • API Updates: Events
    • 2020.12.01
      • Visualizer: Expanded AWS and Azure Service Coverage
      • Bug Fixes
    • 2020.11.10
      • Added Advanced Reporting Capabilities - Beta
      • Expanded Default Compliance Standard Library- CSA CCM
    • 2020.10.27
      • UX Improvements to the Environment Overview Page
      • UX Improvements to Tables
      • Expanded Azure Service Coverage - Beta
      • Visualizer - Azure Service Coverage
      • Bug Fixes
    • 2020.10.13
      • UX Improvements to the Environment Compliance Summary
      • Create a Waiver on a Missing Resource
      • Scheduled Report Improvements
      • Deprecated Support for TLS 1.0 and TLS 1.1
    • 2020.09.23
      • RBAC Improvements
      • Deprecating TLS 1.0 and TLS 1.1
      • Enhancements to Scanning of S3 Resources
      • Bug Fixes
    • 2020.09.09
      • New Azure Rules
      • Expanded Service Coverage for Azure - Beta
      • Expanded Service Coverage for AWS - Beta
      • Visualizer - Azure Service Coverage
      • UX Improvements to the Group and Notification Pages
    • 2020.08.17
      • New Azure Rules
      • Custom Rule Severity
      • Waiver Improvements
      • Azure Government Support
      • Expanded Azure Service Coverage- Beta
      • Visualizer Updates
      • UX Improvements
      • Bug Fixes
    • 2020.08.04
      • Enhancements to the All Environments Landing Page
      • Visualizer
      • Extended Service Coverage Support for Azure
    • Deprecating TLS 1.0 and TLS 1.1
    • 2020.07.30
    • 2020.07.21
      • Environment Search Capability
      • Compliance Family
      • Updates to Data Export
      • Bug Fixes
    • 2020.07.08
      • Rule Waivers
      • Rule Severity on the Compliance by Resource Page
      • Two New RBAC Policies
      • UX Update to the Top Navigation
      • Bug Fixes
    • 2020.06.05
      • Ability to export compliance data via the UI
    • 2020.06.04
      • Extended Azure Service Coverage Beta
      • Visualizer Updates
      • Updates to Compliance Rules
    • 2020.05.29
      • Visualizer Updates
      • Expanded AWS Service Coverage
      • Bug Fixes
    • 2020.05.12
      • Support for CIS Controls 7.1
      • Visualizer Updates
      • Updates to Compliance Terminology
    • 2020.04.29
      • Scoping Environments to Multiple Regions
      • Responsive Registration Page and More
      • Visualizer Updates
    • 2020.04.16
      • Role Based Access Control (RBAC)
      • Cloud Resource Visualization
    • 2020.04.07
      • UX Improvements
      • Rule Engine Upgrade
      • New IAM Permissions Required
      • Compliance Event Notifications
      • Bug Fixes
    • 2020.03.17
    • 2020.03.03
      • On-Demand Scan via the UI
      • Cloud Resource Visualization – View Resource Details
      • UX Improvements to Settings and Setting a Baseline
      • Bug Fixes
      • Removed Obsolete VPC Flow Logs Rule
    • 2020.02.14
      • Cloud Resource Visualization – Collections & Additional Resource Support
      • Rule Updates
    • 2020.01.31
      • Additional AWS Resources - Beta
      • Bug Fixes
    • 2020.01.13
      • Cloud Resource Visualization – Keyboard Shortcuts
      • Multi-Factor Authentication Support (MFA)
    • 2019.12.23
      • Cloud Resource Visualization - Export Functionality
      • Cloud Resource Visualization - VPC Peering
      • Search By Environment
    • 2019.11.21
      • Rule Remediation Steps in Documentation
      • Exporting Visualizer Diagrams and Customizing Your Visualizer View
      • Ability to Delete User Groups
      • Fugue Developer and Fugue Enterprise
      • New Account Overview Page
    • 2019.10.31
      • Single Sign-On (Beta)
      • Additional Compliance Family Support for Azure
      • Fugue Best Practices
    • 2019.10.17
      • Expanded AWS Service Coverage
      • Updates to the Visualizer
    • 2019.10.03
      • Custom Rules
      • CLI
      • Visualizer
    • 2019.09.13
      • Visualizer updates
      • IAM role generation updates
    • 2019.08.23
    • 2019.08.07
    • 2019.07.08
    • 2019.07.03
      • Features
    • 2019.06.26
      • Features
    • 2019.06.10
      • Features
    • 2019.05.29
      • Features
    • 2019.05.09
      • Features
      • Bug Fixes and Improvements
    • 2019.04.25
      • Features
      • Bug Fixes
    • 2019.03.28
      • Features
    • 2019.03.15
      • Features
      • Bug Fixes
    • 2019.02.25
    • 2019.02.12
    • 2019.01.28
    • 2018.11.26
      • Features
        • Scan cloud environments for risks and generate risk reports
        • Scan cloud environments for drift based on the declared baseline
        • Enable baseline enforcement on resources in cloud environments
  • Fugue Support
    • Contact Support
    • Self-Service
      • How do I…
      • Selected FAQs
  • Rule Remediation Steps
    • IAM root user should not be used
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM password policies should prevent reuse of previously used passwords
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM password policies should expire passwords within 90 days
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM root user access key should not exist
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM should have MFA enabled for the root account
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM should have hardware MFA enabled for the root account
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM policies should not be attached to users
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Ensure a support role has been created to manage incidents with AWS Support
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudFront distribution origin should be set to S3 or origin protocol policy should be set to https-only
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudFront viewer protocol policy should be set to https-only or redirect-to-https
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ELBv1 listener protocol should not be set to http
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Auto Scaling groups should span two or more availability zones
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • EBS volume encryption should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudFront distributions should have geo-restrictions specified
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • AWS credentials (IAM user name/passwords, IAM access keys) unused for 90 days or more should be disabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM user access keys should be rotated every 90 days or less
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM password policies should require at least one uppercase character
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM password policies should require at least one lowercase character
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM password policies should require at least one symbol
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM password policies should require at least one number
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM password policies should require a minimum length of 14
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudTrail should be enabled in all regions
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudTrail log file validation should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket ACLs should not have public access on S3 buckets that store CloudTrail log files
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudTrail trails should have CloudWatch log integration enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • AWS Config should be enabled in all regions
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket access logging should be enabled on S3 buckets that store CloudTrail log files
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for denied connections in VPC Flow Logs should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Alarm for denied connections in CloudFront logs should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudTrail log files should be encrypted using KMS CMKs
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • KMS CMK rotation should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 5900 (Virtual Network Computing)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 5800 (Virtual Network Computing), unless from ELBs
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 5500 (Virtual Network Computing)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 23 (Telnet)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 80 (HTTP), unless from ELBs
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ELBv1 load balancer cross zone load balancing should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group inbound rules should not permit ingress from any address to all ports and protocols
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group inbound rules should not permit ingress from ‘0.0.0.0/0’ to all ports and protocols
