How do I contact support?¶
How do I change my Fugue user password?¶
These instructions do not apply to organizations that have enabled single sign-on (SSO), except for the organization account owner. Users in an SSO-enabled organization do not use a Fugue username and password to log in.
To change your Fugue user password, follow these steps:
2. Enter your email address in the “Forgot Your Password?” form.
3. After you submit the form, you’ll see a message that the password reset email was sent. Check your inbox for an email from Fugue and click the “Reset Password” button in it.
4. Next, enter and confirm your new password in the “Reset Password” form. Your password must be at least 8 characters long.
5. Finally, after you submit the form, you’ll see a message that your password has successfully been reset, and you can log into your account using the new password.
What browsers are supported?¶
Fugue supports the following browsers:
What plans are offered?¶
What’s the difference between Enterprise Trial, Enterprise, and Developer?¶
All new users will have access to our free 30-day Enterprise trial, during which you will have access to all of our features. After the conclusion of the trial, you have the option to purchase Fugue Enterprise or Fugue Team, or your account will be transitioned to our free plan, Fugue Developer. For a side-by-side comparison, see Plan Comparison.
How do I upgrade my Fugue account?¶
How do I find out what my plan is?¶
The Account Overview page lists your current plan type (Enterprise Trial, Enterprise, Team, Developer).
How is scanning limited in Fugue Developer and Fugue Team?¶
In Fugue Developer, on-demand scans are limited to 10 per rolling 24-hour period. After you hit the on-demand scan limit, a new scan is allotted every 2.4 hours. To scan on demand, use the Fugue UI or API.
There is a 24-hour minimum interval for scheduled (also known as automatic) scans, so scheduled scans are limited to once per day. You may set the interval to be longer.
In Fugue Team, on-demand scans are limited to 25 per rolling 24-hour period, and after the limit, a new scan is allotted every 0.96 hours. The minimum interval is 1 hour for scheduled scans, so scans are limited to once per hour. You may set the interval to be longer.
Scheduled scans do not count toward the on-demand scan limit.
How much does it cost?¶
How many environments can Fugue store?¶
There is currently no specific limit on the number of environments you can create.
Does Fugue support AWS GovCloud?¶
Yes. All activities that are supported in standard AWS regions are supported in AWS GovCloud regions. To learn more about setting up a GovCloud environment, see Setup - AWS & AWS GovCloud.
To see a list of services and resources supported in AWS GovCloud, see Service Coverage - AWS & AWS GovCloud.
What AWS and AWS GovCloud regions does Fugue support?¶
Fugue supports the following regions:
US East (N. Virginia) - us-east-1
US East (Ohio) - us-east-2
US West (N. California) - us-west-1
US West (Oregon) - us-west-2
Asia Pacific (Mumbai) - ap-south-1
Asia Pacific (Seoul) - ap-northeast-2
Asia Pacific (Singapore) - ap-southeast-1
Asia Pacific (Sydney) - ap-southeast-2
Asia Pacific (Tokyo) - ap-northeast-1
Canada (Central) - ca-central-1
EU (Frankfurt) - eu-central-1
EU (Ireland) - eu-west-1
EU (London) - eu-west-2
EU (Paris) - eu-west-3
South America (São Paulo) - sa-east-1
AWS GovCloud (US-East) - us-gov-east-1
AWS GovCloud (US) - us-gov-west-1
Environments can include a single region or any combination of regions, including all.
How can I change my environment’s region(s)?¶
Some environments support region updates via the API. This only applies to environments that use the regions body parameter, not region. You can check this parameter through the API. See the API User Guide for details.
Does Fugue support Microsoft Azure and/or Azure Government?¶
Follow the same steps to create and configure Azure Government environments as you would Azure environments. When an option is presented for AWS, AWS GovCloud, or Azure, such as during custom rule creation or when using the API, always select Azure.
For general information about using Fugue with Azure, including setup instructions, see Setup - Azure & Azure Government. For service coverage, see Service Coverage - Azure & Azure Government. If you have any other questions about Fugue and Azure, reach out to firstname.lastname@example.org.
How can I quickly create multiple environments?¶
You can automate creation of Fugue environments using our utility scripts:
For other useful scripts, see our GitHub repo common-utility-scripts.
How can I trigger a scan?¶
You can manually initiate a scan in the UI by selecting the Actions button in the top right of an environment page, then clicking Start New Scan:
You’ll see a banner showing that the scan is in progress. When the banner indicates that the scan has finished, you can refresh the page for results.
You can also kick off a scan using the Fugue API.
Where do I view my scan results?¶
Once your environment is established, your scan results will display on the environment dashboard.
How can I change the resources that Fugue scans in my AWS standard or GovCloud environment?¶
Changing the AWS resources Fugue scans is a two-step process:
Select Edit Environment from the Actions drop-down in the top right of the page and select/deselect resources you want to include or exclude from scanning, then click “Save changes.” See Service Coverage - AWS & AWS GovCloud for a list of supported resources.
Update the IAM policy for the Fugue role. For instructions, see How To: Update the Fugue IAM Role.
The next scan includes the updated resource types. You can manually trigger a scan via the UI or API.
How can I change the resource groups Fugue scans in my Azure environment?¶
You can remove resource groups by editing the environment settings, as long as at least one resource group remains selected. However, to add resource groups after the environment has been created, you must use the Fugue API. See How To: Add or Remove Azure Resource Groups for details.
To remove a resource group, access environment settings by selecting Edit Environment from the Actions drop-down in the top right of the page. Deselect any resource groups you want to remove from the environment, then click “Save changes.” The next scan reflects the changes. You can manually trigger a scan via the UI or API.
Can I scan ElastiCache clusters within a replication group?¶
When ElastiCache.Cluster resources belong to an ElastiCache.ReplicationGroup, the clusters themselves are not scanned but the replication group is. The replication group manages the clusters and contains all of the relevant settings, so there is no need to scan the clusters individually.
In contrast, ElastiCache clusters that do not belong to a replication group are scanned individually.
What compliance families are supported?¶
Currently, Fugue supports the following compliance families:
Can I change the compliance standards Fugue uses to evaluate my infrastructure?¶
Yes. You can change them at any time by selecting the Actions button on the top right of an environment page, selecting Edit Environment from the drop-down menu, and accessing the Compliance tab. Simply check or uncheck the desired compliance standard boxes and select Save Changes when you’re done. The next scan evaluates your resources using the new compliance standard(s). You can manually trigger a scan via the UI or API.
Can I waive a rule or “ignore” a noncompliant resource?¶
Fugue enables you to waive a rule in an environment for one resource at a time or all affected resources (including resources added in the future). When a rule is waived for a resource, the rule result – FAIL – is effectively ignored in compliance calculations for that environment. A failed rule doesn’t count against a resource when compliance is calculated.
To learn more about waivers, see Waivers.
Will changing my compliance standards and saving them automatically trigger a new scan?¶
Drift Detection & Enforcement¶
How do I set or update a baseline?¶
There are several ways to set or update a baseline:
To disable a baseline, see Disabling a Baseline & Drift Detection.
Can I turn off drift detection?¶
Note that certain resource types do not report drift, by design. See Resource Types That Don’t Report Drift for details.
How do I enable enforcement?¶
Before Fugue can enforce your resource configuration, the following steps are required:
Update the IAM role to allow Fugue to modify configuration of the selected resources.
Set a baseline to establish the “known-good” state that drifted resources should be reverted to.
Enable enforcement through Enforcement Settings. There are two ways to access it:
By selecting the Disabled or Enabled link below Baseline Enforcement
The Enforcement Settings tab contains a checkbox that allows you to enable or disable baseline enforcement. To enable it, check the box. Then, click “Save changes.” The next scan reflects the changes. You can manually trigger a scan via the UI or API.
For more information about enabling enforcement, see Environment Configuration.
How do I disable enforcement?¶
You can disable enforcement through the Enforcement Settings tab. There are two ways to access it:
By selecting the Disabled or Enabled link below Baseline Enforcement
The Enforcement Settings tab contains a checkbox that allows you to enable or disable baseline enforcement. To disable it, uncheck the box. Then, click “Save changes.” The next scan reflects the changes. You can manually trigger a scan via the UI or API.
For more information about disabling enforcement, see Environment Configuration.
How can I change the AWS or AWS GovCloud resources that Fugue enforces?¶
If this is the first time you’re enabling enforcement, see How do I enable enforcement? first.
If you’ve already enabled enforcement, changing the AWS resources Fugue enforces is a two-step process:
Select Edit Environment from the Actions drop-down in the top right of the page and select/deselect resources you want to include or exclude from baseline enforcement (“enforce access”). See Service Coverage - AWS & AWS GovCloud for a list of supported resources.
Update the IAM policy for the Fugue role. For instructions, see How To: Update the Fugue IAM Role.
The next scan enforces the updated resource types. You can manually trigger a scan via the UI or API.
Can Fugue enforce the resource groups in my Azure environment?¶
Yes, Fugue can enforce resource groups in an Azure environment.
What kind of drift does Fugue enforce?¶
Fugue only supports enforcement of modified resources. It does not delete new resources that have been added or recreate existing resources that have been deleted.
When a resource is enforced, does Fugue simply modify it, or does it destroy the resource and recreate it?¶
Fugue performs mutable updates, which means it changes resource configuration without destroying and recreating the resource itself.
AWS Identity & Access Management (IAM) Permissions¶
What kind of AWS IAM permissions does Fugue need?¶
To scan your account and/or detect drift, Fugue requires certain read-only permissions (“scan access”). To automatically remediate changes to your baseline, Fugue requires certain write permissions (“enforce access”).
See a list of all possible Fugue permissions here.
You can customize which resources Fugue has scan access or enforce access to by ticking the appropriate checkboxes in the Edit Environment Settings dialog. (See note about scan permissions.)
For a quick tutorial on creating the IAM role, see How To: Create a Fugue IAM Role.
SecurityAudit read-only policy¶
When you launch a CloudFormation stack to create the Fugue role, Fugue automatically attaches the AWS-managed SecurityAudit read-only policy. (For details, see Setup, or visit the AWS docs for the Security Auditor job function.)
When you launch a CloudFormation stack to create the role, the SecurityAudit policy attached to the role grants read-only (scan) access to all supported resources. However, if you choose to manually create a role, you can create a policy that contains only the customized read (and write) permissions. To do so, check off the desired resource types, select “Edit Existing AWS IAM Role,” and copy the generated JSON to your role policy. See a list of all possible Fugue permissions here. For more details, see Setup.
Can I give Fugue enforce access (write permissions) without enabling baseline enforcement?¶
Yes, you can grant Fugue read/write permissions for a particular resource without enabling baseline enforcement. This allows you to give Fugue’s IAM role the correct permissions for drift detection and enforcement up front, without having to update the role at a later date. See a list of all possible Fugue permissions here.
What permissions are needed for compliance scanning, drift detection, and baseline enforcement?¶
For compliance scanning and drift detection, scan access (read permission) is needed. For Fugue to perform baseline enforcement, scan access and enforce access (write permission) are needed. See a list of all possible Fugue permissions here.
How do I update the Fugue IAM role trust policy?¶
In response to a security event, Fugue may require you to change the trusted entity that can assume the Fugue IAM role. For instructions, see Setup.
What’s the SecurityAudit policy and why is it attached?¶
SecurityAudit is an AWS-managed policy that grants read-only (scan) access to all supported resources. When you launch a CloudFormation stack to create the Fugue role, the policy is automatically attached. Fugue also creates an inline policy for any permissions not covered by the SecurityAudit policy, such as enforcement (write) permissions.
What if I don’t want to use the SecurityAudit policy?¶
If you don’t want the Fugue role to have read-only (scan) access to all supported resources, you may manually create a role and customize policy permissions. See Setup and this note for additional details.
Why does Fugue use inline policies instead of managed policies?¶
A customer-managed policy is a standalone policy that can be attached to multiple principals. An inline policy is embedded in a single principal and cannot be attached to others, so it can’t be used to escalate other principals’ privileges. Additionally, an inline policy is deleted when its principal is deleted. For these reasons, Fugue uses inline policies. Learn more in the AWS docs.
Azure Service Principal Role¶
How do I manage users?¶
For instructions on managing users, see User Management.
For information about managing users with RBAC, see Role-Based Access Control (RBAC).
For information about using single sign-on with Fugue, see Single Sign-on (SSO).
For information about using MFA with Fugue, see Multi-Factor Authentication (MFA).
How do I use RBAC to manage users?¶
For information about using RBAC to manage users, see Role-Based Access Control (RBAC).
How do I enable SSO?¶
How can I visualize the resources in my environment?¶
The cloud resource visualizer creates detailed, auto-generated, interactive diagrams of the infrastructure in your environment. To access the visualizer, select the Visualizer link in the header near the top of the page:
See the visualizer documentation for more information.
What resource types are visualized?¶
What do the characters next to subnet and security group names mean?¶
The two characters next to a subnet name or CIDR block or a security group represent the first two digits of the resource ID. For an example, see Which Resources Are Visualized? in the visualizer documentation.
Which cloud providers are supported?¶
Does the visualizer support keyboard shortcuts?¶
The visualizer supports the following keyboard shortcuts:
Pan: Arrow keys
Zoom in: Plus
Zoom out: Minus
Open/close View Options panel: Period
Center/reset zoom: Double-tap the spacebar
AWS Regions and Environments¶
Since Fugue allows you to create multiple environments per region, and environments may contain multiple regions, we recommend that you only enable enforcement once per region. Enabling enforcement in the same region multiple times can introduce enforcement conflicts.
In order to determine compliance across an AWS account, it’s a best practice to create environments for all regions in which you’ve configured infrastructure. This is specifically applicable to the following compliance controls: CIS AWS 2-5, HIPAA §164.308(a)(1)(ii)(D), HIPAA §164.308(a)(6)(i), HIPAA §164.312(b), and GDPR 30-(1).
Recommended AWS Resource Types to Scan¶
In order to get the most out of Fugue, you can opt to scan a Fugue-recommended set of resource types. We’ve chosen these resources because of their high impact on security, and they include security groups, IAM roles, S3 buckets, and more.
See the Fugue-recommended resource types:
Recommended AWS Resource Types to Enforce¶
We recommend enabling baseline enforcement on the following AWS resource types:
These resources are business-critical, so unauthorized changes (drift) and misconfigurations should be corrected as quickly as possible. To allow Fugue to automatically make the corrections, see our instructions for enabling baseline enforcement. You’ll also need to ensure your IAM role has the following read and write permissions. If you haven’t yet enabled scanning and enforcement on the resources, update your IAM role policy by adding the permissions below:
Scan access (read): "cloudtrail:DescribeTrails", "cloudtrail:GetEventSelectors", "cloudtrail:GetTrailStatus", "cloudtrail:ListTags", "ec2:DescribeSecurityGroups", "iam:GetAccountPasswordPolicy", "s3:GetAccelerateConfiguration", "s3:GetBucketACL", "s3:GetBucketCors", "s3:GetBucketLocation", "s3:GetBucketLogging", "s3:GetBucketPolicy", "s3:GetBucketRequestPayment", "s3:GetBucketTagging", "s3:GetBucketVersioning", "s3:GetBucketWebsite", "s3:GetEncryptionConfiguration", "s3:GetLifecycleConfiguration", "s3:GetReplicationConfiguration", "s3:ListAllMyBuckets", "s3:ListBucket"
Enforce access (write): "cloudtrail:AddTags", "cloudtrail:PutEventSelectors", "cloudtrail:RemoveTags", "cloudtrail:StartLogging", "cloudtrail:StopLogging", "cloudtrail:UpdateTrail", "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateTags", "ec2:DeleteTags", "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress", "iam:UpdateAccountPasswordPolicy", "s3:DeleteBucketPolicy", "s3:DeleteBucketWebsite", "s3:PutAccelerateConfiguration", "s3:PutBucketAcl", "s3:PutBucketCors", "s3:PutBucketLogging", "s3:PutBucketPolicy", "s3:PutBucketRequestPayment", "s3:PutBucketTagging", "s3:PutBucketVersioning", "s3:PutBucketWebsite", "s3:PutEncryptionConfiguration", "s3:PutLifecycleConfiguration", "s3:PutReplicationConfiguration"
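As an added example (not Fugue's own code or tooling), the following Python script checks a role's policy documents against the read (scan) and write (enforce) action lists above. It reports scan actions the role does not hold and, for a role that is not meant to enforce, any write actions it holds anyway, so a scan-only role can be kept at least privilege. The sample policy documents are constructed for the example. Matching looks only at the Action element (case-insensitive, with IAM's * and ? wildcards, an explicit Deny winning) and ignores Resource and Condition, so a pass here is necessary but not sufficient; the IAM policy simulator remains the authoritative check.

```python
import fnmatch
import json

# Read (scan) and write (enforce) actions, taken from the recommended lists above.
SCAN_ACTIONS = [
    "cloudtrail:DescribeTrails", "cloudtrail:GetEventSelectors", "cloudtrail:GetTrailStatus",
    "cloudtrail:ListTags", "ec2:DescribeSecurityGroups", "iam:GetAccountPasswordPolicy",
    "s3:GetAccelerateConfiguration", "s3:GetBucketACL", "s3:GetBucketCors", "s3:GetBucketLocation",
    "s3:GetBucketLogging", "s3:GetBucketPolicy", "s3:GetBucketRequestPayment", "s3:GetBucketTagging",
    "s3:GetBucketVersioning", "s3:GetBucketWebsite", "s3:GetEncryptionConfiguration",
    "s3:GetLifecycleConfiguration", "s3:GetReplicationConfiguration", "s3:ListAllMyBuckets", "s3:ListBucket",
]
ENFORCE_ACTIONS = [
    "cloudtrail:AddTags", "cloudtrail:PutEventSelectors", "cloudtrail:RemoveTags", "cloudtrail:StartLogging",
    "cloudtrail:StopLogging", "cloudtrail:UpdateTrail", "ec2:AuthorizeSecurityGroupEgress",
    "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateTags", "ec2:DeleteTags", "ec2:RevokeSecurityGroupEgress",
    "ec2:RevokeSecurityGroupIngress", "iam:UpdateAccountPasswordPolicy", "s3:DeleteBucketPolicy",
    "s3:DeleteBucketWebsite", "s3:PutAccelerateConfiguration", "s3:PutBucketAcl", "s3:PutBucketCors",
    "s3:PutBucketLogging", "s3:PutBucketPolicy", "s3:PutBucketRequestPayment", "s3:PutBucketTagging",
    "s3:PutBucketVersioning", "s3:PutBucketWebsite", "s3:PutEncryptionConfiguration",
    "s3:PutLifecycleConfiguration", "s3:PutReplicationConfiguration",
]

# Constructed sample: the inline policy of a role that was meant to be scan-only.
# It grants reads via wildcards, explicitly denies one read, and (by mistake) grants three writes.
SAMPLE_ROLE_POLICIES = [json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["cloudtrail:Describe*", "cloudtrail:Get*", "cloudtrail:ListTags",
                "ec2:DescribeSecurityGroups", "iam:GetAccountPasswordPolicy", "s3:Get*", "s3:List*"]},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["s3:PutBucketPolicy", "s3:DeleteBucketPolicy", "ec2:AuthorizeSecurityGroupIngress"]},
    {"Effect": "Deny", "Resource": "*", "Action": "s3:GetBucketPolicy"}
  ]
}""")]


def _as_list(value):
    """IAM allows a single string where a list is expected; normalise to a list."""
    return value if isinstance(value, list) else [value]


def collect_action_patterns(policy_documents):
    """Return (allow_patterns, deny_patterns), lower-cased, from every statement.
    Only the Action element is read; NotAction, Resource and Condition are ignored."""
    allows, denies = [], []
    for doc in policy_documents:
        for stmt in _as_list(doc.get("Statement", [])):
            target = allows if stmt.get("Effect") == "Allow" else denies
            target.extend(a.lower() for a in _as_list(stmt.get("Action", [])))
    return allows, denies


def is_granted(action, allows, denies):
    """IAM-style match: case-insensitive, '*' and '?' wildcards, explicit Deny wins.
    fnmatchcase also understands [..] classes, which IAM action names never contain."""
    name = action.lower()
    if any(fnmatch.fnmatchcase(name, pattern) for pattern in denies):
        return False
    return any(fnmatch.fnmatchcase(name, pattern) for pattern in allows)


def check_role(policy_documents, enforcement_enabled):
    """Compare a role's policies with the scan and enforce action lists.
    missing_scan: reads the role lacks (scans and drift detection will be incomplete).
    missing_enforce: writes the role lacks, only relevant when enforcement is on.
    excess_enforce: writes the role holds although enforcement is off (least-privilege finding)."""
    allows, denies = collect_action_patterns(policy_documents)
    granted_enforce = [a for a in ENFORCE_ACTIONS if is_granted(a, allows, denies)]
    return {
        "missing_scan": [a for a in SCAN_ACTIONS if not is_granted(a, allows, denies)],
        "missing_enforce": [a for a in ENFORCE_ACTIONS if a not in granted_enforce]
        if enforcement_enabled else [],
        "excess_enforce": [] if enforcement_enabled else granted_enforce,
    }


if __name__ == "__main__":
    result = check_role(SAMPLE_ROLE_POLICIES, enforcement_enabled=False)
    for finding, actions in result.items():
        print(f"{finding}: {actions or 'none'}")
```

Feed it the JSON of the role's inline and attached policy documents (for example, what the IAM console shows under the role's Permissions tab) and set enforcement_enabled to match the environment's Enforcement Settings; the excess_enforce list is the one to act on when a role meant only for scanning turns out to carry write actions.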
Avoid Enforcing AWS Auto Scaled Resources¶
Enabling enforcement on auto scaled resources is not recommended. This is because AWS dynamically adjusts auto scaled resource properties when there is a scaling event, but Fugue adjusts the resource properties when they diverge from the baseline, which in turn causes AWS to adjust them again. This creates a cycle of potentially destructive changes to infrastructure and/or increased costs.
For example, if an Auto Scaling group’s desired capacity is set to 2 in the Fugue baseline and enforcement is enabled, but an auto scaling event occurs and AWS launches a third instance, Fugue will set the desired capacity back to 2 on its next scan and cause AWS to terminate the third instance. AWS will then increase the desired capacity again due to the auto scaling event.
Elastic Load Balancers are similarly affected. Because a baseline captures auto scaled instances attached to an ELB, Fugue may remediate the ELB by attempting to reattach terminated instances. This is true even if enforcement is not enabled for the Auto Scaling group.
Likewise, if an auto scaled DynamoDB table has a baseline of 5 provisioned read capacity units but an auto scaling event causes AWS to decrease throughput to 1, Fugue will set it back to 5 on its next scan, and so on.
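As an added example (not Fugue's own tooling), this Python lint applies two recommendations from this page to a set of environment definitions before enforcement is switched on: it finds regions where more than one environment has baseline enforcement enabled (the conflict warned about under AWS Regions and Environments), and it lists enforced resource types that AWS auto scales (Auto Scaling groups, load balancers with auto scaled instances, auto scaled DynamoDB tables), which the paragraphs above say not to enforce. The environment records, their field names and the resource type labels are constructed for the example and are not Fugue's API schema; the region list is the one given earlier on this page.

```python
from collections import defaultdict

# Supported regions as listed in this FAQ.
SUPPORTED_REGIONS = [
    "us-east-1", "us-east-2", "us-west-1", "us-west-2", "ap-south-1", "ap-northeast-2",
    "ap-southeast-1", "ap-southeast-2", "ap-northeast-1", "ca-central-1", "eu-central-1",
    "eu-west-1", "eu-west-2", "eu-west-3", "sa-east-1", "us-gov-east-1", "us-gov-west-1",
]

# Resource types the FAQ says not to enforce because AWS adjusts them dynamically.
# The labels are hypothetical, not Fugue's resource type names.
AUTO_SCALED_TYPES = {
    "AutoScaling.AutoScalingGroup": "desired capacity is changed by scaling events",
    "ElasticLoadBalancing.LoadBalancer": "baseline captures auto scaled instances attached to the ELB",
    "DynamoDB.Table": "provisioned throughput is changed by table auto scaling",
}

# Constructed environment definitions (hypothetical schema). "regions" is an explicit list
# or ["all"] for every supported region, mirroring "any combination of regions, including all".
ENVIRONMENTS = [
    {"name": "prod-east", "regions": ["us-east-1", "us-east-2"], "enforcement": True,
     "enforced_types": ["EC2.SecurityGroup", "S3.Bucket"]},
    {"name": "prod-global", "regions": ["all"], "enforcement": True,
     "enforced_types": ["EC2.SecurityGroup", "AutoScaling.AutoScalingGroup"]},
    {"name": "audit-only", "regions": ["us-east-1"], "enforcement": False, "enforced_types": []},
    {"name": "dev-dynamo", "regions": ["eu-west-1"], "enforcement": True,
     "enforced_types": ["DynamoDB.Table"]},
]


def expand_regions(regions):
    """Resolve the ["all"] shorthand to the full supported region set."""
    return set(SUPPORTED_REGIONS) if regions == ["all"] else set(regions)


def unknown_regions(envs):
    """Regions named in an environment that are not in the supported list (likely typos)."""
    result = {}
    for env in envs:
        unknown = expand_regions(env["regions"]) - set(SUPPORTED_REGIONS)
        if unknown:
            result[env["name"]] = sorted(unknown)
    return result


def enforcement_overlaps(envs):
    """Regions where more than one environment enforces a baseline: a conflict risk,
    since two baselines for the same region can revert each other's changes."""
    enforcers = defaultdict(list)
    for env in envs:
        if env["enforcement"]:
            for region in expand_regions(env["regions"]):
                enforcers[region].append(env["name"])
    return {region: sorted(names) for region, names in sorted(enforcers.items()) if len(names) > 1}


def auto_scaled_enforced(envs):
    """(environment, resource type, reason) for enforced types that AWS auto scales."""
    return [(env["name"], rtype, AUTO_SCALED_TYPES[rtype])
            for env in envs if env["enforcement"]
            for rtype in env["enforced_types"] if rtype in AUTO_SCALED_TYPES]


def lint(envs):
    """Run every check; empty findings mean no recommendation on this page is violated."""
    return {
        "unknown_regions": unknown_regions(envs),
        "enforcement_overlaps": enforcement_overlaps(envs),
        "auto_scaled_enforced": auto_scaled_enforced(envs),
    }


if __name__ == "__main__":
    for check, findings in lint(ENVIRONMENTS).items():
        print(f"{check}: {findings or 'none'}")
```

In the constructed data, prod-global enforces every region, so it overlaps prod-east in us-east-1 and us-east-2 and dev-dynamo in eu-west-1, while audit-only is not counted because its enforcement is off; the Auto Scaling group and DynamoDB table findings are the two types the paragraphs above describe entering a correction cycle.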
As a best practice, we recommend that you do not enable enforcement for the following resources:
Maximum of 1,000 SQS Queues¶
Due to a limitation of the AWS API, the maximum number of SQS queues Fugue may scan in an account at once is 1,000. Additionally, the AWS API may not reliably return the same 1,000 queues every scan. As a result, users with more than 1,000 queues will be unable to see them all at once in Fugue, and the precise list of queues displayed will vary.
Notification of Newly Compliant Resources When Transitioning to Fugue Developer¶
Currently, under specific conditions, a Trial user who has enabled notifications and transitions to Developer may receive a notification that certain noncompliant resources are newly compliant. This only occurs if all of the following are true:
The user is a Trial user who transitions to Developer
The user has notifications enabled
The user has resources that are noncompliant with the unsupported compliance families
Additional Resources about Cloud Security¶
For additional resources about cloud security, see Fugue’s blog: