Service Coverage

The following services and resources are supported in the latest version of Fugue.

(beta) denotes resources with beta support. To request access, contact support@fugue.co.

See the list of supported AWS and AWS GovCloud regions below.

See the list of resource types that do not report drift below.

Note

To interact with the API using query parameters, use the resource names as formatted below. When using request body parameters, add quotation marks around each resource name like this: "AWS.AutoScaling.AutoScalingGroup", "AWS.SNS.Topic", etc.

AWS Standard Regions

AWS Certificate Manager (ACM)

  • AWS.ACM.Certificate

ACM Private Certificate Authority (ACM PCA) – beta

  • AWS.ACMPCA.CertificateAuthority

API Gateway

  • AWS.ApiGateway.Authorizer

  • AWS.ApiGateway.ClientCertificate

  • AWS.ApiGateway.Deployment

  • AWS.ApiGateway.DomainName

  • AWS.ApiGateway.RequestValidator

  • AWS.ApiGateway.Resource

  • AWS.ApiGateway.RestApi

  • AWS.ApiGateway.Stage

  • AWS.ApiGateway.UsagePlan

  • AWS.ApiGateway.VpcLink

AutoScaling

  • AWS.AutoScaling.AutoScalingGroup

  • AWS.AutoScaling.LaunchConfiguration

  • AWS.AutoScaling.LaunchTemplate

  • AWS.AutoScaling.LifecycleHook

  • AWS.AutoScaling.Policy

  • AWS.AutoScaling.Schedule

CloudFront

  • AWS.CloudFront.Distribution

CloudTrail

  • AWS.CloudTrail.Trail

CloudWatch

  • AWS.CloudWatch.Dashboard

  • AWS.CloudWatch.MetricAlarm

  • AWS.CloudWatchEvents.Rule

  • AWS.CloudWatchEvents.Target

  • AWS.CloudWatchLogs.Destination

  • AWS.CloudWatchLogs.DestinationPolicy

  • AWS.CloudWatchLogs.LogGroup

  • AWS.CloudWatchLogs.MetricFilter

  • AWS.CloudWatchLogs.ResourcePolicy

  • AWS.CloudWatchLogs.SubscriptionFilter

Cognito

  • AWS.Cognito.IdentityProvider

  • AWS.Cognito.ResourceServer

  • AWS.Cognito.UserGroup

  • AWS.Cognito.UserPool

  • AWS.Cognito.UserPoolClient

  • AWS.Cognito.UserPoolDomain

Config

  • AWS.Config.AggregationAuthorization

  • AWS.Config.ConfigurationAggregator

  • AWS.Config.ConfigurationRecorder

  • AWS.Config.ConfigurationRecorderStatus

  • AWS.Config.DeliveryChannel

  • AWS.Config.Rule

Directory Service – beta

  • AWS.DirectoryService.ConditionalForwarder

  • AWS.DirectoryService.Directory

DynamoDB

  • AWS.DynamoDB.Table

EC2

  • AWS.EC2.CustomerGateway

  • AWS.EC2.DhcpOptions

  • AWS.EC2.DhcpOptionsAssociation

  • AWS.EC2.EgressOnlyInternetGateway

  • AWS.EC2.ElasticIP

  • AWS.EC2.FlowLog

  • AWS.EC2.Instance

  • AWS.EC2.InternetGateway

  • AWS.EC2.KeyPair

  • AWS.EC2.NATGateway

  • AWS.EC2.NetworkACL

  • AWS.EC2.NetworkInterface

  • AWS.EC2.PlacementGroup

  • AWS.EC2.RouteTable

  • AWS.EC2.RouteTableAssociation

  • AWS.EC2.SecurityGroup

  • AWS.EC2.SpotFleetRequest

  • AWS.EC2.Subnet

  • AWS.EC2.Volume

  • AWS.EC2.Vpc

  • AWS.EC2.VpcEndpoint

  • AWS.EC2.VpcEndpointConnectionNotification