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC flow logs should be sent to CloudWatch logs
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • SQS access policies should not have global “.” access
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • SNS subscriptions should deny access via HTTP
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC flow logging should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for unauthorized API calls should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for VPC security group changes should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for changes to VPC NACLs should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for changes to VPC network gateways should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for VPC route table changes should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for VPC changes should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for Management Console sign-in without MFA should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for usage of root account should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for IAM policy changes should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for CloudTrail configuration changes should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for Management Console authentication failures should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ELBv1 load balancer access logging should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudFront access logging should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log groups should be encrypted with KMS CMKs
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • DynamoDB tables should be encrypted with AWS or customer managed KMS CMKs
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • SQS queue server-side encryption should be enabled (AWS-managed keys)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudFront distributions should be protected by WAFs
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for disabling or scheduled deletion of KMS CMKs should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm should be set for S3 bucket policy changes
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm should be set for Config configuration changes
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to port 22 (SSH)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM password policies should have a minimum length of 7 and include both alphabetic and numeric characters
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to port 3389 (Remote Desktop Protocol)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM password policies should prevent reuse of the four previously used passwords
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC default security group should restrict all traffic
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM policies should not have full “*:*” administrative privileges
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • RDS instances should be encrypted (AWS-managed or customer-managed KMS CMKs)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • RDS instances should have FedRAMP approved database engines
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • RDS instances should be encrypted with KMS CMKs
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket server-side encryption should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket policies should only allow requests that use HTTPS
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket versioning and lifecycle policies should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ELB listener security groups should not be set to TCP all
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security groups attached to EC2 instances should not permit ingress from ‘0.0.0.0/0’ to all ports
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security groups attached to RDS instances should not permit ingress from ‘0.0.0.0/0’ to all ports
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ElastiCache transport encryption should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • DynamoDB tables Point in Time Recovery should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • RDS instances should have backup retention periods configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM multi-factor authentication should be enabled for all IAM users that have a console password
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Storage Accounts ‘Secure transfer required’ should be enabled
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • Virtual Network security groups should not permit ingress from ‘0.0.0.0/0’ to TCP port 3389 (RDP)
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • Virtual Network security groups should not permit ingress from ‘0.0.0.0/0’ to TCP port 22 (SSH)
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • Virtual Network security groups attached to SQL Server instances should not permit ingress from 0.0.0.0/0 to all ports and protocols
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • Virtual Network Network Watcher should be enabled
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • Virtual Machines data disks (non-boot volumes) should be encrypted
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • Virtual Machines unattached disks should be encrypted
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • RDS Aurora cluster multi-AZ should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket policies should not allow all actions for all IAM principals and public users
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket policies should not allow list actions for all IAM principals and public users
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 9200 (Elasticsearch)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 9300 (Elasticsearch)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 2379 (etcd)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27017 (MongoDB)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27018 (MongoDB)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27019 (MongoDB)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM policies should not allow broad list actions on S3 buckets
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM role trust policies should not allow all principals to assume the role
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM roles attached to instance profiles should not allow broad list actions on S3 buckets
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • SQL Server firewall rules should not permit start and end IP addresses to be 0.0.0.0
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • MySQL Database server firewall rules should not permit start and end IP addresses to be 0.0.0.0
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • PostgreSQL Database server firewall rules should not permit start and end IP addresses to be 0.0.0.0
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • Ensure Azure Application Gateway Web application firewall (WAF) is enabled
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • MySQL Database server “enforce SSL connection” should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • PostgreSQL Database server “enforce SSL connection” should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Key Vault ‘Enable Soft Delete’ and ‘Enable Purge Protection’ should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 buckets should have all “block public access” options enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security groups attached to EC2 instances should not permit ingress from ‘0.0.0.0/0’ to TCP port 389 (LDAP)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudTrail trails should be configured to log data events for S3 buckets
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Exactly one CloudTrail trail should monitor global services
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudTrail trails should be configured to log management events
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudTrail should have at least one CloudTrail trail set to a multi-region trail
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudTrail trails should not be associated with missing SNS topics
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • AWS CloudWatch alarms should have at least one alarm action, one INSUFFICIENT_DATA action, or one OK action enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 11214 (Memcached SSL)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 11215 (Memcached SSL)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 135 (MSSQL Debugger)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 137 (NetBIOS Name Service)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 138 (NetBios Datagram Service)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 139 (NetBios Session Service)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/ port 1433 (MSSQL Server)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 1434 (MSSQL Admin)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • Require Multi Availability Zones turned on for RDS Instances
