Tutorial: Hello World AWS


Need to get up and running fast? See Get Started in 5 Minutes.

For a deep dive into setup information, see Setup - AWS & AWS GovCloud or Setup - Azure.

Getting started

Ready to create your very first Fugue environment? An environment represents the cloud infrastructure configuration in a given region of your cloud provider account – in this case, Amazon Web Services (AWS). Fugue surveys the resources in the region and reports whether they are compliant with a particular compliance standard. For this example, that’ll be CIS AWS Foundations Benchmark, PCI-DSS, and the Fugue Best Practices Framework.


You can select any supported compliance standard if you have an Enterprise, Enterprise trial, or Team account. The Fugue Developer tier is limited to CIS and FBP.

Sign up for Fugue

Before you can create an environment, you’ll need to sign up for a free account with Fugue. (You’ll start off with a free Enterprise trial, which gives you access to all of Fugue’s features; after 30 days, you’ll be transitioned to the free-forever Developer plan if you choose not to upgrade.)


Once you’re all signed up and logged in, select the Define New Environment button:


Name environment

Go ahead and give your new environment a name – we named ours Example Us-west-1:


AWS is already selected as the cloud provider, so click Continue.

Select region and resource types

Next, select the region you want Fugue to survey. This example uses us-west-1 (N. California), but you can use whatever region you like..


Now we need to select the resource types Fugue will check for compliance. For this simple example, we’ll select only three to scan and none to enforce:

  • AWS.EC2.SecurityGroup

  • AWS.EC2.Subnet

  • AWS.EC2.Vpc


Connect to AWS resources

Now, back to our environment. In order for Fugue to scan the configuration of your cloud infrastructure, it needs certain read-only IAM permissions. You grant these permissions to Fugue by assigning it an IAM role with a tailored policy.

Make sure Create New IAM Role is selected (as shown), and then select Launch Stack in AWS Console. This deploys a CloudFormation stack in your account, creating an IAM role granting the permissions Fugue needs to survey your infrastructure configuration. The role is assigned the read-only AWS-managed SecurityAudit policy.

(Just so you know: when needed, Fugue creates a supplemental inline role granting read and/or read/write permissions not covered by SecurityAudit. This doesn’t apply to our example, however, because we’ve only selected a few resource types for scanning.)

For more information about how Fugue handles IAM permissions, see IAM Policy Permissions.


After you select Launch Stack in AWS Console, you’ll be brought to the CloudFormation console. If you want to preview the permissions Fugue will be given, you can select View in Designer. Otherwise, go ahead and select Next to continue through the Create Stack wizard.


You can continue to select Next, accepting the defaults, until you get to the review page; check the box to acknowledge that CloudFormation may create IAM resources with custom names, and then select Create stack.


AWS takes you to the newly launched stack. Select the Outputs tab and look for the IAM role ARN in the Value field. (This takes a few seconds, so you may need to refresh the page first.) Copy the ARN and return to Fugue.


Paste the ARN into the AWS IAM Role ARN field and select Continue.


Select compliance families

Here, we’ll select the compliance standards Fugue will use to assess our infrastructure. For this example, we’ve selected CIS AWS Foundations Benchmark (CIS AWS), PCI-DSS, and Fugue Best Practices.


Review settings

Finally, review the environment details and make sure everything looks right. When you’re ready, select Approve and Begin Initial Scan.


Fugue starts generating your environment. In just a few short minutes, you’ll be taken to the dashboard for your shiny, new environment!


What’s Next?

Fugue will continue to scan the resource configuration in your environment at regular intervals (and on demand). This is how Fugue detects compliance violations in your infrastructure.

Now that you’ve created an environment, learn how to configure it further in Environment Configuration. When your environment is in a known-good state, you can optionally set a baseline, which is a “snapshot” of resource configuration at a point in time. When you set a baseline, Fugue lets you know of any changes to that configuration, known as drift.

When baseline enforcement is enabled, Fugue autonomously and intelligently reverts configuration drift back to the state recorded in the baseline. But baseline enforcement is a topic for another walkthrough! See Example: Scan, Detect Drift, Enforce.

If you’d like to learn more about checking your infrastructure’s compliance state, see Compliance. You might also enjoy visualizing your environment. Or, jump into setting up Notifications.