Fugue

Menu
  • Product
    • Overview
    • Visualizer
    • Baselines
    • API
  • Docs
  • GitHub
  • Pricing
  • Customers
  • Blog
  • Company
    • About
    • Leadership
    • Investors
    • Security
    • Careers
    • Press
  • Log In
  • Start Free Trial
Viewing Docs For

Fugue v2020.03.17

  • Home
  • Getting Started
    • Contents
      • Setup - AWS & AWS GovCloud
        • Step 1: Define your AWS environment
        • Step 2: Set Region, Resource Types, IAM Role
        • Step 3: Select Compliance Libraries
        • Step 4: Review Environment Details
        • What is supported?
        • IAM Policy Permissions
      • Setup - Azure
        • Step 1: Define your Azure environment
        • Step 2: Connect to Azure and Select Resource Groups
        • Step 3: Select Compliance Libraries
        • Step 4: Review Environment Details
        • Updating Selected Resource Groups
        • Supported Azure Services
      • Azure Support
        • Setup
        • Service Coverage
        • Compliance Report Emails
        • Azure and the Fugue API
      • Google Cloud Support
    • Get Started in 5 Minutes
      • Step 1: Sign up for Fugue
      • Step 2: Define Environment
      • Step 3: Configure Environment
        • AWS and AWS GovCloud
        • Azure
      • Step 4: Select Compliance Standards
        • AWS & AWS GovCloud
        • Azure
      • Step 5: Review Settings
        • AWS and AWS GovCloud
        • Azure
      • Further Reading
  • Examples
    • Contents
      • Tutorial: Hello World AWS
        • Getting started
        • Sign up for Fugue
        • Name environment
        • Select region and resource types
        • What’s Next?
      • How To: Create a Fugue IAM Role
        • What’s Going to Happen?
        • Let’s Go!
        • How do I see the role permissions before creating the role?
        • What’s Next?
      • How To: Set a Baseline (UI)
        • What’s a Baseline?
        • Setting Your First Baseline
        • Setting or Updating a Baseline with the Actions button
        • What’s Next?
      • How To: Set a Baseline (CLI)
        • What’s a Baseline?
        • Setting a baseline via the CLI
        • What’s Next?
      • How To: Set a Baseline (API)
        • What’s a Baseline?
        • Setting a baseline with curl
        • Setting a baseline with Postman
        • What’s Next?
      • Example: Scan, Detect Drift, Enforce
        • Overview
        • Prerequisites
        • What We’ll Do In This Example
        • Let’s Go!
      • Example: Fugue Notifications in Slack
        • Prerequisite: Create Fugue Notification
        • Step 1: Create Slack Incoming Webhook
        • Step 2: Create Lambda Function
        • Step 3: Subscribe Lambda Function to FugueSNSTopic
        • Step 4: Test the Integration
        • Lambda Function Code
      • Example: Fugue CI/CD with Terraform, GitHub, CircleCI
        • Get Started
        • Quick Start
        • List of files in the example
        • How to create a new CircleCI project
        • Line-by-line explanation of configuration
        • Further reading
      • Example: Fugue CI/CD with Regula Pre-deployment Checks
        • Get Started
        • Further reading
  • Fugue Plans
    • 30-Day Enterprise Trial (Free)
    • Fugue Enterprise (Paid)
    • Fugue Team (Paid)
    • Fugue Developer (Free)
    • Plan Comparison
    • More Information
    • Account Overview Page
  • Environment Configuration
    • Permissions
    • Environments
      • Removing an Environment
    • Setting or Updating a Baseline
      • Setting a Baseline to an Earlier Scan
      • Viewing Baseline Resources
      • Disabling a Baseline & Drift Detection
        • Suppressing Drift Events for Individual Resources
      • How to Tell if a Baseline Is Established
    • Drift Detection
      • Disabling Drift Detection
      • Enabling Enforcement
    • Triggering a Scan
  • Compliance
    • Compliance State Details
    • Browsing the Data
    • Fugue Best Practices
    • Further Reading
  • Custom Rules
    • What are Custom Rules?