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • KMS master keys should not be publicly accessible
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • EC2 instances should use IAM roles and instance profiles instead of IAM access keys to perform requests
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM roles used for trust relationships should have MFA or external IDs
      • Description
      • Console Remediation Steps to Enable MFA
      • Console Remediation Steps to Add an External ID
      • CLI Remediation Steps for to Enable MFA via the CLI
      • CLI Remediation Steps to Add an External ID
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 2382 (SQL Server Analysis Services browser)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 2383 (SQL Server Analysis Services)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 2484 (Oracle DB SSL)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 3000 (Ruby on Rails web server)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 3020 (CIFS / SMB)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 3306 (MySQL)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 4505 (SaltStack Master)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 4506 (SaltStack Master)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 5432 (PostgreSQL)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 61621 (Cassandra OpsCenter Agent)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 636 (LDAP SSL)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 7001 (Cassandra)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 8000 (HTTP Alternate)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps for TCP
      • CLI Remediation Steps for UDP
      • Documentation Links
    • Redshift cluster ‘Publicly Accessible’ should not be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • EC2 instances should not have a public IP association (IPv4)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM users should be members of at least one group
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM users should have MFA (virtual or hardware) enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket access logging should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket replication (cross-region or same-region) should be enabled
      • Description
      • Console Remediation
      • CLI Remediation Steps
      • Documentation Links
    • Lambda function policies should not allow global access
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 buckets should not be publicly readable
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • RDS instance ‘Publicly Accessible’ should not be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket policies and ACLs should not be configured for public read access
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • RDS instance ‘Deletion Protection’ should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • SQL Server auditing should be enabled
      • Description
      • Portal Remediation Steps
      • PowerShell Remediation Steps
      • Documentation Links
    • SQL Server auditing retention should be greater than 90 days
      • Description
      • Portal Remediation Steps
      • PowerShell Remediation Steps
      • Documentation Links
    • Virtual Network security group flow log retention period should be set to 90 days or greater
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Active Directory custom subscription owner roles should not be created
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center pricing tier should be set to ‘Standard’
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting ‘Monitor System Updates’ should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting ‘Monitor OS Vulnerabilities’ should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting ‘Monitor Endpoint Protection’ should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting ‘Monitor Disk Encryption’ should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting ‘Monitor Network Security Groups’ should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting ‘Monitor Web Application Firewall’ should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting ‘Enable Next Generation Firewall (NGFW) Monitoring’ should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting ‘Monitor Vulnerability Assessment’ should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting “Monitor Storage Blob Encryption” should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting “Monitor JIT Network Access” should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting “Monitor Adaptive Application Whitelisting” should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting “Monitor SQL Auditing” should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center default policy setting “Monitor SQL Encryption” should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Security Center contact emails should be set
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • PostgreSQL Database configuration ‘log_checkpoints’ should be on
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • PostgreSQL Database configuration ‘log_connections’ should be on
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor Activity Log Alert should exist for Create Policy Assignment
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor Activity Log Alert should exist for Create or Update Network Security Group
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor Activity Log Alert should exist for Delete Network Security Group
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor Activity Log Alert should exist for Create or Update Network Security Group Rule
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor Activity Log Alert should exist for Delete Network Security Group Rule
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor Activity Log Alert should exist for Create or Update Security Solution
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor Activity Log Alert should exist for Delete Security Solution
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor Activity Log Alert should exist for Create or Update or Delete SQL Server Firewall Rule
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor Activity Log Alert should exist for Update Security Policy
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Azure Kubernetes Service instances should have RBAC enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • PostgreSQL Database configuration ‘log_disconnections’ should be on
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • PostgreSQL Database configuration ‘log_duration’ should be on
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • PostgreSQL Database configuration ‘connection_throttling’ should be on
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • PostgreSQL Database configuration ‘log_retention days’ should be greater than 3
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor log profile should be created
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor ‘Activity Log Retention’ should be 365 days or greater
      • Description
      • Portal Remediation Steps
      • PowerShell Remediation Steps
      • Documentation Links
    • Monitor audit profile should log all activities
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Monitor log profile should have activity logs for global services and all regions
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Key Vault logging should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • App Service web app authentication should be enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • App Service web apps should have ‘HTTPS only’ enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • App Service web apps should have ‘Minimum TLS Version’ set to ‘1.2’
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • App Service web apps should have ‘Incoming client certificates’ enabled
      • Description
      • Portal Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudFront distribution viewer certificate should use secure TLS protocol versions (1.2 and above)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudFront distribution custom origins should use secure TLS protocol versions (1.2 and above)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ELB HTTPS listeners should use secure TLS protocol versions (1.2 and above)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ELBv2 HTTPS listeners should use secure TLS protocol versions (1.2 and above)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • API Gateway classic custom domains should use secure TLS protocol versions (1.2 and above)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
  • Home
  • Examples

