Service Coverage

The following services and resources are supported in the latest version of Fugue.

Note

To interact with the API using query parameters, use the resource names as formatted below. When using request body parameters, add quotation marks around each resource name like this: "AWS.AutoScaling.AutoScalingGroup", "AWS.SNS.Topic", etc.

AWS Standard Regions

ACM

  • AWS.ACM.Certificate

API Gateway

  • AWS.ApiGateway.Authorizer

  • AWS.ApiGateway.ClientCertificate

  • AWS.ApiGateway.Deployment

  • AWS.ApiGateway.DomainName

  • AWS.ApiGateway.RequestValidator

  • AWS.ApiGateway.Resource

  • AWS.ApiGateway.RestApi

  • AWS.ApiGateway.Stage

  • AWS.ApiGateway.UsagePlan

  • AWS.ApiGateway.VpcLink

AutoScaling

  • AWS.AutoScaling.AutoScalingGroup

  • AWS.AutoScaling.LaunchConfiguration

  • AWS.AutoScaling.LaunchTemplate

  • AWS.AutoScaling.LifecycleHook

  • AWS.AutoScaling.Policy

  • AWS.AutoScaling.Schedule

CloudFront

  • AWS.CloudFront.Distribution

CloudTrail

  • AWS.CloudTrail.Trail

CloudWatch

  • AWS.CloudWatch.Dashboard

  • AWS.CloudWatch.MetricAlarm

  • AWS.CloudWatchEvents.Rule

  • AWS.CloudWatchEvents.Target

  • AWS.CloudWatchLogs.Destination

  • AWS.CloudWatchLogs.DestinationPolicy

  • AWS.CloudWatchLogs.LogGroup

  • AWS.CloudWatchLogs.MetricFilter

  • AWS.CloudWatchLogs.ResourcePolicy

  • AWS.CloudWatchLogs.SubscriptionFilter

Cognito

  • AWS.Cognito.IdentityProvider

  • AWS.Cognito.ResourceServer

  • AWS.Cognito.UserGroup

  • AWS.Cognito.UserPool

  • AWS.Cognito.UserPoolClient

  • AWS.Cognito.UserPoolDomain

Config

  • AWS.Config.AggregationAuthorization

  • AWS.Config.ConfigurationAggregator

  • AWS.Config.ConfigurationRecorder

  • AWS.Config.ConfigurationRecorderStatus

  • AWS.Config.DeliveryChannel

  • AWS.Config.Rule

DynamoDB

  • AWS.DynamoDB.Table

EC2

  • AWS.EC2.CustomerGateway

  • AWS.EC2.DhcpOptions

  • AWS.EC2.DhcpOptionsAssociation

  • AWS.EC2.EgressOnlyInternetGateway

  • AWS.EC2.ElasticIP

  • AWS.EC2.FlowLog

  • AWS.EC2.Instance

  • AWS.EC2.InternetGateway

  • AWS.EC2.KeyPair

  • AWS.EC2.NATGateway

  • AWS.EC2.NetworkACL

  • AWS.EC2.NetworkInterface

  • AWS.EC2.PlacementGroup

  • AWS.EC2.RouteTable

  • AWS.EC2.RouteTableAssociation

  • AWS.EC2.SecurityGroup

  • AWS.EC2.SpotFleetRequest

  • AWS.EC2.Subnet

  • AWS.EC2.Volume

  • AWS.EC2.Vpc

  • AWS.EC2.VpcEndpoint

  • AWS.EC2.VpcEndpointConnectionNotification

  • AWS.EC2.VpcEndpointService

  • AWS.EC2.VpcIpv4CidrBlockAssociation

  • AWS.EC2.VpcPeeringConnection

  • AWS.EC2.VpnConnection

  • AWS.EC2.VpnConnectionRoute

  • AWS.EC2.VpnGateway

ECR

  • AWS.ECR.Repository

ECS

  • AWS.ECS.Cluster

  • AWS.ECS.Service

  • AWS.ECS.TaskDefinition

EKS

  • AWS.EKS.Cluster

ELB

  • AWS.ELB.BackendServerPolicy

  • AWS.ELB.ListenerPolicy

  • AWS.ELB.LoadBalancer

  • AWS.ELB.Policy

ELBv2

  • AWS.ELBv2.Listener

  • AWS.ELBv2.ListenerRule

  • AWS.ELBv2.LoadBalancer

  • AWS.ELBv2.TargetGroup

ElastiCache

Note

When ElastiCache.Cluster resources belong to an ElastiCache.ReplicationGroup, the clusters themselves are not scanned but the replication group is. The replication group manages the clusters and contains all of the relevant settings, so there is no need to scan the clusters individually. In contrast, ElastiCache clusters that do not belong to a replication group are scanned individually.

