Fugue ensures that cloud infrastructure stays in continuous compliance with enterprise security policies.
Updates to the navigation within the Environment Details page— the visualizer is located on its own page, Environment Settings have been moved to the top level navigation, and the Drift Events page is renamed to Events.
Updates to the user interface. The Organizations tab is now located at the same level as Environments and updates were made to the environment cards, as shown below. Additionally, on the Environment Landing page, selecting View in Visualizer redirects users to the Visualizer page.
Auto-remediation is now supported for Azure.
Displaying compliance errors within the visualizer on VPC.
The /resources API endpoint now requires authorization. Previously, users were able to hit this endpoint without authenticating with Fugue. To use the /resources endpoint authentication is now required.
Docs site: The Fugue Documentation site has been redesigned, moved to https://docs.fugue.co, and features the following new content:
The visualizer includes security group and subnet labeling within VPCs. This makes it easier to identify which security groups and subnets are associated with a particular VPC, as shown below. To learn more about the visualizer, refer here.
The visualizer “full screen” fills the browser window, rather than the entire screen.
The visualizer supports Azure, as shown below.
Azure notifications are available to alert on compliance, drift, and auto-remediation events. To get started using notifications, refer here.
Fixed an issue with the CIS AWS 2-5 rule: “Ensure AWS Config is Enabled in all Regions.”
Visualization: Cloud resource visualization displays resources that are not compliant within an environment, as shown below:
Expanded rule coverage:
IAM root account should not be used. Corresponds to the following compliance controls:
Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password. Corresponds to the following compliance control:
Ensure credentials unused for 90 days or greater are disabled. Corresponds to the following compliance controls:
Ensure access keys are rotated every 90 days or less. Corresponds to the following compliance controls:
Ensure no root account access key exists. Corresponds to the following compliance controls:
Ensure hardware MFA is enabled for the “root” account. Corresponds to the following compliance controls:
Ensure MFA is enabled for the “root” account. Corresponds to the following compliance controls:
Expanded service coverage: Fugue now supports the following resource:
IAM.CredentialReport. To start scanning for
IAM.CredentialReport, update your Fugue IAM role to include:
"iam:GenerateCredentialReport", "iam:GetCredentialReport", "iam:ListVirtualMFADevices"
Improvements to the Compliance by Resource modal: The compliance controls that fail are displayed under the description of the rule, as shown below:
Notifications: Fugue offers notifications for compliance, drift, and auto-remediation (baseline enforcement) events within environments, allowing you to be alerted to infrastructure changes detected during a scan without having to log into Fugue.
Within Organization Settings, you may add notifications and choose to be notified by email, AWS SNS topic, or both. By using the SNS integration, you can connect Fugue notifications to third-party tools such as Slack.
Full screen visualizer: You can expand cloud resource visualization to a full screen view. This allows you to better interact with and view your infrastructure. Clicking the
fbutton, as highlighted below, opens the full screen visualization experience.
Here’s an example of full screen mode:
Updates to the “Create Environment” workflow: The “create environment” workflow has been updated as follows. In the first step, you enter your environment’s name and select the cloud service provider:
In the second step, you select the region and resource types, and then enter the AWS IAM role ARN:
In the third step, you select the compliance libraries you want Fugue to use to assess your infrastructure:
In the fourth step, you can view a summary of the environment name, region, AWS IAM role ARN, the selected compliance standards, and the selected resource types to scan and enforce, as shown below:
For full setup instructions, see Setup.
AWS GovCloud regions: Fugue now supports AWS GovCloud regions via the Fugue application and API. All existing functionality for other commercial AWS regions is supported for AWS GovCloud regions including:
Assess AWS GovCloud regions for compliance violations against the following compliance standards: CIS AWS, NIST SP 800-53, PCI-DSS, HIPAA, GDPR, SOC 2, and ISO 27001.
Enable configuration drift detection and optionally, enforcement on baselines.
Cloud resource visualization: Fugue’s new cloud resource visualization feature creates detailed, interactive diagrams of your cloud resources. This allows you to quickly visualize cloud infrastructure configurations and relationships without having to create diagrams by hand, which can be a painstaking and error-prone process. Diagrams are generated and updated automatically. You can zoom in or out to more closely inspect the resources:
Improved compliance control messages: The compliance control message contains additional information about what caused a resource to be noncompliant and violate the control, as shown below.
Added service coverage support for
To scan for ElastiCache clusters, parameter groups, and replication groups, update your Fugue IAM role to include the following permissions:
"elasticache:DescribeCacheClusters", "elasticache:DescribeCacheParameterGroups", "elasticache:DescribeCacheParameters", "elasticache:DescribeReplicationGroups", "elasticache:ListTagsForResource"
ElastiCache.Cluster resources belong to an
ElastiCache.ReplicationGroup, the clusters themselves are not scanned but the replication group is. The replication group manages the clusters and contains all of the relevant settings, so there is no need to scan the clusters individually.
In contrast, ElastiCache clusters that do not belong to a replication group are scanned individually.
Created the Fugue API Reference, which contains Swagger documentation and examples.
Added service coverage support for AWS S3 bucket ACLs. The new functionality will provide more protection for S3 buckets.
Users who have enabled scanning on S3 buckets must update their Fugue IAM role to include the following permission, or scans involving S3 buckets will be incomplete:
If you have any questions, reach out to firstname.lastname@example.org.
Added service coverage support for SNS subscriptions and CloudWatch Metric Alarms.
