Service Coverage¶
The following services and resources are supported in the latest version of Fugue.
(beta) denotes resources with beta support. To request access, contact support@fugue.co.
See a list of supported AWS and AWS GovCloud regions here.
See a list of resource types that do not report drift here.
Note
To interact with the API using query parameters, use the resource names as formatted below. When using request body parameters, add quotation marks around each resource name like this: "AWS.AutoScaling.AutoScalingGroup", "AWS.SNS.Topic", etc.
AWS Standard Regions¶
AWS Certificate Manager (ACM)¶
AWS.ACM.Certificate
ACM Private Certificate Authority (ACM PCA) – beta¶
AWS.ACMPCA.CertificateAuthority
API Gateway¶
AWS.ApiGateway.Authorizer
AWS.ApiGateway.ClientCertificate
AWS.ApiGateway.Deployment
AWS.ApiGateway.DomainName
AWS.ApiGateway.RequestValidator
AWS.ApiGateway.Resource
AWS.ApiGateway.RestApi
AWS.ApiGateway.Stage
AWS.ApiGateway.UsagePlan
AWS.ApiGateway.VpcLink
AutoScaling¶
AWS.AutoScaling.AutoScalingGroup
AWS.AutoScaling.LaunchConfiguration
AWS.AutoScaling.LaunchTemplate
AWS.AutoScaling.LifecycleHook
AWS.AutoScaling.Policy
AWS.AutoScaling.Schedule
CloudFront¶
AWS.CloudFront.Distribution
CloudTrail¶
AWS.CloudTrail.Trail
CloudWatch¶
AWS.CloudWatch.Dashboard
AWS.CloudWatch.MetricAlarm
AWS.CloudWatchEvents.Rule
AWS.CloudWatchEvents.Target
AWS.CloudWatchLogs.Destination
AWS.CloudWatchLogs.DestinationPolicy
AWS.CloudWatchLogs.LogGroup
AWS.CloudWatchLogs.MetricFilter
AWS.CloudWatchLogs.ResourcePolicy
AWS.CloudWatchLogs.SubscriptionFilter
Cognito¶
AWS.Cognito.IdentityProvider
AWS.Cognito.ResourceServer
AWS.Cognito.UserGroup
AWS.Cognito.UserPool
AWS.Cognito.UserPoolClient
AWS.Cognito.UserPoolDomain
Config¶
AWS.Config.AggregationAuthorization
AWS.Config.ConfigurationAggregator
AWS.Config.ConfigurationRecorder
AWS.Config.ConfigurationRecorderStatus
AWS.Config.DeliveryChannel
AWS.Config.Rule
Directory Service – beta¶
AWS.DirectoryService.ConditionalForwarder
AWS.DirectoryService.Directory
DynamoDB¶
AWS.DynamoDB.Table
EC2¶
AWS.EC2.CustomerGateway
AWS.EC2.DhcpOptions
AWS.EC2.DhcpOptionsAssociation
AWS.EC2.EgressOnlyInternetGateway
AWS.EC2.ElasticIP
AWS.EC2.FlowLog
AWS.EC2.Instance
AWS.EC2.InternetGateway
AWS.EC2.KeyPair
AWS.EC2.NATGateway
AWS.EC2.NetworkACL
AWS.EC2.NetworkInterface
AWS.EC2.PlacementGroup
AWS.EC2.RouteTable
AWS.EC2.RouteTableAssociation
AWS.EC2.SecurityGroup
AWS.EC2.SpotFleetRequest
AWS.EC2.Subnet
AWS.EC2.Volume
AWS.EC2.Vpc
AWS.EC2.VpcEndpoint
AWS.EC2.VpcEndpointConnectionNotification
AWS.EC2.VpcEndpointService
AWS.EC2.VpcIpv4CidrBlockAssociation
AWS.EC2.VpcPeeringConnection
AWS.EC2.VpnConnection
AWS.EC2.VpnConnectionRoute
AWS.EC2.VpnGateway
ECR¶
AWS.ECR.Repository
ECS¶
AWS.ECS.Cluster
AWS.ECS.Service
AWS.ECS.Task
AWS.ECS.TaskDefinition
EFS – beta¶
AWS.EFS.FileSystem
AWS.EFS.MountTarget
EKS¶
AWS.EKS.Cluster
ELB¶
AWS.ELB.BackendServerPolicy
AWS.ELB.ListenerPolicy
AWS.ELB.LoadBalancer
AWS.ELB.Policy
ELBv2¶
AWS.ELBv2.Listener
AWS.ELBv2.ListenerRule
AWS.ELBv2.LoadBalancer
AWS.ELBv2.TargetGroup
ElastiCache¶
Note
When ElastiCache.Cluster resources belong to an ElastiCache.ReplicationGroup, the clusters themselves are not scanned but the replication group is. The replication group manages the clusters and contains all of the relevant settings, so there is no need to scan the clusters individually. In contrast, ElastiCache clusters that do not belong to a replication group are scanned individually.
