Release Notes¶
Fugue ensures that cloud infrastructure stays in continuous compliance with enterprise security policies.
2020.07.08¶
Rule Waivers¶
Rule waivers provide exceptions on rule violations that apply to a specific resource. Waived rules no longer count as “Failed” in compliance calculations.
You can view waived resources on the Waivers page.
Refer to Rule Waivers for more information about working with waivers.
Rule Severity on the Compliance by Resource Page¶
Rule severity establishes the level of risk posed by a misconfiguration to your cloud security posture. Severity falls into the following categories: critical, high, medium, or low. Adding rule severity to the Compliance by Resource page makes it easier for you to prioritize fixing the resources that have a higher severity. Refer to Compliance for more information on rule severity.
Two New RBAC Policies¶
Fugue added two new RBAC policies – Contributor and Auditor. The Contributor policy grants all the permissions in the Editor policy, as well as allows users to waive rules, create custom rules, and create environments. The Auditor policy grants all the permissions in the Read Only policy, as well as allows users to run a scan and create notifications. For more information on working with RBAC, refer to Role-Based Access Control (RBAC).
UX Update to the Top Navigation¶
Custom Rules have moved to the Rules section in the top navigation.
Bug Fixes¶
The rule that checks the CloudFront viewer protocol policy was updated to support redirect-to-https in addition to https-only. Refer to the remediation steps for more information.
2020.06.05¶
Ability to export compliance data via the UI¶
Fugue now supports the capability to export compliance data for multiple environments at the same time for AWS accounts and Azure subscription levels. On the Environment Landing page, clicking on the Export Data button allows you to download the Rule Results with Controls data as a CSV or Excel (.xlsx). Refer to Export Data for more information.
2020.06.04¶
Extended Azure Service Coverage Beta¶
Fugue launched support for resources in the following Azure services in beta:
Azure.Automation.Account
Azure.Automation.Credential
Azure.Automation.Schedule
Azure.Cdn.Profile
Azure.Compute.AvailabilitySet
Azure.Compute.Image
Azure.Compute.SharedImageGallery
Azure.Compute.Snapshot
Azure.Compute.VirtualMachineScaleSet
Azure.Container.Group
Azure.Container.Registry
Azure.Databricks.Workspace
Azure.KeyVault.Vault
Azure.MySQL.Database
Azure.MySQL.FirewallRule
Azure.MySQL.Server
Azure.MySQL.VirtualNetworkRule
Azure.Network.ApplicationGateway
Azure.Network.ApplicationSecurityGroup
Azure.Network.DDoSProtectionPlan
Azure.Network.DNSZone
Azure.Network.Firewall
Azure.Network.LoadBalancer
Azure.Network.RouteTable
Azure.PostgreSQL.Database
Azure.PostgreSQL.VirtualNetworkRule
Azure.PostgreSQL.Server
Azure.PostgreSQL.FirewallRule
Azure.SQL.Database
Azure.SQL.ElasticPool
Azure.SQL.VirtualNetworkRule
If you are interested in gaining access to these Azure beta resources, please send an email to support@fugue.co.
For a full list of supported Azure types, see Service Coverage - Azure.
Visualizer Updates¶
Updates to the visualizer include:
The region name displays when the visualizer is zoomed out.
Expanded support for Azure beta service coverage:
Azure.Automation.Account (AUTO)
Azure.Cdn.Profile (CDN)
Azure.Compute.SharedImageGallery (GALRY)
Azure.Container.Registry (RGST)
Azure.Databricks.Workspace (DATAB)
Azure.MySQL.Server (MYSQL)
Azure.Network.ApplicationGateway (AGW)
Azure.Network.DNSZone (DNS)
Azure.Network.Firewall (FW)
Azure.Network.LoadBalancer (LB)
Azure.PostgreSQL.Server (PGSQL)
Made an UX improvement — clicking the compliance icon redirects you to the compliance section in the panel.
Refer to Visualizer for more information.
Updates to Compliance Rules¶
The following rules were added to the CIS Controls 7.1., ISO 27001, SOC 2, NIST 800-53, and HIPAA Compliance Families:
VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 11215 (Memcached SSL)
VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 135 (MSSQL Debugger)
VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 137 (NetBIOS Name Service)
VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 138 (NetBios Datagram Service)
VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 139 (NetBios Session Service)
VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 1433 (MSSQL Server)
VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 1434 (MSSQL Admin)
VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 2382 (SQL Server Analysis Services browser)
VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 2383 (SQL Server Analysis Services)
VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 2484 (Oracle DB SSL)
VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 3020 (CIFS / SMB)
The following Azure rules were added to the CIS Controls 7.1., ISO 27001, SOC 2, NIST 800-53, HIPAA, GDPR, and PCI Compliance Families:
MySQL Database server firewall rules should not permit start and end IP addresses to be 0.0.0.0
PostgreSQL Database server firewall rules should not permit start and end IP addresses to be 0.0.0.0
Ensure Azure Application Gateway Web application firewall (WAF) is enabled
MySQL Database server ‘enforce SSL connection’ should be enabled
PostgreSQL Database server ‘enforce SSL connection’ should be enabled
Updated AWS CIS benchmark 2.1 rule to reflect that it needs to check that there is at least one CloudTrail with multi-region enabled that has logging on and management events set to true.