    • General Custom Rules Workflow
    • Writing Custom Rules
      • Simple Custom Rules
        • Step 1: Determine resource attributes (simple)
        • Step 2: Define pass or fail conditions for the resource (simple)
        • allow rules
        • deny rules
        • Multiple queries
      • Advanced Custom Rules
        • Advanced Custom Rule with a Single Resource Type
        • Advanced Rule Functions
        • Expanding an Advanced Custom Rule
        • Advanced Custom Rules with Multiple Resource Types
      • Custom Rules Cheat Sheet
    • Creating and Managing Custom Rules - UI
      • Creating Custom Rules - UI
      • Modifying and Deleting Custom Rules - UI
      • Viewing Compliance Results - UI
        • Compliance by Rule - UI
        • Compliance by Resource Type - UI
        • Compliance by Resource - UI
    • Creating, Testing, and Managing Custom Rules - API
      • Creating Custom Rules - API
        • Creating a Rule via API - Get Input for Test
        • Creating a Rule via API - Test the Rule
        • Creating a Rule via API - Add the Rule
      • Modifying and Deleting Custom Rules - API
        • Modifying Custom Rules - API
        • Deleting Custom Rules - API
      • Viewing Compliance Results - API
        • Compliance by Rule - API
        • Compliance by Resource Type - API
        • Compliance by Resource - API
      • Custom Rules API - Things to Know
    • Example Rules
    • Learning Rego
  • Visualizer
    • Visualization Components
      • Security Group Connections Between Resources
    • Visualizing Resource Compliance State
    • Viewing Resource Groups and Collections
      • Resource groups
      • Collections
      • How to expand and collapse groups/collections
      • Nested groups/collections
      • How collapsed groups and collections show compliance
    • Viewing Resource Details
    • Panning, Zooming, and Viewing in Full Screen
    • Which Resources Are Visualized?
      • Supported AWS & AWS GovCloud Resources
        • VPC Attributes
        • AWS & AWS GovCloud Resources Supporting Compliance State Visualization
        • Implicit Resources
      • Supported Azure Resources
        • VNet Attributes
        • Azure Resources Supporting Compliance State Visualization
    • Visualizing Previous Scans
    • View Options
      • Exporting a Diagram
    • Supported Browsers
      • WebGL is Required
  • Organization
    • Contents
      • User Management
        • User Setup
        • Single Sign-on (SSO)
        • Multi-Factor Authentication (MFA)
      • Role-Based Access Control (RBAC)
        • RBAC Overview
        • Groups, Policies, Users
        • Getting Started with RBAC
        • More About User Management
  • Reports and Notifications
    • Contents
      • Notifications
        • The Notifications Tab
        • Setting Up Notifications
        • Editing or Deleting a Notification
        • Types of Notification Events
        • Example Notifications
        • Notifications FAQ
      • Compliance Report
        • Setting up the Compliance Report Email
  • API
    • Contents
      • API User Guide
        • What is the Fugue API?
        • API Functions
        • Use Cases
        • How to Use the API
        • OpenAPI 2.0 Spec
        • Authentication
        • Making API Requests
        • Deep Dives
        • API Tools
        • Examples
        • Further Reading
      • API Reference
  • CLI
    • Commands
      • create - Create subcommands
        • create
        • Output Attributes
        • Examples
      • delete - Delete subcommands
        • delete
        • Examples
      • get - Get subcommands
        • get
        • Output Attributes
        • Examples
      • help - Help about any command
        • help
        • Examples
      • list - List subcommands
        • list
        • Output Attributes
        • Examples
      • scan - Trigger a scan
        • scan
        • Output Attributes
        • Examples
      • sync - Sync files to your account
        • sync
        • Examples
      • update - Update subcommands
        • update
        • Output Attributes
        • Examples
    • Usage
    • Installation
    • Environment Variables
    • Accepted Parameter Values
      • How to format fugue flags
      • How to look up fugue arguments
    • Tips
      • env alias
      • Help for any command
    • Installation Error Message
  • Service Coverage
    • AWS Standard Regions
      • AWS Certificate Manager (ACM)
      • ACM Private Certificate Authority (ACM PCA) – beta
      • API Gateway
      • AutoScaling
      • CloudFront
      • CloudTrail
      • CloudWatch
      • Cognito
      • Config
      • Directory Service – beta
      • DynamoDB
      • EC2
      • ECR
      • ECS
      • EFS – beta
      • EKS
      • ELB
      • ELBv2
      • ElastiCache
      • Glacier – beta
      • GuardDuty
      • IAM
      • Inspector – beta
      • KMS
      • Kinesis – beta
      • Lambda
      • Macie
      • MediaStore
      • Organizations – beta
      • RDS
      • Redshift
      • Route 53
      • S3
      • Step Functions (SFN)
      • SNS
      • SQS
      • Systems Manager (SSM) – beta
      • Secrets Manager
      • WAF
    • Supported Services: AWS GovCloud
      • AWS Certificate Manager (ACM)
      • ACM Private Certificate Authority (ACM PCA) – beta
      • API Gateway
      • AutoScaling
      • CloudTrail
      • CloudWatch
      • Config
      • Directory Service – beta
      • DynamoDB
      • EC2
      • ECR
      • ECS
      • ELB
      • ELBv2
      • ElastiCache
      • Glacier – beta
      • IAM
      • Inspector – beta
      • KMS
      • Kinesis – beta
      • Lambda
      • Organizations – beta
      • RDS
      • Redshift
      • S3
      • Step Functions (SFN)
      • SNS
      • SQS
      • Systems Manager (SSM) – beta
    • Supported Services: Microsoft Azure
      • Compute
      • Network
      • SQL
      • Storage
    • Changing Resource Selection
      • New Environments
      • Existing Environments
    • Resources Under Management
    • Supported AWS and AWS GovCloud regions
    • Resource Types That Don’t Report Drift
  • FAQ
    • General
      • How do I contact support?
