Service Coverage - AWS & AWS GovCloud¶
Note
For supported Azure services, see Service Coverage - Azure & Azure Government.
Tip
To interact with the API using query parameters, use the Fugue resource names as formatted below (the Terraform resource name is also acceptable). When using request body parameters, add quotation marks around each resource name like this: "AWS.AutoScaling.AutoScalingGroup", "AWS.SNS.Topic", etc.
The following services and resources are supported in the latest version of Fugue.
(beta) denotes resources with beta support. To request access, contact support@fugue.co.
Each resource is listed with its Terraform type in parentheses for the purpose of writing custom rules.
AWS Standard Regions: Supported Resource Types and Fugue-Recommended Resource Types
AWS GovCloud: Supported Resource Types and Fugue-Recommended Resource Types
For more information about resources and regions, see details here.
AWS Standard Regions¶
AWS Certificate Manager (ACM)¶
AWS.ACM.Certificate (aws_acm_certificate)
ACM Private Certificate Authority (ACM PCA)¶
AWS.ACMPCA.CertificateAuthority (aws_acmpca_certificate_authority)
API Gateway¶
AWS.ApiGateway.Authorizer (aws_api_gateway_authorizer)
AWS.ApiGateway.ClientCertificate (aws_api_gateway_client_certificate)
AWS.ApiGateway.Deployment (aws_api_gateway_deployment)
AWS.ApiGateway.DomainName (aws_api_gateway_domain_name)
AWS.ApiGateway.RequestValidator (aws_api_gateway_request_validator)
AWS.ApiGateway.Resource (aws_api_gateway_resource)
AWS.ApiGateway.RestApi (aws_api_gateway_rest_api)
AWS.ApiGateway.Stage (aws_api_gateway_stage)
AWS.ApiGateway.UsagePlan (aws_api_gateway_usage_plan)
AWS.ApiGateway.VpcLink (aws_api_gateway_vpc_link)
Auto Scaling¶
AWS.AutoScaling.AutoScalingGroup (aws_autoscaling_group)
AWS.AutoScaling.LaunchConfiguration (aws_launch_configuration)
AWS.AutoScaling.LaunchTemplate (aws_launch_template)
AWS.AutoScaling.LifecycleHook (aws_autoscaling_lifecycle_hook)
AWS.AutoScaling.Policy (aws_autoscaling_policy)
AWS.AutoScaling.Schedule (aws_autoscaling_schedule)
CloudFront¶
AWS.CloudFront.Distribution (aws_cloudfront_distribution)
CloudTrail¶
AWS.CloudTrail.Trail (aws_cloudtrail)
CloudWatch¶
AWS.CloudWatch.Dashboard (aws_cloudwatch_dashboard)
AWS.CloudWatch.MetricAlarm (aws_cloudwatch_metric_alarm)
AWS.CloudWatchEvents.Rule (aws_cloudwatch_event_rule)
AWS.CloudWatchEvents.Target (aws_cloudwatch_event_target)
AWS.CloudWatchLogs.Destination (aws_cloudwatch_log_destination)
AWS.CloudWatchLogs.DestinationPolicy (aws_cloudwatch_log_destination_policy)
AWS.CloudWatchLogs.LogGroup (aws_cloudwatch_log_group)
AWS.CloudWatchLogs.MetricFilter (aws_cloudwatch_log_metric_filter)
AWS.CloudWatchLogs.ResourcePolicy (aws_cloudwatch_log_resource_policy)
AWS.CloudWatchLogs.SubscriptionFilter (aws_cloudwatch_log_subscription_filter)
Cognito¶
AWS.Cognito.IdentityProvider (aws_cognito_identity_provider)
AWS.Cognito.ResourceServer (aws_cognito_resource_server)
AWS.Cognito.UserGroup (aws_cognito_user_group)
AWS.Cognito.UserPool (aws_cognito_user_pool)
AWS.Cognito.UserPoolClient (aws_cognito_user_pool_client)
AWS.Cognito.UserPoolDomain (aws_cognito_user_pool_domain)
Config¶
AWS.Config.AggregationAuthorization (aws_config_aggregate_authorization)
AWS.Config.ConfigurationAggregator (aws_config_configuration_aggregator)
AWS.Config.ConfigurationRecorder (aws_config_configuration_recorder)
AWS.Config.ConfigurationRecorderStatus (aws_config_configuration_recorder_status)
AWS.Config.DeliveryChannel (aws_config_delivery_channel)
AWS.Config.Rule (aws_config_config_rule)
Directory Service¶
AWS.DirectoryService.ConditionalForwarder (aws_directory_service_conditional_forwarder)
AWS.DirectoryService.Directory (aws_directory_service_directory)
DynamoDB¶
AWS.DynamoDB.Table (aws_dynamodb_table)
EC2¶
Note
Fugue does not support the legacy EC2-Classic platform.
AWS.EC2.CustomerGateway (aws_customer_gateway)
AWS.EC2.DhcpOptions (aws_vpc_dhcp_options)
AWS.EC2.DhcpOptionsAssociation (aws_vpc_dhcp_options_association)
AWS.EC2.EgressOnlyInternetGateway (aws_egress_only_internet_gateway)
AWS.EC2.ElasticIP (aws_eip)
AWS.EC2.FlowLog (aws_flow_log)
AWS.EC2.Image (aws_ami)
AWS.EC2.Instance (aws_instance)
AWS.EC2.InternetGateway (aws_internet_gateway)
AWS.EC2.KeyPair (aws_key_pair)
AWS.EC2.NATGateway (aws_nat_gateway)
AWS.EC2.NetworkACL (aws_network_acl)
AWS.EC2.NetworkInterface (aws_network_interface)
AWS.EC2.PlacementGroup (aws_placement_group)
AWS.EC2.RouteTable (aws_route_table)
AWS.EC2.RouteTableAssociation (aws_route_table_association)
AWS.EC2.SecurityGroup (aws_security_group)
AWS.EC2.SpotFleetRequest (aws_spot_fleet_request)
AWS.EC2.Subnet (aws_subnet)
AWS.EC2.Volume (aws_ebs_volume)
AWS.EC2.Vpc (aws_vpc)
AWS.EC2.VpcEndpoint (aws_vpc_endpoint)
AWS.EC2.VpcEndpointConnectionNotification (aws_vpc_endpoint_connection_notification)
AWS.EC2.VpcEndpointService (aws_vpc_endpoint_service)
AWS.EC2.VpcIpv4CidrBlockAssociation (aws_vpc_ipv4_cidr_block_association)
AWS.EC2.VpcPeeringConnection (aws_vpc_peering_connection)
AWS.EC2.VpnConnection (aws_vpn_connection)
AWS.EC2.VpnConnectionRoute (aws_vpn_connection_route)
AWS.EC2.VpnGateway (aws_vpn_gateway)
ECR¶
AWS.ECR.Repository (aws_ecr_repository)
ECS¶
AWS.ECS.Cluster (aws_ecs_cluster)
AWS.ECS.Service (aws_ecs_service)
AWS.ECS.Task (aws_ecs_task)
AWS.ECS.TaskDefinition (aws_ecs_task_definition)
EFS¶
AWS.EFS.FileSystem (aws_efs_file_system)
AWS.EFS.MountTarget (aws_efs_mount_target)
EKS¶
AWS.EKS.Cluster (aws_eks_cluster)
ELB (Elastic Load Balancing)¶
AWS.ELB.BackendServerPolicy (aws_load_balancer_backend_server_policy)
AWS.ELB.ListenerPolicy (aws_load_balancer_listener_policy)
AWS.ELB.LoadBalancer (aws_elb)
AWS.ELB.Policy (aws_load_balancer_policy)
ELBv2 (Elastic Load Balancing v2)¶
AWS.ELBv2.Listener (aws_lb_listener)
AWS.ELBv2.ListenerRule (aws_lb_listener_rule)
AWS.ELBv2.LoadBalancer (aws_lb)
AWS.ELBv2.TargetGroup (aws_lb_target_group)
ElastiCache¶
Note
When ElastiCache.Cluster resources belong to an ElastiCache.ReplicationGroup, the clusters themselves are not scanned but the replication group is. The replication group manages the clusters and contains all of the relevant settings, so there is no need to scan the clusters individually. In contrast, ElastiCache clusters that do not belong to a replication group are scanned individually.