  • AWS.ElastiCache.Cluster

  • AWS.ElastiCache.ParameterGroup

  • AWS.ElastiCache.ReplicationGroup

GuardDuty

  • AWS.GuardDuty.Detector

  • AWS.GuardDuty.Member

IAM

  • AWS.IAM.AccessKey

  • AWS.IAM.AccountPasswordPolicy

  • AWS.IAM.CredentialReport

  • AWS.IAM.Group

  • AWS.IAM.GroupMembership

  • AWS.IAM.GroupPolicy

  • AWS.IAM.GroupPolicyAttachment

  • AWS.IAM.InstanceProfile

  • AWS.IAM.OpenIDConnectProvider

  • AWS.IAM.Policy

  • AWS.IAM.Role

  • AWS.IAM.RolePolicy

  • AWS.IAM.RolePolicyAttachment

  • AWS.IAM.SAMLProvider

  • AWS.IAM.User

  • AWS.IAM.UserPolicy

  • AWS.IAM.UserPolicyAttachment

KMS

  • AWS.KMS.Alias

  • AWS.KMS.Grant

  • AWS.KMS.Key

Lambda

  • AWS.Lambda.Alias

  • AWS.Lambda.EventSourceMapping

  • AWS.Lambda.Function

Macie

  • AWS.Macie.MemberAccountAssociation

  • AWS.Macie.S3BucketAssociation

MediaStore

  • AWS.MediaStore.Container

  • AWS.MediaStore.ContainerPolicy

RDS

  • AWS.RDS.Cluster

  • AWS.RDS.ClusterParameterGroup

  • AWS.RDS.EventSubscription

  • AWS.RDS.Instance

  • AWS.RDS.OptionGroup

  • AWS.RDS.ParameterGroup

  • AWS.RDS.SubnetGroup

Redshift

  • AWS.Redshift.Cluster

  • AWS.Redshift.ParameterGroup

  • AWS.Redshift.SubnetGroup

Route 53

  • AWS.Route53.DelegationSet

  • AWS.Route53.HealthCheck

  • AWS.Route53.QueryLog

  • AWS.Route53.Record

  • AWS.Route53.Zone

S3

  • AWS.S3.Bucket

  • AWS.S3.BucketInventory

  • AWS.S3.BucketMetric

  • AWS.S3.BucketNotification

  • AWS.S3.BucketPolicy

  • AWS.S3.BucketPublicAccessBlock

Step Functions (SFN)

