Reports & Dashboards¶
Note
Other ways to access compliance information:
Compliance Report Email – receive a daily or weekly compliance overview of one environment
Notifications – get notified of compliance changes in an environment
Export Data – download a CSV or Excel file of compliance data for an entire organization
Fugue’s Reports page contains several predefined reports and dashboards that show different aspects of an organization’s compliance state:
Compliance Family Dashboards for supported compliance families:
Selecting a dashboard or report displays it within the UI with default values set for the filters. You have the following options:
Change the exposed filters of the report/dashboard
Download the report/dashboard as a PDF or set of XLSX/CSV files
Send an email with the report/dashboard to one or more recipients
Schedule an email with the report/dashboard for one or more recipients
Schedule a report to be sent to an AWS S3 bucket using an IAM Role
Schedule a report to be sent to an AWS S3 bucket using Access Keys
Configure email alerts when a metric breaches a specified threshold
Drill into a report for further investigation
Compliance Posture Dashboard¶
The Compliance Posture Dashboard allows you to visualize information on rule violations by severity, service, environment, as well as resource compliance and control evaluations over time.
Rule Violations (Total)
Critical Rule Violations (Total)
High Rule Violations (Total)
Rule Violations By Severity (Total)
Rule Violations By Service (Total)
Rule Violations By Environment (Total)
Rule Violations Over Time (Total) (does not support drills)
Resource Noncompliant Over Time (Percentage) (does not support drills)
Control Evaluations By Family (Percentage)
Compliance Posture Dashboard Filters¶
Service provider (e.g., AWS, AWS_GOVCLOUD, AZURE, GOOGLE, or REPOSITORY)
Environment(s)
Data from (time frame)
Current Rule Violations¶
Current Rule Violations allows you to view details in tabular format on outstanding rule violations and filter by severity, resource type, rule, and more. (Does not support drills.)
Current Rule Violation Filters¶
Service provider (e.g., AWS, AWS_GOVCLOUD, AZURE, GOOGLE, or REPOSITORY)
Environment(s)
Rule severity level
Resource type
Provider account ID
Compliance family
Current Rule Results¶
The Current Rule Results allows you to view details in tabular format on rule results data, including information on resource tags.
Current Rule Results Filters¶
Environments
Service provider (e.g., AWS, AWS_GOVCLOUD, AZURE, GOOGLE, or REPOSITORY)
Account ID
Rule Name
Rule ID
Rule Results
Severity
Resource Type
Tag
Control
Compliance Family
Resources Dashboard¶
The Resources Dashboard allows you to visualize information on resource compliance by resource type, severity, and environment over time.
Scanned Resources (Total)
Noncompliant Resources (Total)
Resource Noncompliance (Percentage)
Resource Noncompliance Over Time (Percentage) (does not support drills)
Resource Noncompliance by Type (Total and Percentage) (does not support drills)
Noncompliant Resources Over Time (Total)
Noncompliant Resources with Critical/High Rule Violations (Total)
Noncompliant Resources by Environment (Total)
Resources Dashboard Filters¶
Service provider (e.g., AWS, AWS_GOVCLOUD, AZURE, GOOGLE, or REPOSITORY)
Environment(s)
Data from (time frame)
Resources Report¶
The Resources Report allows you to view details in tabular format regarding resources, their compliance status, and the rule results that impact that status. (Does not support drills.)
Resources Report Filters¶
Environment(s)
Service provider (e.g., AWS, AWS_GOVCLOUD, AZURE, GOOGLE, or REPOSITORY)
Resource type
Provider account ID
Resource compliance
Compliance family
Whether the resource has rule results
Compliance Family Dashboards¶
Compliance Family Dashboards allow you to visualize information on resource compliance by resource type, severity, and environment over time supported compliance families:
For example, the SOC 2 (2017) Dashboard allows you to visualize information on resource compliance by resource type, severity, and environment over time for SOC 2 (v2017).
Each report includes the following information:
Controls Evaluated (Total)
Noncompliant Controls (Total)
Control Noncompliance (Percentage)
Control Compliance By Category (Percentage)
Noncompliant Controls By Environment (Total)
Noncompliant Resources By Service (Total)
Control Noncompliance Over Time (Percentage)
Compliance Family Dashboards Filters¶
Data from (time frame)
Service provider (e.g., AWS, AWS_GOVCLOUD, AZURE, GOOGLE, or REPOSITORY)
Environment(s)
How to Filter a Report or Dashboard¶
To apply one or more filters to a report, follow the steps below:
1. Select the desired report or dashboard from the Reports page.
2. Select the Filters dropdown:
3. Next to the category you want to filter by, select a condition from the dropdown menu (“is equal to,” “contains,” etc.):
4. For Provider, Environment, or Severity filters, click inside the text box to the right of the condition. A dropdown menu will appear. (Note that not all reports have all filters.)