  • AWS.EC2.VpcEndpointService

  • AWS.EC2.VpcIpv4CidrBlockAssociation

  • AWS.EC2.VpcPeeringConnection

  • AWS.EC2.VpnConnection

  • AWS.EC2.VpnConnectionRoute

  • AWS.EC2.VpnGateway

ECR

  • AWS.ECR.Repository

ECS

  • AWS.ECS.Cluster

  • AWS.ECS.Service

  • AWS.ECS.Task

  • AWS.ECS.TaskDefinition

EFS – beta

  • AWS.EFS.FileSystem

  • AWS.EFS.MountTarget

EKS

  • AWS.EKS.Cluster

ELB

  • AWS.ELB.BackendServerPolicy

  • AWS.ELB.ListenerPolicy

  • AWS.ELB.LoadBalancer

  • AWS.ELB.Policy

ELBv2

  • AWS.ELBv2.Listener

  • AWS.ELBv2.ListenerRule

  • AWS.ELBv2.LoadBalancer

  • AWS.ELBv2.TargetGroup

ElastiCache

Note

When ElastiCache.Cluster resources belong to an ElastiCache.ReplicationGroup, the clusters themselves are not scanned but the replication group is. The replication group manages the clusters and contains all of the relevant settings, so there is no need to scan the clusters individually. In contrast, ElastiCache clusters that do not belong to a replication group are scanned individually.

  • AWS.ElastiCache.Cluster

  • AWS.ElastiCache.ParameterGroup

  • AWS.ElastiCache.ReplicationGroup

Glacier – beta

  • AWS.Glacier.Vault

GuardDuty

  • AWS.GuardDuty.Detector

  • AWS.GuardDuty.Member

IAM

  • AWS.IAM.AccessKey

  • AWS.IAM.AccountPasswordPolicy

  • AWS.IAM.CredentialReport

  • AWS.IAM.Group

  • AWS.IAM.GroupMembership

  • AWS.IAM.GroupPolicy

  • AWS.IAM.GroupPolicyAttachment

  • AWS.IAM.InstanceProfile

  • AWS.IAM.OpenIDConnectProvider

  • AWS.IAM.Policy

  • AWS.IAM.Role

  • AWS.IAM.RolePolicy

  • AWS.IAM.RolePolicyAttachment

  • AWS.IAM.SAMLProvider

  • AWS.IAM.User

  • AWS.IAM.UserPolicy

  • AWS.IAM.UserPolicyAttachment

Inspector – beta

  • AWS.Inspector.AssessmentTarget

  • AWS.Inspector.AssessmentTemplate

KMS

  • AWS.KMS.Alias

  • AWS.KMS.Grant

  • AWS.KMS.Key

Kinesis – beta

  • AWS.Kinesis.Stream

  • AWS.KinesisFirehose.DeliveryStream

Lambda

  • AWS.Lambda.Alias

  • AWS.Lambda.EventSourceMapping

  • AWS.Lambda.Function

Macie

  • AWS.Macie.MemberAccountAssociation

  • AWS.Macie.S3BucketAssociation

MediaStore

  • AWS.MediaStore.Container

  • AWS.MediaStore.ContainerPolicy

Organizations – beta

  • AWS.Organizations.Organization

RDS

  • AWS.RDS.Cluster

  • AWS.RDS.ClusterParameterGroup

  • AWS.RDS.EventSubscription

  • AWS.RDS.Instance

  • AWS.RDS.OptionGroup

  • AWS.RDS.ParameterGroup

  • AWS.RDS.SubnetGroup

Redshift

  • AWS.Redshift.Cluster

  • AWS.Redshift.ParameterGroup

  • AWS.Redshift.SubnetGroup

Route 53

  • AWS.Route53.DelegationSet

  • AWS.Route53.HealthCheck

  • AWS.Route53.QueryLog

  • AWS.Route53.Record

  • AWS.Route53.Zone

  • AWS.Route53.ZoneAssociation

S3

  • AWS.S3.Bucket

  • AWS.S3.BucketInventory

  • AWS.S3.BucketMetric

  • AWS.S3.BucketNotification

  • AWS.S3.BucketPolicy

  • AWS.S3.BucketPublicAccessBlock

Step Functions (SFN)