AWS.ElastiCache.Cluster (aws_elasticache_cluster)
AWS.ElastiCache.ParameterGroup (aws_elasticache_parameter_group)
AWS.ElastiCache.ReplicationGroup (aws_elasticache_replication_group)
Glacier (S3 Glacier)¶
AWS.Glacier.Vault (aws_glacier_vault)
GuardDuty¶
AWS.GuardDuty.Detector (aws_guardduty_detector)
AWS.GuardDuty.Member (aws_guardduty_member)
IAM (Identity & Access Management)¶
AWS.IAM.AccessKey (aws_iam_access_key)
AWS.IAM.AccountPasswordPolicy (aws_iam_account_password_policy)
AWS.IAM.CredentialReport (aws_iam_credential_report)
AWS.IAM.Group (aws_iam_group)
AWS.IAM.GroupMembership (aws_iam_group_membership)
AWS.IAM.GroupPolicy (aws_iam_group_policy)
AWS.IAM.GroupPolicyAttachment (aws_iam_group_policy_attachment)
AWS.IAM.InstanceProfile (aws_iam_instance_profile)
AWS.IAM.OpenIDConnectProvider (aws_iam_openid_connect_provider)
AWS.IAM.Policy (aws_iam_policy)
AWS.IAM.Role (aws_iam_role)
AWS.IAM.RolePolicy (aws_iam_role_policy)
AWS.IAM.RolePolicyAttachment (aws_iam_role_policy_attachment)
AWS.IAM.SAMLProvider (aws_iam_saml_provider)
AWS.IAM.User (aws_iam_user)
AWS.IAM.UserPolicy (aws_iam_user_policy)
AWS.IAM.UserPolicyAttachment (aws_iam_user_policy_attachment)
IAM Access Analyzer (beta)¶
AWS.AccessAnalyzer.Analyzer (aws_accessanalyzer_analyzer)
Inspector¶
AWS.Inspector.AssessmentTarget (aws_inspector_assessment_target)
AWS.Inspector.AssessmentTemplate (aws_inspector_assessment_template)
KMS (Key Management Service)¶
AWS.KMS.Alias (aws_kms_alias)
AWS.KMS.Grant (aws_kms_grant)
AWS.KMS.Key (aws_kms_key)
Kinesis¶
AWS.Kinesis.Stream (aws_kinesis_stream)
AWS.KinesisFirehose.DeliveryStream (aws_kinesis_firehose_delivery_stream)
Lambda¶
AWS.Lambda.Alias (aws_lambda_alias)
AWS.Lambda.EventSourceMapping (aws_lambda_event_source_mapping)
AWS.Lambda.Function (aws_lambda_function)
Macie¶
AWS.Macie.MemberAccountAssociation (aws_macie_member_account_association)
AWS.Macie.S3BucketAssociation (aws_macie_s3_bucket_association)
MediaStore (Elemental MediaStore)¶
AWS.MediaStore.Container (aws_media_store_container)
AWS.MediaStore.ContainerPolicy (aws_media_store_container_policy)
Organizations¶
AWS.Organizations.Organization (aws_organizations_organization)
RDS¶
AWS.RDS.Cluster (aws_rds_cluster)
AWS.RDS.ClusterParameterGroup (aws_rds_cluster_parameter_group)
AWS.RDS.EventSubscription (aws_db_event_subscription)
AWS.RDS.Instance (aws_db_instance)
AWS.RDS.OptionGroup (aws_db_option_group)
AWS.RDS.ParameterGroup (aws_db_parameter_group)
AWS.RDS.SubnetGroup (aws_db_subnet_group)
Redshift¶
AWS.Redshift.Cluster (aws_redshift_cluster)
AWS.Redshift.ParameterGroup (aws_redshift_parameter_group)
AWS.Redshift.SubnetGroup (aws_redshift_subnet_group)
Route 53¶
AWS.Route53.DelegationSet (aws_route53_delegation_set)
AWS.Route53.HealthCheck (aws_route53_health_check)
AWS.Route53.QueryLog (aws_route53_query_log)
AWS.Route53.Record (aws_route53_record)
AWS.Route53.Zone (aws_route53_zone)
AWS.Route53.ZoneAssociation (aws_route53_zone_association)
S3¶
AWS.S3.Bucket (aws_s3_bucket)
AWS.S3.BucketInventory (aws_s3_bucket_inventory)
AWS.S3.BucketMetric (aws_s3_bucket_metric)
AWS.S3.BucketNotification (aws_s3_bucket_notification)
AWS.S3.BucketPolicy (aws_s3_bucket_policy)
AWS.S3.BucketPublicAccessBlock (aws_s3_bucket_public_access_block)
Step Functions (SFN)¶
AWS.SFN.StateMachine (aws_sfn_state_machine)
SNS¶
AWS.SNS.Subscription (aws_sns_topic_subscription)
AWS.SNS.Topic (aws_sns_topic)
SQS¶
AWS.SQS.Queue (aws_sqs_queue)
Systems Manager (SSM)¶
AWS.SSM.Activation (aws_ssm_activation)
AWS.SSM.Association (aws_ssm_association)
AWS.SSM.Document (aws_ssm_document)
AWS.SSM.MaintenanceWindow (aws_ssm_maintenance_window)
AWS.SSM.MaintenanceWindowTarget (aws_ssm_maintenance_window_target)
AWS.SSM.MaintenanceWindowTask (aws_ssm_maintenance_window_task)
AWS.SSM.Parameter (aws_ssm_parameter)
AWS.SSM.PatchBaseline (aws_ssm_patch_baseline)
AWS.SSM.PatchGroup (aws_ssm_patch_group)
AWS.SSM.ResourceDataSync (aws_ssm_resource_data_sync)
Secrets Manager¶
AWS.SecretsManager.Secret (aws_secretsmanager_secret)
WAF¶
AWS.WAF.ByteMatchSet (aws_waf_byte_match_set)
AWS.WAF.GeoMatchSet (aws_waf_geo_match_set)
AWS.WAF.RateBasedRule (aws_waf_rate_based_rule)
AWS.WAF.RegexMatchSet (aws_waf_regex_match_set)
AWS.WAF.RegexPatternSet (aws_waf_regex_pattern_set)
AWS.WAF.Rule (aws_waf_rule)
AWS.WAF.RuleGroup (aws_waf_rule_group)
AWS.WAF.SQLInjectionMatchSet (aws_waf_sql_injection_match_set)
AWS.WAF.SizeConstraintSet (aws_waf_size_constraint_set)
AWS.WAF.WebACL (aws_waf_web_acl)
AWS.WAF.XSSMatchSet (aws_waf_xss_match_set)
WAFRegional¶
AWS.WAFRegional.ByteMatchSet (aws_wafregional_byte_match_set)
AWS.WAFRegional.GeoMatchSet (aws_wafregional_geo_match_set)
AWS.WAFRegional.RateBasedRule (aws_wafregional_rate_based_rule)
AWS.WAFRegional.RegexMatchSet (aws_wafregional_regex_match_set)
AWS.WAFRegional.RegexPatternSet (aws_wafregional_regex_pattern_set)
AWS.WAFRegional.Rule (aws_wafregional_rule)
AWS.WAFRegional.RuleGroup (aws_wafregional_rule_group)
AWS.WAFRegional.SQLInjectionMatchSet (aws_wafregional_sql_injection_match_set)
AWS.WAFRegional.SizeConstraintSet (aws_wafregional_size_constraint_set)
AWS.WAFRegional.WebACL (aws_wafregional_web_acl)
AWS.WAFRegional.XSSMatchSet (aws_wafregional_xss_match_set)
WAFv2¶
AWS.WAFv2.LoggingConfiguration (aws_wafv2_logging_configuration)
AWS.WAFv2.RegexPatternSet (aws_wafv2_regex_pattern_set)
AWS.WAFv2.RuleGroup (aws_wafv2_rule_group)
AWS.WAFv2.WebACL (aws_wafv2_web_acl)
AWS.WAFv2.WebACLAssociation (aws_wafv2_web_acl_association)
Recommended Resource Types: AWS¶
In order to get the most out of Fugue, you can opt to scan a Fugue-recommended set of resource types. We’ve chosen these resources because of their high impact on security, and they include security groups, IAM roles, S3 buckets, and more.
