Common Fugue terms and concepts are defined below.


baseline

A snapshot of a “known-good” configuration of cloud infrastructure. It is a complete picture of a cloud environment and defines every resource with all of its attributes. A baseline acts as a “contract” between different stakeholders such as DevOps and Security.


CIS AWS

CIS AWS Foundations Benchmark v. 1.2.0 is a set of configuration guidelines created by the Center for Internet Security (CIS) for various technology groups to safeguard their AWS systems against today’s evolving cyber threats. Abbreviated as CIS in Fugue. See Compliance.

CIS Azure

CIS Azure Foundations Benchmark is a set of configuration guidelines created by the Center for Internet Security (CIS) to help organizations safeguard their Azure infrastructure against today’s evolving cyber threats. Abbreviated as CISAZURE in Fugue. See Compliance.

compliance control

An individual recommendation within a compliance standard. For example, CIS AWS 2-9, “Ensure VPC flow logging is enabled in all VPCs,” is a control in the CIS AWS compliance standard.

compliance standard

A group of compliance controls that Fugue evaluates infrastructure against. For example, Fugue supports the following standards: CIS AWS, CIS Azure, GDPR, HIPAA, ISO 27001, NIST SP 800-53, PCI-DSS, and SOC 2. Also called compliance family.


compliant

Describes a resource configuration that adheres to a compliance control from standards such as SOC 2, ISO 27001, PCI-DSS, HIPAA, CIS AWS, CIS Azure, or NIST SP 800-53.

custom rule

A user-defined compliance control. See Custom Rules.


drift

Any change to the configuration of a resource, deletion of an existing resource, or creation of a new resource that deviates from a baseline. Drift is typically an inadvertent change made outside of the official change control process and can cause security or operational issues. See Drift Detection.

drift detection

Fugue detects any configuration changes (drift) that deviate from a baseline. See Drift Detection.

baseline enforcement

An action taken without human intervention by Fugue to revert any configuration drift back to the established baseline without the need for external remediation scripts or “bots.” See Enabling Enforcement.


environment

A collection of cloud resources within a single cloud account and region that Fugue uses as a “unit” to manage security and compliance assessments as well as baseline configuration drift and enforcement. An environment represents not just cloud infrastructure but the state of its compliance and whether it has changed (drifted) from its ideal configuration. See Environment Configuration.


event

An event is a change in compliance state, a change in resource configuration due to drift, or a change in resource configuration due to enforcement.

Fugue Best Practices

The Fugue Best Practices Framework complements the CIS Benchmarks by providing guidance and recommendations to secure cloud resources against advanced misconfiguration exploits. For a list of rules, see Fugue Best Practices.


GDPR

GDPR (2016/679) refers to the European General Data Protection Regulation, a set of standards introduced for data protection and privacy for individuals within the EU and EEA. Abbreviated as GDPR in Fugue. See Compliance.


HIPAA

HIPAA (2013) regulations protect the privacy and security of certain health information. HIPAA is short for the Health Insurance Portability and Accountability Act of 1996. Abbreviated as HIPAA in Fugue. See Compliance.


infrastructure

Also referred to as Infrastructure as a Service (IaaS). The set of virtualized computing resources, generally divided into compute, networking, and storage functions. The term can also be applied to new functions such as serverless computing, stream processing, or container orchestration. Cloud infrastructure configurations are typically exposed and configured via APIs.

ISO 27001

ISO 27001 (2013) is a specification for information security management systems. It also includes controls for information risk management processes. Abbreviated as ISO27001 in Fugue. See Compliance.

NIST SP 800-53

NIST SP 800-53 Rev. 4 provides standards and guidelines to help federal agencies meet the requirements of the Federal Information Security Management Act (FISMA). NIST is short for National Institute of Standards and Technology. Abbreviated as NIST in Fugue. See Compliance.


noncompliant

Describes a resource configuration that violates a compliance control from a compliance standard.


PCI-DSS

PCI-DSS v. 3.2.1 is a set of standards that emphasizes data security for companies that process credit cards. PCI-DSS is short for Payment Card Industry Data Security Standard. Abbreviated as PCI in Fugue. See Compliance.


RBAC

Role-based access control. RBAC allows administrators to restrict read and write access to key parts of Fugue. See RBAC.


resource

A resource is any configuration item that needs to be tracked and analyzed from a policy or drift perspective. Examples of AWS resources include EC2 instances, ELB listeners, customer-managed IAM policies, KMS keys, and S3 bucket policies. Examples of Azure resources include managed disks, SQL servers, storage accounts, and virtual networks. See Service Coverage for a full list of resource types.


RUM

Resources Under Management (RUM). Fugue calculates RUM for billing purposes. RUM excludes all AWS-managed IAM policies (e.g., DatabaseAdministrator, SecurityAudit). Duplicate resources are also excluded, so if multiple environments include the same resources, Fugue will only count those resources once. See Service Coverage.


scan

A scan is a comprehensive survey of a Fugue environment to retrieve resource configuration state, assess compliance, and identify potential misconfigurations.

self-healing infrastructure

Cloud resources that use baseline enforcement to revert drift back to the baseline and “heal” themselves of misconfigurations. The baseline provides the necessary context to perform self-healing safely and without code.


service

A public cloud provider “product,” usually with its own API, such as storage, servers, or networking. Examples: AWS EC2, AWS IAM, AWS S3, Azure Virtual Machines, Azure Blob Storage.


SOC 2

SOC 2 (2017) is a compliance report for Statement on Standards for Attestation Engagements (SSAE). SOC 2 reports apply to service organizations that hold, store, or process customer data in the cloud. Abbreviated as SOC2 in Fugue. See Compliance.