2020.05.29¶
Expanded AWS Service Coverage¶
Fugue launched support for resources in the following AWS services:
AWS Private Certificate Authority
Directory Service
Elastic File System
Glacier
Inspector
Kinesis
Kinesis Data Firehose
Organizations
Systems Manager (SSM)
To enable the services, update the Fugue IAM role to include the required permissions. Scan permissions are below. Enforce permissions for all services are here.
"acm-pca:DescribeCertificateAuthority",
"acm-pca:GetCertificateAuthorityCertificate",
"acm-pca:GetCertificateAuthorityCsr",
"acm-pca:ListCertificateAuthorities",
"acm-pca:ListTags",
"ds:DescribeConditionalForwarders",
"ds:ListTagsForResource",
"elasticfilesystem:DescribeLifecycleConfiguration",
"elasticfilesystem:DescribeTags",
"glacier:GetVaultNotifications",
"glacier:ListTagsForVault",
"kinesis:DescribeStreamSummary",
"ssm:GetDocument",
"ssm:GetMaintenanceWindow",
"ssm:GetMaintenanceWindowTask",
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:GetPatchBaseline",
"ssm:ListAssociations",
"ssm:ListResourceDataSync",
"ssm:ListTagsForResource"
Bug Fixes¶
Updated IAM permissions required for AWS config to include reading tags.
Fixed security group rule message to correctly include the open port on the Compliance by Control section.
2020.05.12¶
Support for CIS Controls 7.1¶
Fugue has added support for the CIS Controls 7.1 compliance family. CIS Controls are a set of actions for cyber defense based on common attack patterns, created by a group of experts such as NSA Red and Blue teams, the US Department of Energy nuclear energy labs, and law enforcement organizations. Refer to Compliance for more information on how to get started using the CIS Control compliance family.
Visualizer Updates¶
Updates include:
Added support for AWS Redshift and AWS EFS
Exporting a diagram of the visualizer now lists AWS regions
Added resource details for stubbed/implicit resources
Updates to Compliance Terminology¶
Fugue has updated terminology in our web user interface to provide more clarity on compliance across resources, rules, and controls.
Changes include:
Adjusting terminology to “controls” (from “rules”), where the product is referring to compliance controls.
Updating control evaluations and resource evaluations to have compliant/noncompliant values, as opposed to pass/fail.
Terminology definitions and explanations of how compliance evaluations are calculated are enumerated on the Compliance page.
2020.04.29¶
Scoping Environments to Multiple Regions¶
You can now create an AWS environment that spans multiple regions, as shown below. For more information on creating an environment that scans multiple regions, refer to Setup - AWS & AWS GovCloud.
Note: You cannot add multiple regions to existing environments. You need to create new environments through the API or UI. Once you have created the new environments, you can update their selected regions through the API. Refer to the AWS User Guide for more information.
You can filter by region on the Compliance by Resource page, as shown below.
When an environment contains more than one region, horizontal brackets labeled by region separate the infrastructure. Global resources, such as the CloudFront distributions below, are labeled global. Refer to Visualizer for more information.
Responsive Registration Page and More¶
The Registration and Forgot Password pages are now responsive, as shown below.
Visualizer Updates¶
Compliance view updates
New References portion in resource details panel
The entire VPC or VNet is no longer shaded all red when it has compliance violations, as shown below. Refer to Visualizing Resource Compliance State for more information.
When you select a resource to view the resource details, a References panel is added, which lists other resources related to the currently selected resource. For example, if you select a VPC, it lists the associated security groups, subnets, networks, and internet gateways. You can click on a resource listed in the Reference section and it redirects you to that resource, as shown below. Refer to Viewing Resource Details for more information.
2020.04.16¶
Role Based Access Control (RBAC)¶
Fugue added a new RBAC policy – Editor. The Editor policy grants all the permissions in the Read Only policy and some of the permissions in the Admin policy. Editors cannot create or delete environments, configure custom rules, manage users, or configure API clients. They can, however, take actions such as changing environment settings, running scans, and configuring notifications and reports. For more information on working with RBAC, refer to Role-Based Access Control.
