Service Coverage - AWS & AWS GovCloud¶
Note
For supported Azure services, see Service Coverage - Azure & Azure Government.
Tip
To interact with the API using query parameters, use the Fugue resource names as formatted below (the Terraform resource name is also acceptable). When using request body parameters, add quotation marks around each resource name like this: "AWS.AutoScaling.AutoScalingGroup", "AWS.SNS.Topic", etc.
The following services and resources are supported in the latest version of Fugue.
(beta) denotes resources with beta support. To request access, contact support@fugue.co.
Each resource is listed with its Terraform type in parentheses for the purpose of writing custom rules.
AWS Standard Regions: Supported Resource Types and Fugue-Recommended Resource Types
AWS GovCloud: Supported Resource Types and Fugue-Recommended Resource Types
For more information about resources and regions, see details here.
AWS Standard Regions¶
AWS Certificate Manager (ACM)¶
AWS.ACM.Certificate (aws_acm_certificate)
ACM Private Certificate Authority (ACM PCA)¶
AWS.ACMPCA.CertificateAuthority (aws_acmpca_certificate_authority)
API Gateway¶
AWS.ApiGateway.Authorizer (aws_api_gateway_authorizer)
AWS.ApiGateway.ClientCertificate (aws_api_gateway_client_certificate)
AWS.ApiGateway.Deployment (aws_api_gateway_deployment)
AWS.ApiGateway.DomainName (aws_api_gateway_domain_name)
AWS.ApiGateway.RequestValidator (aws_api_gateway_request_validator)
AWS.ApiGateway.Resource (aws_api_gateway_resource)
AWS.ApiGateway.RestApi (aws_api_gateway_rest_api)
AWS.ApiGateway.Stage (aws_api_gateway_stage)
AWS.ApiGateway.UsagePlan (aws_api_gateway_usage_plan)
AWS.ApiGateway.VpcLink (aws_api_gateway_vpc_link)
Auto Scaling¶
AWS.AutoScaling.AutoScalingGroup (aws_autoscaling_group)
AWS.AutoScaling.LaunchConfiguration (aws_launch_configuration)
AWS.AutoScaling.LaunchTemplate (aws_launch_template)
AWS.AutoScaling.LifecycleHook (aws_autoscaling_lifecycle_hook)
AWS.AutoScaling.Policy (aws_autoscaling_policy)
AWS.AutoScaling.Schedule (aws_autoscaling_schedule)
CloudFront¶
AWS.CloudFront.Distribution (aws_cloudfront_distribution)
CloudTrail¶
AWS.CloudTrail.Trail (aws_cloudtrail)
CloudWatch¶
AWS.CloudWatch.Dashboard (aws_cloudwatch_dashboard)
AWS.CloudWatch.MetricAlarm (aws_cloudwatch_metric_alarm)
AWS.CloudWatchEvents.Rule (aws_cloudwatch_event_rule)
AWS.CloudWatchEvents.Target (aws_cloudwatch_event_target)
AWS.CloudWatchLogs.Destination (aws_cloudwatch_log_destination)
AWS.CloudWatchLogs.DestinationPolicy (aws_cloudwatch_log_destination_policy)
AWS.CloudWatchLogs.LogGroup (aws_cloudwatch_log_group)
AWS.CloudWatchLogs.MetricFilter (aws_cloudwatch_log_metric_filter)
AWS.CloudWatchLogs.ResourcePolicy (aws_cloudwatch_log_resource_policy)
AWS.CloudWatchLogs.SubscriptionFilter (aws_cloudwatch_log_subscription_filter)
Cognito¶
AWS.Cognito.IdentityProvider (aws_cognito_identity_provider)
AWS.Cognito.ResourceServer (aws_cognito_resource_server)
AWS.Cognito.UserGroup (aws_cognito_user_group)
AWS.Cognito.UserPool (aws_cognito_user_pool)
AWS.Cognito.UserPoolClient (aws_cognito_user_pool_client)
AWS.Cognito.UserPoolDomain (aws_cognito_user_pool_domain)
Config¶
AWS.Config.AggregationAuthorization (aws_config_aggregate_authorization)
AWS.Config.ConfigurationAggregator (aws_config_configuration_aggregator)
AWS.Config.ConfigurationRecorder (aws_config_configuration_recorder)
AWS.Config.ConfigurationRecorderStatus (aws_config_configuration_recorder_status)
AWS.Config.DeliveryChannel (aws_config_delivery_channel)
AWS.Config.Rule (aws_config_config_rule)
Directory Service¶
AWS.DirectoryService.ConditionalForwarder (aws_directory_service_conditional_forwarder)
AWS.DirectoryService.Directory (aws_directory_service_directory)
DynamoDB¶
AWS.DynamoDB.Table (aws_dynamodb_table)
EC2¶
Note
Fugue does not support the legacy EC2-Classic platform.