  • AWS.SFN.StateMachine

SNS

  • AWS.SNS.Subscription

  • AWS.SNS.Topic

SQS

  • AWS.SQS.Queue

Systems Manager (SSM) – beta

  • AWS.SSM.Activation

  • AWS.SSM.Association

  • AWS.SSM.Document

  • AWS.SSM.MaintenanceWindow

  • AWS.SSM.MaintenanceWindowTarget

  • AWS.SSM.MaintenanceWindowTask

  • AWS.SSM.Parameter

  • AWS.SSM.PatchBaseline

  • AWS.SSM.PatchGroup

  • AWS.SSM.ResourceDataSync

Secrets Manager

  • AWS.SecretsManager.Secret

WAF

  • AWS.WAF.WebACL

Supported Services: AWS GovCloud

AWS Certificate Manager (ACM)

  • AWS.ACM.Certificate

ACM Private Certificate Authority (ACM PCA) – beta

  • AWS.ACMPCA.CertificateAuthority

API Gateway

  • AWS.ApiGateway.Authorizer

  • AWS.ApiGateway.ClientCertificate

  • AWS.ApiGateway.Deployment

  • AWS.ApiGateway.DomainName

  • AWS.ApiGateway.RequestValidator

  • AWS.ApiGateway.Resource

  • AWS.ApiGateway.RestApi

  • AWS.ApiGateway.Stage

  • AWS.ApiGateway.UsagePlan

  • AWS.ApiGateway.VpcLink

AutoScaling

  • AWS.AutoScaling.AutoScalingGroup

  • AWS.AutoScaling.LaunchConfiguration

  • AWS.AutoScaling.LaunchTemplate

  • AWS.AutoScaling.LifecycleHook

  • AWS.AutoScaling.Policy

  • AWS.AutoScaling.Schedule

CloudTrail

  • AWS.CloudTrail.Trail

CloudWatch

  • AWS.CloudWatch.Dashboard

  • AWS.CloudWatch.MetricAlarm

  • AWS.CloudWatchEvents.Rule

  • AWS.CloudWatchEvents.Target

  • AWS.CloudWatchLogs.Destination

  • AWS.CloudWatchLogs.DestinationPolicy

  • AWS.CloudWatchLogs.LogGroup

  • AWS.CloudWatchLogs.MetricFilter

  • AWS.CloudWatchLogs.ResourcePolicy

  • AWS.CloudWatchLogs.SubscriptionFilter

Config

  • AWS.Config.ConfigurationRecorder

  • AWS.Config.ConfigurationRecorderStatus

  • AWS.Config.DeliveryChannel

  • AWS.Config.Rule

Directory Service – beta

  • AWS.DirectoryService.ConditionalForwarder

  • AWS.DirectoryService.Directory

DynamoDB

  • AWS.DynamoDB.Table

EC2

  • AWS.EC2.CustomerGateway

  • AWS.EC2.DhcpOptions

  • AWS.EC2.DhcpOptionsAssociation

  • AWS.EC2.EgressOnlyInternetGateway

  • AWS.EC2.ElasticIP

  • AWS.EC2.FlowLog

  • AWS.EC2.Instance

  • AWS.EC2.InternetGateway

  • AWS.EC2.KeyPair

  • AWS.EC2.NATGateway

  • AWS.EC2.NetworkACL

  • AWS.EC2.NetworkInterface

  • AWS.EC2.PlacementGroup

  • AWS.EC2.RouteTable

  • AWS.EC2.RouteTableAssociation

  • AWS.EC2.SecurityGroup

  • AWS.EC2.Subnet

  • AWS.EC2.Volume

  • AWS.EC2.Vpc

