Reports & Dashboards

Note

Other ways to access compliance information:

  • Compliance Report Email – receive a daily or weekly compliance overview of one environment

  • Notifications – get notified of compliance changes in an environment

  • Export Data – download a CSV or Excel file of compliance data for an entire organization

Fugue’s Reports page contains several predefined reports and dashboards that show different aspects of an organization’s or tenant’s compliance state.

_images/reports-page-2.png

There are three categories of reports and dashboards:

Organization View vs. Tenant View

Organization View and Tenant View both feature the same reports and dashboards, but the data reflects different sources:

  • Organization View incorporates data across all tenants in your organization.

  • Tenant View incorporates data across all environments in a single tenant.

If you have Fugue Organizations enabled and you are logged into the root tenant, Organization View is selected by default. You can toggle Organization View off to display Tenant View instead:

_images/reports-page-tenant-view.png

If you’re in a child tenant, or if you don’t have Fugue Organizations enabled, you can only access the Tenant View. The Organization View toggle is not shown.

Report Actions

Selecting a dashboard or report displays it within the UI with default values set for the filters. You can take the following actions:

Compliance Posture Dashboard

The Compliance Posture Dashboard for an organization or tenant allows you to visualize information on rule violations by severity, service, tenant (Organization View only), and environment, as well as resource compliance and control evaluations over time.

Example Tenant View:

_images/compliance-posture-dashboard-1.png

  • Rule Violations (Total)

  • Critical Rule Violations (Total)

  • High Rule Violations (Total)

  • Rule Violations By Severity (Total)

  • Rule Violations By Service (Total)

  • Rule Violations by Tenant (Total) – Organization View only

  • Rule Violations By Environment (Total) – Tenant View only

  • Rule Violations Over Time (Total) (does not support drills)

  • Resource Noncompliant Over Time (Percentage) (does not support drills)

  • Control Evaluations By Family (Percentage)

Compliance Posture Dashboard Filters

You can filter by:

  • Tenant (Organization View only)

  • Service provider (e.g., AWS, AWS_GOVCLOUD, AZURE, GOOGLE, or REPOSITORY)

  • Environment

  • Data from (time frame)

Resources Dashboard

The Resources Dashboard for an organization or tenant allows you to visualize information on resource compliance by resource type, severity, tenant (Organization View only), and environment over time.

Example Tenant View:

_images/resources-dashboard-1.png

  • Scanned Resources (Total)

  • Noncompliant Resources (Total)

  • Resource Noncompliance (Percentage)

  • Resource Noncompliance Over Time (Percentage) (does not support drills)

  • Resource Noncompliance by Type (Total and Percentage) (does not support drills)

  • Noncompliant Resources Over Time (Total)

  • Noncompliant Resources with Critical/High Rule Violations (Total)

  • Noncompliant Resources by Tenant (Total) – Organization View only

  • Noncompliant Resources by Environment (Total) – Tenant View only

Resources Dashboard Filters

You can filter by:

  • Tenant (Organization View only)

  • Service provider (e.g., AWS, AWS_GOVCLOUD, AZURE, GOOGLE, or REPOSITORY)

  • Environment

  • Data from (time frame)

Billing Metrics Dashboard

The Billing Metrics Dashboard for a tenant or an organization provides an aggregate of Resources Under Management (RUM) and Scanned Resources.

Example Tenant View:

_images/billing-metrics-dashboard-tenant.png

Billing Metrics Dashboard Filters

You can filter by:

  • Tenant (Organization View only)

  • Service provider (e.g., AWS, AWS_GOVCLOUD, AZURE, GOOGLE, or REPOSITORY)

  • Environment

Current Rule Results

The Current Rule Results table for an organization or a tenant allows you to view details in tabular format on rule results data, including information on resource tags.

Example Tenant View:

_images/current-rule-results-1.png

Current Rule Results Filters

You can filter by:

  • Tenant (Organization View only)

  • Environment

  • Service provider (e.g., AWS, AWS_GOVCLOUD, AZURE, GOOGLE, or REPOSITORY)

  • Account ID

  • Resource

  • Rule Name

  • Rule ID

  • Rule Result

  • Severity

  • Resource Type

  • Tag

  • Control

  • Compliance Family (including custom families)

Current Rule Violations

The Current Rule Violations table for an organization or tenant allows you to view details in tabular format on outstanding rule violations and filter by severity, resource type, rule, and more. (Does not support drills.)

Example Tenant View:

_images/current-rule-violations-2.png

Current Rule Violation Filters

You can filter by:

  • Tenant (Organization View only)

  • Service provider (e.g., AWS, AWS_GOVCLOUD, AZURE, GOOGLE, or REPOSITORY)

  • Environment

  • Rule severity level

  • Resource type

  • Provider account ID

  • Resource

  • Compliance family (including custom families)

  • Compliance control

  • Rule ID

Resources Report

The Resources Report for an organization or tenant allows you to view details in tabular format regarding resources, their compliance status, and the rule results that impact that status. (Does not support drills.)

Example Tenant View:

_images/resources-report-2.png

Resources Report Filters

You can filter by:

  • Tenant (Organization View only)

  • Environment

  • Service provider (e.g., AWS, AWS_GOVCLOUD, AZURE, GOOGLE, or REPOSITORY)

  • Resource type

  • Provider account ID

  • Resource

  • Resource compliance

  • Compliance family (including custom families)

  • Whether the resource has rule results

Compliance Family Dashboards

Compliance Family Dashboards allow you to visualize information on resource compliance by resource type, severity, and environment over time for supported compliance families:

  • AWS Well-Architected Framework

  • CIS AWS Foundations Benchmark

  • CIS Azure Foundations Benchmark

  • CIS Controls

  • CIS Docker Benchmark

  • CIS Google Foundations Benchmark

  • CIS Kubernetes Foundations Benchmark

  • CSA Cloud Controls Matrix

  • GDPR

  • HIPAA

  • ISO 27001

  • NIST 800-53

  • PCI DSS

  • SOC 2

For example, the SOC 2 (2017) Dashboard for an organization or tenant allows you to visualize information on resource compliance by resource type, severity, and environment over time for SOC 2 (v2017).

Example Tenant View:

_images/soc-2-dashboard-2.png

Each report includes the following information:

  • Controls Evaluated (Total)

  • Noncompliant Controls (Total)

  • Control Noncompliance (Percentage)

  • Control Compliance By Category (Percentage)

  • Noncompliant Controls by Tenant (Total) – Organization View only

  • Noncompliant Controls By Environment (Total) – Tenant View only

  • Noncompliant Resources By Service (Total)

  • Control Noncompliance Over Time (Percentage)

Compliance Family Dashboards Filters

You can filter by:

  • Tenant (Organization View only)

  • Service provider (e.g., AWS, AWS_GOVCLOUD, AZURE, GOOGLE, or REPOSITORY)

  • Environment

  • Data from (time frame)

  • Compliance family

How to Filter a Report or Dashboard

To apply one or more filters to a report, follow the steps below:

1. Select the desired report or dashboard from the Reports page.

2. Next to the category you want to filter by, select a condition from the dropdown menu (“is,” “contains,” etc.).

3. Click inside the text box to the right of the condition. A dropdown menu of properties will appear. You can start typing, and the field will suggest autocompletions.

4. Repeat as needed to apply additional filters.

5. Select the Reload/Update button:

_images/report-update-reload.png

How to Create an Alert

To set up an email alert when a metric breaches a specified threshold, follow the steps below:

1. Select the desired report or dashboard from the Reports page.

2. Optionally apply filters to the report. The filters will also be applied to the alert.

3. Hover over the specific report you’d like to be alerted about and select the Alerts (bell) icon that appears:

_images/report-alert-icon.png

4. The metric is pre-selected for you (e.g., “Total Rule Results”). Select a condition (“is greater than,” “is less than,” etc.) and enter a threshold. When the threshold is breached, the alert will trigger.

_images/report-alert-configure.png

5. The email delivery method is preselected for you. Enter one or more email addresses in the field below it.

6. Select the desired frequency of the alert.

7. Select Save Alert.

How to Edit or Duplicate an Alert

To edit or duplicate an existing alert, follow the steps below:

1. Select the desired report or dashboard from the Reports page.

2. Hover over a specific report. If alerts exist for the report, the Alert (bell) icon shows the number:

_images/report-alert-existing.png

3. Select the Alert (bell) icon to see a list of alerts:

_images/report-list-alerts.png

4. Select the three dots (Alert Options) icon and select Edit Alert or Duplicate Alert:

_images/report-alert-options.png

5. Make your changes and select Save Alert.

How to Delete an Alert

To delete an existing alert, follow the steps below:

1. Select the desired report or dashboard from the Reports page.

2. Hover over a specific report. If alerts exist for the report, the Alert (bell) icon shows the number:

_images/report-alert-existing.png

3. Select the Alert (bell) icon to see a list of alerts:

_images/report-list-alerts.png

4. Select the three dots (Alert Options) icon and select Delete Alert:

_images/report-alert-options.png

5. Select Yes, delete alert:

_images/report-alert-delete.png

How to Download a Report

You can download a report as a PDF or CSV. You can also drill down into most reports and download the results.

PDF

To download a report as a PDF, follow the steps below:

1. Select the ellipsis next to the Reload/Update button in the upper right:

_images/report-button-ellipsis.png

2. Select Download.

3. Select PDF from the Format drop-down.

4. Optionally set the paper size, expand tables to show all rows, or arrange dashboard tiles in a single column.

5. Select Open in Browser to generate and load the PDF in your browser window, or Download to download the PDF.

CSV

To download a report as a CSV, follow the steps below:

1. Select the ellipsis next to the Reload/Update button in the upper right:

_images/report-button-ellipsis.png

2. Select Download.

3. Select CSV from the Format drop-down.

4. Click Download to download a ZIP containing a CSV file for each report in the dashboard.

How to Send a Report by Email Immediately

To send a report by email immediately, follow the steps below:

1. Select the ellipsis next to the Reload/Update button in the upper right:

_images/report-button-ellipsis.png

2. Select Schedule delivery.

3. If a previously scheduled report is listed, you can select Send now to send it immediately, or select New to create a new one.

4. If sending a new email, in the Settings tab, under Recurrence, select Send now.

5. Under Email addresses, specify the recipient(s).

6. Under Format, select PDF, CSV zip file, or PNG visualization.

7. Optionally, in the Filters tab, specify any desired filters.

8. Optionally, configure additional settings in Advanced options. Available options vary based on data format.

9. Select Send now.

How to Schedule a Report by Email

To schedule a report by email, follow the steps below:

1. Select the ellipsis next to the Reload/Update button in the upper right:

_images/report-button-ellipsis.png

2. Select Schedule delivery.

3. If a previously scheduled report is listed, select New to create a new one.

4. In the Settings tab, set the recurrence (e.g., daily) and time (e.g., 06:00).

5. Under Email addresses, specify the recipient(s).

6. Under Format, select PDF, CSV zip file, or PNG visualization.

7. Optionally, in the Filters tab, specify any desired filters.

8. Optionally, configure additional settings in Advanced options. Available options vary based on data format.

9. Optionally, select Test now. This sends a test email to all of the specified addresses.

10. Select Save.

How to Edit, Duplicate, or Delete a Scheduled Email

1. Select the ellipsis next to the Reload/Update button in the upper right:

_images/report-button-ellipsis.png

2. Select Schedule delivery.

3. Select the ellipsis next to the scheduled report you want to edit, duplicate, or delete.

4. Select Edit, Duplicate, or Delete.

5. If editing or duplicating, make your changes and select Save.

6. If deleting, select Delete.

How to Unsubscribe from a Scheduled Email

Users can unsubscribe from scheduled emails by selecting the “unsubscribe” link in the email body.

Sending the Report to an Amazon S3 Bucket Using an IAM Role

Fugue can send and schedule report data to Amazon S3 using a trusted IAM role. This avoids the need to generate long-lived AWS Access Keys: a trusted IAM policy delegates access to your S3 bucket to Fugue instead, which is a general best practice when dealing with credentials.

Note

Fugue recommends that you create a separate S3 bucket for receiving data deliveries, if possible. See Creating a Bucket.

You can schedule reports to be delivered to an Amazon S3 bucket of your choice using an IAM role. This is a two-step process.

Create a Sufficiently Permissioned IAM Role

To provide the required parameters, create an S3 bucket and an associated IAM role in the same AWS account. The role grants Fugue permission to upload data when your data send or schedule is executed.

This IAM role should specify the following IAM Policy and Trust Relationship, replacing the following placeholders:

  • bucket-name: Name of the S3 Bucket where files should be uploaded. See Creating a Bucket.

  • optional-s3-path: Optional path where files should be placed. Leave this empty to have them placed in the root of the bucket.

  • aws-kms-key-arn: The ARN of the AWS Key Management Service (KMS) key used to encrypt data within your S3 bucket. Fugue strongly recommends using SSE-KMS encryption when creating S3 buckets, with a specific key created for and used only by this bucket. This ensures your S3 buckets are compliant with various Fugue Rules and general S3 best practices. If your target S3 bucket uses an Amazon S3 key (SSE-S3) or no encryption, you may omit the entire “KMS” section of this policy when creating your IAM role.

  • external-id-value: When assuming your Role, Fugue will utilize this External ID value in the same way it does for AWS Environment Role Assumption. You can learn more about External IDs here, but in general, they prevent others from assuming this role and using it for other purposes. Instructions for retrieving your External ID value in Fugue can be found here.

To create a sufficiently permissioned IAM role:

1. Navigate to IAM.

2. In the left navigation, select Roles.

3. Click Create role.

4. In Select type of trusted entity, select AWS service > S3 > S3 (Allows S3 to call AWS services on your behalf). Click Next: Permissions.

5. Select Create policy. The Create policy workflow opens in a new tab.

6. In Create policy, select the JSON tab.

7. Enter the following information:

  • Replace #<your-bucket-name>/<optional-s3-path> with your S3 bucket name and optionally, include the path (line 13).

  • Replace #<aws-kms-key-arn> with the ARN of the KMS key used to encrypt objects stored in your S3 bucket. If you did not use SSE-KMS on your S3 bucket, delete this section of the policy (line 28).

  • Replace #<your-bucket-name> with your S3 bucket name (line 33).

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3Object",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": [
                "arn:aws:s3:::<your-bucket-name>/<optional-s3-path>/*"
            ]
        },
        {
            "Sid": "KMS",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:GenerateDataKey",
                "kms:GenerateDataKeyWithoutPlaintext",
                "kms:GenerateDataKeyPairWithoutPlaintext",
                "kms:GenerateDataKeyPair"
            ],
            "Resource": [
                "<aws-kms-key-arn>"
            ]
        },
        {
            "Sid": "S3Bucket",
            "Effect": "Allow",
            "Action": "s3:ListBucketMultipartUploads",
            "Resource": "arn:aws:s3:::<your-bucket-name>"
        }
    ]
}

8. Click Next: Tags. (Optionally) Add tags and click Next: Review.

9. Enter a Name for your policy. (Optionally) Enter a Description for your policy. Click Create policy.

10. Navigate back to the Roles tab and click the refresh icon.

11. In the search field, enter the name of the newly created policy and select it.

12. Click Next: Tags. (Optionally) Add tags and click Next: Review.

13. Enter a role name and click Create role.

14. On the Roles page, search and select your newly created role.

15. Select Trust relationships > Edit trust relationship.

16. In Edit Trust Relationship, enter the following information in the Policy Document section:

  • Replace #<external-id-value> with your external ID (line 12). Instructions for retrieving your External ID value in Fugue can be found here.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::370134896156:role/ReportIntegrationRole"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<external-id-value>"
        }
      }
    }
  ]
}

17. Click Update Trust Policy.
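The following Python helpers are an added example, not Fugue's own code: they render the permissions policy and trust relationship above from their placeholders and audit a trust policy before it is saved. The function names and sample inputs are assumptions; the principal ARN and action lists are copied from this page.

```python
import re

# Principal copied from the trust relationship shown on this page.
FUGUE_REPORT_PRINCIPAL = "arn:aws:iam::370134896156:role/ReportIntegrationRole"
KMS_ACTIONS = [
    "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:GenerateDataKeyPairWithoutPlaintext", "kms:GenerateDataKeyPair",
]


def build_permissions_policy(bucket, path="", kms_key_arn=None):
    """Render the page's permissions policy for one bucket, prefix and KMS key."""
    if not re.fullmatch(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]", bucket):
        raise ValueError(f"not a valid S3 bucket name: {bucket!r}")
    prefix = path.strip("/")
    if "*" in prefix or "?" in prefix:
        raise ValueError("wildcards in the path would widen the grant")
    # An empty path must give bucket/*; bucket//* only matches keys starting with "/".
    object_arn = f"arn:aws:s3:::{bucket}/{prefix + '/' if prefix else ''}*"
    statements = [{
        "Sid": "S3Object", "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"],
        "Resource": [object_arn],
    }]
    if kms_key_arn:  # omit the whole KMS statement for SSE-S3 or unencrypted buckets
        if not kms_key_arn.startswith("arn:aws") or ":key/" not in kms_key_arn:
            raise ValueError("expected the ARN of one specific KMS key")
        statements.append({"Sid": "KMS", "Effect": "Allow",
                           "Action": KMS_ACTIONS, "Resource": [kms_key_arn]})
    statements.append({"Sid": "S3Bucket", "Effect": "Allow",
                       "Action": "s3:ListBucketMultipartUploads",
                       "Resource": f"arn:aws:s3:::{bucket}"})
    return {"Version": "2012-10-17", "Statement": statements}


def build_trust_policy(external_id):
    """Render the page's trust relationship with the External ID filled in."""
    if not external_id or external_id.startswith("<"):
        raise ValueError("fill in the External ID retrieved from Fugue")
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": FUGUE_REPORT_PRINCIPAL},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}


def audit_trust_policy(doc):
    """Return findings for Allow statements that differ from the page's trust relationship."""
    findings = []
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # IAM also accepts a single statement object
        statements = [statements]
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else list(aws)
        if aws != [FUGUE_REPORT_PRINCIPAL]:
            findings.append(f"statement {i}: principal is not only the report role")
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext or str(ext).startswith("<"):
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings
```

Running audit_trust_policy on the role's trust policy after step 17 catches a role still carrying the S3 service principal from step 4 or the unreplaced <external-id-value> placeholder.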

Schedule the Report to be Sent to an AWS S3 Bucket via IAM Role

To schedule the report to be sent to an Amazon S3 bucket via IAM role:

1. Select the ellipsis next to the Reload/Update button in the upper right:

_images/report-button-ellipsis.png

2. Select Schedule delivery.

3. If a previously scheduled report is listed, select New to create a new one.

4. In the Settings tab, set the recurrence (e.g., daily) and time (e.g., 06:00).

5. Under Destination, select Amazon S3 (IAM Role).

6. Specify the following information:

  • In Bucket, enter the bucket name. See Creating a Bucket.

  • (Optionally) Enter the path where files should be placed (e.g., folder/sub1/sub2). Leave this empty to have them placed in the root of the bucket.

  • Enter your IAM Role.

  • Select the Region in which your S3 bucket lives.

  • In Send All Results?, select Yes or No. If you select No, only the first 5,000 rows are sent.

  • In Format, select PDF, CSV zip file, or PNG visualization.

7. Optionally, in the Filters tab, specify any desired filters.

8. Optionally, configure additional settings in Advanced options. Available options vary based on data format.

9. Optionally, select Test now. This uploads the report to the specified bucket.

10. Select Save.

The report sent to your AWS S3 bucket includes the date/time.

Sending the Report to an Amazon S3 Bucket Using Access Key

You can schedule reports to be delivered to an Amazon S3 bucket of your choice using an Access Key.

Note

Deliveries that use an Access Key are limited to 5,000 rows of data. As a best practice, Fugue recommends using an IAM Role to send/schedule the reports. Refer to Schedule a report to be sent to an AWS S3 bucket using IAM Role for more information.

To schedule the report to be sent to an Amazon S3 bucket:

1. Select the ellipsis next to the Reload/Update button in the upper right:

_images/report-button-ellipsis.png

2. Select Schedule delivery.

3. If a previously scheduled report is listed, select New to create a new one.

4. In the Settings tab, set the recurrence (e.g., daily) and time (e.g., 06:00).

5. Under Destination, select Amazon S3.

6. Specify the following information:

  • In Bucket, enter the bucket name. See Creating a Bucket.

  • (Optionally) Enter the path where files should be placed (e.g., folder/sub1/sub2). Leave this empty to have them placed in the root of the bucket.

  • Enter the AWS Access Key ID and Secret Access Key corresponding to an IAM user that has the appropriate permissions. If your AWS S3 Bucket is encrypted using SSE with a customer managed KMS Key, kms:Encrypt and kms:GenerateDataKey are also required. Refer to Creating a Sufficiently Permissioned IAM User for more information.

  • Enter the S3 bucket region.

  • In Format, select PDF, CSV zip file, or PNG visualization.

7. Optionally, in the Filters tab, specify any desired filters.

8. Optionally, configure additional settings in Advanced options. Available options vary based on data format.

9. Optionally, select Test now. This uploads the report to the specified bucket.

10. Select Save.

The report sent to your AWS S3 bucket includes the date/time, as shown below.

_images/current-rules-report-aws.png

Creating a Sufficiently Permissioned IAM User

The IAM user will need access to a policy with the following permissions:

  • For AWS S3: s3:PutObject (required for all)

  • If the AWS S3 bucket is using SSE with a customer managed KMS key, then kms:Encrypt and kms:GenerateDataKey are also required

Below is an example IAM policy to provide s3:PutObject permissions:

{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Action": [
               "s3:PutObject"
           ],
           "Resource": [
               "arn:aws:s3:::YOUR_BUCKET_NAME/OPTIONAL_SUBDIRECTORY/*"
           ],
           "Effect": "Allow",
           "Sid": "S3PutObject"
       }
   ]
}

Below is an example IAM policy to provide KMS permissions:

{
   "Version": "2012-10-17",
   "Statement": {
       "Action": [
           "kms:Encrypt",
           "kms:GenerateDataKey"
       ],
       "Resource": "YOUR_KMS_KEY_ARN",
       "Effect": "Allow"
   }
}

For more information refer to:

How to Drill Down Into a Report

To drill down into a report, select the report/dashboard on the Reports page, then select a chart. Not all charts/reports/dashboards support drills.

Below, we’ve drilled down into the Rule Violations By Severity report in the Compliance Posture Dashboard, selecting only the violations of medium severity:

_images/report-drill-down.gif

You can download the drill data:

_images/report-drill-download-1.png

Resource ID and Resource Native ID

The fields Resource ID and Resource Native ID are identical in Azure and Google environments.

In AWS environments:

  • Resource Native ID is the full ARN (e.g., arn:aws:s3:::my-rad-bucket).

  • Resource ID is the short name for the resource (e.g., my-rad-bucket).

Not all resource types support a native ID. Resources without a native ID will display a blank field in the Resource Native ID column.

The Resource filter accepts both types of ID.