AWS Certificate Manager (ACM)¶
AWS.ACM.Certificate (aws_acm_certificate)
API Gateway¶
AWS.ApiGateway.Authorizer (aws_api_gateway_authorizer)
AWS.ApiGateway.ClientCertificate (aws_api_gateway_client_certificate)
AWS.ApiGateway.Deployment (aws_api_gateway_deployment)
AWS.ApiGateway.DomainName (aws_api_gateway_domain_name)
AWS.ApiGateway.RequestValidator (aws_api_gateway_request_validator)
AWS.ApiGateway.Resource (aws_api_gateway_resource)
AWS.ApiGateway.RestApi (aws_api_gateway_rest_api)
AWS.ApiGateway.Stage (aws_api_gateway_stage)
AWS.ApiGateway.UsagePlan (aws_api_gateway_usage_plan)
AWS.ApiGateway.VpcLink (aws_api_gateway_vpc_link)
API Gateway Version 2 (beta)¶
AWS.ApiGatewayV2.Api (aws_apigatewayv2_api)
AWS.ApiGatewayV2.ApiMapping (aws_apigatewayv2_api_mapping)
AWS.ApiGatewayV2.Authorizer (aws_apigatewayv2_authorizer)
AWS.ApiGatewayV2.Deployment (aws_apigatewayv2_deployment)
AWS.ApiGatewayV2.DomainName (aws_apigatewayv2_domain_name)
AWS.ApiGatewayV2.Integration (aws_apigatewayv2_integration)
AWS.ApiGatewayV2.IntegrationResponse (aws_apigatewayv2_integration_response)
AWS.ApiGatewayV2.Model (aws_apigatewayv2_model)
AWS.ApiGatewayV2.Route (aws_apigatewayv2_route)
AWS.ApiGatewayV2.RouteResponse (aws_apigatewayv2_route_response)
AWS.ApiGatewayV2.Stage (aws_apigatewayv2_stage)
AWS.ApiGatewayV2.VpcLink (aws_apigatewayv2_vpc_link)
Athena (beta)¶
AWS.Athena.Workgroup (aws_athena_workgroup)
Auto Scaling¶
AWS.AutoScaling.AutoScalingGroup (aws_autoscaling_group)
AWS.AutoScaling.LaunchConfiguration (aws_launch_configuration)
AWS.AutoScaling.LaunchTemplate (aws_launch_template)
AWS.AutoScaling.LifecycleHook (aws_autoscaling_lifecycle_hook)
AWS.AutoScaling.Policy (aws_autoscaling_policy)
AWS.AutoScaling.Schedule (aws_autoscaling_schedule)
CloudFormation (beta)¶
AWS.CloudFormation.Stack (aws_cloudformation_stack)
AWS.CloudFormation.StackSet (aws_cloudformation_stack_set)
CloudFront¶
AWS.CloudFront.Distribution (aws_cloudfront_distribution)
CloudTrail¶
AWS.CloudTrail.Trail (aws_cloudtrail)
CloudWatch¶
AWS.CloudWatch.Dashboard (aws_cloudwatch_dashboard)
AWS.CloudWatch.MetricAlarm (aws_cloudwatch_metric_alarm)
AWS.CloudWatchEvents.Rule (aws_cloudwatch_event_rule)
AWS.CloudWatchEvents.Target (aws_cloudwatch_event_target)
AWS.CloudWatchLogs.Destination (aws_cloudwatch_log_destination)
AWS.CloudWatchLogs.DestinationPolicy (aws_cloudwatch_log_destination_policy)
AWS.CloudWatchLogs.LogGroup (aws_cloudwatch_log_group)
AWS.CloudWatchLogs.MetricFilter (aws_cloudwatch_log_metric_filter)
AWS.CloudWatchLogs.ResourcePolicy (aws_cloudwatch_log_resource_policy)
AWS.CloudWatchLogs.SubscriptionFilter (aws_cloudwatch_log_subscription_filter)
Cognito¶
AWS.Cognito.IdentityProvider (aws_cognito_identity_provider)
AWS.Cognito.ResourceServer (aws_cognito_resource_server)
AWS.Cognito.UserGroup (aws_cognito_user_group)
AWS.Cognito.UserPool (aws_cognito_user_pool)
AWS.Cognito.UserPoolClient (aws_cognito_user_pool_client)
AWS.Cognito.UserPoolDomain (aws_cognito_user_pool_domain)
Config¶
AWS.Config.AggregationAuthorization (aws_config_aggregate_authorization)
AWS.Config.ConfigurationAggregator (aws_config_configuration_aggregator)
AWS.Config.ConfigurationRecorder (aws_config_configuration_recorder)
AWS.Config.ConfigurationRecorderStatus (aws_config_configuration_recorder_status)
AWS.Config.DeliveryChannel (aws_config_delivery_channel)
AWS.Config.Rule (aws_config_config_rule)
DynamoDB¶
AWS.DynamoDB.Table (aws_dynamodb_table)
EC2¶
Note
Fugue does not support the legacy EC2-Classic platform.