  • AWS.EC2.VpcIpv4CidrBlockAssociation

  • AWS.EC2.VpcPeeringConnection

  • AWS.EC2.VpnConnection

  • AWS.EC2.VpnConnectionRoute

  • AWS.EC2.VpnGateway

ECR

  • AWS.ECR.Repository

ECS

  • AWS.ECS.Cluster

  • AWS.ECS.Service

  • AWS.ECS.Task

  • AWS.ECS.TaskDefinition

ELB

  • AWS.ELB.BackendServerPolicy

  • AWS.ELB.ListenerPolicy

  • AWS.ELB.LoadBalancer

  • AWS.ELB.Policy

ELBv2

  • AWS.ELBv2.Listener

  • AWS.ELBv2.ListenerRule

  • AWS.ELBv2.LoadBalancer

  • AWS.ELBv2.TargetGroup

ElastiCache

Note

When ElastiCache.Cluster resources belong to an ElastiCache.ReplicationGroup, the clusters themselves are not scanned but the replication group is. The replication group manages the clusters and contains all of the relevant settings, so there is no need to scan the clusters individually. In contrast, ElastiCache clusters that do not belong to a replication group are scanned individually.

  • AWS.ElastiCache.Cluster

  • AWS.ElastiCache.ParameterGroup

  • AWS.ElastiCache.ReplicationGroup

Glacier – beta

  • AWS.Glacier.Vault

IAM

  • AWS.IAM.AccessKey

  • AWS.IAM.AccountPasswordPolicy

  • AWS.IAM.CredentialReport

  • AWS.IAM.Group

  • AWS.IAM.GroupMembership

  • AWS.IAM.GroupPolicy

  • AWS.IAM.GroupPolicyAttachment

  • AWS.IAM.InstanceProfile

  • AWS.IAM.OpenIDConnectProvider

  • AWS.IAM.Policy

  • AWS.IAM.Role

  • AWS.IAM.RolePolicy

  • AWS.IAM.RolePolicyAttachment

  • AWS.IAM.SAMLProvider

  • AWS.IAM.User

  • AWS.IAM.UserPolicy

  • AWS.IAM.UserPolicyAttachment

Inspector – beta

  • AWS.Inspector.AssessmentTarget

  • AWS.Inspector.AssessmentTemplate

KMS

  • AWS.KMS.Alias

  • AWS.KMS.Grant

  • AWS.KMS.Key

Kinesis – beta

  • AWS.Kinesis.Stream

  • AWS.KinesisFirehose.DeliveryStream

Lambda

  • AWS.Lambda.Alias

  • AWS.Lambda.EventSourceMapping

  • AWS.Lambda.Function

Organizations – beta

  • AWS.Organizations.Organization

RDS

  • AWS.RDS.Cluster

  • AWS.RDS.ClusterParameterGroup

  • AWS.RDS.EventSubscription

  • AWS.RDS.Instance

  • AWS.RDS.OptionGroup

  • AWS.RDS.ParameterGroup

  • AWS.RDS.SubnetGroup

Redshift

  • AWS.Redshift.Cluster

  • AWS.Redshift.ParameterGroup

  • AWS.Redshift.SubnetGroup

S3

  • AWS.S3.Bucket

  • AWS.S3.BucketInventory

  • AWS.S3.BucketMetric

  • AWS.S3.BucketNotification

  • AWS.S3.BucketPolicy

  • AWS.S3.BucketPublicAccessBlock

Step Functions (SFN)