Cloud Resource Visualization¶
Cloud resource visualization now supports visualizing VPC gateway endpoints (refer to our blog post on Cloud Network Security 101: AWS VPC Endpoints for more information on security for VPC endpoints). VPC gateway endpoints (ENDPT) are shown as a line between a VPC and all S3 buckets or all DDB tables in the same region, as shown below. Refer to Visualizer for more information on working with cloud resource visualization.
2020.04.07¶
UX Improvements¶
In the environment search field, you can enter spaces when searching for an environment, as shown below:
Rule Engine Upgrade¶
All rules evaluated by Fugue now use the open source Fugue Regot Toolkit, also known as Fregot. This yields performance improvements that will increase scan speeds for some large environments. Check out Fregot on GitHub.
New IAM Permissions Required¶
Due to internal upgrades, additional permissions are needed to scan or enforce any of the following AWS services:
CloudWatch
ECR
EFS
MediaStore
S3
SNS
SSM
Step Functions (SFN)
WAF
If your environments are configured to scan or enforce any of these services, you should update your IAM role policy to include these read-only permissions for the services you’ve enabled:
"cloudwatch:ListTagsForResource",
"ecr:ListTagsForResource",
"elasticfilesystem:DescribeLifecycleConfiguration",
"mediastore:ListTagsForResource",
"s3:GetBucketObjectLockConfiguration",
"sns:ListTagsForResource",
"ssm:GetDocument",
"states:ListTagsForResource",
"waf:GetLoggingConfiguration",
"waf:ListTagsForResource",
If these permissions are not included, scans will not fail; however, you may see an Incomplete Scan Results message.
For instructions, see How To: Update the Fugue IAM Role.
For more information about how Fugue handles IAM permissions, see IAM Policy Permissions.
Compliance Event Notifications¶
Previously, Fugue generated notifications when the following events occurred:
Existing resource transitions from compliant to noncompliant, or vice versa
Newly added resource is noncompliant
Existing resource that was missing data transitions to compliant, or vice versa
Existing resource that was missing data transitions to noncompliant, or vice versa
We are changing notifications logic to only summarize events where:
Existing resource transitions from compliant to noncompliant, or vice versa
Newly added resource is noncompliant
Bug Fixes¶
Fixed scan failure when no resources were detected in an environment and drift detection was enabled.
Improved the rules that check for inappropriate port 80 and 5800 ingress to work with ELBv2 and to describe what additional resources are relevant to the failure, if any.
2020.03.17¶
The visualizer now allows selection of VPCs and auto-scaling groups (ASGs) in order to view the resource configuration details for those types.
Fugue now supports indicating a resource is transient in nature. When a resource is tagged with the key
fugue:transientand valuetruein AWS or Azure, drift events are not generated for changes to that resource. This is useful in situations where resources are created and destroyed dynamically.
AWS:
Azure:
2020.03.03¶
On-Demand Scan via the UI¶
Previously, you could only kick off an on-demand scan via the API. Now, Fugue enables you to use the UI to initiate on-demand scans. From the Actions drop-down, select Start New Scan within an environment to start a scan, as shown below.
Cloud Resource Visualization – View Resource Details¶
You can view configuration details about your resources within the cloud resource visualization. To view the resource details, zoom in and click on a resource, as shown below. See Visualizer for more information.
UX Improvements to Settings and Setting a Baseline¶
The Establish Baseline button and Settings are under the new Actions button, as shown below.
Bug Fixes¶
A bug has been resolved where the custom rule family would still display within an environment even after you delete all custom rules. Now if you delete all custom rules, the custom rule family no longer displays.
Removed Obsolete VPC Flow Logs Rule¶
The rules for confirming VPC flow logs are correctly enabled have been updated. Overall compliance results will remain unchanged; however, you may see compliance events relating to this change to the underlying rules.
2020.02.14¶
Cloud Resource Visualization – Collections & Additional Resource Support¶
An improvement has been made to cloud resource visualization to illustrate a resource that contains other resources, and this is known as a collection. For example, AWS auto scaling groups containing EC2 instances, and ECS services containing tasks, are rendered as collections. A collection is depicted as a square with a thick border containing zero or more nodes. Collections may also be expanded or collapsed to view individual nodes.
Additionally, the cloud resource visualizer now supports visualizing AWS.ECS.Task resources, as well as AWS.EC2.Instance resources belonging to auto scaling groups.
Rule Updates¶
The CIS 1-16 rule was updated to be more comprehensive by flagging users with inline policies.
2020.01.31¶
Additional AWS Resources - Beta¶
Fugue launched support for resources in the following AWS services:
Systems Manager
Directory Service
Kinesis
Kinesis Data Firehose
Elastic File System
Inspector
ACM PCA
Glacier
If you are interested in gaining access to these beta resources, please email support@fugue.co.