5. Select one or more properties from the property dropdown menu. You can start typing, and the field will suggest autocompletions:
6. For the Data From filter, enter a time frame and a number (e.g., “days” and “30”):
7. Repeat as needed to apply additional filters.
8. Select the Run button:
How to Create an Alert¶
To set up an email alert when a metric breaches a specified threshold, follow the steps below:
1. Select the desired report or dashboard from the Reports page.
2. Optionally apply filters to the report. The filters will also be applied to the alert.
3. Hover over the specific report you’d like to be alerted about and select the “Alerts” (bell) icon that appears:
4. The metric is pre-selected for you (e.g., “Total Rule Results”). Select a condition (“is greater than,” “is less than,” etc.) and enter a threshold. When the threshold is breached, the alert will trigger.
5. The email delivery method is preselected for you. Enter one or more email addresses in the field below it.
6. Select the desired frequency of the alert.
7. Select Save Alert.
How to Edit or Duplicate an Alert¶
To edit or duplicate an existing alert, follow the steps below:
1. Select the desired report or dashboard from the Reports page.
2. Hover over a specific report. If alerts exist for the report, the “Alert” (bell) icon shows the number:
3. Select the “Alert” (bell) icon to see a list of alerts:
4. Select the three dots (“Alert Options”) icon and select Edit Alert or Duplicate Alert:
5. Make your changes and select Save Alert.
How to Delete an Alert¶
To delete an existing alert, follow the steps below:
1. Select the desired report or dashboard from the Reports page.
2. Hover over a specific report. If alerts exist for the report, the “Alert” (bell) icon shows the number:
3. Select the “Alert” (bell) icon to see a list of alerts:
4. Select the three dots (“Alert Options”) icon and select Delete Alert:
5. Select Yes, delete alert:
How to Download a Report¶
You can download a report by PDF or CSV. You can also drill down into most reports and download the results.
PDF¶
To download a report by PDF, follow the steps below:
1. Select the cog icon in the upper-right of the UI:
2. Select Download as PDF…
3. Optionally specify a filename and expand Advanced Options to select single column format, expand tables, or set paper size.
4. Select Open in Browser to generate and load the PDF in your browser window, or Download to download the PDF.
CSV¶
To download a report by CSV, follow the steps below:
1. Select the cog icon in the upper-right of the UI:
2. Select Download as CSVs to download a ZIP containing a CSV file for each report in the dashboard.
How to Send a Report by Email¶
To send a report by email, follow the steps below:
1. Select the cog icon in the upper-right of the UI:
2. Select Send.
3. Specify the following information:
Title
Recipient email address(es) – enter address and select
AddCustom message (optional; this will appear in the body of the email)
Data format: PDF, Visualization (PNG), CSV ZIP file
Filters (optional) To send reports for a specific environment, provider, etc., expand the Filters drop-down. The filter options vary based on the selected report. Specify the filter criteria.
Advanced options (optional): Select single column layout, expand tables, set paper size
4. Select Send.
How to Schedule a Report by Email¶
To schedule a report by email, follow the steps below:
1. Select the cog icon in the upper-right of the UI:
2. Select Schedule.
3. If there’s already an existing scheduled email, select New. If there are no scheduled emails, a new one is created by default.
4. Specify the following information:
Name of scheduled email
Recipient email address(es) – enter address and select
AddCustom message (optional; this will appear in the body of the email)
Data format: PDF, Visualization (PNG), CSV ZIP file
Trigger: Repeating interval is currently the only supported trigger
Delivery schedule: Daily, Weekly, Monthly, Hourly, By Minute and what time the email should be delivered
Filters (optional) To send reports for a specific environment, provider, etc., expand the Filters drop-down. The filter options vary based on the selected report. Specify the filter criteria.