AWS.EC2.CustomerGateway (aws_customer_gateway)
AWS.EC2.DhcpOptions (aws_vpc_dhcp_options)
AWS.EC2.DhcpOptionsAssociation (aws_vpc_dhcp_options_association)
AWS.EC2.EgressOnlyInternetGateway (aws_egress_only_internet_gateway)
AWS.EC2.ElasticIP (aws_eip)
AWS.EC2.FlowLog (aws_flow_log)
AWS.EC2.Instance (aws_instance)
AWS.EC2.InternetGateway (aws_internet_gateway)
AWS.EC2.KeyPair (aws_key_pair)
AWS.EC2.NATGateway (aws_nat_gateway)
AWS.EC2.NetworkACL (aws_network_acl)
AWS.EC2.PlacementGroup (aws_placement_group)
AWS.EC2.RouteTable (aws_route_table)
AWS.EC2.RouteTableAssociation (aws_route_table_association)
AWS.EC2.SecurityGroup (aws_security_group)
AWS.EC2.SpotFleetRequest (aws_spot_fleet_request)
AWS.EC2.Subnet (aws_subnet)
AWS.EC2.Volume (aws_ebs_volume)
AWS.EC2.Vpc (aws_vpc)
AWS.EC2.VpcEndpoint (aws_vpc_endpoint)
AWS.EC2.VpcEndpointConnectionNotification (aws_vpc_endpoint_connection_notification)
AWS.EC2.VpcEndpointService (aws_vpc_endpoint_service)
AWS.EC2.VpcIpv4CidrBlockAssociation (aws_vpc_ipv4_cidr_block_association)
AWS.EC2.VpcPeeringConnection (aws_vpc_peering_connection)
AWS.EC2.VpnConnection (aws_vpn_connection)
AWS.EC2.VpnConnectionRoute (aws_vpn_connection_route)
AWS.EC2.VpnGateway (aws_vpn_gateway)
ECR¶
AWS.ECR.Repository (aws_ecr_repository)
ECS¶
AWS.ECS.Cluster (aws_ecs_cluster)
AWS.ECS.Service (aws_ecs_service)
AWS.ECS.Task (aws_ecs_task)
AWS.ECS.TaskDefinition (aws_ecs_task_definition)
EFS¶
AWS.EFS.FileSystem (aws_efs_file_system)
AWS.EFS.MountTarget (aws_efs_mount_target)
EKS¶
AWS.EKS.Cluster (aws_eks_cluster)
ELB (Elastic Load Balancing)¶
AWS.ELB.BackendServerPolicy (aws_load_balancer_backend_server_policy)
AWS.ELB.ListenerPolicy (aws_load_balancer_listener_policy)
AWS.ELB.LoadBalancer (aws_elb)
AWS.ELB.Policy (aws_load_balancer_policy)
ELBv2 (Elastic Load Balancing v2)¶
AWS.ELBv2.Listener (aws_lb_listener)
AWS.ELBv2.ListenerRule (aws_lb_listener_rule)
AWS.ELBv2.LoadBalancer (aws_lb)
AWS.ELBv2.TargetGroup (aws_lb_target_group)
ElastiCache¶
Note
When ElastiCache.Cluster resources belong to an ElastiCache.ReplicationGroup, the clusters themselves are not scanned but the replication group is. The replication group manages the clusters and contains all of the relevant settings, so there is no need to scan the clusters individually. In contrast, ElastiCache clusters that do not belong to a replication group are scanned individually.
AWS.ElastiCache.Cluster (aws_elasticache_cluster)
AWS.ElastiCache.ParameterGroup (aws_elasticache_parameter_group)
AWS.ElastiCache.ReplicationGroup (aws_elasticache_replication_group)
Glacier (S3 Glacier)¶
AWS.Glacier.Vault (aws_glacier_vault)
GuardDuty¶
AWS.GuardDuty.Detector (aws_guardduty_detector)
AWS.GuardDuty.Member (aws_guardduty_member)
IAM (Identity & Access Management)¶
AWS.IAM.AccessKey (aws_iam_access_key)
AWS.IAM.AccountPasswordPolicy (aws_iam_account_password_policy)
AWS.IAM.CredentialReport (aws_iam_credential_report)
AWS.IAM.Group (aws_iam_group)
AWS.IAM.GroupMembership (aws_iam_group_membership)
AWS.IAM.GroupPolicy (aws_iam_group_policy)
AWS.IAM.GroupPolicyAttachment (aws_iam_group_policy_attachment)
AWS.IAM.InstanceProfile (aws_iam_instance_profile)
AWS.IAM.OpenIDConnectProvider (aws_iam_openid_connect_provider)
AWS.IAM.Policy (aws_iam_policy)
AWS.IAM.Role (aws_iam_role)
AWS.IAM.RolePolicy (aws_iam_role_policy)
AWS.IAM.RolePolicyAttachment (aws_iam_role_policy_attachment)
AWS.IAM.SAMLProvider (aws_iam_saml_provider)
AWS.IAM.User (aws_iam_user)
AWS.IAM.UserPolicy (aws_iam_user_policy)
AWS.IAM.UserPolicyAttachment (aws_iam_user_policy_attachment)
KMS (Key Management Service)¶
AWS.KMS.Alias (aws_kms_alias)
AWS.KMS.Grant (aws_kms_grant)
AWS.KMS.Key (aws_kms_key)
Kinesis¶
AWS.Kinesis.Stream (aws_kinesis_stream)
AWS.KinesisFirehose.DeliveryStream (aws_kinesis_firehose_delivery_stream)
Lambda¶
AWS.Lambda.Alias (aws_lambda_alias)
AWS.Lambda.EventSourceMapping (aws_lambda_event_source_mapping)
AWS.Lambda.Function (aws_lambda_function)
Macie¶
AWS.Macie.MemberAccountAssociation (aws_macie_member_account_association)
AWS.Macie.S3BucketAssociation (aws_macie_s3_bucket_association)
MediaStore (AWS Elemental MediaStore)¶
AWS.MediaStore.Container (aws_media_store_container)
AWS.MediaStore.ContainerPolicy (aws_media_store_container_policy)
RDS¶
AWS.RDS.Cluster (aws_rds_cluster)
AWS.RDS.ClusterParameterGroup (aws_rds_cluster_parameter_group)
AWS.RDS.EventSubscription (aws_db_event_subscription)
AWS.RDS.Instance (aws_db_instance)
AWS.RDS.OptionGroup (aws_db_option_group)
AWS.RDS.ParameterGroup (aws_db_parameter_group)
AWS.RDS.Snapshot (aws_db_snapshot) (beta)
AWS.RDS.SubnetGroup (aws_db_subnet_group)
Redshift¶
AWS.Redshift.Cluster (aws_redshift_cluster)
AWS.Redshift.ParameterGroup (aws_redshift_parameter_group)
AWS.Redshift.SubnetGroup (aws_redshift_subnet_group)
S3¶
AWS.S3.Bucket (aws_s3_bucket)
AWS.S3.BucketInventory (aws_s3_bucket_inventory)
AWS.S3.BucketMetric (aws_s3_bucket_metric)
AWS.S3.BucketNotification (aws_s3_bucket_notification)
AWS.S3.BucketPolicy (aws_s3_bucket_policy)
AWS.S3.BucketPublicAccessBlock (aws_s3_bucket_public_access_block)
Step Functions (SFN)¶
AWS.SFN.StateMachine (aws_sfn_state_machine)
SNS¶
AWS.SNS.Subscription (aws_sns_topic_subscription)
AWS.SNS.Topic (aws_sns_topic)
SQS¶
AWS.SQS.Queue (aws_sqs_queue)
WAF¶
AWS.WAF.ByteMatchSet (aws_waf_byte_match_set)
AWS.WAF.GeoMatchSet (aws_waf_geo_match_set)
AWS.WAF.RateBasedRule (aws_waf_rate_based_rule)
AWS.WAF.RegexMatchSet (aws_waf_regex_match_set)
AWS.WAF.RegexPatternSet (aws_waf_regex_pattern_set)
AWS.WAF.Rule (aws_waf_rule)
AWS.WAF.RuleGroup (aws_waf_rule_group)
AWS.WAF.SQLInjectionMatchSet (aws_waf_sql_injection_match_set)
AWS.WAF.SizeConstraintSet (aws_waf_size_constraint_set)
AWS.WAF.WebACL (aws_waf_web_acl)
AWS.WAF.XSSMatchSet (aws_waf_xss_match_set)