Bug Fixes¶
The release also includes fixes including:
Ability to query by the “custom” family when retrieving compliance using the API
Optimize a Fugue Best Practices rule that ran slowly in some environments
Allow values greater than or equal to 24 for the CIS 1-10 password reuse control
Fix drift detection with some Cognito User Pool Clients, KMS grants, and Load Balancer Listener Rules
2020.01.13¶
Cloud Resource Visualization – Keyboard Shortcuts¶
The visualizer supports keyboard shortcuts. These shortcuts include:
Arrow Keys: Pan around the visualizer.
Plus (Equals) / Minus (Underscore) Keys: Zoom in and out.
Period Key: Open/close the sidebar.
Spacebar (Double Tap): Recenter the visualizer.
Multi-Factor Authentication Support (MFA)¶
Fugue supports multi-factor authentication (MFA). After you enable MFA, the next time you log in, you are prompted to scan a QR code using an authenticator app, as shown below. When you log into Fugue anytime subsequently, you are prompted to enter a one-time code after authenticating:
2019.12.23¶
Cloud Resource Visualization - Export Functionality¶
Improvements have been made to the export functionality for cloud resource visualization. When you export a .PNG of resources, the environment name, date/time of the scan, and account ID for AWS or subscription ID for Azure are included, as shown below. This makes it easier to identify the environment that you are looking at.
Additionally, the image filename includes the name of the environment, as well as the date/time of the scan.
Cloud Resource Visualization - VPC Peering¶
Cloud resource visualization now shows VPC peering, as shown below. This allows you to see which VPCs have peering relationships.
Search By Environment¶
The All Environments landing page now allows you to search by environment name or ID:
2019.11.21¶
Rule Remediation Steps in Documentation¶
The online documentation includes rule remediation steps for many common compliance violations. Follow the steps to manually bring resources back into compliance using the AWS Management Console, AWS CLI, Azure Portal, or Azure CLI. For the list of rule remediation steps, refer here.
Exporting Visualizer Diagrams and Customizing Your Visualizer View¶
You can export an image of your Fugue visualized environment, as well as customize what information displays within the visualizer, such as compliance information, and collapse/expand all groups. See Exporting a Diagram.
Ability to Delete User Groups¶
You can delete user groups, as shown below. See How to Delete Groups.
Fugue Developer and Fugue Enterprise¶
Fugue is now available in two plans: Developer and Enterprise. For more information, see the documentation in Fugue Plans.
New Account Overview Page¶
The Account Overview page lists your plan type, which is Enterprise for existing customers. Refer to the online documentation for more information.
2019.10.31¶
Single Sign-On (Beta)¶
Fugue is excited to announce support for single sign-on (SSO) in beta. SSO allows users to provision and deprovision users from an existing identity provider (IdP).
The Fugue login page is changing, as shown below. Non-SSO users enter their username and password to log into Fugue:
Once SSO is enabled on your organization, users enter their email address and log into Fugue using your IdP. If you are interested in gaining access to SSO beta, please contact support@fugue.co.
Additional Compliance Family Support for Azure¶
Fugue now supports the following compliance families for Azure: ISO 27001, SOC 2, HIPAA, GDPR, NIST SP 800-53, and PCI-DSS.
Fugue Best Practices¶
Fugue released a set of Best Practices checks to complement existing controls to detect critical misconfigurations that can be exploited.
Some rules that are part of the Fugue Best Practices compliance family include:
IAM policies should not allow broad list actions on S3 buckets
IAM role trust policies should not allow all principals to assume the role
IAM roles attached to instance profiles should not allow broad list actions on S3 buckets
S3 bucket policies should not allow all actions for all principals
S3 bucket policies should not allow list actions for all principals
VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 9200 (Elasticsearch)
VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 9300 (Elasticsearch)
VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 2379 (etcd)
VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27017 (MongoDB)
VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27018 (MongoDB)
VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27019 (MongoDB)
2019.10.17¶
Expanded AWS Service Coverage¶
Fugue now supports the following AWS services:
ACM
API Gateway
Cognito
ECR
ECS
EKS
Guard Duty
Lambda
Macie
MediaStore
RedShift
Route53
Step Functions (SFN)
Secrets Manager
S3: Attributes to block public access
To start scanning for these newly supported services, you should either:
Option 1: Launch a new CloudFormation stack that contains the SecurityAudit read-only policy and add the following resources listed below as part of your inline policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"apigateway:GET",
"cloudwatch:GetDashboard",
"cloudwatch:ListDashboards",
"cognito-idp:DescribeIdentityProvider",
"cognito-idp:DescribeResourceServer",
"cognito-idp:DescribeUserPool",
"cognito-idp:DescribeUserPoolClient",
"cognito-idp:DescribeUserPoolDomain",
"cognito-idp:GetGroup",
"cognito-idp:ListGroups",
"cognito-idp:ListIdentityProviders",
"cognito-idp:ListResourceServers",
"cognito-idp:ListUserPoolClients",
"dynamodb:ListTagsOfResource",
"elasticache:ListTagsForResource",
"lambda:GetAlias",
"lambda:GetEventSourceMapping",
"lambda:GetFunction",
"macie:ListMemberAccounts",
"macie:ListS3Resources",
"mediastore:DescribeContainer",
"s3:ListBucket",
"secretsmanager:DescribeSecret",
"sns:GetSubscriptionAttributes",
"sns:ListSubscriptions",
"states:DescribeStateMachine",
"waf:GetWebACL"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "0"
}
]
}
Option 2: Update your existing AWS IAM policy to include the SecurityAudit read-only policy if it is already not attached and add the following resources listed below as part of your inline policy:
Refer to AWS IAM Permissions and Add an Inline Policy for more information.