      • Where can I sign up for Fugue?
      • How do I change my Fugue user password?
      • What browsers are supported?
    • Plans
      • What plans are offered?
      • What’s the difference between Enterprise Trial, Enterprise, and Developer?
      • How do I upgrade my Fugue account?
      • How do I find out what my plan is?
      • How is scanning limited in Fugue Developer and Fugue Team?
      • How much does it cost?
      • Where can I find more information?
    • Environments
      • How many environments can Fugue store?
      • Does Fugue support AWS GovCloud?
      • What AWS and AWS GovCloud regions does Fugue support?
      • Does Fugue support Microsoft Azure?
      • How can I quickly create multiple environments?
    • Scanning
      • How can I trigger a scan?
      • Where do I view my scan results?
      • How can I change the resources that Fugue scans in my AWS standard or GovCloud environment?
      • How can I change the resource groups Fugue scans in my Azure environment?
      • Can I scan ElastiCache clusters within a replication group?
    • Compliance
      • What compliance families are supported?
      • Can I change the compliance standards Fugue uses to evaluate my infrastructure?
      • Will changing my compliance standards and saving them automatically trigger a new scan?
      • How can I output a CSV of compliance results for my Fugue account?
    • Drift Detection & Enforcement
      • How do I set or update a baseline?
      • Can I turn off drift detection?
      • Can I turn off enforcement?
      • How can I change the AWS or AWS GovCloud resources that Fugue enforces?
      • Can Fugue enforce the resource groups in my Azure environment?
      • What kind of drift does Fugue enforce?
      • When a resource is enforced, does Fugue simply modify it, or does it destroy the resource and recreate it?
    • AWS IAM Permissions
      • What kind of AWS IAM permissions does Fugue need?
        • SecurityAudit read-only policy
      • Can I give Fugue enforce access (write permissions) without enabling baseline enforcement?
      • What permissions are needed for compliance scanning, drift detection, and baseline enforcement?
      • How do I update the Fugue IAM role trust policy?
      • What’s the SecurityAudit policy and why is it attached?
      • What if I don’t want to use the SecurityAudit policy?
      • Why does Fugue use inline policies instead of managed policies?
    • Azure Service Principal Role
      • What type of RBAC role does Fugue require to scan and enforce my Azure infrastructure?
    • Service Coverage
      • What cloud provider services does Fugue support?
    • Organization
      • How do I manage users?
      • How do I use RBAC to manage users?
      • How do I enable SSO?
      • How do I enable MFA?
    • Visualizer
      • How can I visualize the resources in my environment?
      • What resource types are visualized?
      • What do the characters next to subnet and security group names mean?
      • Which cloud providers are supported?
      • Does the visualizer support keyboard shortcuts?
    • Notifications
      • What if I have a question about notifications?
    • Best Practices
      • AWS Regions and Environments
      • AWS Resource Selection
      • Recommended AWS Resource Types to Enforce
      • Recommended read permissions
      • Recommended write permissions
      • Avoid Enforcing AWS Autoscaled Resources
      • Enable Multi-Factor Authentication (MFA)
    • Known Issues
      • Maximum of 1,000 SQS Queues
      • Notification of Newly Compliant Resources When Transitioning to Fugue Developer
    • Other
      • What if I have other questions?