AWS.EC2.CustomerGateway (aws_customer_gateway)
AWS.EC2.DhcpOptions (aws_vpc_dhcp_options)
AWS.EC2.DhcpOptionsAssociation (aws_vpc_dhcp_options_association)
AWS.EC2.EgressOnlyInternetGateway (aws_egress_only_internet_gateway)
AWS.EC2.ElasticIP (aws_eip)
AWS.EC2.FlowLog (aws_flow_log)
AWS.EC2.Image (aws_ami) (beta)
AWS.EC2.Instance (aws_instance)
AWS.EC2.InternetGateway (aws_internet_gateway)
AWS.EC2.KeyPair (aws_key_pair)
AWS.EC2.NATGateway (aws_nat_gateway)
AWS.EC2.NetworkACL (aws_network_acl)
AWS.EC2.NetworkInterface (aws_network_interface)
AWS.EC2.PlacementGroup (aws_placement_group)
AWS.EC2.RouteTable (aws_route_table)
AWS.EC2.RouteTableAssociation (aws_route_table_association)
AWS.EC2.SecurityGroup (aws_security_group)
AWS.EC2.SpotFleetRequest (aws_spot_fleet_request)
AWS.EC2.Subnet (aws_subnet)
AWS.EC2.Volume (aws_ebs_volume)
AWS.EC2.Vpc (aws_vpc)
AWS.EC2.VpcEndpoint (aws_vpc_endpoint)
AWS.EC2.VpcEndpointConnectionNotification (aws_vpc_endpoint_connection_notification)
AWS.EC2.VpcEndpointService (aws_vpc_endpoint_service)
AWS.EC2.VpcIpv4CidrBlockAssociation (aws_vpc_ipv4_cidr_block_association)
AWS.EC2.VpcPeeringConnection (aws_vpc_peering_connection)
AWS.EC2.VpnConnection (aws_vpn_connection)
AWS.EC2.VpnConnectionRoute (aws_vpn_connection_route)
AWS.EC2.VpnGateway (aws_vpn_gateway)
ECR¶
AWS.ECR.Repository (aws_ecr_repository)
ECS¶
AWS.ECS.Cluster (aws_ecs_cluster)
AWS.ECS.Service (aws_ecs_service)
AWS.ECS.Task (aws_ecs_task)
AWS.ECS.TaskDefinition (aws_ecs_task_definition)
EFS¶
AWS.EFS.FileSystem (aws_efs_file_system)
AWS.EFS.MountTarget (aws_efs_mount_target)
EKS¶
AWS.EKS.Cluster (aws_eks_cluster)
ELB (Elastic Load Balancing)¶
AWS.ELB.BackendServerPolicy (aws_load_balancer_backend_server_policy)
AWS.ELB.ListenerPolicy (aws_load_balancer_listener_policy)
AWS.ELB.LoadBalancer (aws_elb)
AWS.ELB.Policy (aws_load_balancer_policy)
ELBv2 (Elastic Load Balancing v2)¶
AWS.ELBv2.Listener (aws_lb_listener)
AWS.ELBv2.ListenerRule (aws_lb_listener_rule)
AWS.ELBv2.LoadBalancer (aws_lb)
AWS.ELBv2.TargetGroup (aws_lb_target_group)
ElastiCache¶
Note
When ElastiCache.Cluster resources belong to an ElastiCache.ReplicationGroup, the clusters themselves are not scanned but the replication group is. The replication group manages the clusters and contains all of the relevant settings, so there is no need to scan the clusters individually. In contrast, ElastiCache clusters that do not belong to a replication group are scanned individually.
AWS.ElastiCache.Cluster (aws_elasticache_cluster)
AWS.ElastiCache.ParameterGroup (aws_elasticache_parameter_group)
AWS.ElastiCache.ReplicationGroup (aws_elasticache_replication_group)
Glacier (S3 Glacier)¶
AWS.Glacier.Vault (aws_glacier_vault)
GuardDuty¶
AWS.GuardDuty.Detector (aws_guardduty_detector)
AWS.GuardDuty.Member (aws_guardduty_member)
IAM (Identity & Access Management)¶
AWS.IAM.AccessKey (aws_iam_access_key)
AWS.IAM.AccountPasswordPolicy (aws_iam_account_password_policy)
AWS.IAM.CredentialReport (aws_iam_credential_report)
AWS.IAM.Group (aws_iam_group)
AWS.IAM.GroupMembership (aws_iam_group_membership)
AWS.IAM.GroupPolicy (aws_iam_group_policy)
AWS.IAM.GroupPolicyAttachment (aws_iam_group_policy_attachment)
AWS.IAM.InstanceProfile (aws_iam_instance_profile)
AWS.IAM.OpenIDConnectProvider (aws_iam_openid_connect_provider)
AWS.IAM.Policy (aws_iam_policy)
AWS.IAM.Role (aws_iam_role)
AWS.IAM.RolePolicy (aws_iam_role_policy)
AWS.IAM.RolePolicyAttachment (aws_iam_role_policy_attachment)
AWS.IAM.SAMLProvider (aws_iam_saml_provider)
AWS.IAM.User (aws_iam_user)
AWS.IAM.UserPolicy (aws_iam_user_policy)
AWS.IAM.UserPolicyAttachment (aws_iam_user_policy_attachment)
Inspector¶
AWS.Inspector.AssessmentTarget (aws_inspector_assessment_target)
AWS.Inspector.AssessmentTemplate (aws_inspector_assessment_template)
KMS (Key Management Service)¶
AWS.KMS.Alias (aws_kms_alias)
AWS.KMS.Grant (aws_kms_grant)
AWS.KMS.Key (aws_kms_key)
Kinesis¶
AWS.Kinesis.Stream (aws_kinesis_stream)
AWS.KinesisFirehose.DeliveryStream (aws_kinesis_firehose_delivery_stream)
Lambda¶
AWS.Lambda.Alias (aws_lambda_alias)
AWS.Lambda.EventSourceMapping (aws_lambda_event_source_mapping)
AWS.Lambda.Function (aws_lambda_function)
Macie¶
AWS.Macie.MemberAccountAssociation (aws_macie_member_account_association)
AWS.Macie.S3BucketAssociation (aws_macie_s3_bucket_association)
MediaStore (Elemental MediaStore)¶
AWS.MediaStore.Container (aws_media_store_container)
AWS.MediaStore.ContainerPolicy (aws_media_store_container_policy)
Organizations¶
AWS.Organizations.Organization (aws_organizations_organization)
RDS¶
AWS.RDS.Cluster (aws_rds_cluster)
AWS.RDS.ClusterParameterGroup (aws_rds_cluster_parameter_group)
