Common Fugue terms and concepts are defined below.


baseline

A snapshot of a “known-good” configuration of cloud infrastructure. It is a complete picture of a cloud environment and defines every resource with all of its attributes. A baseline acts as a “contract” between different stakeholders such as DevOps and Security.


CIS AWS

CIS AWS Foundations Benchmark v. 1.2.0 is a set of configuration guidelines created by the Center for Internet Security (CIS) for various technology groups to safeguard their AWS systems against today’s evolving cyber threats. Abbreviated as CIS. See Compliance.

CIS Azure

CIS Azure Foundations Benchmark is a set of configuration guidelines created by the Center for Internet Security (CIS) to help organizations safeguard their Azure infrastructure against today’s evolving cyber threats. Abbreviated as CISAZURE. See Compliance.

CIS Controls

The Center for Internet Security Critical Security Controls for Effective Cyber Defense is a publication of best practice guidelines for computer security. The publication was initially developed by the SANS Institute. Abbreviated as CISCONTROLS in AWS and CISCONTROLSAZURE in Azure. See Compliance.

compliance control

A specific recommendation within a compliance family that defines a process, policy, or approach. For example, PCI-DSS 1.3.5, “Permit only ‘established’ connections into the network,” is a control. Controls map to one or more rules, and rules map to one or more controls. See Compliance Concepts.

compliance family
compliance standard

A group of compliance controls that Fugue evaluates infrastructure against. For example, Fugue supports the following standards: CIS AWS, CIS Azure, CIS Controls, Fugue Best Practices, GDPR, HIPAA, ISO 27001, NIST SP 800-53, PCI-DSS, and SOC 2. The terms compliance family and compliance standard are synonymous. See Compliance.


compliant

Describes a resource, rule, or control that meets a set of conditions related to policy. A control is compliant if all underlying rules are compliant. A rule is compliant if all applicable resources pass it. A resource is compliant if it passes all applicable rules. Which rules are applicable to which resources depends on which compliance families are selected for an environment. See Compliance Concepts.

control evaluation

The compliance value of a control based on the results of all applicable rules. If any resource fails any rule that maps to a control (e.g., if there is a single rule result with a “fail” value), that control is noncompliant. If all applicable resources pass all the rules that map to a control (e.g., there are no rule results with a “fail” value), the control is compliant. If the control can’t be assessed because a required resource doesn’t exist or Fugue lacks permission to assess it, the control’s value is Missing Data. Note that “missing data” is called Unknown in the API. See Compliance Concepts.

CSA Cloud Controls Matrix

CSA Cloud Controls Matrix (v3.0.1) is a cybersecurity control framework for cloud security assurance and compliance maintained by the Cloud Security Alliance. Abbreviated as CSACCM in AWS and Azure. See Compliance.

custom rule

A user-defined rule written in the Rego policy language. See Custom Rules to learn more, or Compliance Concepts to learn about rules in general.

daily resources scans

Fugue determines a “Daily Resources Scans” metric for each customer based on an aggregate of the number of times each resource is scanned over the course of a day, excluding default immutable resources. Resource scans can be generated via scheduled scans or on-demand scans initiated by a user. Scanned resource numbers are updated at 8 AM, 5 PM, and 9 PM UTC.


drift

Any change made to the configuration of a resource, or the deletion of existing resources or the creation of new resources, that deviates from a baseline. Drift is typically an inadvertent change made outside of the official change control process and can cause security or operational issues. See Drift Detection.

drift detection

Fugue detects any configuration changes (drift) that deviate from a baseline. See Drift Detection.

baseline enforcement

An action taken without human intervention by Fugue to revert any configuration drift back to the established baseline without the need for external remediation scripts or “bots.” AWS & AWS GovCloud only. See Enabling Enforcement. Also called “automated remediation.”


environment

A collection of cloud resources within a single cloud account that Fugue uses as a “unit” to manage security and compliance assessments as well as baseline configuration drift and enforcement. An environment represents not just cloud infrastructure but the state of its compliance and whether it has changed (drifted) from its ideal configuration. See Environment Configuration.


event

An event is a change in compliance state, resource configuration due to drift, or resource configuration due to enforcement.

Fugue Best Practices

The Fugue Best Practices Framework complements the CIS Benchmarks by providing guidance and recommendations to secure cloud resources against advanced misconfiguration exploits. Abbreviated as FBP. For a list of controls, see Fugue Best Practices.


GDPR

GDPR (2016/679) refers to the European General Data Protection Regulation, or standards that were introduced for data protection and privacy for individuals within the EU and EEA. Abbreviated as GDPR in AWS and GDPRAZURE in Azure. See Compliance.


HIPAA

HIPAA (2013) regulations protect the privacy and security of certain health information. HIPAA is short for the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Abbreviated as HIPAA in AWS and HIPAAAZURE in Azure. See Compliance.


infrastructure

Also referred to as Infrastructure as a Service (IaaS). The set of virtualized computing resources, generally divided into compute, networking, and storage functions. The term can also be applied to newer functions such as serverless computing, stream processing, or container orchestration. Cloud infrastructure configurations are typically exposed and configured via APIs.

ISO 27001

ISO 27001 (2013) is a specification for information security management systems. It also includes controls for information risk management processes. Abbreviated as ISO27001 in AWS and ISO27001AZURE in Azure. See Compliance.

Missing Data

The value for a control evaluation when a compliance control can’t be assessed because it requires a specific resource but either the resource doesn’t exist or Fugue lacks the necessary permissions to assess it. Called Unknown in the API. See Compliance Concepts.

NIST SP 800-53

NIST SP 800-53 Rev. 4 provides standards and guidelines to help federal agencies meet the requirements of the Federal Information Security Management Act (FISMA). NIST is short for National Institute of Standards and Technology. Abbreviated as NIST in AWS and NISTAZURE in Azure. See Compliance.


noncompliant

Describes a resource, rule, or control that fails a set of conditions related to policy. A noncompliant resource violates a rule, making the rule itself noncompliant. A noncompliant control has at least 1 underlying noncompliant rule violated by at least 1 noncompliant resource. The rules that are applicable to resources depend on which compliance families are selected for an environment. See Compliance Concepts.


PCI-DSS

PCI-DSS v. 3.2.1 is a set of standards that emphasizes data security for companies that process credit cards. PCI-DSS is short for Payment Card Industry Data Security Standard. Abbreviated as PCI in AWS and PCIAZURE in Azure. See Compliance.


RBAC

Role-based access control. RBAC allows administrators to restrict read and write access to key parts of Fugue. See RBAC.


resource

A resource is any configuration item that needs to be tracked and analyzed from a policy or drift perspective. Examples of AWS resource types include EC2 instances, ELB listeners, customer-managed IAM policies, KMS keys, and S3 bucket policies. Examples of Azure resources include managed disks, SQL servers, storage accounts, and virtual networks. See Service Coverage - AWS & AWS GovCloud and Service Coverage - Azure & Azure Government for a full list of resource types.

resource evaluation

The compliance value for a resource based on the results of all applicable rules. If the resource fails any applicable rule (e.g., if there is a single rule result with a “fail” value), the resource has the value noncompliant. If it passes all applicable rules (e.g., there are no rule results with a “fail” value), it is compliant. A resource evaluation may be different for a given resource depending on which rules are applied. See Compliance Concepts.


rule

A rule checks cloud infrastructure configurations to determine whether a resource, region, or account complies with a specific policy. For example, the rule “IAM password policies should require a minimum length of 14 characters” checks whether an AWS account has an appropriately complex IAM password policy. Rules map to one or more controls, and controls map to one or more rules. Fugue also supports custom rules, which are policies you write. See Compliance Concepts.

rule result

A compliance value determined by evaluating a rule on a specific resource, region, or account. A rule result is “fail” if the resource does not comply with the rule, or if a required resource is missing; “pass” if the resource complies with the rule; or “unknown” if an error prevented the rule from being evaluated.


RUM

Resources Under Management (RUM). For billing purposes, Fugue calculates RUM. RUM excludes all duplicate resources, AWS-managed IAM policies (e.g., DatabaseAdministrator, SecurityAudit), default AWS ElastiCache parameter groups, and built-in Azure Role Definitions, so if multiple environments include the same resources, Fugue will only count those resources once. See Service Coverage. See also daily resources scans. RUM is updated at 8 AM, 5 PM, and 9 PM UTC.


scan

A scan is a comprehensive survey of a Fugue environment at a point in time to retrieve resource configuration state, assess compliance, and identify potential misconfigurations.

self-healing infrastructure

Cloud resources that use baseline enforcement to revert drift back to the baseline and “heal” themselves of misconfigurations. The baseline provides the necessary context to perform self-healing safely and without code.


service

A public cloud provider “product,” usually with its own API, such as storage, servers, networking, etc. Examples: Amazon EC2, AWS Identity & Access Management (IAM), Amazon S3, Azure Virtual Machines, Azure Blob Storage. See Service Coverage - AWS & AWS GovCloud and Service Coverage - Azure & Azure Government.


SOC 2

SOC 2 (2017) is a compliance report for Statement on Standards for Attestation Engagements (SSAE). SOC 2 reports apply to service organizations that hold, store, or process customer data in the cloud. Abbreviated as SOC2 in AWS and SOC2AZURE in Azure. See Compliance.


waiver

When a rule is waived for a resource, the result – PASS or FAIL – is effectively ignored in compliance calculations for that environment. See Rule Waivers.
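
The rollup described in the rule result, resource evaluation, control evaluation, and waiver entries can be sketched as follows. This is an added example, not Fugue's code: the rule names, control names, and sample results are constructed, and treating a control with no rule results at all as Missing Data is an assumption.

```python
from collections import defaultdict

# Constructed sample rule results: (rule, resource, result).
RULE_RESULTS = [
    ("iam-password-length", "account-1", "fail"),
    ("s3-encryption", "bucket-a", "pass"),
    ("s3-encryption", "bucket-b", "fail"),
    ("s3-logging", "bucket-a", "pass"),
    ("s3-logging", "bucket-b", "unknown"),
]
# Hypothetical control-to-rule mapping (a control maps to one or more rules).
CONTROL_RULES = {
    "CTRL-1": ["s3-encryption", "s3-logging"],
    "CTRL-2": ["s3-logging"],
    "CTRL-3": ["iam-password-length"],
    "CTRL-4": ["vpc-flow-logs"],  # no rule results exist for this control
}

def effective(results, waivers):
    """Drop waived (rule, resource) pairs: their result is ignored."""
    return [r for r in results if (r[0], r[1]) not in waivers]

def resource_evaluations(results, waivers=frozenset()):
    """A resource is noncompliant if any applicable rule result is 'fail'."""
    by_resource = defaultdict(list)
    for _rule, resource, result in effective(results, waivers):
        by_resource[resource].append(result)
    return {res: "noncompliant" if "fail" in vals else "compliant"
            for res, vals in by_resource.items()}

def control_evaluations(results, control_rules, waivers=frozenset()):
    """Roll rule results up to controls (Missing Data is 'Unknown' in the API)."""
    assessed = {rule for rule, _res, _val in results}  # before waivers
    by_rule = defaultdict(list)
    for rule, _res, result in effective(results, waivers):
        by_rule[rule].append(result)
    out = {}
    for control, rules in control_rules.items():
        vals = [v for rule in rules for v in by_rule[rule]]
        if "fail" in vals:
            out[control] = "noncompliant"
        elif not any(rule in assessed for rule in rules):
            # Assumption: no rule results at all models "can't be assessed".
            out[control] = "Missing Data"
        else:
            # Per the glossary wording: no "fail" results means compliant.
            out[control] = "compliant"
    return out
```

Passing `{("s3-encryption", "bucket-b")}` as `waivers` removes the only failing result under CTRL-1, so that control and the resource `bucket-b` both evaluate as compliant.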