Fugue 101

Welcome to Fugue! If you’ve just created an environment, you’re in the right place. In this document, we’ll go over some core Fugue concepts and explain how to navigate the product.

Note

Want to jump right in and create your first environment? You can get started in 5 minutes.

Concepts

Before diving into Fugue, it’s helpful to understand some core concepts:

• An environment contains resources from a single AWS account, Azure subscription, Google project, or code repository. AWS, Azure, and Google environments contain runtime resources and configurations, and repository environments contain infrastructure as code resources from code files for cloud configurations.

• A baseline represents a “snapshot” of an environment’s resource configuration at a point in time.

• When you set a baseline, Fugue lets you know of any changes to that configuration, known as drift.

• With baseline enforcement optionally enabled, Fugue reverts any configuration drift back to the established baseline.

To get the most out of Fugue, a good workflow is to:

• Scan an environment to refresh your resources’ compliance state

• Set a baseline and configure notifications to be alerted to drift events

• Optionally enable enforcement so drifted resources may be corrected back to the state in the baseline

Permissions

For runtime cloud environments, Fugue requires read-only access to all services you want Fugue to scan for compliance or drift and read and write access to all services you want Fugue to enforce. This access is controlled through your associated AWS Identity & Access Management (IAM) role, Azure service principal, or Google service account. You can see the list of AWS and AWS GovCloud IAM permissions here.

AWS IAM role resources:

• AWS IAM Policy Permissions

• How To: Update the Fugue IAM Role

• How To: Create a Fugue IAM Role

Azure permissions resources:

• Setup - Azure

• How To: Change Selected Resource Groups

Google permissions resources:

• Setup - Google Cloud

For repository environments, Fugue does not currently require any external permissions. Executing a regula scan with Regula requires Fugue API client credentials. Learn more here:

• Setup - Repository Environment

If you have further questions, reach out to support@fugue.co.

Compliance

See Compliance Concepts for a primer on rules, families, controls, and how they relate to each other.

Navigating Fugue

Let’s tour the product!

Environment dashboard

After you create your first AWS, Azure, Google, or repository environment, you’re taken to a dashboard where you can view at-a-glance details about the environment. You can also:

• Review compliance state

• See a visualization of resource configuration

• View drift and remediation events

• Set a baseline

• Trigger a scan

• Edit environment settings

Environment Overview page

To access the Environment Overview page, select the “Environments” link in the top right corner of the UI. You’ll see a list of your environments:

On the Environment Overview page, you can do the following:

• View an executive summary for each of your available environments

• Search by environment name, provider, or ID to filter the list of environments

• Search environments by the following key-value pairs: name, provider, and ID (i.e., AWS account ID, Azure subscription ID, Google project ID, and environment ID). For example, enter provider:AWS name:Production and id:7210988899

  • Search terms can be saved and shared via URL

• Create a new AWS, Azure, Google, or repository environment

• Edit settings for an environment

• Scan an environment

• Export rule result data

• Expand/collapse the Environment Summary view

Environment summary

The summary for each environment shows the following details:

• Provider account/subscription ID/project ID

• AWS region(s) or Azure resource group(s)

  • If all AWS regions are selected, “All Regions” is displayed

  • If a subset of AWS regions or multiple Azure resource groups are selected, hover over the i to see the list

• Last scan and next scan (for runtime environments only)

• Whether baseline & drift detection or enforcement have been enabled

• Number of scanned resources, including how many are compliant or noncompliant

• Number of passed or failed compliance controls

• Selected compliance families

By selecting the ellipsis next to an environment, you can also access a drop-down list of actions for that environment:

• View takes you to the environment dashboard

• View in Visualizer takes you to the visualizer page

• Start New Scan scans the environment

• Edit Settings allows you to configure the environment

• Remove allows you to permanently delete the environment