WAFRegional¶
AWS.WAFRegional.ByteMatchSet (aws_wafregional_byte_match_set)
AWS.WAFRegional.GeoMatchSet (aws_wafregional_geo_match_set)
AWS.WAFRegional.RateBasedRule (aws_wafregional_rate_based_rule)
AWS.WAFRegional.RegexMatchSet (aws_wafregional_regex_match_set)
AWS.WAFRegional.RegexPatternSet (aws_wafregional_regex_pattern_set)
AWS.WAFRegional.Rule (aws_wafregional_rule)
AWS.WAFRegional.RuleGroup (aws_wafregional_rule_group)
AWS.WAFRegional.SQLInjectionMatchSet (aws_wafregional_sql_injection_match_set)
AWS.WAFRegional.SizeConstraintSet (aws_wafregional_size_constraint_set)
AWS.WAFRegional.WebACL (aws_wafregional_web_acl)
AWS.WAFRegional.XSSMatchSet (aws_wafregional_xss_match_set)
WAFv2¶
AWS.WAFv2.LoggingConfiguration (aws_wafv2_logging_configuration)
AWS.WAFv2.RegexPatternSet (aws_wafv2_regex_pattern_set)
AWS.WAFv2.RuleGroup (aws_wafv2_rule_group)
AWS.WAFv2.WebACL (aws_wafv2_web_acl)
AWS.WAFv2.WebACLAssociation (aws_wafv2_web_acl_association)
Supported Services: AWS GovCloud¶
AWS Certificate Manager (ACM)¶
AWS.ACM.Certificate (aws_acm_certificate)
ACM Private Certificate Authority (ACM PCA)¶
AWS.ACMPCA.CertificateAuthority (aws_acmpca_certificate_authority)
API Gateway¶
AWS.ApiGateway.Authorizer (aws_api_gateway_authorizer)
AWS.ApiGateway.ClientCertificate (aws_api_gateway_client_certificate)
AWS.ApiGateway.Deployment (aws_api_gateway_deployment)
AWS.ApiGateway.DomainName (aws_api_gateway_domain_name)
AWS.ApiGateway.RequestValidator (aws_api_gateway_request_validator)
AWS.ApiGateway.Resource (aws_api_gateway_resource)
AWS.ApiGateway.RestApi (aws_api_gateway_rest_api)
AWS.ApiGateway.Stage (aws_api_gateway_stage)
AWS.ApiGateway.UsagePlan (aws_api_gateway_usage_plan)
AWS.ApiGateway.VpcLink (aws_api_gateway_vpc_link)
Auto Scaling¶
AWS.AutoScaling.AutoScalingGroup (aws_autoscaling_group)
AWS.AutoScaling.LaunchConfiguration (aws_launch_configuration)
AWS.AutoScaling.LaunchTemplate (aws_launch_template)
AWS.AutoScaling.LifecycleHook (aws_autoscaling_lifecycle_hook)
AWS.AutoScaling.Policy (aws_autoscaling_policy)
AWS.AutoScaling.Schedule (aws_autoscaling_schedule)
CloudTrail¶
AWS.CloudTrail.Trail (aws_cloudtrail)
CloudWatch¶
AWS.CloudWatch.Dashboard (aws_cloudwatch_dashboard)
AWS.CloudWatch.MetricAlarm (aws_cloudwatch_metric_alarm)
AWS.CloudWatchEvents.Rule (aws_cloudwatch_event_rule)
AWS.CloudWatchEvents.Target (aws_cloudwatch_event_target)
AWS.CloudWatchLogs.Destination (aws_cloudwatch_log_destination)
AWS.CloudWatchLogs.DestinationPolicy (aws_cloudwatch_log_destination_policy)
AWS.CloudWatchLogs.LogGroup (aws_cloudwatch_log_group)
AWS.CloudWatchLogs.MetricFilter (aws_cloudwatch_log_metric_filter)
AWS.CloudWatchLogs.ResourcePolicy (aws_cloudwatch_log_resource_policy)
AWS.CloudWatchLogs.SubscriptionFilter (aws_cloudwatch_log_subscription_filter)
Config¶
AWS.Config.ConfigurationRecorder (aws_config_configuration_recorder)
AWS.Config.ConfigurationRecorderStatus (aws_config_configuration_recorder_status)
AWS.Config.DeliveryChannel (aws_config_delivery_channel)
AWS.Config.Rule (aws_config_config_rule)
Directory Service¶
AWS.DirectoryService.ConditionalForwarder (aws_directory_service_conditional_forwarder)
AWS.DirectoryService.Directory (aws_directory_service_directory)
DocumentDB (beta)¶
AWS.DocDB.Cluster (aws_docdb_cluster)
AWS.DocDB.ClusterInstance (aws_docdb_cluster_instance)
AWS.DocDB.ClusterSnapshot (aws_docdb_cluster_snapshot)
DynamoDB¶
AWS.DynamoDB.Table (aws_dynamodb_table)
EC2¶
Note
Fugue does not support the legacy EC2-Classic platform.
AWS.EC2.CustomerGateway (aws_customer_gateway)
AWS.EC2.DhcpOptions (aws_vpc_dhcp_options)
AWS.EC2.DhcpOptionsAssociation (aws_vpc_dhcp_options_association)
AWS.EC2.EgressOnlyInternetGateway (aws_egress_only_internet_gateway)
AWS.EC2.ElasticIP (aws_eip)
AWS.EC2.FlowLog (aws_flow_log)
AWS.EC2.Image (aws_ami)
AWS.EC2.Instance (aws_instance)
AWS.EC2.InternetGateway (aws_internet_gateway)
AWS.EC2.KeyPair (aws_key_pair)
AWS.EC2.NATGateway (aws_nat_gateway)
AWS.EC2.NetworkACL (aws_network_acl)
AWS.EC2.NetworkInterface (aws_network_interface)
AWS.EC2.PlacementGroup (aws_placement_group)
AWS.EC2.RouteTable (aws_route_table)
AWS.EC2.RouteTableAssociation (aws_route_table_association)
AWS.EC2.SecurityGroup (aws_security_group)
AWS.EC2.Snapshot (aws_ebs_snapshot) (beta)
AWS.EC2.Subnet (aws_subnet)
AWS.EC2.Volume (aws_ebs_volume)
AWS.EC2.Vpc (aws_vpc)
AWS.EC2.VpcIpv4CidrBlockAssociation (aws_vpc_ipv4_cidr_block_association)
AWS.EC2.VpcPeeringConnection (aws_vpc_peering_connection)
AWS.EC2.VpnConnection (aws_vpn_connection)
AWS.EC2.VpnConnectionRoute (aws_vpn_connection_route)
AWS.EC2.VpnGateway (aws_vpn_gateway)
ECR¶
AWS.ECR.LifecyclePolicy (aws_ecr_lifecycle_policy) (beta)
AWS.ECR.Repository (aws_ecr_repository)
AWS.ECR.RepositoryPolicy (aws_ecr_repository_policy) (beta)
ECS¶
AWS.ECS.Cluster (aws_ecs_cluster)
AWS.ECS.Service (aws_ecs_service)
AWS.ECS.Task (aws_ecs_task)
AWS.ECS.TaskDefinition (aws_ecs_task_definition)
ELB (Elastic Load Balancing)¶
AWS.ELB.BackendServerPolicy (aws_load_balancer_backend_server_policy)
AWS.ELB.ListenerPolicy (aws_load_balancer_listener_policy)
AWS.ELB.LoadBalancer (aws_elb)
AWS.ELB.Policy (aws_load_balancer_policy)
ELBv2 (Elastic Load Balancing v2)¶
AWS.ELBv2.Listener (aws_lb_listener)
AWS.ELBv2.ListenerRule (aws_lb_listener_rule)
AWS.ELBv2.LoadBalancer (aws_lb)
AWS.ELBv2.TargetGroup (aws_lb_target_group)
ElastiCache¶
Note
When ElastiCache.Cluster resources belong to an ElastiCache.ReplicationGroup, the clusters themselves are not scanned but the replication group is. The replication group manages the clusters and contains all of the relevant settings, so there is no need to scan the clusters individually. In contrast, ElastiCache clusters that do not belong to a replication group are scanned individually.