AWS.RDS.EventSubscription (aws_db_event_subscription)
AWS.RDS.Instance (aws_db_instance)
AWS.RDS.OptionGroup (aws_db_option_group)
AWS.RDS.ParameterGroup (aws_db_parameter_group)
AWS.RDS.SubnetGroup (aws_db_subnet_group)
Redshift¶
AWS.Redshift.Cluster (aws_redshift_cluster)
AWS.Redshift.ParameterGroup (aws_redshift_parameter_group)
AWS.Redshift.SubnetGroup (aws_redshift_subnet_group)
Route 53¶
AWS.Route53.DelegationSet (aws_route53_delegation_set)
AWS.Route53.HealthCheck (aws_route53_health_check)
AWS.Route53.QueryLog (aws_route53_query_log)
AWS.Route53.Record (aws_route53_record)
AWS.Route53.Zone (aws_route53_zone)
AWS.Route53.ZoneAssociation (aws_route53_zone_association)
S3¶
AWS.S3.Bucket (aws_s3_bucket)
AWS.S3.BucketInventory (aws_s3_bucket_inventory)
AWS.S3.BucketMetric (aws_s3_bucket_metric)
AWS.S3.BucketNotification (aws_s3_bucket_notification)
AWS.S3.BucketPolicy (aws_s3_bucket_policy)
AWS.S3.BucketPublicAccessBlock (aws_s3_bucket_public_access_block)
Step Functions (SFN)¶
AWS.SFN.StateMachine (aws_sfn_state_machine)
SNS¶
AWS.SNS.Subscription (aws_sns_topic_subscription)
AWS.SNS.Topic (aws_sns_topic)
SQS¶
AWS.SQS.Queue (aws_sqs_queue)
Systems Manager (SSM)¶
AWS.SSM.Activation (aws_ssm_activation)
AWS.SSM.Association (aws_ssm_association)
AWS.SSM.Document (aws_ssm_document)
AWS.SSM.MaintenanceWindow (aws_ssm_maintenance_window)
AWS.SSM.MaintenanceWindowTarget (aws_ssm_maintenance_window_target)
AWS.SSM.MaintenanceWindowTask (aws_ssm_maintenance_window_task)
AWS.SSM.Parameter (aws_ssm_parameter)
AWS.SSM.PatchBaseline (aws_ssm_patch_baseline)
AWS.SSM.PatchGroup (aws_ssm_patch_group)
AWS.SSM.ResourceDataSync (aws_ssm_resource_data_sync)
Secrets Manager¶
AWS.SecretsManager.Secret (aws_secretsmanager_secret)
WAF¶
AWS.WAF.WebACL (aws_waf_web_acl)
Recommended Resource Types: AWS¶
In order to get the most out of Fugue, you can opt to scan a Fugue-recommended set of resource types. We’ve chosen these resources because of their high impact on security, and they include security groups, IAM roles, S3 buckets, and more.
AWS Certificate Manager (ACM)¶
AWS.ACM.Certificate (aws_acm_certificate)
API Gateway¶
AWS.ApiGateway.Authorizer (aws_api_gateway_authorizer)
AWS.ApiGateway.ClientCertificate (aws_api_gateway_client_certificate)
AWS.ApiGateway.Deployment (aws_api_gateway_deployment)
AWS.ApiGateway.DomainName (aws_api_gateway_domain_name)
AWS.ApiGateway.RequestValidator (aws_api_gateway_request_validator)
AWS.ApiGateway.Resource (aws_api_gateway_resource)
AWS.ApiGateway.RestApi (aws_api_gateway_rest_api)
AWS.ApiGateway.Stage (aws_api_gateway_stage)
AWS.ApiGateway.UsagePlan (aws_api_gateway_usage_plan)
AWS.ApiGateway.VpcLink (aws_api_gateway_vpc_link)
Auto Scaling¶
AWS.AutoScaling.AutoScalingGroup (aws_autoscaling_group)
AWS.AutoScaling.LaunchConfiguration (aws_launch_configuration)
AWS.AutoScaling.LaunchTemplate (aws_launch_template)
AWS.AutoScaling.LifecycleHook (aws_autoscaling_lifecycle_hook)
AWS.AutoScaling.Policy (aws_autoscaling_policy)
AWS.AutoScaling.Schedule (aws_autoscaling_schedule)
CloudFront¶
AWS.CloudFront.Distribution (aws_cloudfront_distribution)
CloudTrail¶
AWS.CloudTrail.Trail (aws_cloudtrail)
CloudWatch¶
AWS.CloudWatch.Dashboard (aws_cloudwatch_dashboard)
AWS.CloudWatch.MetricAlarm (aws_cloudwatch_metric_alarm)
AWS.CloudWatchEvents.Rule (aws_cloudwatch_event_rule)
AWS.CloudWatchEvents.Target (aws_cloudwatch_event_target)
AWS.CloudWatchLogs.Destination (aws_cloudwatch_log_destination)
AWS.CloudWatchLogs.DestinationPolicy (aws_cloudwatch_log_destination_policy)
AWS.CloudWatchLogs.LogGroup (aws_cloudwatch_log_group)
AWS.CloudWatchLogs.MetricFilter (aws_cloudwatch_log_metric_filter)
AWS.CloudWatchLogs.ResourcePolicy (aws_cloudwatch_log_resource_policy)
AWS.CloudWatchLogs.SubscriptionFilter (aws_cloudwatch_log_subscription_filter)
Cognito¶
AWS.Cognito.IdentityProvider (aws_cognito_identity_provider)
AWS.Cognito.ResourceServer (aws_cognito_resource_server)
AWS.Cognito.UserGroup (aws_cognito_user_group)
AWS.Cognito.UserPool (aws_cognito_user_pool)
AWS.Cognito.UserPoolClient (aws_cognito_user_pool_client)
AWS.Cognito.UserPoolDomain (aws_cognito_user_pool_domain)
Config¶
AWS.Config.AggregationAuthorization (aws_config_aggregate_authorization)
AWS.Config.ConfigurationAggregator (aws_config_configuration_aggregator)
AWS.Config.ConfigurationRecorder (aws_config_configuration_recorder)
AWS.Config.ConfigurationRecorderStatus (aws_config_configuration_recorder_status)
AWS.Config.DeliveryChannel (aws_config_delivery_channel)
AWS.Config.Rule (aws_config_config_rule)
DynamoDB¶
AWS.DynamoDB.Table (aws_dynamodb_table)
EC2¶
Note
Fugue does not support the legacy EC2-Classic platform.