Updates to the Visualizer¶
Added the ability to pinch on your trackpad to zoom in and out on the visualizer.
2019.10.03¶
Custom Rules¶
Users can now write custom rules to extend Fugue functionality to specific enterprise requirements, with CRUD actions and syntax/testing available via UI, API, and CLI.
Custom rules are written with Open Policy Agent’s Rego query language. OPA is a policy-as-code framework and CNCF open source project commonly used for policy on Kubernetes and other cloud technologies.
Visualizer¶
Collapsed nodes that have a mix of compliant and non compliant resources display as stacks with red and black coloring, as highlighted below:
2019.09.13¶
Visualizer updates¶
Visualizer UX improvements — Added an expand icon and number of resources that exist within a collapsed node. For example, if you have 13 S3 buckets collapsed in a node, the number 13 is shown, as shown below. Clicking the icon expands the collapsed S3 buckets.
Clicking the
(warning) icon displays the compliance violations for a resource.Clicking on a subnet or security group within a node or on the list on the side, highlights all the places within your infrastructure where the security group or subnet resides, as shown below.
Displaying the compliance violations for subnets and security groups.
Performance improvements
IAM role generation updates¶
Updates to IAM role generation for read-only permissions, which allows Fugue to scan and detect drift for your environments. When you create a new IAM role utilizing the Fugue UI, the Security Audit read-only policy is attached to the role along with inline policies to cover other permissions that are not covered by the Security Audit policy. If you have existing environments, you can continue to use your existing IAM role as is or choose to attach the SecurityAudit policy and remove the inline policies covered by the Security Audit policy.
2019.08.23¶
Updates to the navigation within the Environment Details page— the visualizer is located on its own page, Environment Settings have been moved to the top level navigation, and the Drift Events page is renamed to Events.
Updates to the user interface. The Organizations tab is now located at the same level as Environments and updates were made to the environment cards, as shown below. Additionally, on the Environment Landing page, selecting View in Visualizer redirects users to the Visualizer page.
Baseline enforcement is now supported for Azure.
Displaying compliance errors within the visualizer on VPC.
The /resources API endpoint now requires authorization. Previously, users were able to hit this endpoint without authenticating with Fugue. To use the /resources endpoint authentication is now required.
2019.08.07¶
Docs site: The Fugue Documentation site has been redesigned, moved to https://docs.fugue.co, and features the following new content:
The visualizer includes security group and subnet labeling within VPCs. This makes it easier to identify which security groups and subnets are associated with a particular VPC, as shown below. To learn more about the visualizer, refer here.
The visualizer “full screen” fills the browser window, rather than the entire screen.
The visualizer supports Azure, as shown below.
Azure notifications are available to alert on compliance, drift, and baseline enforcement events. To get started using notifications, refer here.
Fixed an issue with the CIS AWS 2-5 rule: “Ensure AWS Config is Enabled in all Regions.”