AWS.ElastiCache.Cluster (aws_elasticache_cluster)
AWS.ElastiCache.ParameterGroup (aws_elasticache_parameter_group)
AWS.ElastiCache.ReplicationGroup (aws_elasticache_replication_group)
Elasticsearch (beta)¶
AWS.Elasticsearch.Domain (aws_elasticsearch_domain)
Glacier (S3 Glacier)¶
AWS.Glacier.Vault (aws_glacier_vault)
Glue (beta)¶
AWS.Glue.CatalogDatabase (aws_glue_catalog_database)
AWS.Glue.CatalogTable (aws_glue_catalog_table)
AWS.Glue.Connection (aws_glue_connection)
AWS.Glue.Crawler (aws_glue_crawler)
AWS.Glue.Job (aws_glue_job)
AWS.Glue.SecurityConfiguration (aws_glue_security_configuration)
AWS.Glue.Trigger (aws_glue_trigger)
AWS.Glue.Workflow (aws_glue_workflow)
IAM (Identity & Access Management)¶
AWS.IAM.AccessKey (aws_iam_access_key)
AWS.IAM.AccountPasswordPolicy (aws_iam_account_password_policy)
AWS.IAM.CredentialReport (aws_iam_credential_report)
AWS.IAM.Group (aws_iam_group)
AWS.IAM.GroupMembership (aws_iam_group_membership)
AWS.IAM.GroupPolicy (aws_iam_group_policy)
AWS.IAM.GroupPolicyAttachment (aws_iam_group_policy_attachment)
AWS.IAM.InstanceProfile (aws_iam_instance_profile)
AWS.IAM.OpenIDConnectProvider (aws_iam_openid_connect_provider)
AWS.IAM.Policy (aws_iam_policy)
AWS.IAM.Role (aws_iam_role)
AWS.IAM.RolePolicy (aws_iam_role_policy)
AWS.IAM.RolePolicyAttachment (aws_iam_role_policy_attachment)
AWS.IAM.SAMLProvider (aws_iam_saml_provider)
AWS.IAM.ServerCertificate (aws_iam_server_certificate) (beta)
AWS.IAM.User (aws_iam_user)
AWS.IAM.UserPolicy (aws_iam_user_policy)
AWS.IAM.UserPolicyAttachment (aws_iam_user_policy_attachment)
Inspector¶
AWS.Inspector.AssessmentTarget (aws_inspector_assessment_target)
AWS.Inspector.AssessmentTemplate (aws_inspector_assessment_template)
KMS (Key Management Service)¶
AWS.KMS.Alias (aws_kms_alias)
AWS.KMS.Grant (aws_kms_grant)
AWS.KMS.Key (aws_kms_key)
Kinesis¶
AWS.Kinesis.Stream (aws_kinesis_stream)
AWS.KinesisFirehose.DeliveryStream (aws_kinesis_firehose_delivery_stream)
Lambda¶
AWS.Lambda.Alias (aws_lambda_alias)
AWS.Lambda.EventSourceMapping (aws_lambda_event_source_mapping)
AWS.Lambda.Function (aws_lambda_function)
AWS.Lambda.Permission (aws_lambda_permission) (beta)
Neptune (beta)¶
AWS.Neptune.Cluster (aws_neptune_cluster)
AWS.Neptune.ClusterInstance (aws_neptune_cluster_instance)
AWS.Neptune.ClusterSnapshot (aws_neptune_cluster_snapshot)
Organizations¶
AWS.Organizations.Organization (aws_organizations_organization)
Resource Acccess Manager (RAM) (beta)¶
AWS.RAM.PrincipalAssociation (aws_ram_principal_association)
AWS.RAM.ResourceAssociation (aws_ram_resource_association)
AWS.RAM.ResourceShare (aws_ram_resource_share)
RDS¶
AWS.RDS.Cluster (aws_rds_cluster)
AWS.RDS.ClusterInstance (aws_rds_cluster_instance) (beta)
AWS.RDS.ClusterParameterGroup (aws_rds_cluster_parameter_group)
AWS.RDS.EventSubscription (aws_db_event_subscription)
AWS.RDS.Instance (aws_db_instance)
AWS.RDS.OptionGroup (aws_db_option_group)
AWS.RDS.ParameterGroup (aws_db_parameter_group)
AWS.RDS.Snapshot (aws_db_snapshot) (beta)
AWS.RDS.SubnetGroup (aws_db_subnet_group)
Redshift¶
AWS.Redshift.Cluster (aws_redshift_cluster)
AWS.Redshift.ParameterGroup (aws_redshift_parameter_group)
AWS.Redshift.SubnetGroup (aws_redshift_subnet_group)
SageMaker (beta)¶
AWS.Sagemaker.Endpoint (aws_sagemaker_endpoint)
AWS.Sagemaker.EndpointConfiguration (aws_sagemaker_endpoint_configuration)
AWS.Sagemaker.Model (aws_sagemaker_model)
AWS.Sagemaker.NotebookInstance (aws_sagemaker_notebook_instance)
AWS.Sagemaker.NotebookInstanceLifecycleConfiguration (aws_sagemaker_notebook_instance_lifecycle_configuration)
S3¶
AWS.S3.AccountPublicAccessBlock (aws_s3_account_public_access_block) (beta)
AWS.S3.Bucket (aws_s3_bucket)
AWS.S3.BucketInventory (aws_s3_bucket_inventory)
AWS.S3.BucketMetric (aws_s3_bucket_metric)
AWS.S3.BucketNotification (aws_s3_bucket_notification)
AWS.S3.BucketPolicy (aws_s3_bucket_policy)
AWS.S3.BucketPublicAccessBlock (aws_s3_bucket_public_access_block)
Step Functions (SFN)¶
AWS.SFN.StateMachine (aws_sfn_state_machine)
SNS¶
AWS.SNS.Subscription (aws_sns_topic_subscription)
AWS.SNS.Topic (aws_sns_topic)
SQS¶
AWS.SQS.Queue (aws_sqs_queue)
Systems Manager (SSM)¶
AWS.SSM.Activation (aws_ssm_activation)
AWS.SSM.Association (aws_ssm_association)
AWS.SSM.Document (aws_ssm_document)
AWS.SSM.MaintenanceWindow (aws_ssm_maintenance_window)
AWS.SSM.MaintenanceWindowTarget (aws_ssm_maintenance_window_target)
AWS.SSM.MaintenanceWindowTask (aws_ssm_maintenance_window_task)
AWS.SSM.Parameter (aws_ssm_parameter)
AWS.SSM.PatchBaseline (aws_ssm_patch_baseline)
AWS.SSM.PatchGroup (aws_ssm_patch_group)
AWS.SSM.ResourceDataSync (aws_ssm_resource_data_sync)
WAFRegional¶
AWS.WAFRegional.ByteMatchSet (aws_wafregional_byte_match_set)
AWS.WAFRegional.GeoMatchSet (aws_wafregional_geo_match_set)
AWS.WAFRegional.RateBasedRule (aws_wafregional_rate_based_rule)
AWS.WAFRegional.RegexMatchSet (aws_wafregional_regex_match_set)
AWS.WAFRegional.RegexPatternSet (aws_wafregional_regex_pattern_set)
AWS.WAFRegional.Rule (aws_wafregional_rule)
AWS.WAFRegional.RuleGroup (aws_wafregional_rule_group)
AWS.WAFRegional.SQLInjectionMatchSet (aws_wafregional_sql_injection_match_set)
AWS.WAFRegional.SizeConstraintSet (aws_wafregional_size_constraint_set)
AWS.WAFRegional.WebACL (aws_wafregional_web_acl)
AWS.WAFRegional.XSSMatchSet (aws_wafregional_xss_match_set)
WAFv2¶
AWS.WAFv2.LoggingConfiguration (aws_wafv2_logging_configuration)
AWS.WAFv2.RegexPatternSet (aws_wafv2_regex_pattern_set)
AWS.WAFv2.RuleGroup (aws_wafv2_rule_group)
AWS.WAFv2.WebACL (aws_wafv2_web_acl)
AWS.WAFv2.WebACLAssociation (aws_wafv2_web_acl_association)
WorkSpaces (beta)¶
AWS.Workspaces.Directory (aws_workspaces_directory)
AWS.Workspaces.IPGroup (aws_workspaces_ip_group)
AWS.Workspaces.Workspace (aws_workspaces_workspace)
Recommended Resource Types: AWS GovCloud¶
In order to get the most out of Fugue, you can opt to scan a Fugue-recommended set of resource types. We’ve chosen these resources because of their high impact on security, and they include security groups, IAM roles, S3 buckets, and more.