AWS.EC2.CustomerGateway (aws_customer_gateway)
AWS.EC2.DhcpOptions (aws_vpc_dhcp_options)
AWS.EC2.DhcpOptionsAssociation (aws_vpc_dhcp_options_association)
AWS.EC2.EgressOnlyInternetGateway (aws_egress_only_internet_gateway)
AWS.EC2.ElasticIP (aws_eip)
AWS.EC2.FlowLog (aws_flow_log)
AWS.EC2.Instance (aws_instance)
AWS.EC2.InternetGateway (aws_internet_gateway)
AWS.EC2.KeyPair (aws_key_pair)
AWS.EC2.NATGateway (aws_nat_gateway)
AWS.EC2.NetworkACL (aws_network_acl)
AWS.EC2.PlacementGroup (aws_placement_group)
AWS.EC2.RouteTable (aws_route_table)
AWS.EC2.RouteTableAssociation (aws_route_table_association)
AWS.EC2.SecurityGroup (aws_security_group)
AWS.EC2.SpotFleetRequest (aws_spot_fleet_request)
AWS.EC2.Subnet (aws_subnet)
AWS.EC2.Volume (aws_ebs_volume)
AWS.EC2.Vpc (aws_vpc)
AWS.EC2.VpcEndpoint (aws_vpc_endpoint)
AWS.EC2.VpcEndpointConnectionNotification (aws_vpc_endpoint_connection_notification)
AWS.EC2.VpcEndpointService (aws_vpc_endpoint_service)
AWS.EC2.VpcIpv4CidrBlockAssociation (aws_vpc_ipv4_cidr_block_association)
AWS.EC2.VpcPeeringConnection (aws_vpc_peering_connection)
AWS.EC2.VpnConnection (aws_vpn_connection)
AWS.EC2.VpnConnectionRoute (aws_vpn_connection_route)
AWS.EC2.VpnGateway (aws_vpn_gateway)
ECR¶
AWS.ECR.Repository (aws_ecr_repository)
ECS¶
AWS.ECS.Cluster (aws_ecs_cluster)
AWS.ECS.Service (aws_ecs_service)
AWS.ECS.Task (aws_ecs_task)
AWS.ECS.TaskDefinition (aws_ecs_task_definition)
EFS¶
AWS.EFS.FileSystem (aws_efs_file_system)
AWS.EFS.MountTarget (aws_efs_mount_target)
EKS¶
AWS.EKS.Cluster (aws_eks_cluster)
ELB (Elastic Load Balancing)¶
AWS.ELB.BackendServerPolicy (aws_load_balancer_backend_server_policy)
AWS.ELB.ListenerPolicy (aws_load_balancer_listener_policy)
AWS.ELB.LoadBalancer (aws_elb)
AWS.ELB.Policy (aws_load_balancer_policy)
ELBv2 (Elastic Load Balancing v2)¶
AWS.ELBv2.Listener (aws_lb_listener)
AWS.ELBv2.ListenerRule (aws_lb_listener_rule)
AWS.ELBv2.LoadBalancer (aws_lb)
AWS.ELBv2.TargetGroup (aws_lb_target_group)
ElastiCache¶
Note
When ElastiCache.Cluster resources belong to an ElastiCache.ReplicationGroup, the clusters themselves are not scanned but the replication group is. The replication group manages the clusters and contains all of the relevant settings, so there is no need to scan the clusters individually. In contrast, ElastiCache clusters that do not belong to a replication group are scanned individually.
AWS.ElastiCache.Cluster (aws_elasticache_cluster)
AWS.ElastiCache.ParameterGroup (aws_elasticache_parameter_group)
AWS.ElastiCache.ReplicationGroup (aws_elasticache_replication_group)
Glacier (S3 Glacier)¶
AWS.Glacier.Vault (aws_glacier_vault)
GuardDuty¶
AWS.GuardDuty.Detector (aws_guardduty_detector)
AWS.GuardDuty.Member (aws_guardduty_member)
IAM (Identity & Access Management)¶
AWS.IAM.AccessKey (aws_iam_access_key)
AWS.IAM.AccountPasswordPolicy (aws_iam_account_password_policy)
AWS.IAM.CredentialReport (aws_iam_credential_report)
AWS.IAM.Group (aws_iam_group)
AWS.IAM.GroupMembership (aws_iam_group_membership)
AWS.IAM.GroupPolicy (aws_iam_group_policy)
AWS.IAM.GroupPolicyAttachment (aws_iam_group_policy_attachment)
AWS.IAM.InstanceProfile (aws_iam_instance_profile)
AWS.IAM.OpenIDConnectProvider (aws_iam_openid_connect_provider)
AWS.IAM.Policy (aws_iam_policy)
AWS.IAM.Role (aws_iam_role)
AWS.IAM.RolePolicy (aws_iam_role_policy)
AWS.IAM.RolePolicyAttachment (aws_iam_role_policy_attachment)
AWS.IAM.SAMLProvider (aws_iam_saml_provider)
AWS.IAM.User (aws_iam_user)
AWS.IAM.UserPolicy (aws_iam_user_policy)
AWS.IAM.UserPolicyAttachment (aws_iam_user_policy_attachment)
KMS (Key Management Service)¶
AWS.KMS.Alias (aws_kms_alias)
AWS.KMS.Grant (aws_kms_grant)
AWS.KMS.Key (aws_kms_key)
Kinesis¶
AWS.Kinesis.Stream (aws_kinesis_stream)
AWS.KinesisFirehose.DeliveryStream (aws_kinesis_firehose_delivery_stream)