2019.07.08¶
Visualization: Cloud resource visualization displays resources that are not compliant within an environment, as shown below:
Expanded rule coverage:
IAM root account should not be used. Corresponds to the following compliance controls:
ISO27001_A.6.1.2;ISO27001_A.9.2.3;ISO27001_A.9.4.1
SOC2_CC5.2;SOC2_CC6.1;SOC2_CC6.3
CIS_AWS_1.2.0_1-1
HIPAA_§164.308(a)(1)(ii)(D);HIPAA_§164.308(a)(6)(i);HIPAA_§164.312(b)
GDPR_30-(1)
Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password. Corresponds to the following compliance control:
CIS_AWS_1.2.0_1-2
Ensure credentials unused for 90 days or greater are disabled. Corresponds to the following compliance controls:
ISO27001_A.9.2.3;ISO27001_A.9.2.4;ISO27001_A.9.3.1
SOC2_CC6.1;SOC2_CC6.2;SOC2_CC6.3
CIS_AWS_1.2.0_1-3
NIST-800-53_IA-4d;NIST-800-53_IA-4d
HIPAA_§164.308(a)(3)(i);HIPAA_§164.312(a)(1):HIPAA_§164.308(a)(3)(i);HIPAA_§164.312(a)(1);HIPAA_§164.308(a)(3)(ii)(B),HIPAA_§164.308(a)(3)(ii)(C),HIPAA_§164.308(a)(4)(i),HIPAA_§164.308(a)(4)(ii)(B),HIPAA_§164.308(a)(4)(ii)(C),HIPAA_§164.312(a)(2)(i),HIPAA_§164.312(a)(2)(ii),HIPAA_§164.312(a)(2)(iii),HIPAA_§164.312(d)
PCI_DSS_8.1.4
Ensure access keys are rotated every 90 days or less. Corresponds to the following compliance controls:
ISO27001_A.9.2.3;ISO27001_A.9.2.4;ISO27001_A.9.3.1
SOC2_CC6.1;SOC2_CC6.2;SOC2_CC6.3
CIS_AWS_1.2.0_1-4
NIST-800-53_IA-4d;NIST-800-53_IA-5 (1)(d)
HIPAA_§164.308(a)(5)(ii)(D);HIPAA_§164.308(a)(3)(i);HIPAA_§164.312(a)(1);HIPAA_§164.308(a)(3)(ii)(B),HIPAA_§164.308(a)(3)(ii)(C),HIPAA_§164.308(a)(4)(i),HIPAA_§164.308(a)(4)(ii)(B),HIPAA_§164.308(a)(4)(ii)(C),HIPAA_§164.312(a)(2)(i),HIPAA_§164.312(a)(2)(ii),HIPAA_§164.312(a)(2)(iii),HIPAA_§164.312(d)
PCI_DSS_8.2.4
Ensure no root account access key exists. Corresponds to the following compliance controls:
ISO27001_A.9.2.3;ISO27001_A.9.3.1;ISO27001_A.9.4.1
SOC2_CC5.2;SOC2_CC6.1;SOC2_CC6.3
CIS_AWS_1.2.0_1-12
HIPAA_§164.308(a)(3)(i);HIPAA_§164.312(a)(1)
PCI_DSS_8.1
Ensure hardware MFA is enabled for the “root” account. Corresponds to the following compliance controls:
ISO27001_A.9.2.3;ISO27001_A.9.3.1;ISO27001_A.9.4.1;ISO27001_A.9.4.1;ISO27001_A.9.4.3
SOC2_CC5.2;SOC2_CC6.1;SOC2_CC6.3
CIS_AWS_1.2.0_1-14
HIPAA_§164.308(a)(3)(i);HIPAA_§164.312(a)(1)
Ensure MFA is enabled for the “root” account. Corresponds to the following compliance controls:
SO27001_A.9.2.3;ISO27001_A.9.3.1;ISO27001_A.9.4.1;ISO27001_A.9.4.1;ISO27001_A.9.4.3
SOC2_CC5.2;SOC2_CC6.1;SOC2_CC6.3
CIS_AWS_1.2.0_1-13
NIST-800-53_IA-2 (1)
HIPAA_§164.308(a)(3)(i);HIPAA_§164.312(a)(1);HIPAA_§164.308(a)(3)(i);HIPAA_§164.312(a)(1);HIPAA_§164.308(a)(3)(ii)(B),HIPAA_§164.308(a)(3)(ii)(C),HIPAA_§164.308(a)(4)(i),HIPAA_§164.308(a)(4)(ii)(B),HIPAA_§164.308(a)(4)(ii)(C),HIPAA_§164.312(a)(2)(i),HIPAA_§164.312(a)(2)(ii),HIPAA_§164.312(a)(2)(iii),HIPAA_§164.312(d)
PCI_DSS_8.1
Expanded service coverage: Fugue now supports the following resource:
IAM.CredentialReport. To start scanning forIAM.CredentialReport, update your Fugue IAM role to include:
"iam:GenerateCredentialReport",
"iam:GetCredentialReport",
"iam:ListVirtualMFADevices"
Refer to the Service Coverage page to see the full list of supported service coverage. If you have any questions, reach out to support@fugue.co.
Improvements to the Compliance by Resource modal: The compliance controls that fail are displayed under the description of the rule, as shown below:
2019.07.03¶
Features¶
Support for Azure: Cloud service coverage is being expanded to include Azure in addition to AWS. This makes Fugue a multi-cloud solution. For setup instructions, see Setup - Azure. For general information, see Azure.
2019.06.26¶
Features¶
Notifications: Fugue offers notifications for compliance, drift, and baseline enforcement events within environments, allowing you to be alerted to infrastructure changes detected during a scan without having to log into Fugue.