AWS Certificate Manager (ACM)¶
AWS.ACM.Certificate (aws_acm_certificate)
API Gateway¶
AWS.ApiGateway.Authorizer (aws_api_gateway_authorizer)
AWS.ApiGateway.ClientCertificate (aws_api_gateway_client_certificate)
AWS.ApiGateway.Deployment (aws_api_gateway_deployment)
AWS.ApiGateway.DomainName (aws_api_gateway_domain_name)
AWS.ApiGateway.RequestValidator (aws_api_gateway_request_validator)
AWS.ApiGateway.Resource (aws_api_gateway_resource)
AWS.ApiGateway.RestApi (aws_api_gateway_rest_api)
AWS.ApiGateway.Stage (aws_api_gateway_stage)
AWS.ApiGateway.UsagePlan (aws_api_gateway_usage_plan)
AWS.ApiGateway.VpcLink (aws_api_gateway_vpc_link)
Auto Scaling¶
AWS.AutoScaling.AutoScalingGroup (aws_autoscaling_group)
AWS.AutoScaling.LaunchConfiguration (aws_launch_configuration)
AWS.AutoScaling.LaunchTemplate (aws_launch_template)
AWS.AutoScaling.LifecycleHook (aws_autoscaling_lifecycle_hook)
AWS.AutoScaling.Policy (aws_autoscaling_policy)
AWS.AutoScaling.Schedule (aws_autoscaling_schedule)
CloudTrail¶
AWS.CloudTrail.Trail (aws_cloudtrail)
CloudWatch¶
AWS.CloudWatch.Dashboard (aws_cloudwatch_dashboard)
AWS.CloudWatch.MetricAlarm (aws_cloudwatch_metric_alarm)
AWS.CloudWatchEvents.Rule (aws_cloudwatch_event_rule)
AWS.CloudWatchEvents.Target (aws_cloudwatch_event_target)
AWS.CloudWatchLogs.Destination (aws_cloudwatch_log_destination)
AWS.CloudWatchLogs.DestinationPolicy (aws_cloudwatch_log_destination_policy)
AWS.CloudWatchLogs.LogGroup (aws_cloudwatch_log_group)
AWS.CloudWatchLogs.MetricFilter (aws_cloudwatch_log_metric_filter)
AWS.CloudWatchLogs.ResourcePolicy (aws_cloudwatch_log_resource_policy)
AWS.CloudWatchLogs.SubscriptionFilter (aws_cloudwatch_log_subscription_filter)
Config¶
AWS.Config.ConfigurationRecorder (aws_config_configuration_recorder)
AWS.Config.ConfigurationRecorderStatus (aws_config_configuration_recorder_status)
AWS.Config.DeliveryChannel (aws_config_delivery_channel)
AWS.Config.Rule (aws_config_config_rule)
DynamoDB¶
AWS.DynamoDB.Table (aws_dynamodb_table)
EC2¶
Note
Fugue does not support the legacy EC2-Classic platform.
AWS.EC2.CustomerGateway (aws_customer_gateway)
AWS.EC2.DhcpOptions (aws_vpc_dhcp_options)
AWS.EC2.DhcpOptionsAssociation (aws_vpc_dhcp_options_association)
AWS.EC2.EgressOnlyInternetGateway (aws_egress_only_internet_gateway)
AWS.EC2.ElasticIP (aws_eip)
AWS.EC2.FlowLog (aws_flow_log)
AWS.EC2.Instance (aws_instance)
AWS.EC2.InternetGateway (aws_internet_gateway)
AWS.EC2.KeyPair (aws_key_pair)
AWS.EC2.NATGateway (aws_nat_gateway)
AWS.EC2.NetworkACL (aws_network_acl)
AWS.EC2.PlacementGroup (aws_placement_group)
AWS.EC2.RouteTable (aws_route_table)
AWS.EC2.RouteTableAssociation (aws_route_table_association)
AWS.EC2.SecurityGroup (aws_security_group)
AWS.EC2.Subnet (aws_subnet)
AWS.EC2.Volume (aws_ebs_volume)
AWS.EC2.Vpc (aws_vpc)
AWS.EC2.VpcIpv4CidrBlockAssociation (aws_vpc_ipv4_cidr_block_association)
AWS.EC2.VpcPeeringConnection (aws_vpc_peering_connection)
AWS.EC2.VpnConnection (aws_vpn_connection)
AWS.EC2.VpnConnectionRoute (aws_vpn_connection_route)
AWS.EC2.VpnGateway (aws_vpn_gateway)
ECR¶
AWS.ECR.Repository (aws_ecr_repository)
ECS¶
AWS.ECS.Cluster (aws_ecs_cluster)
AWS.ECS.Service (aws_ecs_service)
AWS.ECS.Task (aws_ecs_task)
AWS.ECS.TaskDefinition (aws_ecs_task_definition)
ELB (Elastic Load Balancing)¶
AWS.ELB.BackendServerPolicy (aws_load_balancer_backend_server_policy)
AWS.ELB.ListenerPolicy (aws_load_balancer_listener_policy)
AWS.ELB.LoadBalancer (aws_elb)
AWS.ELB.Policy (aws_load_balancer_policy)
ELBv2 (Elastic Load Balancing v2)¶
AWS.ELBv2.Listener (aws_lb_listener)
AWS.ELBv2.ListenerRule (aws_lb_listener_rule)
AWS.ELBv2.LoadBalancer (aws_lb)
AWS.ELBv2.TargetGroup (aws_lb_target_group)
ElastiCache¶
Note
When ElastiCache.Cluster resources belong to an ElastiCache.ReplicationGroup, the clusters themselves are not scanned but the replication group is. The replication group manages the clusters and contains all of the relevant settings, so there is no need to scan the clusters individually. In contrast, ElastiCache clusters that do not belong to a replication group are scanned individually.