Lambda¶
AWS.Lambda.Alias (aws_lambda_alias)
AWS.Lambda.EventSourceMapping (aws_lambda_event_source_mapping)
AWS.Lambda.Function (aws_lambda_function)
Macie¶
AWS.Macie.MemberAccountAssociation (aws_macie_member_account_association)
AWS.Macie.S3BucketAssociation (aws_macie_s3_bucket_association)
MediaStore (AWS Elemental MediaStore)¶
AWS.MediaStore.Container (aws_media_store_container)
AWS.MediaStore.ContainerPolicy (aws_media_store_container_policy)
RDS¶
AWS.RDS.Cluster (aws_rds_cluster)
AWS.RDS.ClusterParameterGroup (aws_rds_cluster_parameter_group)
AWS.RDS.EventSubscription (aws_db_event_subscription)
AWS.RDS.Instance (aws_db_instance)
AWS.RDS.OptionGroup (aws_db_option_group)
AWS.RDS.ParameterGroup (aws_db_parameter_group)
AWS.RDS.SubnetGroup (aws_db_subnet_group)
Redshift¶
AWS.Redshift.Cluster (aws_redshift_cluster)
AWS.Redshift.ParameterGroup (aws_redshift_parameter_group)
AWS.Redshift.SubnetGroup (aws_redshift_subnet_group)
S3¶
AWS.S3.Bucket (aws_s3_bucket)
AWS.S3.BucketInventory (aws_s3_bucket_inventory)
AWS.S3.BucketMetric (aws_s3_bucket_metric)
AWS.S3.BucketNotification (aws_s3_bucket_notification)
AWS.S3.BucketPolicy (aws_s3_bucket_policy)
AWS.S3.BucketPublicAccessBlock (aws_s3_bucket_public_access_block)
Step Functions (SFN)¶
AWS.SFN.StateMachine (aws_sfn_state_machine)
SNS¶
AWS.SNS.Subscription (aws_sns_topic_subscription)
AWS.SNS.Topic (aws_sns_topic)
SQS¶
AWS.SQS.Queue (aws_sqs_queue)
Supported Services: AWS GovCloud¶
AWS Certificate Manager (ACM)¶
AWS.ACM.Certificate (aws_acm_certificate)
ACM Private Certificate Authority (ACM PCA)¶
AWS.ACMPCA.CertificateAuthority (aws_acmpca_certificate_authority)
API Gateway¶
AWS.ApiGateway.Authorizer (aws_api_gateway_authorizer)
AWS.ApiGateway.ClientCertificate (aws_api_gateway_client_certificate)
AWS.ApiGateway.Deployment (aws_api_gateway_deployment)
AWS.ApiGateway.DomainName (aws_api_gateway_domain_name)
AWS.ApiGateway.RequestValidator (aws_api_gateway_request_validator)
AWS.ApiGateway.Resource (aws_api_gateway_resource)
AWS.ApiGateway.RestApi (aws_api_gateway_rest_api)
AWS.ApiGateway.Stage (aws_api_gateway_stage)
AWS.ApiGateway.UsagePlan (aws_api_gateway_usage_plan)
AWS.ApiGateway.VpcLink (aws_api_gateway_vpc_link)
Auto Scaling¶
AWS.AutoScaling.AutoScalingGroup (aws_autoscaling_group)
AWS.AutoScaling.LaunchConfiguration (aws_launch_configuration)
AWS.AutoScaling.LaunchTemplate (aws_launch_template)
AWS.AutoScaling.LifecycleHook (aws_autoscaling_lifecycle_hook)
AWS.AutoScaling.Policy (aws_autoscaling_policy)
AWS.AutoScaling.Schedule (aws_autoscaling_schedule)
CloudTrail¶
AWS.CloudTrail.Trail (aws_cloudtrail)
CloudWatch¶
AWS.CloudWatch.Dashboard (aws_cloudwatch_dashboard)
AWS.CloudWatch.MetricAlarm (aws_cloudwatch_metric_alarm)
AWS.CloudWatchEvents.Rule (aws_cloudwatch_event_rule)
AWS.CloudWatchEvents.Target (aws_cloudwatch_event_target)
AWS.CloudWatchLogs.Destination (aws_cloudwatch_log_destination)
AWS.CloudWatchLogs.DestinationPolicy (aws_cloudwatch_log_destination_policy)
AWS.CloudWatchLogs.LogGroup (aws_cloudwatch_log_group)
AWS.CloudWatchLogs.MetricFilter (aws_cloudwatch_log_metric_filter)
AWS.CloudWatchLogs.ResourcePolicy (aws_cloudwatch_log_resource_policy)
AWS.CloudWatchLogs.SubscriptionFilter (aws_cloudwatch_log_subscription_filter)
Config¶
AWS.Config.ConfigurationRecorder (aws_config_configuration_recorder)
AWS.Config.ConfigurationRecorderStatus (aws_config_configuration_recorder_status)
AWS.Config.DeliveryChannel (aws_config_delivery_channel)
AWS.Config.Rule (aws_config_config_rule)
Directory Service¶
AWS.DirectoryService.ConditionalForwarder (aws_directory_service_conditional_forwarder)
AWS.DirectoryService.Directory (aws_directory_service_directory)
DynamoDB¶
AWS.DynamoDB.Table (aws_dynamodb_table)
EC2¶
Note
Fugue does not support the legacy EC2-Classic platform.