Within Organization Settings, you may add notifications and choose to be notified by email, AWS SNS topic, or both. By using the SNS integration, you can connect Fugue notifications to third-party tools such as Slack.
Full screen visualizer: You can expand cloud resource visualization to a full screen view. This allows you to better interact with and view your infrastructure. Clicking the
fbutton, as highlighted below, opens the full screen visualization experience.
Here’s an example of full screen mode:
Updates to the “Create Environment” workflow: The “create environment” workflow has been updated as follows. In the first step, you enter your environment’s name and select the cloud service provider:
In the second step, you select the region and resource types, and then enter the AWS IAM role ARN:
In the third step, you select the compliance libraries you want Fugue to use to assess your infrastructure:
In the fourth step, you can view a summary of the environment name, region, AWS IAM role ARN, the selected compliance standards, and the selected resource types to scan and enforce, as shown below:
For full setup instructions, see Setup.
2019.06.10¶
Fugue Risk Manager is now simply Fugue.
Features¶
AWS GovCloud regions: Fugue now supports AWS GovCloud regions via the Fugue application and API. All existing functionality for other commercial AWS regions is supported for AWS GovCloud regions including:
Assess AWS GovCloud regions for compliance violations against the following compliance standards: CIS AWS, NIST SP 800-53, PCI-DSS, HIPAA, GDPR, SOC 2, and ISO 27001.
Enable configuration drift detection and optionally, enforcement on baselines.
Cloud resource visualization: Fugue’s new cloud resource visualization feature creates detailed, interactive diagrams of your cloud resources. This allows you to quickly visualize cloud infrastructure configurations and relationships without having to create diagrams by hand, which can be a painstaking and error-prone process. Diagrams are generated and updated automatically. You can zoom in or out to more closely inspect the resources:
Improved compliance control messages: The compliance control message contains additional information about what caused a resource to be noncompliant and violate the control, as shown below.
2019.05.29¶
Features¶
Added service coverage support for
ElastiCache.Cluster,ElastiCache.ParameterGroup, andElastiCache.ReplicationGroupresources.To scan for ElastiCache clusters, parameter groups, and replication groups, update your Fugue IAM role to include the following permissions:
"elasticache:DescribeCacheClusters",
"elasticache:DescribeCacheParameterGroups",
"elasticache:DescribeCacheParameters",
"elasticache:DescribeReplicationGroups",
"elasticache:ListTagsForResource"
Note
When ElastiCache.Cluster resources belong to an ElastiCache.ReplicationGroup, the clusters themselves are not scanned but the replication group is. The replication group manages the clusters and contains all of the relevant settings, so there is no need to scan the clusters individually.
In contrast, ElastiCache clusters that do not belong to a replication group are scanned individually.
Refer to the Service Coverage page to see the full list of supported services. If you have any questions, reach out to support@fugue.co.
Created the Fugue API Reference, which contains Swagger documentation and examples.
2019.05.09¶
Features¶
Added service coverage support for AWS S3 bucket ACLs. The new functionality will provide more protection for S3 buckets.
Users who have enabled scanning on S3 buckets must update their Fugue IAM role to include the following permission, or scans involving S3 buckets will be incomplete:
"s3:GetBucketACL"
If you have any questions, reach out to support@fugue.co.
Added service coverage support for SNS subscriptions and CloudWatch Metric Alarms.
To scan for SNS subscriptions and CloudWatch Metric Alarms, update your Fugue IAM role to include the following permissions:
"cloudwatch:DescribeAlarms",
"sns:GetSubscriptionAttributes",
"sns:ListSubscriptions"
Refer to the Service Coverage page to see the full list of supported services. If you have any questions, reach out to support@fugue.co.
Added support for SOC 2 and ISO 27001 compliance standards.
SOC 2 governance applies to organizations storing customer data in the cloud.
ISO 27001 is a specification for an information security management system that includes controls for information risk management processes.
Bug Fixes and Improvements¶
Fugue automatically logs users out of the application every 24 hoursinstead of once a month.
Other bug fixes and improvements.
2019.04.25¶
Features¶
Improved API Clients table to display the client secret age and last activity of the API client. In the previously released API Clients table, the client secret’s age and the last activity of the client secret did not display within the table. It is important to know your client secret’s age so you can properly rotate it according to your organization’s security policy. Additionally, displaying the last activity for the client secret allows you to revoke and/or delete client secrets that are no longer in use. For more information, see the API page.
Improved page load times of the environment list and environment detail pages
Improved link to “Edit IAM Role in AWS Console” to point directly to list of roles in the console
Bug Fixes¶
Fixed an issue where the list compliance results by rule API endpoint would return no results when no compliance family was selected
Various scan fixes
2019.03.28¶
Features¶
The API has 4 main areas of functionality:
Create, update, and delete environments
Run scans on demand or on a specific schedule
Retrieve scan results by compliance rule or resource type
Retrieve drift and enforcement events
For more information, refer to the API user guide and the API documentation.