  • Glossary
  • Release Notes
    • 2020.03.17
    • 2020.03.03
      • On-Demand Scan via the UI
      • Cloud Resource Visualization – View Resource Details
      • UX Improvements to Settings and Setting a Baseline
      • Bug Fixes
      • Removed Obsolete VPC Flow Logs Rule
    • 2020.02.14
      • Cloud Resource Visualization – Collections & Additional Resource Support
      • Rule Updates
    • 2020.01.31
      • Additional AWS Resources - Beta
      • Bug Fixes
    • 2020.01.13
      • Cloud Resource Visualization – Keyboard Shortcuts
      • Multi-Factor Authentication Support (MFA)
    • 2019.12.23
      • Cloud Resource Visualization - Export Functionality
      • Cloud Resource Visualization - VPC Peering
      • Search By Environment
    • 2019.11.21
      • Rule Remediation Steps in Documentation
      • Exporting Visualizer Diagrams and Customizing Your Visualizer View
      • Ability to Delete User Groups
      • Fugue Developer and Fugue Enterprise
      • New Account Overview Page
    • 2019.10.31
      • Single Sign-On (Beta)
      • Additional Compliance Family Support for Azure
      • Fugue Best Practices
    • 2019.10.17
      • Expanded AWS Service Coverage
      • Updates to the Visualizer
    • 2019.10.03
      • Custom Rules
      • CLI
      • Visualizer
    • 2019.09.13
      • Visualizer updates
      • IAM role generation updates
    • 2019.08.23
    • 2019.08.07
    • 2019.07.08
    • 2019.07.03
      • Features
    • 2019.06.26
      • Features
    • 2019.06.10
      • Features
    • 2019.05.29
      • Features
    • 2019.05.09
      • Features
      • Bug Fixes and Improvements
    • 2019.04.25
      • Features
      • Bug Fixes
    • 2019.03.28
      • Features
    • 2019.03.15
      • Features
      • Bug Fixes
    • 2019.02.25
    • 2019.02.12
    • 2019.01.28
    • 2018.11.26
      • Features
        • Scan cloud environments for risks and generate risk reports
        • Scan cloud environments for drift based on the declared baseline
        • Enable baseline enforcement on resources in cloud environments
  • Fugue Support
    • Contact Support
    • Self-Service
      • How do I…
      • Selected FAQs
  • Rule Remediation Steps
    • IAM root user should not be used
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM password policies should prevent reuse of previously used passwords
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM password policies should expire passwords within 90 days
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM root user access key should not exist
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM should have virtual MFA enabled for the root account
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM should have hardware MFA enabled for the root account
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM policies should not be attached to users
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Ensure a support role has been created to manage incidents with AWS Support
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudFront distribution origin should be set to S3 or origin protocol policy should be set to https-only
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudFront viewer protocol policy should be set to https-only
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ELBv1 listener protocol should not be set to http
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Auto Scaling groups should span two or more availability zones
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • EBS volume encryption should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudFront distributions should have geo-restrictions specified
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • AWS credentials (IAM user name/passwords, IAM access keys) unused for 90 days or more should be disabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM user access keys should be rotated every 90 days or less
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM password policies should require at least one uppercase character
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM password policies should require at least one lowercase character
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM password policies should require at least one symbol
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM password policies should require at least one number
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM password policies should require a minimum length of 14
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudTrail should be enabled in all regions
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudTrail log file validation should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket ACLs should not have public access on S3 buckets that store CloudTrail log files
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudTrail trails should have CloudWatch log integration enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • AWS Config should be enabled in all regions
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket access logging should be enabled on S3 buckets that store CloudTrail log files
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for denied connections in VPC Flow Logs should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Alarm for denied connections in CloudFront logs should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudTrail log files should be encrypted using KMS CMKs
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • KMS CMK rotation should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 5900 (Virtual Network Computing)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 5800 (Virtual Network Computing), unless from ELBs
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 5500 (Virtual Network Computing)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 23 (Telnet)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 80 (HTTP), unless from ELBs
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ELBv1 load balancer cross zone load balancing should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group inbound rules should not permit ingress from any address to all ports and protocols
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group inbound rules should not permit ingress from ‘0.0.0.0/0’ to all ports and protocols
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC flow logs should be sent to CloudWatch logs
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • SQS access policies should not have global “.” access
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • SNS subscriptions should deny access via HTTP
