Common Fugue terms and concepts are defined below.


See enforcement.


baseline

A snapshot of a “known-good” configuration of cloud infrastructure. It is a complete picture of a cloud environment and defines every resource with all of its attributes. A baseline acts as a “contract” between different stakeholders such as DevOps and Security.


CIS AWS

CIS AWS Foundations Benchmark v. 1.2.0 is a set of configuration guidelines created by the Center for Internet Security (CIS) for various technology groups to safeguard their AWS systems against today’s evolving cyber threats. Abbreviated as CIS in Fugue.

CIS Azure

CIS Azure Foundations Benchmark is a set of configuration guidelines created by the Center for Internet Security (CIS) to help organizations safeguard their Azure infrastructure against today’s evolving cyber threats. Abbreviated as CISAZURE in Fugue.

compliance control

An individual recommendation within a compliance standard. For example, CIS AWS 2-9, “Ensure VPC flow logging is enabled in all VPCs,” is a control in the CIS AWS compliance standard.

compliance standard

A group of compliance controls that Fugue evaluates infrastructure against. For example, Fugue supports the following standards: CIS AWS, CIS Azure, GDPR, HIPAA, ISO 27001, NIST SP 800-53, PCI-DSS, and SOC 2. Also called compliance family.


Describes a resource configuration that adheres to a compliance control from standards such as SOC 2, ISO 27001, PCI, HIPAA, CIS, or NIST 800-53.

custom rule

A user-defined compliance control. See Custom Rules.


drift

Any change to the configuration of a resource, deletion of an existing resource, or creation of a new resource that deviates from a baseline. Drift is typically an inadvertent change made outside of the official change control process and can cause security or operational issues.

drift detection

Fugue detects any configuration changes that deviate from a baseline.


An action taken without human intervention by Fugue to revert any configuration drift back to the established baseline without the need for external remediation scripts or “bots.” Also called auto-remediation.


An environment represents not just cloud infrastructure but the state of its compliance and whether it has changed (drifted) from its ideal configuration. Through this concept of an environment, Fugue is able to provide you with a comprehensive snapshot of your compliance state at any given moment. Once you set a baseline – a known-good configuration – Fugue monitors your resources for drift.


A collection of cloud resources within a single cloud account and region that Fugue uses as a “unit” to manage security and compliance assessments as well as baseline configuration drift/enforcement.


event

An event is a change in compliance state, resource configuration due to drift, or resource configuration due to enforcement (auto-remediation).


GDPR

GDPR (2016/679) refers to the European General Data Protection Regulation, or standards that were introduced for data protection and privacy for individuals within the EU and EEA. Abbreviated as GDPR in Fugue.


HIPAA

HIPAA (2013) regulations protect the privacy and security of certain health information. HIPAA is short for the Health Insurance Portability and Accountability Act of 1996. Abbreviated as HIPAA in Fugue.


Also referred to as Infrastructure as a Service (IaaS). The set of virtualized computing resources, generally divided into compute, networking, and storage functions, though the term can also be applied to new functions such as serverless computing, stream processing, or container orchestration. Cloud infrastructure configurations are typically exposed and configured via APIs.

ISO 27001

ISO 27001 (2013) is a specification for information security management systems. It also includes controls for information risk management processes. Abbreviated as ISO27001 in Fugue.

NIST SP 800-53

NIST SP 800-53 Rev. 4 provides standards and guidelines to help federal agencies meet the requirements of the Federal Information Security Management Act (FISMA). NIST is short for National Institute of Standards and Technology. Abbreviated as NIST in Fugue.


Describes a resource configuration that violates a compliance control from standards such as SOC 2, ISO 27001, PCI, HIPAA, CIS, or NIST 800-53.


PCI-DSS

PCI-DSS v. 3.2.1 is a set of standards that emphasize data security for companies that process credit cards. PCI-DSS is short for Payment Card Industry Data Security Standard. Abbreviated as PCI in Fugue.


An entity you can work with in the cloud that has a unique resource ID for a cloud provider (for example, an AWS EC2 instance, VPC Flow Log, or Security Group).

self-healing infrastructure

Cloud resources that use baseline enforcement to revert drift back to the baseline and “heal” themselves of misconfigurations. The baseline provides the necessary context to perform self-healing safely and without code.


A public cloud provider “product,” usually with its own API, such as storage, servers, networking, etc. Examples: AWS EC2, AWS IAM, AWS S3, Azure Virtual Machines, Azure Blob Storage.


SOC 2

SOC 2 (2017) is a compliance report for Statement on Standards for Attestation Engagements (SSAE). SOC 2 reports apply to service organizations that hold, store, or process customer data in the cloud. Abbreviated as SOC2 in Fugue.