Additional compliance checks for PCI and HIPAA have been added.
The new PCI compliance rules include:
AWS Glacier requires that AWS S3 bucket policy only accepts HTTPS. This applies to PCI_DSS_4.1.
Point in time recovery is enabled on the AWS Dynamo database. This applies to PCI_DSS_3.1.
Users specified backup retention periods for AWS RDS. This applies to PCI_DSS_3.1.
Any security group for a private subnet does not have CIDR ingress from 0.0.0.0/0. This applies to PCI_1.2.1 and PCI_1.3.1.
The new HIPAA compliance rules include:
AWS Glacier requires that AWS S3 bucket policy only accepts HTTPS.
Enable transport encryption for AWS ElastiCache.
AWS service coverage has been expanded to support SNS Topics, WAF Web ACLs, and CloudFront Distributions. If you want to scan for these newly released services, you will want to update your IAM Role to include:
"cloudfront:GetDistribution",
"cloudfront:ListDistributions",
"cloudfront:ListTagsForResource",
"sns:GetTopicAttributes",
"sns:ListTopics",
"waf:GetWebACL",
"waf:ListWebACLs"
Refer to the Service Coverage page to see the full list of supported service coverage. If you have any questions, reach out to support@fugue.co.
2019.03.15¶
Features¶
The compliance report email allows you to view the compliance state of your environment without having to log into Fugue.
Additional Payment Card Industry (PCI) rules have been added within Fugue. These rules include:
PCI DSS 8.1.4, which requires that users have a password that contains at least 7 characters and includes both alphabetic and numeric characters.
PCI DSS 8.2.5, which requires users do not submit a new password/phrase that is the same as any of the last four passwords/phrases they used.
PCI DSS 4.1, which requires that AWS CloudWatch metric filter alarms is via SQS and not via HTTPS.
PCI DSS 8.2.4, which requires users to change their passwords/phrases at least once every 90 days.
PCI DSS 10.5.3 and PCI DSS 10.7, which requires that versioning and lifecycle policy be enabled for AWS S3 buckets.
Bug Fixes¶
Addressed an issue where clicking outside a modal window failed to close it.
Addressed an issue where selecting Edit Environment Setting on the Environment landing page failed to redirect users to the Edit Environment Settings modal window.
Addressed an issue where selecting a resource that was not included in your IAM role ARN would cause the scan to fail. Now, the scan completes and the resources not included in your role ARN are listed in a message.
2019.02.25¶
The multi-user feature allows users to invite other parties in their organization to access and collaborate on the same Fugue environments.
2019.02.12¶
PCI DSS rules are now supported within Fugue.
Added service coverage support for CloudTrail, Config, SQS, VPC, and KMS.
2019.01.28¶
Users can select the specific resources that they want to manage within Fugue. Compliance scanning, drift detection, and baseline enforcement only occur on the selected resources. For details, see Setup.
Rules that pertain to resources that Fugue isn’t permitted to scan now display with an “Unknown” label.
Service coverage has been expanded to support RDS.
Users can see when their next scan is scheduled to start.
2018.11.26¶
Features¶
Scan cloud environments for risks and generate risk reports¶
Use Fugue to scan your cloud environment and produce comprehensive reports identifying compliance violations in your cloud infrastructure. Use this report in conjunction with an auditor to address these violations. Once all violations are addressed, the security teams can demonstrate Fugue’s functionality to both the CISO and the auditor. Fugue supports scanning and identifying compliance violations for the following compliance standards or benchmarks: CIS, NIST, HIPAA, and GDPR. The report also provides a snapshot of your infrastructure at any point in time.
Scan cloud environments for drift based on the declared baseline¶
Once you work with an auditor to address the compliance violations in your cloud infrastructure, you can establish a baseline. This lets Fugue know that this is the declared baseline and Fugue scans the environment for any changes to this declared baseline. If a change is detected, which is also known as drift, Fugue notifies you via the Drift Detection page.This allows you to proactively review and fix drift in your cloud environment. Use this drift report to show your CISO, security team, and auditor that Fugue detected the drift and enabled you to manually correct the issue. To learn more about enabling drift detection with Fugue, refer to details in Configuration.
Enable baseline enforcement on resources in cloud environments¶
Once you establish a baseline, you can enable self-healing, which is known as baseline enforcement within Fugue. When baseline enforcement is enabled, Fugue scans your environment and if any resources in your baseline are modified, they are reverted back to the baseline state. You can use the Drift report to show your CISO, security team, and auditor that drift occurred, and it was reverted back to the baseline state. To learn more about enabling baseline enforcement, refer to details in Configuration.