Examples¶

Contents¶

  • Tutorial: Hello World AWS, API (curl)
  • Tutorial: Hello World AWS, API (Postman)
  • How To: Create a Fugue IAM Role
  • How To: Manually Create a Fugue IAM Role
  • How To: Update the Fugue IAM Role
  • How To: Add or Remove Azure Resource Groups
  • How To: Set a Baseline (UI)
  • How To: Set a Baseline (CLI)
  • How To: Set a Baseline (API)
  • How To: Waive a Rule
  • Example: Scan, Detect Drift, Enforce
  • Example: Fugue Notifications in Slack
  • Example: Fugue CI/CD with Terraform, GitHub, CircleCI
  • Example: Fugue CI/CD with Regula Pre-deployment Checks

Open Source Tool Examples¶

For walkthroughs of our open source tools, see:

  • Regula – a tool to check Terraform for compliance pre-deployment. This example demonstrates Regula in CI/CD with GitHub Actions.

  • Fregot – a tool to easily evaluate, debug, and test Rego policies. This example debugs a policy written to evaluate Terraform.

Previous Page

Use Cases
Next Page

Tutorial: Hello World AWS, API (curl)
Fugue Wordmark
LinkedIn icon LinkedIn Twitter icon Twitter Facebook icon Facebook GitHub icon GitHub
GET DEMO CONTACT US
© Fugue, Inc. 2020
Gartner Cool Vendor 2017 AWS Partner Network: Advanced Technology Partner