Advanced options (optional): Select single column layout, expand tables, set timezone, set paper size
5. Optionally, select Send Test. This sends a test email to all of the specified addresses.
6. Select Save All.
How to Edit a Scheduled Email¶
To edit a scheduled email, follow the steps below:
1. Select the cog icon in the upper-right of the UI.
2. Select Schedule.
3. Select the email name from the Schedules list:
4. Make your changes and select Save All.
How to Delete a Scheduled Email¶
To delete a scheduled email, follow the steps below:
1. Select the cog icon in the upper-right of the UI.
2. Select Schedule.
3. Hover over the scheduled email you’d like to delete and select the X that appears:
4. Select Save All.
How to Duplicate a Scheduled Email¶
To duplicate a scheduled email, follow the steps below:
1. Select the cog icon in the upper-right of the UI.
2. Select Schedule.
3. Hover over the scheduled email you’d like to duplicate and select the Duplicate (copy) icon that appears:
4. Customize the duplicate and select Save All.
How to Unsubscribe from a Scheduled Email¶
Users can unsubscribe to scheduled emails by selecting the “unsubscribe” link in the email body.
Sending the Report to an Amazon S3 Bucket Using an IAM Role¶
Fugue provides the ability to send and schedule report data to Amazon S3 using a trusted IAM role. This prevents the need to generate long-standing AWS Access Keys, instead relying on a trusted IAM policy to delegate access to your S3 bucket to Fugue, a general best practice when dealing with credentials.
Note
Fugue recommends that you create a separate S3 bucket for receiving data deliveries, if possible. See Creating a Bucket.
You can schedule reports to be delivered to an Amazon S3 bucket of your choice using an IAM Role. This is a two step process.
Create a Sufficently Permissioned IAM role¶
To provide the required parameters, you will need to create an S3 Bucket and associated IAM role in the same AWS Account to grant permissions to Fugue to upload data when your data send or schedule is executed.
This IAM role should specify the following IAM Policy and Trust Relationship, replacing the following placeholders:
bucket-name: Name of the S3 Bucket where files should be uploaded. See Creating a Bucket.
optional-s3-path: Optional path where files should be placed. Leave this empty to have them placed in the root of the bucket.
aws-kms-key-arn: The ARN of the AWS Key Management Service used to encrypt data within your S3 bucket. Fugue strongly recommends you utilize an SSE-KMS encryption when creating S3 Buckets, with a specific key being created and only used for this bucket. This will ensure your S3 Buckets will be compliant with various Fugue Rules and general S3 best practices. If your target S3 Bucket utilizes Amazon S3 key (SSE-S3) or no encryption, you may omit the entire “KMS” section of this policy when creating your IAM role.
external-id-value: When assuming your Role, Fugue will utilize this External ID value in the same way it does for AWS Environment Role Assumption. You can learn more about External IDs here, but in general, they prevent others from assuming this role and using it for other purposes. Instructions for retrieving your External ID value in Fugue can be found here.
To create a sufficiently permissioned IAM role:
1. Navigate to IAM.
2. In the left navigation, select Roles.
3. Click Create role.
4. In select type of trusted entity, select AWS service > S3 > S3 (Allows S3 to call AWS services on your behalf). Click Next: Permissions.
5. Select Create policy. The Create policy workflow opens in a new tab.
6. In Create policy, select the JSON tab.
7. Enter the following information:
Replace
#<your-bucket-name>/<optional-s3-path>with your S3 bucket name and optionally, include the path (line 13).Replace
#<aws-kms-key-arn>with your KMS Key encrypted for objects stored in your S3 bucket. If you did not use SSE-KMS on your S3 bucket, delete this section of the policy (line 28).Replace
#<your-bucket-name>with your S3 bucket name (line 33).
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "S3Object",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts"
],
"Resource": [
"arn:aws:s3:::<your-bucket-name>/<optional-s3-path>/*" ]
},
{
"Sid": "KMS",
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlaintext",
"kms:GenerateDataKeyPairWithoutPlaintext",
"kms:GenerateDataKeyPair"
],
"Resource": [
"<aws-kms-key-arn>" ]
},
{
"Sid": "S3Bucket",
"Effect": "Allow",
"Action": "s3:ListBucketMultipartUploads",
"Resource": "arn:aws:s3:::<your-bucket-name>" }
]
}
8. Click Next: Tags. (Optionally) Add tags and click Next: Review.
9. Enter a Name for your policy. (Optionally) Enter a Description for your policy. Click Create policy.
10. Navigate back to the Roles tab and click the refresh icon.
11. In the search field, enter the name of the newly created policy and select it.
12. Click Next: Tags. (Optionally) Add tags and click Next: Review.
13. Enter a role name and click Create role.
14. On the Roles page, search and select your newly created role.
15. Select Trust relationships > Edit trust relationship.
16. In Edit Trust Relationship, enter the following information in the Policy Document section:
Replace
#<external-id-value>with your external ID. Instructions for retrieving your External ID value in Fugue can be found here (line 12).
