Glossary

Common Fugue terms and concepts are defined below.

AWS Well-Architected
AWS Well-Architected Framework

The AWS Well-Architected Framework provides architectural best practices for designing and operating cloud infrastructure.

baseline

A snapshot of a “known-good” configuration of cloud infrastructure. It is a complete picture of a cloud environment and defines every resource with all of its attributes. A baseline acts as a “contract” between different stakeholders such as DevOps and Security.

CIS AWS
CIS AWS Foundations Benchmark

CIS AWS Foundations Benchmark is a set of configuration guidelines created by the Center for Internet Security (CIS) to help organizations safeguard their AWS infrastructure against today’s evolving cyber threats. Fugue supports the following versions: v1.2.0, v1.3.0, and v1.4.0 (latest). See Compliance.

CIS Azure
CIS Azure Foundations Benchmark

CIS Azure Foundations Benchmark is a set of configuration guidelines created by the Center for Internet Security (CIS) to help organizations safeguard their Azure infrastructure against today’s evolving cyber threats. Fugue supports the following versions: v1.1.0 and v1.3.0 (latest). See Compliance.

CIS Controls

The Center for Internet Security Critical Security Controls for Effective Cyber Defense is a publication of best practice guidelines for computer security. The publication was initially developed by the SANS Institute. Fugue supports the following version: v7.1. See Compliance.

CIS Docker
CIS Docker Benchmark

The CIS Docker Benchmark provides guidance on secure configurations for developing and deploying Docker containers on Linux-based platforms. Fugue focuses on sections of the benchmark that apply to containers running in AWS Elastic Container Service (ECS). Fugue supports the following version: v1.2.0. See Compliance.

CIS Google
CIS Google Foundations Benchmark

CIS Google Cloud Platform Foundations Benchmark is a set of configuration guidelines created by the Center for Internet Security (CIS) to help organizations safeguard their Google Cloud infrastructure against today’s evolving cyber threats. Fugue supports the following versions: v1.1.0 and v1.2.0 (latest). See Compliance.

CIS Kubernetes
CIS Kubernetes Foundations Benchmark

CIS Kubernetes Foundations Benchmark is a set of configuration guidelines created by the Center for Internet Security (CIS) to help organizations safeguard their Kubernetes infrastructure against today’s evolving cyber threats. Fugue supports the following version: v1.6.1 (latest). See Compliance.

compliance control
control

A specific recommendation within a compliance family that defines a process, policy, or approach. For example, PCI DSS (v3.2.1) 1.3.5, “Permit only ‘established’ connections into the network,” is a control. Controls map to one or more rules, and rules map to one or more controls. See Compliance Concepts.

compliance family
family

A group of rules (which can be a mix of custom rules and Fugue-defined rules), which may be further associated with compliance controls that Fugue evaluates infrastructure against. Families can be either Fugue-defined or user-defined (custom families). Custom families do not include any control associations, whereas most Fugue-defined compliance families contain rules that are associated with controls. See Compliance and Families.

compliant

Describes a resource, rule, or control that meets a set of conditions related to policy. A control is compliant if all underlying rules are compliant. A rule is compliant if all applicable resources pass it. A resource is compliant if it passes all applicable rules. Which rules are applicable to which resources depends on which families are selected for an environment. See Compliance Concepts.

control evaluation

The compliance value of a control based on the results of all applicable rules. If any resource fails any rule that maps to a control (e.g., if there is a single rule result with a “fail” value), that control is noncompliant. If all applicable resources pass all the rules that map to a control (e.g., there are no rule results with a “fail” value), the control is compliant. If the control can’t be assessed because a required resource doesn’t exist or Fugue lacks permission to assess it, the control’s value is Missing Data. Note that “missing data” is called Unknown in the API. See Compliance Concepts.

CSA Cloud Controls Matrix
CSA CCM

CSA Cloud Controls Matrix is a cybersecurity control framework for cloud security assurance and compliance maintained by the Cloud Security Alliance. Abbreviated as CSA CCM. Fugue supports the following version: v3.0.1. See Compliance.

custom rule

A user-defined rule written in the Rego policy language. See Custom Rules to learn more, or Compliance Concepts to learn about rules in general.

daily resources scans

Fugue determines a “Daily Resources Scans” metric for each customer based on an aggregate of the number of times each resource is scanned over the course of a day, excluding default immutable resources. Resource scans can be generated via scheduled scans or on-demand scans initiated by a user. Scanned resource numbers are updated at 8 AM, 5 PM, and 9 PM UTC.

drift

Any deviation from a baseline: a change made to the configuration of a resource, the deletion of an existing resource, or the creation of a new resource. Drift is typically an inadvertent change made outside of the official change control process and can cause security or operational issues. See Drift Detection.

drift detection

Fugue detects any configuration changes (drift) that deviate from a baseline. See Drift Detection.

enforcement
baseline enforcement

An action taken without human intervention by Fugue to revert any configuration drift back to the established baseline without the need for external remediation scripts or “bots.” AWS & AWS GovCloud only. See Baseline Enforcement. Also called “automated remediation.”

environment

A collection of cloud resources within a single cloud account that Fugue uses as a “unit” to manage security and compliance assessments as well as baseline configuration drift and enforcement. An environment represents not just cloud infrastructure but the state of its compliance and whether it has changed (drifted) from its ideal configuration. See Environment Configuration.

event
events

An event is a change in compliance state, resource configuration due to drift, or resource configuration due to enforcement.

FBP
Fugue Best Practices

The Fugue Best Practices Framework complements the CIS Benchmarks by providing guidance and recommendations to secure cloud resources against advanced misconfiguration exploits. Abbreviated as FBP. For a list of controls, see Fugue Best Practices.