  • AWS.SFN.StateMachine

SNS

  • AWS.SNS.Subscription

  • AWS.SNS.Topic

SQS

  • AWS.SQS.Queue

Systems Manager (SSM) – beta

  • AWS.SSM.Activation

  • AWS.SSM.Association

  • AWS.SSM.Document

  • AWS.SSM.MaintenanceWindow

  • AWS.SSM.MaintenanceWindowTarget

  • AWS.SSM.MaintenanceWindowTask

  • AWS.SSM.Parameter

  • AWS.SSM.PatchBaseline

  • AWS.SSM.PatchGroup

  • AWS.SSM.ResourceDataSync

Supported Services: Microsoft Azure

Compute

  • Azure.Compute.ManagedDisk

  • Azure.Compute.VirtualMachine

Network

  • Azure.Network.LocalNetworkGateway

  • Azure.Network.NetworkInterface

  • Azure.Network.NetworkSecurityGroup

  • Azure.Network.NetworkSecurityRule

  • Azure.Network.NetworkWatcher

  • Azure.Network.PublicIPAddress

  • Azure.Network.Subnet

  • Azure.Network.VirtualNetwork

  • Azure.Network.VirtualNetworkGateway

  • Azure.Network.VirtualNetworkGatewayConnection

SQL

  • Azure.SQL.FirewallRule

  • Azure.SQL.Server

Storage

  • Azure.Storage.Account

Changing Resource Selection

New Environments

  • To set up a new AWS or AWS GovCloud environment to scan/enforce specific resources, see Select Resources.

  • To set up a new Azure environment to scan/enforce specific resource groups, see Select Resource Groups.

Existing Environments

  • To change which AWS & AWS GovCloud services are scanned/enforced, select the desired resources in the Environment Settings dialog (the cog icon in the top right of the screen), then update Fugue’s IAM role. See Update IAM Role for details.

  • To remove Azure resource groups from being scanned/enforced in an environment, uncheck the resource groups in the Environment Settings dialog (the cog icon in the top right of the screen). To add new resource groups to an environment, you must use the Fugue API. See Updating Selected Resource Groups for details.

Resources Under Management

Fugue determines the number of resources under management (RUM) for customers based on the AWS and Azure resource types as specified above. The following exceptions apply:

  • Duplicate resources are excluded when determining RUM.

  • AWS.IAM.Policy: AWS managed IAM policies are excluded when determining RUM.

Supported AWS and AWS GovCloud regions

Fugue supports the following regions:

  • US East (N. Virginia) - us-east-1

  • US East (Ohio) - us-east-2

  • US West (N. California) - us-west-1

  • US West (Oregon) - us-west-2

  • Asia Pacific (Mumbai) - ap-south-1

  • Asia Pacific (Seoul) - ap-northeast-2

  • Asia Pacific (Singapore) - ap-southeast-1

  • Asia Pacific (Sydney) - ap-southeast-2

  • Asia Pacific (Tokyo) - ap-northeast-1

  • Canada (Central) - ca-central-1

  • EU (Frankfurt) - eu-central-1

  • EU (Ireland) - eu-west-1

  • EU (London) - eu-west-2

  • EU (Paris) - eu-west-3

  • South America (São Paulo) - sa-east-1

  • AWS GovCloud (US-East) - us-gov-east-1

  • AWS GovCloud (US) - us-gov-west-1

Resource Types That Don’t Report Drift

By design, Fugue does not report drift for certain resource types, such as those that are dynamic, AWS-managed, or manually tagged with a fugue:transient tag:

  • AWS.EC2.ElasticIP

  • AWS.EC2.Instance if it is in an autoscaling group

  • AWS.EC2.NetworkInterface

  • AWS.EC2.SpotFleetRequest

  • AWS.EC2.Volume

  • AWS.ECS.Task

  • AWS.ELBv2.ListenerRule

  • AWS.IAM.CredentialReport

  • AWS.IAM.Policy if it is owned and managed by AWS (see AWS docs)

  • AWS.Inspector.AssessmentTarget

  • AWS.Inspector.AssessmentTemplate

  • AWS.SSM.Association

  • AWS.SSM.Document

  • Any AWS or Azure resource with a fugue:transient tag