FAQ

General

How do I contact support?

To contact Fugue support, reach out to support@fugue.co. You can also check out Support for self-service help.

Where can I sign up for Fugue?

Sign up for Fugue here.

How do I change my Fugue user password?

Note

These instructions do not apply to organizations that have enabled single sign-on, except for the organization account owner. Users in an SSO-enabled organization do not use a Fugue username and password to log in.

To change your Fugue user password, follow these steps:

1. Select the “Don’t remember your password?” link on the login page or access the Forgot Password page directly.

_images/ForgotPasswordLink.png

2. Enter your email address in the “Forgot Your Password?” form.

_images/ForgotPasswordForm.png

3. After you submit the form, you’ll see a message that the password reset email was sent. Check your inbox for an email from Fugue and click the “Reset Password” button in it.

4. Next, enter and confirm your new password in the “Reset Password” form. Your password must be at least 8 characters long.

_images/EnterNewPassword.png

5. Finally, after you submit the form, you’ll see a message that your password has successfully been reset, and you can log into your account using the new password.

What browsers are supported?

Fugue supports the following browsers:

  • Chrome

  • Firefox

  • Microsoft Edge

  • Opera

  • Safari

What are some use cases for Fugue?

Use cases for Fugue include reporting compliance, detecting drift, and enforcing resource configuration. For details, see Use Cases.

Plans

What plans are offered?

Fugue is available in three tiers: Enterprise (paid), Team (paid), and Developer (free). All Fugue accounts start with a free 30-day trial of Enterprise. For more information, see Fugue Plans.

What’s the difference between Enterprise Trial, Enterprise, and Developer?

All new users will have access to our free 30-day Enterprise trial, during which you will have access to all of our features. After the conclusion of the trial, you have the option to purchase Fugue Enterprise or Fugue Team, or your account will be transitioned to our free plan, Fugue Developer. For a side-by-side comparison, see Plan Comparison.

How do I upgrade my Fugue account?

To upgrade to the Enterprise or Team tier from the Enterprise trial or Developer tier, contact sales@fugue.co, or select the “Upgrade” button next to your plan type on the Account Overview page:

_images/plan-upgrade-button.png

How do I find out what my plan is?

The Account Overview page lists your current plan type (Enterprise Trial, Enterprise, Team, Developer).

How is scanning limited in Fugue Developer and Fugue Team?

In Fugue Developer, on-demand scans are limited to 10 per rolling 24-hour period. After you hit the on-demand scan limit, a new scan is allotted every 2.4 hours. To scan on demand, use the Fugue UI or API.

There is a 24-hour minimum interval for scheduled (aka automatic) scans, so scans are limited to once per day. You may set the interval to be longer.

In Fugue Team, on-demand scans are limited to 25 per rolling 24-hour period, and after the limit, a new scan is allotted every 0.96 hours. The minimum interval is 1 hour for scheduled scans, so scans are limited to once per hour. You may set the interval to be longer.

Scheduled scans do not count toward the on-demand scan limit.

How much does it cost?

Fugue Developer is free forever. See Plans and Pricing for Team and Enterprise pricing.

Where can I find more information?

See the FAQ in Plans and Pricing.

Environments

How many environments can Fugue store?

There is currently no specific limit on the number of environments you can create.

Does Fugue support AWS GovCloud?

Yes. All activities that are supported in standard AWS regions are supported in AWS GovCloud regions. To learn more about setting up a GovCloud environment, see Setup - AWS & AWS GovCloud.

To see a list of services and resources supported in AWS GovCloud, see Service Coverage - AWS & AWS GovCloud.

For details on the differences between standard AWS regions and the GovCloud AWS regions, refer to Amazon’s documentation about service-specific differences and general differences.

What AWS and AWS GovCloud regions does Fugue support?

Fugue supports the following regions:

  • US East (N. Virginia) - us-east-1

  • US East (Ohio) - us-east-2

  • US West (N. California) - us-west-1

  • US West (Oregon) - us-west-2

  • Asia Pacific (Mumbai) - ap-south-1

  • Asia Pacific (Seoul) - ap-northeast-2

  • Asia Pacific (Singapore) - ap-southeast-1

  • Asia Pacific (Sydney) - ap-southeast-2

  • Asia Pacific (Tokyo) - ap-northeast-1

  • Canada (Central) - ca-central-1

  • EU (Frankfurt) - eu-central-1

  • EU (Ireland) - eu-west-1

  • EU (London) - eu-west-2

  • EU (Paris) - eu-west-3

  • South America (São Paulo) - sa-east-1

  • AWS GovCloud (US-East) - us-gov-east-1

  • AWS GovCloud (US) - us-gov-west-1

Environments can include a single region or any combination of regions, including all.

How can I change my environment’s region(s)?

Some environments support region updates via the API. This only applies to environments that use the regions body parameter, not region. You can check this parameter through the API. See the API User Guide for details.

Does Fugue support Microsoft Azure?

Yes, Fugue supports Microsoft Azure. You can use Fugue to scan resource groups in your Azure subscription for compliance assessment, drift detection, and baseline enforcement.

For general information about using Fugue with Azure, including setup instructions, see Setup - Azure. For service coverage, see Service Coverage - Azure. If you have any other questions about Fugue and Azure, reach out to support@fugue.co.

How can I quickly create multiple environments?

You can automate creation of Fugue environments using our utility scripts:

For other useful scripts, see our GitHub repo common-utility-scripts.

Scanning

How can I trigger a scan?

You can manually initiate a scan in the UI by selecting the Actions button in the top right of an environment page, then clicking Start New Scan:

_images/start-env-scan.gif

You’ll see a banner showing that the scan is in progress. When the banner indicates that the scan has finished, you can refresh the page for results.

You can also kick off a scan using the Fugue API.
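The API route mentioned above, as an added example rather than code from the Fugue docs: a Python script that starts an on-demand scan for one environment and polls until the scan reaches a terminal status, so it can gate a CI job. The base URL, the POST /scans?environment_id= and GET /scans/{scan_id} endpoints, basic-auth API client credentials and the status names are assumptions drawn from the public Fugue API (v0); the HTTP transport is injectable so the flow can be exercised offline.

```python
"""Start a Fugue scan and wait for it to finish through the Fugue REST API.

Added example, not code from the Fugue docs. The request shapes are assumptions
based on the public Fugue API (v0): HTTP basic auth with an API client ID and
secret, POST /scans?environment_id=<id> to start a scan, GET /scans/<scan_id>
to read its status. Export FUGUE_API_ID and FUGUE_API_SECRET before running.
"""
import base64
import json
import os
import sys
import time
import urllib.request

BASE_URL = "https://api.riskmanager.fugue.co/v0"   # assumed API base URL
TERMINAL = {"SUCCESS", "ERROR", "CANCELED"}          # assumed terminal scan statuses


def auth_header(client_id, client_secret):
    """Fugue API clients authenticate with HTTP basic auth (ID:secret)."""
    token = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"Authorization": f"Basic {token}", "Accept": "application/json"}


def http_json(method, url, headers):
    """Default transport: issue the request and decode the JSON response body."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def start_scan(environment_id, headers, send=http_json):
    """POST a new on-demand scan. On the Developer and Team plans this
    counts against the rolling 24-hour on-demand quota."""
    return send("POST", f"{BASE_URL}/scans?environment_id={environment_id}", headers)


def wait_for_scan(scan_id, headers, send=http_json, sleep=time.sleep,
                  poll_seconds=15, max_polls=240):
    """Poll the scan until it reaches a terminal status (about an hour by default)."""
    for _ in range(max_polls):
        scan = send("GET", f"{BASE_URL}/scans/{scan_id}", headers)
        if scan.get("status") in TERMINAL:
            return scan
        sleep(poll_seconds)
    raise TimeoutError(f"scan {scan_id} still running after {max_polls} polls")


def run_scan(environment_id, headers, send=http_json, sleep=time.sleep):
    """Start a scan and block until it finishes; returns the final scan object."""
    scan = start_scan(environment_id, headers, send)
    return wait_for_scan(scan["id"], headers, send, sleep)


if __name__ == "__main__":
    hdrs = auth_header(os.environ["FUGUE_API_ID"], os.environ["FUGUE_API_SECRET"])
    final = run_scan(sys.argv[1], hdrs)
    print(json.dumps(final, indent=2))
    # non-zero exit so a CI job fails when the scan itself errored
    sys.exit(0 if final["status"] == "SUCCESS" else 1)
```

Run it as `python trigger_scan.py <environment_id>` with the two credential variables exported. Because each call to start_scan consumes one slot of the rolling on-demand quota on the Developer and Team tiers, keep CI-triggered scans inside that budget; scheduled scans do not count against it.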

Where do I view my scan results?

Once your environment is established, your scan results will display on the environment dashboard.

How can I change the resources that Fugue scans in my AWS standard or GovCloud environment?

Changing the AWS resources Fugue scans is a two-step process:

  1. Select Edit Environment from the Actions drop-down in the top right of the page and select/deselect resources you want to include or exclude from scanning, then click “Save changes.” See Service Coverage - AWS & AWS GovCloud for a list of supported resources.

  2. Update the IAM policy for the Fugue role. For instructions, see How To: Update the Fugue IAM Role.

The next scan includes the updated resource types. You can manually trigger a scan via the UI or API.

Warning

After updating the permissions in Fugue, you must update its IAM role in AWS or scans will fail. For instructions, see How To: Update the Fugue IAM Role. You can also reach out to support@fugue.co.

How can I change the resource groups Fugue scans in my Azure environment?

You can remove resource groups by editing the environment settings, as long as at least one resource group remains selected. However, to add resource groups after the environment has been created, you must use the Fugue API. See Updating Selected Resource Groups for details.

You can access environment settings by selecting Edit Environment from the Actions drop-down in the top right of the page. Deselect any resource groups you want to remove from the environment, then click “Save changes.” The next scan reflects the changes. You can manually trigger a scan via the UI or API.

Can I scan ElastiCache clusters within a replication group?

When ElastiCache.Cluster resources belong to an ElastiCache.ReplicationGroup, the clusters themselves are not scanned but the replication group is. The replication group manages the clusters and contains all of the relevant settings, so there is no need to scan the clusters individually.

In contrast, ElastiCache clusters that do not belong to a replication group are scanned individually.

Compliance

What compliance families are supported?

Currently, Fugue supports the following compliance families:

Can I change the compliance standards Fugue uses to evaluate my infrastructure?

Yes. You can change them at any time by selecting the Actions button on the top right of an environment page, selecting Edit Environment from the drop-down menu, and accessing the Compliance tab. Simply check or uncheck the desired compliance standard boxes and select Save Changes when you’re done. The next scan evaluates your resources using the new compliance standard(s). You can manually trigger a scan via the UI or API.

Can I waive a rule or “ignore” a noncompliant resource?

Fugue enables you to waive a rule for a specific resource in an environment. When a rule is waived for a resource, the rule result (PASS or FAIL) is effectively ignored in compliance calculations for that environment: a failed rule doesn’t count against the resource when compliance is calculated.

To learn more about waivers, see Waivers.

How do I waive a rule?

To waive a custom or out-of-the-box rule, see How to Waive a Rule.

Will changing my compliance standards and saving them automatically trigger a new scan?

No, the next scan will still run at its scheduled time. However, you can manually trigger a scan via the UI or API, or change the scan interval using the API.

How can I output a CSV or Excel file of compliance results for my Fugue account?

To export compliance data for all environments in a Fugue account, see Export Data.

Drift Detection & Enforcement

How do I set or update a baseline?

There are several ways to set or update a baseline:

To disable a baseline, see Disabling a Baseline & Drift Detection.

Can I turn off drift detection?

You can disable the baseline in order to disable drift detection. You can also suppress drift events at a resource level.

Note that certain resource types do not report drift, by design. See Resource Types That Don’t Report Drift for details.

How do I enable enforcement?

Before Fugue can enforce your resource configuration, the following steps are required:

  1. Select the resource types to be enforced.

  2. Update the IAM role to allow Fugue to modify configuration of the selected resources.

  3. Set a baseline to establish the “known-good” state that drifted resources should be reverted to.

  4. Enable enforcement through Enforcement Settings. There are two ways to access it:

  • By selecting Edit Environment from the Actions drop-down in the top right of the page

  • By selecting the Disabled or Enabled link below Baseline Enforcement

The Enforcement Settings tab contains a checkbox that allows you to enable or disable baseline enforcement. To enable it, check the box. Then, click “Save changes.” The next scan reflects the changes. You can manually trigger a scan via the UI or API.

You can also enable and disable enforcement through the API.

For more information about enabling enforcement, see Environment Configuration.

How do I disable enforcement?

You can disable enforcement through the Enforcement Settings tab. There are two ways to access it:

  • By selecting Edit Environment from the Actions drop-down in the top right of the page

  • By selecting the Disabled or Enabled link below Baseline Enforcement

The Enforcement Settings tab contains a checkbox that allows you to enable or disable baseline enforcement. To disable it, uncheck the box. Then, click “Save changes.” The next scan reflects the changes. You can manually trigger a scan via the UI or API.

You can also enable and disable enforcement through the API.

For more information about disabling enforcement, see Environment Configuration.

How can I change the AWS or AWS GovCloud resources that Fugue enforces?

If this is the first time you’re enabling enforcement, see How do I enable enforcement? first.

If you’ve already enabled enforcement, changing the AWS resources Fugue enforces is a two-step process:

  1. Select Edit Environment from the Actions drop-down in the top right of the page and select/deselect resources you want to include or exclude from baseline enforcement (“enforce access”). See Service Coverage - AWS & AWS GovCloud for a list of supported resources.

  2. Update the IAM policy for the Fugue role. For instructions, see How To: Update the Fugue IAM Role.

The next scan enforces the updated resource types. You can manually trigger a scan via the UI or API.

Warning

After updating the permissions in Fugue, you must update its IAM role in AWS or scans will fail. For instructions, see How To: Update the Fugue IAM Role. You can also reach out to support@fugue.co.

Can Fugue enforce the resource groups in my Azure environment?

Yes, Fugue can enforce resource groups in an Azure environment.

What kind of drift does Fugue enforce?

Fugue only supports enforcement of modified resources. It does not delete new resources that have been added or recreate existing resources that have been deleted.

When a resource is enforced, does Fugue simply modify it, or does it destroy the resource and recreate it?

Fugue performs mutable updates, which means it changes resource configuration without destroying and recreating the resource itself.

AWS IAM Permissions

What kind of AWS IAM permissions does Fugue need?

To scan your account and/or detect drift, Fugue requires certain read-only permissions (“scan access”). To automatically remediate changes to your baseline, Fugue requires certain write permissions (“enforce access”).

See a list of all possible Fugue permissions here.

You can customize which resources Fugue has scan access or enforce access to by ticking the appropriate checkboxes in the Edit Environment Settings dialog. (See note about scan permissions.)

For a quick tutorial on creating the IAM role, see How To: Create a Fugue IAM Role.

SecurityAudit read-only policy

When you launch a CloudFormation stack to create the Fugue role, Fugue automatically attaches the AWS-managed SecurityAudit read-only policy. (For details, see Setup, or visit the AWS docs for the Security Auditor job function.)

Note

When you launch a CloudFormation stack to create the role, the SecurityAudit policy attached to the role grants read-only (scan) access to all supported resources. However, if you choose to manually create a role, you can create a policy that contains only the customized read (and write) permissions. To do so, check off the desired resource types, select “Edit Existing AWS IAM Role,” and copy the generated JSON to your role policy. See a list of all possible Fugue permissions here. For more details, see Setup.

Can I give Fugue enforce access (write permissions) without enabling baseline enforcement?

Yes, you can grant Fugue read/write permissions for a particular resource without enabling baseline enforcement. This lets you give Fugue’s IAM role the permissions it needs for drift detection and enforcement up front, so you don’t have to update the role again when you enable enforcement later. See a list of all possible Fugue permissions here.

What permissions are needed for compliance scanning, drift detection, and baseline enforcement?

For compliance scanning and drift detection, scan access (read permission) is needed. For Fugue to perform baseline enforcement, scan access and enforce access (write permission) are needed. See a list of all possible Fugue permissions here.

How do I update the Fugue IAM role trust policy?

In response to a security event, Fugue may require you to change the trusted entity that can assume the Fugue IAM role. For instructions, see Setup.

What’s the SecurityAudit policy and why is it attached?

SecurityAudit is an AWS-managed policy that grants read-only (scan) access to all supported resources. When you launch a CloudFormation stack to create the Fugue role, the policy is automatically attached. Fugue also creates an inline policy for any permissions not covered by the SecurityAudit policy, such as enforcement (write) permissions.

For more details, see Setup, or visit the AWS docs for the Security Auditor job function.

What if I don’t want to use the SecurityAudit policy?

If you don’t want the Fugue role to have read-only (scan) access to all supported resources, you may manually create a role and customize policy permissions. See Setup and this note for additional details.

Why does Fugue use inline policies instead of managed policies?

A customer-managed policy is a standalone policy that can be attached to multiple principals. An inline policy is embedded in a single principal and cannot be attached to others, so it cannot be reused to extend another principal’s privileges. Additionally, an inline policy is deleted when its principal is deleted. For these reasons, Fugue uses inline policies. Learn more in the AWS docs.
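As an added example that ties together the trust-policy update, the SecurityAudit-plus-inline structure and the inline-versus-managed discussion in this section (it is not Fugue’s CloudFormation template or its generated policy JSON), the following Python builds a Fugue-style role definition: a trust policy restricted to one external account and gated by an sts:ExternalId condition, an inline policy with separate scan (read) and enforce (write) statements, a check that flags weak trust policies, and the AWS CLI commands to apply or rotate them. FUGUE_ACCOUNT_ID, EXTERNAL_ID and the two action lists are placeholders or illustrative subsets, not Fugue’s real values; use the account ID, external ID and permission list that the Fugue setup dialog shows you.

```python
"""Build, check and rotate the trust and inline policies of a Fugue IAM role.

Added example, not Fugue's CloudFormation template or its generated policy
JSON. FUGUE_ACCOUNT_ID and EXTERNAL_ID are placeholders: use the values the
Fugue setup dialog shows you. SCAN_ACTIONS / ENFORCE_ACTIONS are an
illustrative subset, not Fugue's full permission list.
"""
import copy
import json

SECURITY_AUDIT_ARN = "arn:aws:iam::aws:policy/SecurityAudit"
FUGUE_ACCOUNT_ID = "111111111111"               # placeholder account ID
EXTERNAL_ID = "replace-with-fugue-external-id"  # placeholder external ID
SCAN_ACTIONS = ["ec2:DescribeInstances", "ec2:DescribeSecurityGroups", "s3:GetBucketPolicy"]
ENFORCE_ACTIONS = ["ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress"]


def trust_policy(trusted_account_id, external_id):
    """Let one external account assume the role, gated by sts:ExternalId so a
    third party who learns only the role ARN cannot make Fugue assume it on
    their behalf (the confused-deputy problem)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def rotate_trust(policy, new_account_id=None, new_external_id=None):
    """Copy of the trust policy with the trusted principal and/or external ID
    replaced: the change the FAQ says Fugue may ask for after a security event."""
    updated = copy.deepcopy(policy)
    for st in updated["Statement"]:
        if new_account_id:
            st["Principal"]["AWS"] = f"arn:aws:iam::{new_account_id}:root"
        if new_external_id:
            st["Condition"]["StringEquals"]["sts:ExternalId"] = new_external_id
    return updated


def inline_policy(scan_actions, enforce_actions=()):
    """Inline policy embedded in the role: a read-only scan statement and, only
    when enforcement is wanted, a separate write statement."""
    statements = [{"Sid": "FugueScan", "Effect": "Allow",
                   "Action": sorted(scan_actions), "Resource": "*"}]
    if enforce_actions:
        statements.append({"Sid": "FugueEnforce", "Effect": "Allow",
                           "Action": sorted(enforce_actions), "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def trust_policy_findings(policy):
    """Weaknesses a reviewer should flag before attaching a trust policy."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("principal is a wildcard")
        if "sts:ExternalId" not in st.get("Condition", {}).get("StringEquals", {}):
            findings.append("no sts:ExternalId condition")
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if any(a != "sts:AssumeRole" for a in actions):
            findings.append(f"unexpected actions: {actions}")
    return findings


def create_role_commands(role_name, trust, inline):
    """AWS CLI commands mirroring the Fugue stack: create the role, attach the
    AWS-managed SecurityAudit policy, embed the extra permissions inline."""
    return [
        f"aws iam create-role --role-name {role_name} "
        f"--assume-role-policy-document '{json.dumps(trust)}'",
        f"aws iam attach-role-policy --role-name {role_name} --policy-arn {SECURITY_AUDIT_ARN}",
        f"aws iam put-role-policy --role-name {role_name} --policy-name FugueInline "
        f"--policy-document '{json.dumps(inline)}'",
    ]


def rotate_trust_command(role_name, trust):
    """CLI command that replaces the role's trust policy in place."""
    return (f"aws iam update-assume-role-policy --role-name {role_name} "
            f"--policy-document '{json.dumps(trust)}'")


if __name__ == "__main__":
    trust = trust_policy(FUGUE_ACCOUNT_ID, EXTERNAL_ID)
    assert not trust_policy_findings(trust)
    for cmd in create_role_commands("FugueRole", trust, inline_policy(SCAN_ACTIONS)):
        print(cmd)
```

The sts:ExternalId condition is the part worth checking most carefully: without it, anyone who learns the role ARN and can get Fugue to target it could have the role assumed on their behalf. A rotation after a security event should therefore replace the external ID as well as the principal if either may have been exposed, which is what rotate_trust followed by rotate_trust_command does. Keeping scan and enforce permissions in separate inline statements also makes it easy to ship the role with read-only access first and add the write statement only when baseline enforcement is enabled.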

Azure Service Principal Role

What type of RBAC role does Fugue require to scan and enforce my Azure infrastructure?

Fugue needs a Reader role in order to scan your Azure resource groups.

Fugue needs a Contributor role in order to scan AND enforce your Azure resource groups.

For details, see Setup - Azure.

Service Coverage

What cloud provider services does Fugue support?

See our service coverage pages for AWS & AWS GovCloud and Azure for a list of currently supported services.

Organization

How do I manage users?

For instructions on managing users, see User Management.

For information about managing users with RBAC, see Role-Based Access Control (RBAC).

For information about using single sign-on with Fugue, see Single Sign-on (SSO).

For information about using MFA with Fugue, see Multi-Factor Authentication (MFA).

How do I use RBAC to manage users?

For information about using RBAC to manage users, see Role-Based Access Control (RBAC).

How do I enable SSO?

For information about using single sign-on with Fugue, see Single Sign-on (SSO). To enable SSO, contact support@fugue.co.

How do I enable MFA?

For information about using MFA with Fugue, see Multi-Factor Authentication (MFA). To enable MFA, contact support@fugue.co.

Visualizer

How can I visualize the resources in my environment?

The cloud resource visualizer creates detailed, auto-generated, interactive diagrams of the infrastructure in your environment. To access the visualizer, select the Visualizer link in the header near the top of the page:

_images/viz-link.png

See the visualizer documentation for more information.

What resource types are visualized?

For the complete list, see Which Resources Are Visualized? in the visualizer documentation.

What do the characters next to subnet and security group names mean?

The two characters shown next to a subnet name or CIDR block, or next to a security group name, are the first two digits of that resource’s ID. For an example, see Which Resources Are Visualized? in the visualizer documentation.

Which cloud providers are supported?

The visualizer supports environments in AWS standard and GovCloud regions and Azure.

Does the visualizer support keyboard shortcuts?

The visualizer supports the following keyboard shortcuts:

  • Pan: Arrow keys

  • Zoom in: Plus + (equals =)

  • Zoom out: Minus - (underscore _)

  • Open/close View Options panel: Period .

  • Center/reset zoom: Double-tap the spacebar

Notifications

What if I have a question about notifications?

For FAQs about notifications, see Notifications.

Best Practices

AWS Regions and Environments

Since Fugue allows you to create multiple environments per region, and environments may contain multiple regions, we recommend that you only enable enforcement once per region. Enabling enforcement in the same region multiple times can introduce enforcement conflicts.

In order to determine compliance across an AWS account, it’s a best practice to create environments for all regions in which you’ve configured infrastructure. This is specifically applicable to the following compliance controls: CIS AWS 2-5, HIPAA §164.308(a)(1)(ii)(D), HIPAA §164.308(a)(6)(i), HIPAA §164.312(b), and GDPR 30-(1).

For more information about setting up environments, see Setup - AWS & AWS GovCloud and Environment Configuration.

Avoid Enforcing AWS Autoscaled Resources

Enabling enforcement on autoscaled resources is not recommended. This is because AWS dynamically adjusts autoscaled resource properties when there is a scaling event, but Fugue adjusts the resource properties when they diverge from the baseline, which in turn causes AWS to adjust them again. This creates a cycle of potentially destructive changes to infrastructure and/or increased costs.

For example, if an Auto Scaling group’s desired capacity is set to 2 in the Fugue baseline and enforcement is enabled, but an autoscaling event occurs and AWS launches a third instance, Fugue will set the desired capacity back to 2 on its next scan and cause AWS to terminate the third instance. AWS will then increase the desired capacity again due to the autoscaling event.

Elastic Load Balancers are similarly affected. Because a baseline captures autoscaled instances attached to an ELB, Fugue may remediate the ELB by attempting to reattach terminated instances. This is true even if enforcement is not enabled for the AutoScaling group.

Likewise, if an autoscaled DynamoDB table has a baseline of 5 provisioned read capacity units but an autoscaling event causes AWS to decrease throughput to 1, Fugue will set it back to 5 on its next scan, and so on.

As a best practice, we recommend that you do not enable enforcement for the following resources:

  • AutoScaling.AutoScalingGroup

  • ELB.LoadBalancer

  • DynamoDB.Table

Enable Multi-Factor Authentication (MFA)

It’s a security best practice to enable multi-factor authentication (MFA) where available. To enable MFA for your Fugue organization, see the User Management page and contact support@fugue.co.

Known Issues

Maximum of 1,000 SQS Queues

Due to a limitation of the AWS API, the maximum number of SQS queues Fugue may scan in an account at once is 1,000. Additionally, the AWS API may not reliably return the same 1,000 queues every scan. As a result, users with more than 1,000 queues will be unable to see them all at once in Fugue, and the precise list of queues displayed will vary.

Notification of Newly Compliant Resources When Transitioning to Fugue Developer

Currently, under specific conditions, a Trial user who has enabled notifications and transitions to Developer may receive a notification that certain noncompliant resources are newly compliant. This only occurs if all of the following are true:

  • The user is a Trial user who transitions to Developer

  • The user has notifications enabled

  • The user has enabled compliance families that are unsupported in Developer (that is, any family other than CIS AWS, CIS Azure, and Fugue Best Practices)

  • The user has resources that are noncompliant with the unsupported compliance families

Other

What if I have other questions?

Reach out to support@fugue.co for assistance.