  • AWS.SFN.StateMachine

SNS

  • AWS.SNS.Subscription

  • AWS.SNS.Topic

SQS

  • AWS.SQS.Queue

Secrets Manager

  • AWS.SecretsManager.Secret

WAF

  • AWS.WAF.WebACL

Supported Services: AWS GovCloud

ACM

  • AWS.ACM.Certificate

API Gateway

  • AWS.ApiGateway.Authorizer

  • AWS.ApiGateway.ClientCertificate

  • AWS.ApiGateway.Deployment

  • AWS.ApiGateway.DomainName

  • AWS.ApiGateway.RequestValidator

  • AWS.ApiGateway.Resource

  • AWS.ApiGateway.RestApi

  • AWS.ApiGateway.Stage

  • AWS.ApiGateway.UsagePlan

  • AWS.ApiGateway.VpcLink

AutoScaling

  • AWS.AutoScaling.AutoScalingGroup

  • AWS.AutoScaling.LaunchConfiguration

  • AWS.AutoScaling.LaunchTemplate

  • AWS.AutoScaling.LifecycleHook

  • AWS.AutoScaling.Policy

  • AWS.AutoScaling.Schedule

CloudTrail

  • AWS.CloudTrail.Trail

CloudWatch

  • AWS.CloudWatch.Dashboard

  • AWS.CloudWatch.MetricAlarm

  • AWS.CloudWatchEvents.Rule

  • AWS.CloudWatchEvents.Target

  • AWS.CloudWatchLogs.Destination

  • AWS.CloudWatchLogs.DestinationPolicy

  • AWS.CloudWatchLogs.LogGroup

  • AWS.CloudWatchLogs.MetricFilter

  • AWS.CloudWatchLogs.ResourcePolicy

  • AWS.CloudWatchLogs.SubscriptionFilter

Config

  • AWS.Config.ConfigurationRecorder

  • AWS.Config.ConfigurationRecorderStatus

  • AWS.Config.DeliveryChannel

  • AWS.Config.Rule

DynamoDB

  • AWS.DynamoDB.Table

EC2

  • AWS.EC2.CustomerGateway

  • AWS.EC2.DhcpOptions

  • AWS.EC2.DhcpOptionsAssociation

  • AWS.EC2.EgressOnlyInternetGateway

  • AWS.EC2.ElasticIP

  • AWS.EC2.FlowLog

  • AWS.EC2.Instance

  • AWS.EC2.InternetGateway

  • AWS.EC2.KeyPair

  • AWS.EC2.NATGateway

  • AWS.EC2.NetworkACL

  • AWS.EC2.NetworkInterface

  • AWS.EC2.PlacementGroup

  • AWS.EC2.RouteTable

  • AWS.EC2.RouteTableAssociation

  • AWS.EC2.SecurityGroup

  • AWS.EC2.Subnet

  • AWS.EC2.Volume

  • AWS.EC2.Vpc

  • AWS.EC2.VpcIpv4CidrBlockAssociation

  • AWS.EC2.VpcPeeringConnection

  • AWS.EC2.VpnConnection

  • AWS.EC2.VpnConnectionRoute

  • AWS.EC2.VpnGateway

ECR

  • AWS.ECR.Repository

ECS

  • AWS.ECS.Cluster

  • AWS.ECS.Service

  • AWS.ECS.TaskDefinition

ELB

  • AWS.ELB.BackendServerPolicy

  • AWS.ELB.ListenerPolicy

  • AWS.ELB.LoadBalancer

  • AWS.ELB.Policy

ELBv2

  • AWS.ELBv2.Listener

  • AWS.ELBv2.ListenerRule

  • AWS.ELBv2.LoadBalancer

  • AWS.ELBv2.TargetGroup

ElastiCache

Note

When ElastiCache.Cluster resources belong to an ElastiCache.ReplicationGroup, the clusters themselves are not scanned but the replication group is. The replication group manages the clusters and contains all of the relevant settings, so there is no need to scan the clusters individually. In contrast, ElastiCache clusters that do not belong to a replication group are scanned individually.

  • AWS.ElastiCache.Cluster

  • AWS.ElastiCache.ParameterGroup

  • AWS.ElastiCache.ReplicationGroup

IAM

  • AWS.IAM.AccessKey

  • AWS.IAM.AccountPasswordPolicy

  • AWS.IAM.CredentialReport

  • AWS.IAM.Group

  • AWS.IAM.GroupMembership

  • AWS.IAM.GroupPolicy

  • AWS.IAM.GroupPolicyAttachment

  • AWS.IAM.InstanceProfile

  • AWS.IAM.OpenIDConnectProvider

  • AWS.IAM.Policy

  • AWS.IAM.Role

  • AWS.IAM.RolePolicy

  • AWS.IAM.RolePolicyAttachment

  • AWS.IAM.SAMLProvider

  • AWS.IAM.User

  • AWS.IAM.UserPolicy

  • AWS.IAM.UserPolicyAttachment

KMS

  • AWS.KMS.Alias

  • AWS.KMS.Grant

  • AWS.KMS.Key

Lambda

  • AWS.Lambda.Alias

  • AWS.Lambda.EventSourceMapping

  • AWS.Lambda.Function

RDS

  • AWS.RDS.Cluster

  • AWS.RDS.ClusterParameterGroup

  • AWS.RDS.EventSubscription

  • AWS.RDS.Instance

  • AWS.RDS.OptionGroup

  • AWS.RDS.ParameterGroup

  • AWS.RDS.SubnetGroup

Redshift

  • AWS.Redshift.Cluster

  • AWS.Redshift.ParameterGroup

  • AWS.Redshift.SubnetGroup

S3

  • AWS.S3.Bucket

  • AWS.S3.BucketInventory

  • AWS.S3.BucketMetric

  • AWS.S3.BucketNotification

  • AWS.S3.BucketPolicy

  • AWS.S3.BucketPublicAccessBlock

Step Functions (SFN)

  • AWS.SFN.StateMachine

SNS

  • AWS.SNS.Subscription

  • AWS.SNS.Topic

SQS

  • AWS.SQS.Queue

Supported Services: Microsoft Azure

Compute

  • Azure.Compute.ManagedDisk

  • Azure.Compute.VirtualMachine

Network

  • Azure.Network.LocalNetworkGateway

  • Azure.Network.NetworkInterface

  • Azure.Network.NetworkSecurityGroup

  • Azure.Network.NetworkSecurityRule

  • Azure.Network.NetworkWatcher

  • Azure.Network.PublicIPAddress

  • Azure.Network.Subnet

  • Azure.Network.VirtualNetwork

  • Azure.Network.VirtualNetworkGateway

  • Azure.Network.VirtualNetworkGatewayConnection

SQL

  • Azure.SQL.FirewallRule

  • Azure.SQL.Server

Storage

  • Azure.Storage.Account

Changing Resource Selection

New Environments

  • To set up a new AWS or AWS GovCloud environment to scan/enforce specific resources, see Select Resources.

  • To set up a new Azure environment to scan/enforce specific resource groups, see Select Resource Groups.

Existing Environments

  • To change which AWS & AWS GovCloud services are scanned/enforced, select the desired resources in the Environment Settings dialog (the cog icon in the top right of the screen), then update Fugue’s IAM role. See Update IAM Role for details.

  • To remove Azure resource groups from being scanned/enforced in an environment, uncheck the resource groups in the Environment Settings dialog (the cog icon in the top right of the screen). To add new resource groups to an environment, you must use the Fugue API. See Updating Selected Resource Groups for details.

Resources Under Management

Fugue determines the number of resources under management (RUM) for customers based on the AWS and Azure resource types as specified above. The following exceptions apply:

  • AWS.IAM.Policy: AWS managed IAM policies are excluded when determining RUM.