To scan for SNS subscriptions and CloudWatch Metric Alarms, update your Fugue IAM role to include the following permissions:
"cloudwatch:DescribeAlarms", "sns:GetSubscriptionAttributes", "sns:ListSubscriptions"
Added support for SOC 2 and ISO 27001 compliance standards.
SOC 2 governance applies to organizations storing customer data in the cloud.
ISO 27001 is a specification for an information security management system that includes controls for information risk management processes.
Bug Fixes and Improvements¶
Fugue automatically logs users out of the application every 24 hoursinstead of once a month.
Other bug fixes and improvements.
Improved API Clients table to display the client secret age and last activity of the API client. In the previously released API Clients table, the client secret’s age and the last activity of the client secret did not display within the table. It is important to know your client secret’s age so you can properly rotate it according to your organization’s security policy. Additionally, displaying the last activity for the client secret allows you to revoke and/or delete client secrets that are no longer in use. For more information, see the API page.
Improved page load times of the environment list and environment detail pages
Improved link to “Edit IAM Role in AWS Console” to point directly to list of roles in the console
The API has 4 main areas of functionality:
Create, update, and delete environments
Run scans on demand or on a specific schedule
Retrieve scan results by compliance rule or resource type
Retrieve drift and enforcement events
Additional compliance checks for PCI and HIPAA have been added.
The new PCI compliance rules include:
AWS Glacier requires that AWS S3 bucket policy only accepts HTTPS. This applies to PCI_DSS_4.1.
Point in time recovery is enabled on the AWS Dynamo database. This applies to PCI_DSS_3.1.
Users specified backup retention periods for AWS RDS. This applies to PCI_DSS_3.1.
Any security group for a private subnet does not have CIDR ingress from 0.0.0.0/0. This applies to PCI_1.2.1 and PCI_1.3.1.
The new HIPAA compliance rules include:
AWS Glacier requires that AWS S3 bucket policy only accepts HTTPS.
Enable transport encryption for AWS ElastiCache.
AWS service coverage has been expanded to support SNS Topics, WAF Web ACLs, and CloudFront Distributions. If you want to scan for these newly released services, you will want to update your IAM Role to include:
"cloudfront:GetDistribution", "cloudfront:ListDistributions", "cloudfront:ListTagsForResource", "sns:GetTopicAttributes", "sns:ListTopics", "waf:GetWebACL", "waf:ListWebACLs"
The compliance report email allows you to view the compliance state of your environment without having to log into Fugue.
Additional Payment Card Industry (PCI) rules have been added within Fugue. These rules include:
PCI DSS 8.1.4, which requires that users have a password that contains at least 7 characters and includes both alphabetic and numeric characters.
PCI DSS 8.2.5, which requires users do not submit a new password/phrase that is the same as any of the last four passwords/phrases they used.
PCI DSS 4.1, which requires that AWS CloudWatch metric filter alarms is via SQS and not via HTTPS.
PCI DSS 8.2.4, which requires users to change their passwords/phrases at least once every 90 days.
PCI DSS 10.5.3 and PCI DSS 10.7, which requires that versioning and lifecycle policy be enabled for AWS S3 buckets.
Addressed an issue where clicking outside a modal window failed to close it.
Addressed an issue where selecting Edit Environment Setting on the Environment landing page failed to redirect users to the Edit Environment Settings modal window.
Addressed an issue where selecting a resource that was not included in your IAM role ARN would cause the scan to fail. Now, the scan completes and the resources not included in your role ARN are listed in a message.
The multi-user feature allows users to invite other parties in their organization to access and collaborate on the same Fugue environments.
PCI DSS rules are now supported within Fugue.
Added service coverage support for CloudTrail, Config, SQS, VPC, and KMS.
Users can select the specific resources that they want to manage within Fugue. Compliance scanning, drift detection, and remediation only occur on the selected resources. For details, see Setup.
Rules that pertain to resources that Fugue isn’t permitted to scan now display with an “Unknown” label.
Service coverage has been expanded to support RDS.
Users can see when their next scan is scheduled to start.
Scan cloud environments for risks and generate risk reports¶
Use Fugue to scan your cloud environment and produce comprehensive reports identifying compliance violations in your cloud infrastructure. Use this report in conjunction with an auditor to address these violations. Once all violations are addressed, the security teams can demonstrate Fugue’s functionality to both the CISO and the auditor. Fugue supports scanning and identifying compliance violations for the following compliance standards or benchmarks: CIS, NIST, HIPAA, and GDPR. The report also provides a snapshot of your infrastructure at any point in time.
Scan cloud environments for drift based on the declared baseline¶
Once you work with an auditor to address the compliance violations in your cloud infrastructure, you can establish a baseline. This lets Fugue know that this is the declared baseline and Fugue scans the environment for any changes to this declared baseline. If a change is detected, which is also known as drift, Fugue notifies you via the Drift Detection page.This allows you to proactively review and fix drift in your cloud environment. Use this drift report to show your CISO, security team, and auditor that Fugue detected the drift and enabled you to manually correct the issue. To learn more about enabling drift detection with Fugue, refer to details in Configuration.
Enable automated remediation on resources in cloud environments¶
Once you establish a baseline, you can enable self-healing, which is known as baseline enforcement within Fugue. When baseline enforcement is enabled, Fugue scans your environment and if any resources in your baseline are modified, they are reverted back to the baseline state. You can use the Drift report to show your CISO, security team, and auditor that drift occurred, and it was reverted back to the baseline state. To learn more about enabling automated remediation, refer to details in Configuration.