AWS.ElastiCache.Cluster (aws_elasticache_cluster)
AWS.ElastiCache.ParameterGroup (aws_elasticache_parameter_group)
AWS.ElastiCache.ReplicationGroup (aws_elasticache_replication_group)
Glacier (S3 Glacier)¶
AWS.Glacier.Vault (aws_glacier_vault)
IAM (Identity & Access Management)¶
AWS.IAM.AccessKey (aws_iam_access_key)
AWS.IAM.AccountPasswordPolicy (aws_iam_account_password_policy)
AWS.IAM.CredentialReport (aws_iam_credential_report)
AWS.IAM.Group (aws_iam_group)
AWS.IAM.GroupMembership (aws_iam_group_membership)
AWS.IAM.GroupPolicy (aws_iam_group_policy)
AWS.IAM.GroupPolicyAttachment (aws_iam_group_policy_attachment)
AWS.IAM.InstanceProfile (aws_iam_instance_profile)
AWS.IAM.OpenIDConnectProvider (aws_iam_openid_connect_provider)
AWS.IAM.Policy (aws_iam_policy)
AWS.IAM.Role (aws_iam_role)
AWS.IAM.RolePolicy (aws_iam_role_policy)
AWS.IAM.RolePolicyAttachment (aws_iam_role_policy_attachment)
AWS.IAM.SAMLProvider (aws_iam_saml_provider)
AWS.IAM.User (aws_iam_user)
AWS.IAM.UserPolicy (aws_iam_user_policy)
AWS.IAM.UserPolicyAttachment (aws_iam_user_policy_attachment)
KMS (Key Management Service)¶
AWS.KMS.Alias (aws_kms_alias)
AWS.KMS.Grant (aws_kms_grant)
AWS.KMS.Key (aws_kms_key)
Kinesis¶
AWS.Kinesis.Stream (aws_kinesis_stream)
AWS.KinesisFirehose.DeliveryStream (aws_kinesis_firehose_delivery_stream)
Lambda¶
AWS.Lambda.Alias (aws_lambda_alias)
AWS.Lambda.EventSourceMapping (aws_lambda_event_source_mapping)
AWS.Lambda.Function (aws_lambda_function)
RDS¶
AWS.RDS.Cluster (aws_rds_cluster)
AWS.RDS.ClusterParameterGroup (aws_rds_cluster_parameter_group)
AWS.RDS.EventSubscription (aws_db_event_subscription)
AWS.RDS.Instance (aws_db_instance)
AWS.RDS.OptionGroup (aws_db_option_group)
AWS.RDS.ParameterGroup (aws_db_parameter_group)
AWS.RDS.SubnetGroup (aws_db_subnet_group)
Redshift¶
AWS.Redshift.Cluster (aws_redshift_cluster)
AWS.Redshift.ParameterGroup (aws_redshift_parameter_group)
AWS.Redshift.SubnetGroup (aws_redshift_subnet_group)
S3¶
AWS.S3.Bucket (aws_s3_bucket)
AWS.S3.BucketInventory (aws_s3_bucket_inventory)
AWS.S3.BucketMetric (aws_s3_bucket_metric)
AWS.S3.BucketNotification (aws_s3_bucket_notification)
AWS.S3.BucketPolicy (aws_s3_bucket_policy)
AWS.S3.BucketPublicAccessBlock (aws_s3_bucket_public_access_block)
Step Functions (SFN)¶
AWS.SFN.StateMachine (aws_sfn_state_machine)
SNS¶
AWS.SNS.Subscription (aws_sns_topic_subscription)
AWS.SNS.Topic (aws_sns_topic)
SQS¶
AWS.SQS.Queue (aws_sqs_queue)
WAFRegional¶
AWS.WAFRegional.ByteMatchSet (aws_wafregional_byte_match_set)
AWS.WAFRegional.GeoMatchSet (aws_wafregional_geo_match_set)
AWS.WAFRegional.RateBasedRule (aws_wafregional_rate_based_rule)
AWS.WAFRegional.RegexMatchSet (aws_wafregional_regex_match_set)
AWS.WAFRegional.RegexPatternSet (aws_wafregional_regex_pattern_set)
AWS.WAFRegional.Rule (aws_wafregional_rule)
AWS.WAFRegional.RuleGroup (aws_wafregional_rule_group)
AWS.WAFRegional.SQLInjectionMatchSet (aws_wafregional_sql_injection_match_set)
AWS.WAFRegional.SizeConstraintSet (aws_wafregional_size_constraint_set)
AWS.WAFRegional.WebACL (aws_wafregional_web_acl)
AWS.WAFRegional.XSSMatchSet (aws_wafregional_xss_match_set)
WAFv2¶
AWS.WAFv2.LoggingConfiguration (aws_wafv2_logging_configuration)
AWS.WAFv2.RegexPatternSet (aws_wafv2_regex_pattern_set)
AWS.WAFv2.RuleGroup (aws_wafv2_rule_group)
AWS.WAFv2.WebACL (aws_wafv2_web_acl)
AWS.WAFv2.WebACLAssociation (aws_wafv2_web_acl_association)
Resources Not Included In Fugue-Recommended List¶
The following is the list of resources that are not included in the Fugue’s recommended list of resource types to scan.
ACM Private Certificate Authority (ACM PCA)¶
AWS.ACMPCA.CertificateAuthority (aws_acmpca_certificate_authority)
Directory Service¶
AWS.DirectoryService.ConditionalForwarder (aws_directory_service_conditional_forwarder)
AWS.DirectoryService.Directory (aws_directory_service_directory)
EC2¶
AWS.EC2.Image (aws_ami)
AWS.EC2.NetworkInterface (aws_network_interface)
Inspector¶
AWS.Inspector.AssessmentTarget (aws_inspector_assessment_target)
AWS.Inspector.AssessmentTemplate (aws_inspector_assessment_template)
Organizations¶
AWS.Organizations.Organization (aws_organizations_organization)
Route 53¶
AWS.Route53.DelegationSet (aws_route53_delegation_set)
AWS.Route53.HealthCheck (aws_route53_health_check)
AWS.Route53.QueryLog (aws_route53_query_log)
AWS.Route53.Record (aws_route53_record)
AWS.Route53.Zone (aws_route53_zone)
AWS.Route53.ZoneAssociation (aws_route53_zone_association)
Systems Manager (SSM)¶
AWS.SSM.Activation (aws_ssm_activation)
AWS.SSM.Association (aws_ssm_association)
AWS.SSM.Document (aws_ssm_document)
AWS.SSM.MaintenanceWindow (aws_ssm_maintenance_window)
AWS.SSM.MaintenanceWindowTarget (aws_ssm_maintenance_window_target)
AWS.SSM.MaintenanceWindowTask (aws_ssm_maintenance_window_task)
AWS.SSM.Parameter (aws_ssm_parameter)
AWS.SSM.PatchBaseline (aws_ssm_patch_baseline)
AWS.SSM.PatchGroup (aws_ssm_patch_group)
AWS.SSM.ResourceDataSync (aws_ssm_resource_data_sync)
Secrets Manager¶
AWS.SecretsManager.Secret (aws_secretsmanager_secret)