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC flow logging should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for unauthorized API calls should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for VPC security group changes should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for changes to VPC NACLs should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for changes to VPC network gateways should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for VPC route table changes should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for VPC changes should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for Management Console sign-in without MFA should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for usage of root account should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for IAM policy changes should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for CloudTrail configuration changes should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for Management Console authentication failures should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ELBv1 load balancer access logging should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudFront access logging should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log groups should be encrypted with KMS CMKs
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • DynamoDB tables should be encrypted with KMS CMKs
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • SQS queue server-side encryption should be enabled (AWS-managed keys)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudFront distributions should be protected by WAFs
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm for disabling or scheduled deletion of KMS CMKs should be configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm should be set for S3 bucket policy changes
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • CloudWatch log metric filter and alarm should be set for Config configuration changes
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to port 22 (SSH)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM password policies should have a minimum length of 7 and include both alphabetic and numeric characters
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to port 3389 (Remote Desktop Protocol)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM password policies should prevent reuse of the four previously used passwords
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC default security group should restrict all traffic
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM policies should not have full “*:*” administrative privileges
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • RDS instances should be encrypted (AWS-managed keys or KMS CMKs)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • RDS instances should have FedRAMP approved database engines
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • RDS instances should be encrypted with KMS CMKs
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket server-side encryption should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket policies should only allow requests that use HTTPS
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket versioning and lifecycle policies should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ELB listener security groups should not be set to TCP all
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security groups attached to EC2 instances should not permit ingress from ‘0.0.0.0/0’ to all ports
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security groups attached to RDS instances should not permit ingress from ‘0.0.0.0/0’ to all ports
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • ElastiCache transport encryption should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • DynamoDB tables Point in Time Recovery should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • RDS instances should have backup retention periods configured
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM multi-factor authentication should be enabled for all IAM users that have a console password
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • Storage Accounts ‘Secure transfer required’ should be enabled
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • Virtual Network security groups should not permit ingress from ‘0.0.0.0/0’ to TCP port 3389 (RDP)
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • Virtual Network security groups should not permit ingress from ‘0.0.0.0/0’ to TCP port 22 (SSH)
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • Virtual Network security groups attached to SQL Server instances should not permit ingress from 0.0.0.0/0 to all ports and protocols
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • Virtual Network Network Watcher should be enabled
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • Virtual Machines data disks (non-boot volumes) should be encrypted
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • Virtual Machines unattached disks should be encrypted
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • RDS Aurora cluster multi-AZ should be enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket policies should not allow all actions for all principals
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • S3 bucket policies should not allow list actions for all principals
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 9200 (Elasticsearch)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 9300 (Elasticsearch)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 2379 (etcd)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27017 (MongoDB)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27018 (MongoDB)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27019 (MongoDB)
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM policies should not allow broad list actions on S3 buckets
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM role trust policies should not allow all principals to assume the role
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • IAM roles attached to instance profiles should not allow broad list actions on S3 buckets
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
    • SQL Server firewall rules should not permit start and end IP addresses to be 0.0.0.0
      • Description
      • Portal Remediation Steps
      • Azure CLI Remediation Steps
      • Documentation Links
    • S3 buckets should have all “block public access” options enabled
      • Description
      • Console Remediation Steps
      • CLI Remediation Steps
      • Documentation Links
  • Home
  • Examples

Examples¶

Contents¶

  • Tutorial: Hello World AWS
  • How To: Create a Fugue IAM Role
  • How To: Set a Baseline (UI)
  • How To: Set a Baseline (CLI)
  • How To: Set a Baseline (API)
  • Example: Scan, Detect Drift, Enforce
  • Example: Fugue Notifications in Slack
  • Example: Fugue CI/CD with Terraform, GitHub, CircleCI
  • Example: Fugue CI/CD with Regula Pre-deployment Checks
Previous Page

Google Cloud Support
Next Page

Tutorial: Hello World AWS
  • Home
  • Events
  • Press
  • Contact
  • Schedule Demo
© Fugue, Inc. 2020 Privacy Policy Subscription Agreement
  • Twitter
  • Facebook
  • LinkedIn
AWS Partner Network: Advanced Technology Partner Gartner Cool Vendor 2017