AWS.EC2.CustomerGateway (aws_customer_gateway)
AWS.EC2.DhcpOptions (aws_vpc_dhcp_options)
AWS.EC2.DhcpOptionsAssociation (aws_vpc_dhcp_options_association)
AWS.EC2.EgressOnlyInternetGateway (aws_egress_only_internet_gateway)
AWS.EC2.ElasticIP (aws_eip)
AWS.EC2.FlowLog (aws_flow_log)
AWS.EC2.Image (aws_ami) (beta)
AWS.EC2.Instance (aws_instance)
AWS.EC2.InternetGateway (aws_internet_gateway)
AWS.EC2.KeyPair (aws_key_pair)
AWS.EC2.NATGateway (aws_nat_gateway)
AWS.EC2.NetworkACL (aws_network_acl)
AWS.EC2.NetworkInterface (aws_network_interface)
AWS.EC2.PlacementGroup (aws_placement_group)
AWS.EC2.RouteTable (aws_route_table)
AWS.EC2.RouteTableAssociation (aws_route_table_association)
AWS.EC2.SecurityGroup (aws_security_group)
AWS.EC2.Subnet (aws_subnet)
AWS.EC2.Volume (aws_ebs_volume)
AWS.EC2.Vpc (aws_vpc)
AWS.EC2.VpcIpv4CidrBlockAssociation (aws_vpc_ipv4_cidr_block_association)
AWS.EC2.VpcPeeringConnection (aws_vpc_peering_connection)
AWS.EC2.VpnConnection (aws_vpn_connection)
AWS.EC2.VpnConnectionRoute (aws_vpn_connection_route)
AWS.EC2.VpnGateway (aws_vpn_gateway)
ECR¶
AWS.ECR.Repository (aws_ecr_repository)
ECS¶
AWS.ECS.Cluster (aws_ecs_cluster)
AWS.ECS.Service (aws_ecs_service)
AWS.ECS.Task (aws_ecs_task)
AWS.ECS.TaskDefinition (aws_ecs_task_definition)
ELB (Elastic Load Balancing)¶
AWS.ELB.BackendServerPolicy (aws_load_balancer_backend_server_policy)
AWS.ELB.ListenerPolicy (aws_load_balancer_listener_policy)
AWS.ELB.LoadBalancer (aws_elb)
AWS.ELB.Policy (aws_load_balancer_policy)
ELBv2 (Elastic Load Balancing v2)¶
AWS.ELBv2.Listener (aws_lb_listener)
AWS.ELBv2.ListenerRule (aws_lb_listener_rule)
AWS.ELBv2.LoadBalancer (aws_lb)
AWS.ELBv2.TargetGroup (aws_lb_target_group)
ElastiCache¶
Note
When ElastiCache.Cluster resources belong to an ElastiCache.ReplicationGroup, the clusters themselves are not scanned but the replication group is. The replication group manages the clusters and contains all of the relevant settings, so there is no need to scan the clusters individually. In contrast, ElastiCache clusters that do not belong to a replication group are scanned individually.
AWS.ElastiCache.Cluster (aws_elasticache_cluster)
AWS.ElastiCache.ParameterGroup (aws_elasticache_parameter_group)
AWS.ElastiCache.ReplicationGroup (aws_elasticache_replication_group)
Glacier (S3 Glacier)¶
AWS.Glacier.Vault (aws_glacier_vault)
IAM (Identity & Access Management)¶
AWS.IAM.AccessKey (aws_iam_access_key)
AWS.IAM.AccountPasswordPolicy (aws_iam_account_password_policy)
AWS.IAM.CredentialReport (aws_iam_credential_report)
AWS.IAM.Group (aws_iam_group)
AWS.IAM.GroupMembership (aws_iam_group_membership)
AWS.IAM.GroupPolicy (aws_iam_group_policy)
AWS.IAM.GroupPolicyAttachment (aws_iam_group_policy_attachment)
AWS.IAM.InstanceProfile (aws_iam_instance_profile)
AWS.IAM.OpenIDConnectProvider (aws_iam_openid_connect_provider)
AWS.IAM.Policy (aws_iam_policy)
AWS.IAM.Role (aws_iam_role)
AWS.IAM.RolePolicy (aws_iam_role_policy)
AWS.IAM.RolePolicyAttachment (aws_iam_role_policy_attachment)
AWS.IAM.SAMLProvider (aws_iam_saml_provider)
AWS.IAM.User (aws_iam_user)
AWS.IAM.UserPolicy (aws_iam_user_policy)
AWS.IAM.UserPolicyAttachment (aws_iam_user_policy_attachment)
Inspector¶
AWS.Inspector.AssessmentTarget (aws_inspector_assessment_target)
AWS.Inspector.AssessmentTemplate (aws_inspector_assessment_template)
KMS (Key Management Service)¶
AWS.KMS.Alias (aws_kms_alias)
AWS.KMS.Grant (aws_kms_grant)
AWS.KMS.Key (aws_kms_key)
Kinesis¶
AWS.Kinesis.Stream (aws_kinesis_stream)
AWS.KinesisFirehose.DeliveryStream (aws_kinesis_firehose_delivery_stream)
Lambda¶
AWS.Lambda.Alias (aws_lambda_alias)
AWS.Lambda.EventSourceMapping (aws_lambda_event_source_mapping)
AWS.Lambda.Function (aws_lambda_function)
Organizations¶
AWS.Organizations.Organization (aws_organizations_organization)
RDS¶
AWS.RDS.Cluster (aws_rds_cluster)
AWS.RDS.ClusterParameterGroup (aws_rds_cluster_parameter_group)
AWS.RDS.EventSubscription (aws_db_event_subscription)
AWS.RDS.Instance (aws_db_instance)
AWS.RDS.OptionGroup (aws_db_option_group)
AWS.RDS.ParameterGroup (aws_db_parameter_group)
AWS.RDS.SubnetGroup (aws_db_subnet_group)
Redshift¶
AWS.Redshift.Cluster (aws_redshift_cluster)
AWS.Redshift.ParameterGroup (aws_redshift_parameter_group)
AWS.Redshift.SubnetGroup (aws_redshift_subnet_group)
S3¶
AWS.S3.Bucket (aws_s3_bucket)
AWS.S3.BucketInventory (aws_s3_bucket_inventory)
AWS.S3.BucketMetric (aws_s3_bucket_metric)
AWS.S3.BucketNotification (aws_s3_bucket_notification)
AWS.S3.BucketPolicy (aws_s3_bucket_policy)
AWS.S3.BucketPublicAccessBlock (aws_s3_bucket_public_access_block)
Step Functions (SFN)¶
AWS.SFN.StateMachine (aws_sfn_state_machine)
SNS¶
AWS.SNS.Subscription (aws_sns_topic_subscription)
AWS.SNS.Topic (aws_sns_topic)
SQS¶
AWS.SQS.Queue (aws_sqs_queue)
Systems Manager (SSM)¶
AWS.SSM.Activation (aws_ssm_activation)
AWS.SSM.Association (aws_ssm_association)
AWS.SSM.Document (aws_ssm_document)
AWS.SSM.MaintenanceWindow (aws_ssm_maintenance_window)
AWS.SSM.MaintenanceWindowTarget (aws_ssm_maintenance_window_target)
AWS.SSM.MaintenanceWindowTask (aws_ssm_maintenance_window_task)
AWS.SSM.Parameter (aws_ssm_parameter)
AWS.SSM.PatchBaseline (aws_ssm_patch_baseline)
AWS.SSM.PatchGroup (aws_ssm_patch_group)
AWS.SSM.ResourceDataSync (aws_ssm_resource_data_sync)
Recommended Resource Types: AWS GovCloud¶
In order to get the most out of Fugue, you can opt to scan a Fugue-recommended set of resource types. We’ve chosen these resources because of their high impact on security, and they include security groups, IAM roles, S3 buckets, and more.
