How to Use the Fugue Compliance Suite, Part 1: Runtime

Note

To see the full list of Compliance Suite validations and the compliance standards they map to, install the Fugue Client Tools and view the Ludwig modules locally:

  • /opt/fugue/lib on macOS and Linux
  • C:\Program Files\Fugue\lib\ on Windows

Overview

This two-part example shows you how to use the validations in the Fugue Compliance Suite to enforce security and compliance standards such as NIST 800-53, CIS, and HIPAA at design-time and runtime.

Note: For the sake of clarity we refer to the CIS AWS Foundations Benchmark generically as a “standard.” This enables us to reference compliance standards more broadly (NIST, HIPAA, etc.) and simplify the terminology when we’re talking about functionality that may apply to the CIS Benchmark or other compliance standards.

Prerequisites

You’ll need to have the Fugue Client Tools installed, because we’re going to use the Ludwig compiler. lwc allows us to compile Ludwig files and apply design-time validations. If you haven’t installed the package yet, follow the instructions here.

To apply a validation at runtime, you’ll need the paid version of Fugue and a running Conductor. See the Quick Setup for Conductor installation.

What We’ll Do In This Example

Here in Part 1, we’ll cover how to apply a compliance library at runtime. We’ll also show how to resolve validation errors in order to bring a composition into compliance.

In Part 2, we’ll cover how to apply a compliance library at design-time and fix compliance violations. We’ll also go over how to customize a compliance library so it contains the validations you need.

What We’ll Have When We’re Done

Three compliant compositions and a customized compliance library.

How Long It Will Take

About 45 minutes.

Download

You can download the source code for this example from our Github repo:

If you executed init during the Quick Setup, download the files to the directory where you ran the command.

Get editor plug-ins here.

Let’s Go!

Getting Started

The Compliance Suite is a library of validations that enforce compliance and regulatory standards. This library is included along with the rest of the Fugue Standard Library when you install the Fugue Client Tools.

First, a quick recap: a validation is a type of function that tests a property of your code, and if any portion of the code fails that test, it will not compile and cannot be executed. Validations can be applied at design-time or at runtime.

Reasons you might apply validations at design-time:

  • You want to test a composition for compliance during development
  • You want the validation to apply to infrastructure in a single process

Reasons you might apply validations at runtime:

  • You want the validation to apply to infrastructure in all processes
  • You want to protect against accidental or malicious removal of compliance validations

You can also do both. You can apply the validation at design-time during development, then apply it at runtime when your composition is ready for production.

4 Steps to Use the Compliance Suite

There are four basic steps to implementing the Compliance Suite:

  1. Select one or several compliance standards
  2. Customize the library (optional)
  3. Apply the validations
  4. Resolve errors and reapply (if applicable)

In this walkthrough, we’ll show you how to apply the Compliance Suite at runtime and at design-time.

We’ll also show you how to use customize a library to exclude or include specific validations.

Use Case: Applying the HIPAA Library at Runtime

Step 1: Select Compliance Standard

First, let’s select a compliance standard to use. We can use all of the standards, or just one. We can even just use individual validations, and mix and match.

The Compliance Suite consists of the following libraries:

As the Compliance Suite Overview explains, each library contains validations that enforce the security and compliance controls for that particular standard.

The Compliance Suite also contains account-level standards. These Fugue.Compliance.[STANDARD].Account modules contain everything in the corresponding Fugue.Compliance.[STANDARD] library but also contain account-level validations. Account-level modules should only be applied at design-time.

For our first example, we are going to apply the Fugue.Compliance.HIPAA library as a runtime validation. Later, we’ll show you how to select specific validations from within a standard.

Step 2: Copy and Customize Library (Optional)

To keep our first example simple, we won’t make any changes to the Fugue.Compliance.HIPAA library. We’ll apply the entire bundle of HIPAA validations to our composition – and since we’re applying them at runtime, any other composition we run will have to pass validation before it becomes a process.