GDPR

GDPR refers to the European General Data Protection Regulation, a set of standards introduced for data protection and privacy for individuals within the EU and EEA. Fugue supports the following version: v2016. See Compliance.

HIPAA

HIPAA regulations protect the privacy and security of certain health information. HIPAA is short for the Health Insurance Portability and Accountability Act of 1996. Fugue supports the following version: v2013. See Compliance.

infrastructure

The set of virtualized resources, generally divided into compute, networking, and storage functions. The term can also be applied to newer functions such as serverless computing, stream processing, container orchestration, and much more. Cloud infrastructure configurations are typically exposed and configured via APIs.

infrastructure as code
IaC

Describes configuration and code files (e.g., AWS CloudFormation and Terraform) that represent predeployment cloud resources. This is used in contrast with runtime AWS, Azure, and Google Cloud resources.

ISO 27001

ISO 27001 is a specification for information security management systems. It also includes controls for information risk management processes. Fugue supports the following version: v2013. See Compliance.

Missing Data

The value for a control evaluation when a compliance control can’t be assessed because it requires a specific resource but either the resource doesn’t exist or Fugue lacks the necessary permissions to assess it. Called Unknown in the API. See Compliance Concepts.

NIST 800-53

NIST 800-53 provides standards and guidelines to help federal agencies meet the requirements of the Federal Information Security Management Act (FISMA). NIST is short for National Institute of Standards and Technology. Fugue supports the following version: vRev4. See Compliance.

noncompliant

Describes a resource, rule, or control that fails a set of conditions related to policy. A noncompliant resource violates a rule, making the rule itself noncompliant. A noncompliant control has at least 1 underlying noncompliant rule violated by at least 1 noncompliant resource. The rules that are applicable to resources depend on which compliance families are selected for an environment. See Compliance Concepts.

PCI
PCI DSS

PCI DSS is a set of standards that emphasizes data security for companies that process credit cards. PCI DSS is short for Payment Card Industry Data Security Standard. Fugue supports the following version: v3.2.1. See Compliance.

RBAC

Role-based access control. RBAC allows administrators to restrict read and write access to key parts of Fugue. See RBAC.

repository

A repository contains code files and other metadata relevant to version control systems. A Fugue repository environment contains resources from infrastructure as code files, such as Terraform HCL files, AWS CloudFormation templates, or Kubernetes YAML manifest files.

resource

A resource is any configuration item that needs to be tracked and analyzed from a policy or drift perspective. Examples of AWS resource types include EC2 instances, ELB listeners, customer-managed IAM policies, KMS keys, and S3 bucket policies. Examples of Azure resources include managed disks, SQL servers, storage accounts, and virtual networks. Examples of Google Cloud resources include Compute Engine instances, BigQuery tables, and Cloud Storage buckets. See Service Coverage - AWS & AWS GovCloud, Service Coverage - Azure & Azure Government, and Service Coverage - Google Cloud for a full list of resource types.

resource evaluation

The compliance value for a resource based on the results of all applicable rules. If the resource fails any applicable rule (e.g., if there is a single rule result with a “fail” value), the resource has the value noncompliant. If it passes all applicable rules (e.g., there are no rule results with a “fail” value), it is compliant. A resource evaluation may be different for a given resource depending on which rules are applied. See Compliance Concepts.

rule

A rule checks cloud infrastructure configurations to determine whether a resource, region, or account complies with a specific policy. For example, the rule “IAM password policies should require a minimum length of 14 characters” checks whether an AWS account has an appropriately complex IAM password policy. Rules map to one or more controls, and controls map to one or more rules. Fugue also supports custom rules, which are policies you write. See Compliance Concepts.

rule result

A compliance value determined by evaluating a rule on a specific resource, region, or account. A rule result is “fail” if the resource does not comply with the rule, or if a required resource is missing; “pass” if the resource complies with the rule; or “unknown” if an error prevented the rule from being evaluated.

RUM

Resources Under Management (RUM). For billing purposes, Fugue calculates RUM. RUM excludes all duplicate resources, AWS-managed IAM policies (e.g., DatabaseAdministrator, SecurityAudit), default AWS ElastiCache parameter groups, and built-in Azure Role Definitions, so if multiple environments include the same resources, Fugue will only count those resources once. See Service Coverage. See also daily resources scans. RUM is updated at 8 AM, 5 PM, and 9 PM UTC.

runtime

Describes “live” cloud infrastructure available on AWS, Azure, or Google Cloud. Fugue uses the term in contrast with infrastructure as code, which describes configuration and code files (e.g., AWS CloudFormation and Terraform) that represent predeployment cloud resources.

scan

A scan is a comprehensive survey of a Fugue environment at a point in time to retrieve resource configuration state, assess compliance, and identify potential misconfigurations.

self-healing infrastructure

Cloud resources that use baseline enforcement to revert drift back to the baseline and “heal” themselves of misconfigurations. The baseline provides the necessary context to perform self-healing safely and without code.

service

A public cloud provider “product,” usually with its own API, such as storage, servers, networking, etc. Examples: Amazon EC2, AWS Identity & Access Management (IAM), Amazon S3, Azure Virtual Machines, Azure Blob Storage, Google Compute Engine, Google BigQuery. See Service Coverage - AWS & AWS GovCloud, Service Coverage - Azure & Azure Government, and Service Coverage - Google Cloud.

SOC 2

SOC 2 is a compliance report for Statement on Standards for Attestation Engagements (SSAE). SOC 2 reports apply to service organizations that hold, store, or process customer data in the cloud. Fugue supports the following version: v2017. See Compliance.

waiver

When a rule is waived for a resource, the result – PASS or FAIL – is effectively ignored in compliance calculations for that environment. See Rule Waivers.