AWS Certificate Manager (ACM)¶
AWS.ACM.Certificate (aws_acm_certificate)
API Gateway¶
AWS.ApiGateway.Authorizer (aws_api_gateway_authorizer)
AWS.ApiGateway.ClientCertificate (aws_api_gateway_client_certificate)
AWS.ApiGateway.Deployment (aws_api_gateway_deployment)
AWS.ApiGateway.DomainName (aws_api_gateway_domain_name)
AWS.ApiGateway.RequestValidator (aws_api_gateway_request_validator)
AWS.ApiGateway.Resource (aws_api_gateway_resource)
AWS.ApiGateway.RestApi (aws_api_gateway_rest_api)
AWS.ApiGateway.Stage (aws_api_gateway_stage)
AWS.ApiGateway.UsagePlan (aws_api_gateway_usage_plan)
AWS.ApiGateway.VpcLink (aws_api_gateway_vpc_link)
Auto Scaling¶
AWS.AutoScaling.AutoScalingGroup (aws_autoscaling_group)
AWS.AutoScaling.LaunchConfiguration (aws_launch_configuration)
AWS.AutoScaling.LaunchTemplate (aws_launch_template)
AWS.AutoScaling.LifecycleHook (aws_autoscaling_lifecycle_hook)
AWS.AutoScaling.Policy (aws_autoscaling_policy)
AWS.AutoScaling.Schedule (aws_autoscaling_schedule)
CloudTrail¶
AWS.CloudTrail.Trail (aws_cloudtrail)
CloudWatch¶
AWS.CloudWatch.Dashboard (aws_cloudwatch_dashboard)
AWS.CloudWatch.MetricAlarm (aws_cloudwatch_metric_alarm)
AWS.CloudWatchEvents.Rule (aws_cloudwatch_event_rule)
AWS.CloudWatchEvents.Target (aws_cloudwatch_event_target)
AWS.CloudWatchLogs.Destination (aws_cloudwatch_log_destination)
AWS.CloudWatchLogs.DestinationPolicy (aws_cloudwatch_log_destination_policy)
AWS.CloudWatchLogs.LogGroup (aws_cloudwatch_log_group)
AWS.CloudWatchLogs.MetricFilter (aws_cloudwatch_log_metric_filter)
AWS.CloudWatchLogs.ResourcePolicy (aws_cloudwatch_log_resource_policy)
AWS.CloudWatchLogs.SubscriptionFilter (aws_cloudwatch_log_subscription_filter)
Config¶
AWS.Config.ConfigurationRecorder (aws_config_configuration_recorder)
AWS.Config.ConfigurationRecorderStatus (aws_config_configuration_recorder_status)
AWS.Config.DeliveryChannel (aws_config_delivery_channel)
AWS.Config.Rule (aws_config_config_rule)
DynamoDB¶
AWS.DynamoDB.Table (aws_dynamodb_table)
EC2¶
Note
Fugue does not support the legacy EC2-Classic platform.
AWS.EC2.CustomerGateway (aws_customer_gateway)
AWS.EC2.DhcpOptions (aws_vpc_dhcp_options)
AWS.EC2.DhcpOptionsAssociation (aws_vpc_dhcp_options_association)
AWS.EC2.EgressOnlyInternetGateway (aws_egress_only_internet_gateway)
AWS.EC2.ElasticIP (aws_eip)
AWS.EC2.FlowLog (aws_flow_log)
AWS.EC2.Instance (aws_instance)
AWS.EC2.InternetGateway (aws_internet_gateway)
AWS.EC2.KeyPair (aws_key_pair)
AWS.EC2.NATGateway (aws_nat_gateway)
AWS.EC2.NetworkACL (aws_network_acl)
AWS.EC2.PlacementGroup (aws_placement_group)
AWS.EC2.RouteTable (aws_route_table)
AWS.EC2.RouteTableAssociation (aws_route_table_association)
AWS.EC2.SecurityGroup (aws_security_group)
AWS.EC2.Subnet (aws_subnet)
AWS.EC2.Volume (aws_ebs_volume)
AWS.EC2.Vpc (aws_vpc)
AWS.EC2.VpcIpv4CidrBlockAssociation (aws_vpc_ipv4_cidr_block_association)
AWS.EC2.VpcPeeringConnection (aws_vpc_peering_connection)
AWS.EC2.VpnConnection (aws_vpn_connection)
AWS.EC2.VpnConnectionRoute (aws_vpn_connection_route)
AWS.EC2.VpnGateway (aws_vpn_gateway)
ECR¶
AWS.ECR.Repository (aws_ecr_repository)
ECS¶
AWS.ECS.Cluster (aws_ecs_cluster)
AWS.ECS.Service (aws_ecs_service)
AWS.ECS.Task (aws_ecs_task)
AWS.ECS.TaskDefinition (aws_ecs_task_definition)
ELB (Elastic Load Balancing)¶
AWS.ELB.BackendServerPolicy (aws_load_balancer_backend_server_policy)
AWS.ELB.ListenerPolicy (aws_load_balancer_listener_policy)
AWS.ELB.LoadBalancer (aws_elb)
AWS.ELB.Policy (aws_load_balancer_policy)
ELBv2 (Elastic Load Balancing v2)¶
AWS.ELBv2.Listener (aws_lb_listener)
AWS.ELBv2.ListenerRule (aws_lb_listener_rule)
AWS.ELBv2.LoadBalancer (aws_lb)
AWS.ELBv2.TargetGroup (aws_lb_target_group)
ElastiCache¶
Note
When ElastiCache.Cluster resources belong to an ElastiCache.ReplicationGroup, the clusters themselves are not scanned but the replication group is. The replication group manages the clusters and contains all of the relevant settings, so there is no need to scan the clusters individually. In contrast, ElastiCache clusters that do not belong to a replication group are scanned individually.