Even though we aren’t going to customize the library, it’s a good idea to make a copy of it to upload to the Conductor. That way you can make changes later if you need to. You can find the Fugue Standard Library in /opt/fugue/lib on macOS and Linux and C:\Program Files\Fugue\lib on Windows. We’ll give our copy of Fugue.Compliance.HIPAA the new name AcmeCorpHIPAA.lw:

cp /opt/fugue/lib/Fugue/Compliance/HIPAA.lw AcmeCorpHIPAA.lw

Or, in a Windows environment:

copy C:\Program Files\Fugue\lib\Fugue\Compliance\HIPAA.lw AcmeCorpHIPAA.lw

Step 3: Apply Validations

To validate a composition at runtime, we need to upload it to the Conductor with the fugue policy validation-add command.

If you haven’t installed the Conductor yet, take a few minutes to follow the instructions in the Quick Setup. Note that runtime validations require the paid version of Fugue.

To upload the validation to the Conductor, use the command fugue policy validation-add <file> --name <name> and give your runtime validation a name:

fugue policy validation-add AcmeCorpHIPAA.lw --name AcmeCorpHIPAA

You’ll see output like this:

[fugue validation] Compiling Ludwig File AcmeCorpHIPAA.lw
[ OK ] Successfully compiled. No errors.

Uploading validation module to S3 ...
[ OK ] Successfully uploaded.

Requesting the Conductor create new validation module ...
[ DONE ] Validation module 'AcmeCorpHIPAA' uploaded and added to the Conductor.

Note

If you are unable to upload a validation module to the Conductor it may be because of an existing process. Runtime validations are automatically applied to all running processes in an account. You will be unable to upload any validation that an existing process would fail. However, you can work around this scenario by configuring a custom compliance library instead.

Now let’s test it out by running a simple composition. HIPAATopic.lw declares an SNS.Topic and SNS.Subscription:

composition

import Fugue.AWS as AWS
import Fugue.AWS.SNS as SNS

subscription: SNS.Subscription.new {
  endpoint: SNS.Http("http://example.com"),
  topic: topic
}

topic: SNS.Topic.new {
  name: "example-topic",
  region: AWS.Us-east-1,
}

(Download HIPAATopic.lw here.)

We’ll execute the run command, and the Conductor will automatically check the composition for compliance with HIPAA:

fugue run HIPAATopic.lw -a HIPAATopic

You should see output like this:

[ fugue run ] Running /Users/main-user/projects/HIPAATopic.lw

Run Details:
    Account: default
    Alias: HIPAATopic

Compiling Ludwig file /Users/main-user/projects/HIPAATopic.lw
[ OK ] Successfully compiled. No errors.

Uploading compiled Ludwig composition to S3...
[ OK ] Successfully uploaded.

Requesting the Conductor to create and run process based on composition ...
[ ERROR ] ludwig (validation error):
  "/tmp/328474250/composition/src/HIPAATopic.lw" (line 6, column 15):
  Validation failed:

    6| subscription: SNS.Subscription.new {
    7|   endpoint: SNS.Http("http://example.com"),
    8|   topic: topic
    9| }

  SNS requires access via HTTPS.

  - HIPAA_§164.306(a)
  - HIPAA_§164.312(a)(2)(iv)
  - HIPAA_§164.312(e)(2)(ii)

  (from Fugue.AWS.SNS.Compliance.subscriptionNoHttp)

ludwig (validation error):
  "/tmp/328474250/composition/src/HIPAATopic.lw" (line 11, column 8):
  Validation failed:

    11| topic: SNS.Topic.new {
    12|   name: "example-topic",
    13|   region: AWS.Us-east-1,
    14| }

  SNS requires access via HTTPS.