AWS.ElastiCache.Cluster
AWS.ElastiCache.ParameterGroup
AWS.ElastiCache.ReplicationGroup
Glacier – beta¶
AWS.Glacier.Vault
GuardDuty¶
AWS.GuardDuty.Detector
AWS.GuardDuty.Member
IAM¶
AWS.IAM.AccessKey
AWS.IAM.AccountPasswordPolicy
AWS.IAM.CredentialReport
AWS.IAM.Group
AWS.IAM.GroupMembership
AWS.IAM.GroupPolicy
AWS.IAM.GroupPolicyAttachment
AWS.IAM.InstanceProfile
AWS.IAM.OpenIDConnectProvider
AWS.IAM.Policy
AWS.IAM.Role
AWS.IAM.RolePolicy
AWS.IAM.RolePolicyAttachment
AWS.IAM.SAMLProvider
AWS.IAM.User
AWS.IAM.UserPolicy
AWS.IAM.UserPolicyAttachment
Inspector – beta¶
AWS.Inspector.AssessmentTarget
AWS.Inspector.AssessmentTemplate
KMS¶
AWS.KMS.Alias
AWS.KMS.Grant
AWS.KMS.Key
Kinesis – beta¶
AWS.Kinesis.Stream
AWS.KinesisFirehose.DeliveryStream
Lambda¶
AWS.Lambda.Alias
AWS.Lambda.EventSourceMapping
AWS.Lambda.Function
Macie¶
AWS.Macie.MemberAccountAssociation
AWS.Macie.S3BucketAssociation
MediaStore¶
AWS.MediaStore.Container
AWS.MediaStore.ContainerPolicy
Organizations – beta¶
AWS.Organizations.Organization
RDS¶
AWS.RDS.Cluster
AWS.RDS.ClusterParameterGroup
AWS.RDS.EventSubscription
AWS.RDS.Instance
AWS.RDS.OptionGroup
AWS.RDS.ParameterGroup
AWS.RDS.SubnetGroup
Redshift¶
AWS.Redshift.Cluster
AWS.Redshift.ParameterGroup
AWS.Redshift.SubnetGroup
Route 53¶
AWS.Route53.DelegationSet
AWS.Route53.HealthCheck
AWS.Route53.QueryLog
AWS.Route53.Record
AWS.Route53.Zone
AWS.Route53.ZoneAssociation
S3¶
AWS.S3.Bucket
AWS.S3.BucketInventory
AWS.S3.BucketMetric
AWS.S3.BucketNotification
AWS.S3.BucketPolicy
AWS.S3.BucketPublicAccessBlock
Step Functions (SFN)¶
AWS.SFN.StateMachine
SNS¶
AWS.SNS.Subscription
AWS.SNS.Topic
SQS¶
AWS.SQS.Queue
Systems Manager (SSM) – beta¶
AWS.SSM.Activation
AWS.SSM.Association
AWS.SSM.Document
AWS.SSM.MaintenanceWindow
AWS.SSM.MaintenanceWindowTarget
AWS.SSM.MaintenanceWindowTask
AWS.SSM.Parameter
AWS.SSM.PatchBaseline
AWS.SSM.PatchGroup
AWS.SSM.ResourceDataSync
Secrets Manager¶
AWS.SecretsManager.Secret
Supported Services: AWS GovCloud¶
AWS Certificate Manager (ACM)¶
AWS.ACM.Certificate
ACM Private Certificate Authority (ACM PCA) – beta¶
AWS.ACMPCA.CertificateAuthority
API Gateway¶
AWS.ApiGateway.Authorizer
AWS.ApiGateway.ClientCertificate
AWS.ApiGateway.Deployment
AWS.ApiGateway.DomainName
AWS.ApiGateway.RequestValidator
AWS.ApiGateway.Resource
AWS.ApiGateway.RestApi
AWS.ApiGateway.Stage
AWS.ApiGateway.UsagePlan
AWS.ApiGateway.VpcLink
AutoScaling¶
AWS.AutoScaling.AutoScalingGroup
AWS.AutoScaling.LaunchConfiguration
AWS.AutoScaling.LaunchTemplate
AWS.AutoScaling.LifecycleHook
AWS.AutoScaling.Policy
AWS.AutoScaling.Schedule
CloudTrail¶
AWS.CloudTrail.Trail
CloudWatch¶
AWS.CloudWatch.Dashboard
AWS.CloudWatch.MetricAlarm
AWS.CloudWatchEvents.Rule
AWS.CloudWatchEvents.Target
AWS.CloudWatchLogs.Destination
AWS.CloudWatchLogs.DestinationPolicy
AWS.CloudWatchLogs.LogGroup
AWS.CloudWatchLogs.MetricFilter
AWS.CloudWatchLogs.ResourcePolicy
AWS.CloudWatchLogs.SubscriptionFilter
Config¶
AWS.Config.ConfigurationRecorder