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::370134896156:role/ReportIntegrationRole"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "<external-id-value>" }
}
}
]
}
17. Click Update Trust Policy.
Schedule the Report to be Sent to an AWS S3 Bucket¶
To schedule the report to be sent to an Amazon S3 bucket:
1. Select the cog icon in the upper-right of the UI:
2. Select Schedule.
3. If there’s already an existing scheduled email, select New. If there are no scheduled emails, a new one is created by default.
4. Specify the following information:
Name of scheduled email.
In where should this data go, select Amazon S3 (IAM).
In Amazon S3 (IAM), enter the following information:
In Bucket, enter the bucket name. See Creating a Bucket.
(Optionally) Enter the path where files should be placed (e.g.,
folder/sub1/sub2). Leave this empty to have them placed in the root of the bucket.Enter your IAM Role.
Select the Region in which your S3 bucket lives.
From Send All Results, select Yes or No.
In Format data as, select PDF, Visualization (PNG), or CSV ZIP file.
In Trigger, select Repeating interval, which is currently the only supported trigger.
In Delivery schedule, select Daily, Weekly, Monthly, Hourly, or By Minute and what time the report should be delivered.
(Optionally) In Filters, expand the drop-down and select to send reports for a specific environment, provider, etc. The filter options vary based on the selected report. Specify the filter criteria.
(Optionally) In Advanced options, expand the drop-down and select single column layout, expand tables, set timezone, set paper size.
5. (Optionally) Click Send Test.
6. Click Save All.
The report sent to your AWS S3 bucket includes the date/time.
Sending the Report to an Amazon S3 Bucket Using Access Key¶
You can schedule reports to be delivered to an Amazon S3 bucket of your choice using an Access Key.
Note
There is a limit of 5,000 rows of data being sent using the Access Key. As a best practice, Fugue recommends using an IAM Role to send/schedule the reports. Refer to Schedule a report to be sent to an AWS S3 bucket using IAM Role for more information.
To schedule the report to be sent to an Amazon S3 bucket:
1. Select the cog icon in the upper-right of the UI:
2. Select Schedule.
3. If there’s already an existing scheduled email, select New. If there are no scheduled emails, a new one is created by default.
4. Specify the following information:
Name of scheduled email
In where should this data go, select Amazon S3.
In S3 Details, enter the following information:
S3 bucket name
(Optional) Path within the S3 bucket
AWS Access Key ID and Secret Access Key corresponding to an IAM user that has the appropriate permissions. If your AWS S3 Bucket is encrypted using SSE with a customer managed KMS Key,
kms:Encryptandkms:GenerateDataKeyis also required. Refer to Creating a Sufficiently Permissioned IAM User for more information.S3 bucket region
Data format: PDF, Visualization (PNG), CSV ZIP file
Trigger: Repeating interval is currently the only supported trigger
Delivery schedule: Daily, Weekly, Monthly, Hourly, By Minute and what time the report should be delivered
Filters (optional) To send reports for a specific environment, provider, etc., expand the Filters drop-down. The filter options vary based on the selected report. Specify the filter criteria.
Advanced options (optional): Select single column layout, expand tables, set timezone, set paper size
5. Click Save All.
The report sent to your AWS S3 bucket includes the date/time, as shown below.
Creating a Sufficiently Permissioned IAM User¶
The IAM user will need access to a policy with the following permissions:
For AWS S3:
s3:PutObject(required for all)If the AWS S3 bucket is using SSE with a customer managed KMS key, then
kms:Encryptandkms:GenerateDataKeyare also required
Below is an example IAM policy to provide s3:PutObject permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::YOUR_BUCKET_NAME/OPTIONAL_SUBDIRECTORY/*"
],
"Effect": "Allow",
"Sid": "S3PutObject"
}
]
}
Below is an example IAM policy to provide KMS permissions:
{
"Version": "2012-10-17",
"Statement": {
"Action": [
"kms:Encrypt",
"kms:GenerateDataKey"
],
"Resource": "YOUR_KMS_KEY_ARN",
"Effect": "Allow"
}
}
For more information refer to:
How to Drill Down Into a Report¶
To drill down into a report, select the report/dashboard on the Reports page, then select a chart. Not all charts/reports/dashboards support drills.
Below, we’ve drilled down into the Rule Violations By Severity report in the Compliance Posture Dashboard, selecting only the violations of medium severity:
You can download the drill data:
