FAQ

General

Where can I sign up for Fugue?

Sign up for Fugue here.

How do I change my Fugue user password?

To change your Fugue user password, follow these steps:

1. Select the “Forgot Password” link on the login page or access the Forgot Password page directly.

[Screenshot: the Forgot Password link on the login page]

2. Enter your email address in the “Forgot Your Password?” form.

[Screenshot: the “Forgot Your Password?” form]

3. After you submit the form, you’ll see a message that the password reset email was sent. Check your inbox for an email from Fugue and click the “Reset Password” button in it.

4. Next, enter and confirm your new password in the “Reset Password” form. Your password must be at least 8 characters long.

[Screenshot: the “Reset Password” form]

5. Finally, after you submit the form, you’ll see a message that your password has successfully been reset, and you can log into your account using the new password.

Environments

How many environments can Fugue store?

There is currently no specific limit on the number of environments you can create.

Does Fugue support AWS GovCloud?

Yes. All activities that are supported in standard AWS regions are supported in AWS GovCloud regions. To learn more about setting up a GovCloud environment, see Setup - AWS & AWS GovCloud.

To see a list of services and resources supported in AWS GovCloud, see Service Coverage.

For details on the differences between standard AWS regions and the GovCloud AWS regions, refer to Amazon’s documentation about service-specific differences and general differences.

What AWS and AWS GovCloud regions does Fugue support?

Fugue supports the following regions:

  • US East (N. Virginia) - us-east-1

  • US East (Ohio) - us-east-2

  • US West (N. California) - us-west-1

  • US West (Oregon) - us-west-2

  • Asia Pacific (Mumbai) - ap-south-1

  • Asia Pacific (Seoul) - ap-northeast-2

  • Asia Pacific (Singapore) - ap-southeast-1

  • Asia Pacific (Sydney) - ap-southeast-2

  • Asia Pacific (Tokyo) - ap-northeast-1

  • Canada (Central) - ca-central-1

  • EU (Frankfurt) - eu-central-1

  • EU (Ireland) - eu-west-1

  • EU (London) - eu-west-2

  • EU (Paris) - eu-west-3

  • South America (São Paulo) - sa-east-1

  • AWS GovCloud (US-East) - us-gov-east-1

  • AWS GovCloud (US) - us-gov-west-1

Does Fugue support Microsoft Azure?

Yes, Fugue supports Microsoft Azure. You can use Fugue to scan resource groups in your Azure subscription for compliance assessment, drift detection, and enforcement (auto-remediation).

For general information about using Fugue with Azure, see Azure. For service coverage, see Service Coverage. For setup instructions, see Setup - Azure. If you have any other questions about Fugue and Azure, reach out to support@fugue.co.

Scanning

Where do I view my scan results?

Once your environment is established, your scan results will display on the environment dashboard.

What compliance families are supported?

Currently, Fugue supports the following compliance families:

Can I change the compliance standards Fugue uses to evaluate my infrastructure?

Yes. You can change them at any time by selecting the Settings cog and accessing the Compliance tab. Simply check or uncheck the desired compliance standard boxes and select Save Changes when you’re done. The next scan evaluates your resources using the new compliance standard(s). You can manually trigger a scan using the API.

Will changing my compliance standards and saving them automatically trigger a new scan?

No, the next scan will still run at its scheduled time. However, you can manually trigger a scan or change the scan interval using the API.

How can I change the resources that Fugue scans in my AWS standard or GovCloud environment?

Changing the AWS resources Fugue scans is a two-step process:

  1. Access the environment settings menu through the Settings cog and select/deselect resources you want to include or exclude from scanning (“scan access”). See Service Coverage for a list of supported resources.

  2. Update the IAM policy for the Fugue role. For instructions, see Setup.

The next scan includes the updated resource types. You can manually trigger a scan using the API.

Warning

After updating the permissions in Fugue, you must update its IAM role in AWS or scans will fail. For instructions, see Setup. You can also reach out to support@fugue.co.

How can I change the resource groups Fugue scans in my Azure environment?

You can remove resource groups by editing the environment settings, as long as at least one resource group remains selected. However, to add resource groups after the environment has been created, you must use the Fugue API. See Updating Selected Resource Groups for details.

You can access environment settings through the Settings cog. The next scan includes the updated resource groups. You can manually trigger a scan using the API.

Can I scan ElastiCache clusters within a replication group?

When ElastiCache.Cluster resources belong to an ElastiCache.ReplicationGroup, the clusters themselves are not scanned but the replication group is. The replication group manages the clusters and contains all of the relevant settings, so there is no need to scan the clusters individually.

In contrast, ElastiCache clusters that do not belong to a replication group are scanned individually.

Drift Detection & Enforcement

Can I turn off drift detection?

To disable a baseline and drift detection, use the API to update the environment with this request body:

{
  "baseline_id": ""
}

Can I change my baseline?

Yes. The dropdown menu to the left of the Establish Baseline button contains a list of recent scans. By default, the results of the most recent scan are used as the baseline, but you can select an earlier scan to establish the baseline using an earlier state of your infrastructure.

Can I turn off enforcement?

Yes. You can enable or disable enforcement at any time once you’ve established a baseline. There are two ways to access enforcement settings:

  • Through the Settings cog

  • Through the Disabled or Enabled link below Baseline Enforcement

The Enforcement Settings tab contains a checkbox that allows you to enable baseline enforcement. To enable enforcement, simply check the box. To disable it, uncheck the box. The next scan reflects the changes. You can manually trigger a scan using the API.

You can also enable and disable enforcement through the API.

How can I change the AWS resources that Fugue enforces?

Changing the AWS resources Fugue enforces is a two-step process:

  1. Access the environment settings menu through the Settings cog and select/deselect resources you want to include or exclude from remediation (“enforce access”). See Service Coverage for a list of supported resources.

  2. Update the IAM policy for the Fugue role. For instructions, see Setup.

The next scan enforces the updated resource types. You can manually trigger a scan using the API.

Warning

After updating the permissions in Fugue, you must update its IAM role in AWS or scans will fail. For instructions, see Setup. You can also reach out to support@fugue.co.

Can Fugue enforce the resource groups in my Azure environment?

Yes, Fugue can enforce resource groups in an Azure environment.

What kind of drift does Fugue remediate?

Fugue only supports remediation of modified resources. It does not delete new resources that have been added or recreate existing resources that have been deleted.

When a resource is remediated, does Fugue simply modify it, or does it destroy the resource and recreate it?

Fugue performs mutable updates, which means it changes resource configuration without destroying and recreating the resource itself.

AWS IAM Permissions

What kind of AWS IAM permissions does Fugue need?

To scan your account and/or detect drift, Fugue requires certain read-only permissions (“scan access”). To automatically remediate changes to your baseline, Fugue requires certain write permissions (“enforce access”).

When you launch a CloudFormation stack to create the Fugue role, Fugue automatically attaches the AWS-managed SecurityAudit read-only policy. (For details, see the Security Auditor job function.)

You can customize which resources Fugue has scan access or enforce access to by ticking the appropriate checkboxes in the Edit Environment Settings dialog. (See note about scan permissions.)

You can then create the role by ensuring the “Create New AWS IAM Role” button is selected and then clicking the “Launch Stack in AWS Console” button. Find the role ARN in the “Outputs” tab in the CloudFormation console, then paste it in the AWS IAM Role ARN field in the Fugue dialog.

To view the exact permissions that will be associated with the role, select “Edit Existing AWS IAM Role.” The JSON IAM policy is displayed according to the resource permissions you selected. If you update permissions in Fugue, you must update the Fugue role policy in AWS. For instructions, see Setup.

Note

When you launch a CloudFormation stack to create the role, the SecurityAudit policy attached to the role grants read-only (scan) access to all supported resources. However, if you choose to manually create a role, you can create a policy that contains only the customized read (and write) permissions. To do so, check off the desired resource types, select “Edit Existing AWS IAM Role,” and copy the generated JSON to your role policy.

Can I give Fugue enforce access (write permissions) without enabling automatic remediation?

Yes, you can grant Fugue read/write permissions for a particular resource without enabling automatic remediation. This allows you to give Fugue’s IAM role ARN the correct permissions for drift and remediation protection without having to update the role at a later date.

What permissions are needed for compliance scanning, drift detection, and remediation?

For compliance scanning and drift detection, scan access (read permission) is needed. For Fugue to perform remediation, scan access and enforce access (write permission) are needed.
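Because scan access is read-only and enforce access adds write permissions, a practical check before attaching a policy is to confirm that a role meant for scanning only does not carry write actions. The following is an added example, not Fugue's code or its generated policy: it classifies each allowed action by verb prefix and reports anything that is not clearly read-only. The two policy documents in it are constructed samples, and the prefix rule is a heuristic (some Get*/List* calls still return sensitive data), so a "read" result means "not a mutation", nothing more.

```python
"""Audit whether an IAM policy document grants only scan (read) access.

Added example, not Fugue's code or its generated policy. It classifies each
action in a policy's Allow statements by verb prefix, so a policy meant for
a scan-only role can be checked for enforce (write) actions before it is
attached. The two policy documents below are constructed samples.
"""
import json

# Verb prefixes AWS uses for read-only API calls. Heuristic only: some
# Get*/List* actions still return sensitive data (e.g. ssm:GetParameter).
READ_PREFIXES = ("Describe", "Get", "List")

# Constructed sample: what a scan-only inline policy might look like.
SCAN_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:DescribeInstances", "ec2:DescribeSecurityGroups",
                       "s3:GetBucketPolicy", "s3:ListAllMyBuckets", "iam:Get*"],
            "Resource": "*",
        }
    ],
}

# Constructed sample: the same policy with enforce (write) actions added.
ENFORCE_POLICY = json.loads(json.dumps(SCAN_ONLY_POLICY))
ENFORCE_POLICY["Statement"].append({
    "Effect": "Allow",
    "Action": ["ec2:ModifyInstanceAttribute", "s3:PutBucketPolicy"],
    "Resource": "*",
})


def classify_action(action: str) -> str:
    """Return 'read', 'write' or 'wildcard' for one IAM action string."""
    service, sep, verb = action.partition(":")
    if not sep or not verb:
        return "wildcard"          # "*" alone, or a malformed action
    if verb.endswith("*"):
        stem = verb[:-1]
        # "iam:Get*" is still read-only; "s3:*" or "ec2:*" is not
        return "read" if stem.startswith(READ_PREFIXES) else "wildcard"
    return "read" if verb.startswith(READ_PREFIXES) else "write"


def non_read_actions(policy: dict) -> list[str]:
    """List every allowed action that is not clearly read-only."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement object is valid too
        statements = [statements]
    found = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:           # "everything except" grants: flag as a whole
            found.append("NotAction")
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        found.extend(a for a in actions if classify_action(a) != "read")
    return found


def is_scan_only(policy: dict) -> bool:
    """True when the policy grants scan access only (no write or wildcard)."""
    return not non_read_actions(policy)


if __name__ == "__main__":
    for name, policy in (("scan-only", SCAN_ONLY_POLICY), ("enforce", ENFORCE_POLICY)):
        extra = non_read_actions(policy)
        print(name, "-> scan access only" if not extra else f"-> write/wildcard: {extra}")
```

Run the check against the JSON shown under “Edit Existing AWS IAM Role” before applying it, and again after any change to the selected resource types: a scan-only role that unexpectedly gains a write action is exactly the drift this is meant to catch.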

How do I update the Fugue IAM role trust policy?

In response to a security event, Fugue may require you to change the trusted entity that can assume the Fugue IAM role. For instructions, see Setup.

What’s the SecurityAudit policy and why is it attached?

SecurityAudit is an AWS-managed policy that grants read-only (scan) access to all supported resources. When you launch a CloudFormation stack to create the Fugue role, the policy is automatically attached. Fugue also creates an inline policy for any permissions not covered by the SecurityAudit policy, such as enforcement (write) permissions.

For more details, see the Security Auditor job function.

What if I don’t want to use the SecurityAudit policy?

If you don’t want the Fugue role to have read-only (scan) access to all supported resources, you may manually create a role and customize policy permissions. See Setup and this note for additional details.

Why does Fugue use inline policies instead of managed policies?

A customer-managed policy is a standalone policy that can be attached to multiple principals. An inline policy is embedded in a single principal and cannot be attached to others, so it can’t be used to escalate other principals’ privileges. Additionally, an inline policy is deleted when its principal is deleted. For these reasons, Fugue uses inline policies. Learn more in the AWS docs.

Azure Service Principal Role

What type of RBAC role does Fugue require to scan and enforce my Azure infrastructure?

Fugue needs a Reader role in order to scan and enforce your Azure resource groups. For details, see Setup - Azure.

Service Coverage

What cloud provider services does Fugue support?

See Service Coverage for a list of currently supported services for each cloud provider.

Visualizer

How can I visualize the resources in my environment?

The cloud resource visualizer creates detailed, auto-generated, interactive diagrams of the infrastructure in your environment. To access the visualizer, select the Visualizer link in the header near the top of the page:

[Screenshot: the Visualizer link in the page header]

See the visualizer documentation for more information.

What resource types are visualized?

For the complete list, see Which Resources Are Visualized? in the visualizer documentation.

What do the characters next to subnet and security group names mean?

The two characters next to a subnet name, CIDR block, or security group name are the first two digits of the resource ID. For an example, see Which Resources Are Visualized? in the visualizer documentation.

Which cloud providers are supported?

The visualizer supports environments in AWS standard and GovCloud regions and Azure.

Notifications

What if I have a question about notifications?

For FAQs about notifications, see Notifications.

Best Practices

AWS Regions and Environments

To ensure compliance with a given compliance standard (e.g., CIS AWS or NIST SP 800-53) in AWS, you need to define an environment for each region that contains infrastructure you want Fugue to scan.

While Fugue allows you to create multiple environments per region, it is a recommended best practice to limit your Fugue configuration to a single environment per region to prevent reporting and remediation issues. For example, if you configure multiple environments and have global IAM, you will see duplicate notifications. In addition, enabling enforcement for more than one environment in the same region can introduce remediation conflicts.

In order to fully scan for compliance, you must ensure that Fugue is set to scan each region in which you have infrastructure configured. This is specifically applicable to the following compliance standards: CIS AWS 2-5, HIPAA §164.308(a)(1)(ii)(D), HIPAA §164.308(a)(6)(i), HIPAA §164.312(b), and GDPR 30-(1).

For more information about using Fugue refer to Setup - AWS and Configuration.
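Checking the one-environment-per-region advice by hand is error-prone once an account spans several regions. The following is an added example, not Fugue's code: it derives each resource's region from its ARN, compares the regions in use with the regions that have a Fugue environment, and flags regions with more than one environment (the duplicate notification and remediation conflict case). The ARNs and environment list are constructed samples; the supported-region set is the list given earlier on this page.

```python
"""Find AWS regions that hold resources but have no Fugue environment.

Added example, not Fugue's code. It derives each resource's region from its
ARN, compares the regions in use with the regions that have a Fugue
environment, and flags regions with more than one environment. The ARNs and
environment list below are constructed samples.
"""
from collections import Counter

# Regions listed as supported in the FAQ above.
SUPPORTED_REGIONS = {
    "us-east-1", "us-east-2", "us-west-1", "us-west-2",
    "ap-south-1", "ap-northeast-2", "ap-southeast-1", "ap-southeast-2",
    "ap-northeast-1", "ca-central-1", "eu-central-1", "eu-west-1",
    "eu-west-2", "eu-west-3", "sa-east-1", "us-gov-east-1", "us-gov-west-1",
}

# Constructed inventory, as it might come from a resource listing export.
SAMPLE_ARNS = [
    "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0",
    "arn:aws:rds:eu-west-1:123456789012:db:orders-prod",
    "arn:aws-us-gov:ec2:us-gov-west-1:123456789012:vpc/vpc-0abc1234",
    "arn:aws:ec2:af-south-1:123456789012:instance/i-0fedcba9876543210",
    "arn:aws:iam::123456789012:role/FugueRole",      # global service: no region
]

# Constructed: one entry per Fugue environment, with us-east-1 defined twice.
SAMPLE_ENVIRONMENTS = ["us-east-1", "us-east-1", "eu-west-1"]


def arn_region(arn: str) -> str:
    """Return the region field of an ARN ('' for global services such as IAM).

    Caveat: S3 bucket ARNs also carry an empty region field even though
    buckets are regional, so treat '' as 'region unknown', not 'no region'.
    """
    parts = arn.split(":", 5)        # keep colons inside the resource part
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    return parts[3]


def coverage_report(resource_arns: list[str], environment_regions: list[str]) -> dict:
    """Compare regions in use against regions that have a Fugue environment."""
    in_use, global_resources = set(), []
    for arn in resource_arns:
        region = arn_region(arn)
        if region:
            in_use.add(region)
        else:
            global_resources.append(arn)
    env_counts = Counter(environment_regions)
    return {
        # resources here are never scanned: no environment covers the region
        "unmonitored": sorted(in_use - set(env_counts)),
        # regions Fugue cannot scan at all, per the supported-region list
        "unsupported": sorted(in_use - SUPPORTED_REGIONS),
        # more than one environment per region: duplicate notifications,
        # and remediation conflicts if enforcement is on in both
        "duplicate_environments": sorted(r for r, n in env_counts.items() if n > 1),
        # global resources (e.g. IAM) show up in every environment's scan
        "global_resources": global_resources,
    }


if __name__ == "__main__":
    for key, value in coverage_report(SAMPLE_ARNS, SAMPLE_ENVIRONMENTS).items():
        print(f"{key}: {value}")
```

An empty "unmonitored" list is the condition the compliance standards named above actually require; "duplicate_environments" is the list to reconcile before enabling enforcement.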

AWS Resource Selection

In general, it’s a good practice to include all resources in Fugue scan access (default setting). The read-only IAM role ensures that all infrastructure in the environment is monitored for compliance, decreasing the risk of undetected violations. However, if you only need to monitor specific resources for compliance, a more granular setting is appropriate.

For enforce access, it’s best to select only the resources you specifically want Fugue to remediate rather than including all of them. For example, if you deliberately modify a resource, automated remediation would roll back your changes. Additionally, you may experience faster remediation if you restrict it to a small number of resources.

See Service Coverage for a list of supported resources.

Avoid Enforcing AWS Autoscaled Resources

Enabling enforcement on autoscaled resources is not recommended. This is because AWS dynamically adjusts autoscaled resource properties when there is a scaling event, but Fugue adjusts the resource properties when they diverge from the baseline, which in turn causes AWS to adjust them again. This creates a cycle of potentially destructive changes to infrastructure and/or increased costs.

For example, if an Auto Scaling group’s desired capacity is set to 2 in the Fugue baseline and enforcement is enabled, but an autoscaling event occurs and AWS launches a third instance, Fugue will set the desired capacity back to 2 on its next scan and cause AWS to terminate the third instance. AWS will then increase the desired capacity again due to the autoscaling event.

Elastic Load Balancers are similarly affected. Because a baseline captures autoscaled instances attached to an ELB, Fugue may remediate the ELB by attempting to reattach terminated instances. This is true even if enforcement is not enabled for the AutoScaling group.

Likewise, if an autoscaled DynamoDB table has a baseline of 5 provisioned read capacity units but an autoscaling event causes AWS to decrease throughput to 1, Fugue will set it back to 5 on its next scan, and so on.

As a best practice, we recommend that you do not enable enforcement for the following resources:

  • AutoScaling.AutoScalingGroup

  • ELB.LoadBalancer

  • DynamoDB.Table
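The cycle described above is easiest to see by modelling both sides. The following is an added example, not Fugue's code: the scan-and-enforce step and the AWS scaling decision are reduced to two plain functions acting on a dict of resource attributes, so the feedback loop can be reproduced for an Auto Scaling group or DynamoDB table and detected as flapping, while the same enforcement logic is shown restoring a non-autoscaled resource (a security group rule) without any conflict. Resource names, types and attribute values are constructed for illustration.

```python
"""Model the enforcement/autoscaling feedback loop and detect flapping.

Added example, not Fugue's code. Fugue's scan and the AWS scaling decision
are reduced to two plain functions that act on a dict of resource attributes.
Resource names, types and attribute values are constructed for illustration.
"""

# Resource types the FAQ recommends keeping out of enforcement.
AUTOSCALED_TYPES = {"AutoScaling.AutoScalingGroup", "ELB.LoadBalancer", "DynamoDB.Table"}

# Constructed baseline: the state Fugue would restore on each scan.
BASELINE = {
    "asg-web":    {"type": "AutoScaling.AutoScalingGroup", "desired_capacity": 2, "max_size": 4},
    "tbl-orders": {"type": "DynamoDB.Table", "read_capacity": 5},
    "sg-web":     {"type": "EC2.SecurityGroup", "ingress_cidr": "10.0.0.0/8"},
}


def safe_enforce_types(selected: set[str]) -> set[str]:
    """Drop autoscaled types from an enforce-access selection."""
    return set(selected) - AUTOSCALED_TYPES


def remediate(baseline: dict, current: dict, enforced_types: set[str]) -> list[tuple]:
    """One enforcement pass: reset drifted attributes of enforced resources.

    Mutable update only (no destroy/recreate). Returns one tuple
    (resource, attribute, observed, restored) per change made.
    """
    changes = []
    for rid, base in baseline.items():
        if base["type"] not in enforced_types:
            continue
        for attr, base_val in base.items():
            if attr != "type" and current[rid][attr] != base_val:
                changes.append((rid, attr, current[rid][attr], base_val))
                current[rid][attr] = base_val
    return changes


def simulate(baseline: dict, enforced_types: set[str], rid: str, attr: str,
             scaled_value, scans: int = 4) -> list:
    """Alternate an AWS scaling decision with a Fugue scan, recording the
    attribute after each step. The demand that drove scaling is assumed to
    persist, so AWS re-applies its decision before every scan."""
    current = {k: dict(v) for k, v in baseline.items()}
    history = [current[rid][attr]]
    for _ in range(scans):
        current[rid][attr] = scaled_value              # AWS scales to meet demand
        history.append(current[rid][attr])
        remediate(baseline, current, enforced_types)   # Fugue scan + enforcement
        history.append(current[rid][attr])
    return history


def transitions(history: list) -> int:
    """Number of value changes between consecutive observations."""
    return sum(1 for a, b in zip(history, history[1:]) if a != b)


def is_flapping(history: list, threshold: int = 3) -> bool:
    """A value that keeps changing back and forth is being fought over."""
    return transitions(history) >= threshold


if __name__ == "__main__":
    selection = {"AutoScaling.AutoScalingGroup", "EC2.SecurityGroup"}
    for label, types in (("enforced", selection), ("excluded", safe_enforce_types(selection))):
        h = simulate(BASELINE, types, "asg-web", "desired_capacity", 3)
        print(f"{label}: {h} -> {'flapping' if is_flapping(h) else 'stable'}")
```

With the Auto Scaling group enforced, the history alternates 2, 3, 2, 3 indefinitely; with the type excluded, it settles at 3 after one change. A transition count like this over a resource's scan history is also a cheap detector for the same conflict in production, whatever caused it.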

Known Issues

Maximum of 1,000 SQS Queues

Due to a limitation of the AWS API, the maximum number of SQS queues Fugue may scan in an account at once is 1,000. Additionally, the AWS API may not reliably return the same 1,000 queues every scan. As a result, users with more than 1,000 queues will be unable to see them all at once in Fugue, and the precise list of queues displayed will vary.

Other

What if I have other questions?

Reach out to support@fugue.co for assistance.