AWS.Config.ConfigurationRecorderStatus
AWS.Config.DeliveryChannel
AWS.Config.Rule
Directory Service – beta¶
AWS.DirectoryService.ConditionalForwarder
AWS.DirectoryService.Directory
DynamoDB¶
AWS.DynamoDB.Table
EC2¶
AWS.EC2.CustomerGateway
AWS.EC2.DhcpOptions
AWS.EC2.DhcpOptionsAssociation
AWS.EC2.EgressOnlyInternetGateway
AWS.EC2.ElasticIP
AWS.EC2.FlowLog
AWS.EC2.Instance
AWS.EC2.InternetGateway
AWS.EC2.KeyPair
AWS.EC2.NATGateway
AWS.EC2.NetworkACL
AWS.EC2.NetworkInterface
AWS.EC2.PlacementGroup
AWS.EC2.RouteTable
AWS.EC2.RouteTableAssociation
AWS.EC2.SecurityGroup
AWS.EC2.Subnet
AWS.EC2.Volume
AWS.EC2.Vpc
AWS.EC2.VpcIpv4CidrBlockAssociation
AWS.EC2.VpcPeeringConnection
AWS.EC2.VpnConnection
AWS.EC2.VpnConnectionRoute
AWS.EC2.VpnGateway
ECR¶
AWS.ECR.Repository
ECS¶
AWS.ECS.Cluster
AWS.ECS.Service
AWS.ECS.Task
AWS.ECS.TaskDefinition
ELB¶
AWS.ELB.BackendServerPolicy
AWS.ELB.ListenerPolicy
AWS.ELB.LoadBalancer
AWS.ELB.Policy
ELBv2¶
AWS.ELBv2.Listener
AWS.ELBv2.ListenerRule
AWS.ELBv2.LoadBalancer
AWS.ELBv2.TargetGroup
ElastiCache¶
Note
When ElastiCache.Cluster resources belong to an ElastiCache.ReplicationGroup, the clusters themselves are not scanned but the replication group is. The replication group manages the clusters and contains all of the relevant settings, so there is no need to scan the clusters individually. In contrast, ElastiCache clusters that do not belong to a replication group are scanned individually.
AWS.ElastiCache.Cluster
AWS.ElastiCache.ParameterGroup
AWS.ElastiCache.ReplicationGroup
Glacier – beta¶
AWS.Glacier.Vault
IAM¶
AWS.IAM.AccessKey
AWS.IAM.AccountPasswordPolicy
AWS.IAM.CredentialReport
AWS.IAM.Group
AWS.IAM.GroupMembership
AWS.IAM.GroupPolicy
AWS.IAM.GroupPolicyAttachment
AWS.IAM.InstanceProfile
AWS.IAM.OpenIDConnectProvider
AWS.IAM.Policy
AWS.IAM.Role
AWS.IAM.RolePolicy
AWS.IAM.RolePolicyAttachment
AWS.IAM.SAMLProvider
AWS.IAM.User
AWS.IAM.UserPolicy
AWS.IAM.UserPolicyAttachment
Inspector – beta¶
AWS.Inspector.AssessmentTarget
AWS.Inspector.AssessmentTemplate
KMS¶
AWS.KMS.Alias
AWS.KMS.Grant
AWS.KMS.Key
Kinesis – beta¶
AWS.Kinesis.Stream
AWS.KinesisFirehose.DeliveryStream
Lambda¶
AWS.Lambda.Alias
AWS.Lambda.EventSourceMapping
AWS.Lambda.Function
Organizations – beta¶
AWS.Organizations.Organization
RDS¶
AWS.RDS.Cluster
AWS.RDS.ClusterParameterGroup
AWS.RDS.EventSubscription
AWS.RDS.Instance
AWS.RDS.OptionGroup
AWS.RDS.ParameterGroup
AWS.RDS.SubnetGroup
Redshift¶
AWS.Redshift.Cluster
AWS.Redshift.ParameterGroup
AWS.Redshift.SubnetGroup
S3¶
AWS.S3.Bucket
AWS.S3.BucketInventory
AWS.S3.BucketMetric
AWS.S3.BucketNotification
AWS.S3.BucketPolicy
AWS.S3.BucketPublicAccessBlock
Step Functions (SFN)¶
AWS.SFN.StateMachine
SNS¶
AWS.SNS.Subscription
AWS.SNS.Topic
SQS¶
AWS.SQS.Queue
Systems Manager (SSM) – beta¶
AWS.SSM.Activation
AWS.SSM.Association
AWS.SSM.Document
AWS.SSM.MaintenanceWindow
AWS.SSM.MaintenanceWindowTarget
AWS.SSM.MaintenanceWindowTask
AWS.SSM.Parameter
AWS.SSM.PatchBaseline