AWS.ElastiCache.Cluster (aws_elasticache_cluster)
AWS.ElastiCache.ParameterGroup (aws_elasticache_parameter_group)
AWS.ElastiCache.ReplicationGroup (aws_elasticache_replication_group)
Glacier (S3 Glacier)¶
AWS.Glacier.Vault (aws_glacier_vault)
IAM (Identity & Access Management)¶
AWS.IAM.AccessKey (aws_iam_access_key)
AWS.IAM.AccountPasswordPolicy (aws_iam_account_password_policy)
AWS.IAM.CredentialReport (aws_iam_credential_report)
AWS.IAM.Group (aws_iam_group)
AWS.IAM.GroupMembership (aws_iam_group_membership)
AWS.IAM.GroupPolicy (aws_iam_group_policy)
AWS.IAM.GroupPolicyAttachment (aws_iam_group_policy_attachment)
AWS.IAM.InstanceProfile (aws_iam_instance_profile)
AWS.IAM.OpenIDConnectProvider (aws_iam_openid_connect_provider)
AWS.IAM.Policy (aws_iam_policy)
AWS.IAM.Role (aws_iam_role)
AWS.IAM.RolePolicy (aws_iam_role_policy)
AWS.IAM.RolePolicyAttachment (aws_iam_role_policy_attachment)
AWS.IAM.SAMLProvider (aws_iam_saml_provider)
AWS.IAM.User (aws_iam_user)
AWS.IAM.UserPolicy (aws_iam_user_policy)
AWS.IAM.UserPolicyAttachment (aws_iam_user_policy_attachment)
KMS (Key Management Service)¶
AWS.KMS.Alias (aws_kms_alias)
AWS.KMS.Grant (aws_kms_grant)
AWS.KMS.Key (aws_kms_key)
Kinesis¶
AWS.Kinesis.Stream (aws_kinesis_stream)
AWS.KinesisFirehose.DeliveryStream (aws_kinesis_firehose_delivery_stream)
Lambda¶
AWS.Lambda.Alias (aws_lambda_alias)
AWS.Lambda.EventSourceMapping (aws_lambda_event_source_mapping)
AWS.Lambda.Function (aws_lambda_function)
RDS¶
AWS.RDS.Cluster (aws_rds_cluster)
AWS.RDS.ClusterParameterGroup (aws_rds_cluster_parameter_group)
AWS.RDS.EventSubscription (aws_db_event_subscription)
AWS.RDS.Instance (aws_db_instance)
AWS.RDS.OptionGroup (aws_db_option_group)
AWS.RDS.ParameterGroup (aws_db_parameter_group)
AWS.RDS.SubnetGroup (aws_db_subnet_group)
Redshift¶
AWS.Redshift.Cluster (aws_redshift_cluster)
AWS.Redshift.ParameterGroup (aws_redshift_parameter_group)
AWS.Redshift.SubnetGroup (aws_redshift_subnet_group)
S3¶
AWS.S3.Bucket (aws_s3_bucket)
AWS.S3.BucketInventory (aws_s3_bucket_inventory)
AWS.S3.BucketMetric (aws_s3_bucket_metric)
AWS.S3.BucketNotification (aws_s3_bucket_notification)
AWS.S3.BucketPolicy (aws_s3_bucket_policy)
AWS.S3.BucketPublicAccessBlock (aws_s3_bucket_public_access_block)
Step Functions (SFN)¶
AWS.SFN.StateMachine (aws_sfn_state_machine)
SNS¶
AWS.SNS.Subscription (aws_sns_topic_subscription)
AWS.SNS.Topic (aws_sns_topic)
SQS¶
AWS.SQS.Queue (aws_sqs_queue)
Resources Not Included In Fugue-Recommended List¶
The following is the list of resources that are not included in the Fugue’s recommended list of resource types to scan.
ACM Private Certificate Authority (ACM PCA)¶
AWS.ACMPCA.CertificateAuthority (aws_acmpca_certificate_authority)
Directory Service¶
AWS.DirectoryService.ConditionalForwarder (aws_directory_service_conditional_forwarder)
AWS.DirectoryService.Directory (aws_directory_service_directory)
EC2¶
AWS.EC2.Image (aws_ami) (beta)
AWS.EC2.NetworkInterface (aws_network_interface)
Inspector¶
AWS.Inspector.AssessmentTarget (aws_inspector_assessment_target)
AWS.Inspector.AssessmentTemplate (aws_inspector_assessment_template)
Organizations¶
AWS.Organizations.Organization (aws_organizations_organization)
Route 53¶
AWS.Route53.DelegationSet (aws_route53_delegation_set)
AWS.Route53.HealthCheck (aws_route53_health_check)
AWS.Route53.QueryLog (aws_route53_query_log)
AWS.Route53.Record (aws_route53_record)
AWS.Route53.Zone (aws_route53_zone)
AWS.Route53.ZoneAssociation (aws_route53_zone_association)
Systems Manager (SSM)¶
AWS.SSM.Activation (aws_ssm_activation)
AWS.SSM.Association (aws_ssm_association)
AWS.SSM.Document (aws_ssm_document)
AWS.SSM.MaintenanceWindow (aws_ssm_maintenance_window)
AWS.SSM.MaintenanceWindowTarget (aws_ssm_maintenance_window_target)
AWS.SSM.MaintenanceWindowTask (aws_ssm_maintenance_window_task)
AWS.SSM.Parameter (aws_ssm_parameter)
AWS.SSM.PatchBaseline (aws_ssm_patch_baseline)
AWS.SSM.PatchGroup (aws_ssm_patch_group)
AWS.SSM.ResourceDataSync (aws_ssm_resource_data_sync)
Secrets Manager¶
AWS.SecretsManager.Secret (aws_secretsmanager_secret)