  Topic requires a policy that includes a Deny statement for "StringEquals": {"SNS:Protocol": "http"} for at least "SNS:Receive"

  - HIPAA_§164.306(a)
  - HIPAA_§164.312(a)(2)(iv)
  - HIPAA_§164.312(e)(2)(ii)

  (from Fugue.AWS.SNS.Compliance.topicDenyHttp)

The Conductor applies the AcmeCorpHIPAA validation to our composition automatically, and it turns out our composition is not compliant. The number of violated HIPAA controls may seem daunting, but because there’s a lot of overlap, it’s actually an easy fix.

The error messages indicate that our SNS subscription uses the SNS.Http endpoint type instead of the more secure SNS.Https. If we make a few changes to our composition so it uses HTTPS instead of HTTP, and if we also introduce an IAM policy for the topic, we should be able to bring the composition into compliance.

Step 4: Resolve Errors and Reapply (if applicable)

Our modified composition replaces SNS.Http with SNS.Https and changes the endpoint URL. We’ve also added a typed IAM policy according to HIPAA’s specifications.

composition

import Fugue.AWS as AWS
import Fugue.AWS.IAM.Typed as Typed
import Fugue.AWS.SNS as SNS

subscription: SNS.Subscription.new {
  endpoint: SNS.Https("https://example.com"),
  topic: topic
}

topic: SNS.Topic.new {
  name: "example-topic",
  region: AWS.Us-east-1,
  policy: Typed.Policy.toString(topicPolicyDocument)
}

topicPolicyDocument: Typed.Policy.new {
  version: Typed.Policy.V2012-10-17,
  statements: [
    Typed.Policy.deny {
      principals: [ Typed.Policy.aws [ "*" ] ],
      actions: ["SNS:Receive"],
      resources: ["*"],
      conditions: [ Typed.Condition.stringEquals("SNS:Protocol", "http") ]
    }
  ]
}

(Download HIPAATopicFixed.lw here.)

Let’s try to run the composition again and see if it passes validation.

fugue run HIPAATopicFixed.lw -a HIPAATopic

You should see output like this:

[ fugue run ] Running /Users/main-user/projects/HIPAATopicFixed.lw

Run Details:
    Account: default
    Alias: HIPAATopic

Compiling Ludwig file /Users/main-user/projects/HIPAATopicFixed.lw
[ OK ] Successfully compiled. No errors.

Uploading compiled Ludwig composition to S3...
[ OK ] Successfully uploaded.

Requesting the Conductor to create and run process based on composition ...
[ DONE ] Process created and running.


State    Updated    Created    Account              FID                                   Alias       Flags      Last Message  Next Command
-------  ---------  ---------  -------------------  ------------------------------------  ----------  -------  --------------  --------------
Running  3:50am     3:50am     fugue-1538608745415  66a4a602-ba13-4e73-bc70-d9243098633b  HIPAATopic  -e                       run

[ HELP ] Run the "fugue status" command to view details and status for all Fugue processes.

Success! You’ve used Fugue’s Compliance Suite to enforce HIPAA compliance at runtime, ensuring all current and future processes are compliant. But don’t rest on your laurels yet – next we’re going to show you how to apply a compliance library at design-time.

By the way, you can use the fugue policy validation-remove command to remove the runtime validation when you’re done with it.

Note

If you want to apply an entire compliance standard at runtime and know you won’t need to modify it later, you can upload this very tiny validation module:

import Fugue.Compliance.HIPAA

When you upload it to the Conductor with fugue policy validation-add, all of the validations referenced in Fugue.Compliance.HIPAA get bundled up, too, and are automatically applied to current and future processes.

This tip works for all of the other compliance standards, too.

Continue to Part 2

In Part 1, we’ve demonstrated how to use the Compliance Suite to enforce security and regulatory standards at runtime. Next, in Part 2, we’ll go over using the Compliance Suite at design-time. We’ll also show how to customize a compliance library for your organization’s needs. When you’re ready, proceed to Part 2!