AWS.SSM.PatchGroup
AWS.SSM.ResourceDataSync
Supported Services: Microsoft Azure¶
Compute¶
Azure.Compute.ManagedDisk
Azure.Compute.VirtualMachine
Network¶
Azure.Network.LocalNetworkGateway
Azure.Network.NetworkInterface
Azure.Network.NetworkSecurityGroup
Azure.Network.NetworkSecurityRule
Azure.Network.NetworkWatcher
Azure.Network.PublicIPAddress
Azure.Network.Subnet
Azure.Network.VirtualNetwork
Azure.Network.VirtualNetworkGateway
Azure.Network.VirtualNetworkGatewayConnection
SQL¶
Azure.SQL.FirewallRule
Azure.SQL.Server
Storage¶
Azure.Storage.Account
Changing Resource Selection¶
New Environments¶
To set up a new AWS or AWS GovCloud environment to scan/enforce specific resource, see Select Resources.
To set up a new Azure environment to scan/enforce specific resource groups, see Select Resource Groups.
Existing Environments¶
To change which AWS & AWS GovCloud services are scanned/enforced, select the desired resources in the Environment Settings dialog (the cog icon
in the top right of the screen), then update Fugue’s IAM role. See Update IAM Role for details.To remove Azure resource groups from being scanned/enforced in an environment, uncheck the resource groups in the Environment Settings dialog (the cog icon
in the top right of the screen). To add new resource groups to an environment, you must use the Fugue API. See Updating Selected Resource Groups for details.
Resources Under Management¶
Fugue determines the number of resources under management (RUM) for customers based on the AWS and Azure resource types as specified above. The following exceptions apply:
Duplicate resources are excluded when determining RUM.
AWS.IAM.Policy: AWS managed IAM policies are excluded when determining RUM.
Supported AWS and AWS GovCloud regions¶
Fugue supports the following regions:
US East (N. Virginia) - us-east-1
US East (Ohio) - us-east-2
US West (N. California) - us-west-1
US West (Oregon) - us-west-2
Asia Pacific (Mumbai) - ap-south-1
Asia Pacific (Seoul) - ap-northeast-2
Asia Pacific (Singapore) - ap-southeast-1
Asia Pacific (Sydney) - ap-southeast-2
Asia Pacific (Tokyo) - ap-northeast-1
Canada (Central) - ca-central-1
EU (Frankfurt) - eu-central-1
EU (Ireland) - eu-west-1
EU (London) - eu-west-2
EU (Paris) - eu-west-3
South America (São Paulo) - sa-east-1
AWS GovCloud (US-East) - us-gov-east-1
AWS GovCloud (US) - us-gov-west-1
Resource Types That Don’t Report Drift¶
By design, Fugue does not report drift for certain resource types, such as those that are dynamic, AWS-managed, or manually tagged with a fugue:transient tag:
AWS.EC2.ElasticIP
AWS.EC2.Instance if it is in an autoscaling group
AWS.EC2.NetworkInterface
AWS.EC2.SpotFleetRequest
AWS.EC2.Volume
AWS.ECS.Task
AWS.ELBv2.ListenerRule
AWS.IAM.CredentialReport
AWS.IAM.Policy if it is owned and managed by AWS (see AWS docs)
AWS.Inspector.AssessmentTarget
AWS.Inspector.AssessmentTemplate
AWS.SSM.Association
AWS.SSM.Document
Any AWS or Azure resource with a fugue:transient tag