Service Coverage - AWS & AWS GovCloud
Note
For supported Azure services, see Service Coverage - Azure & Azure Government. For Google, see Service Coverage - Google Cloud.
Tip
To interact with the API using query parameters, use the Fugue resource names as formatted below (the Terraform resource name is also acceptable). When using request body parameters, add quotation marks around each resource name like this: "AWS.AutoScaling.AutoScalingGroup", "AWS.SNS.Topic", etc.
The following services and resources are supported in the latest version of Fugue.
(beta) denotes resources with beta support. To request access, contact support@fugue.co.
(G) denotes resources supported in AWS GovCloud.
(R) denotes resources included in the Fugue Recommended Resource Types list.
Each resource is listed with its Terraform type in parentheses for the purpose of writing custom rules.
For more information about resources and regions, see details here.
AWS Account Management (beta)
ACM Private Certificate Authority (ACM PCA)
AWS.ACMPCA.CertificateAuthority (aws_acmpca_certificate_authority) (G)
API Gateway
AWS.ApiGateway.Authorizer (aws_api_gateway_authorizer) (G) (R)
AWS.ApiGateway.ClientCertificate (aws_api_gateway_client_certificate) (G) (R)
AWS.ApiGateway.Deployment (aws_api_gateway_deployment) (G) (R)
AWS.ApiGateway.DomainName (aws_api_gateway_domain_name) (G) (R)
AWS.ApiGateway.RequestValidator (aws_api_gateway_request_validator) (G) (R)
AWS.ApiGateway.UsagePlan (aws_api_gateway_usage_plan) (G) (R)
API Gateway Version 2 (beta)
AWS.ApiGatewayV2.ApiMapping (aws_apigatewayv2_api_mapping) (beta) (G) (R)
AWS.ApiGatewayV2.Authorizer (aws_apigatewayv2_authorizer) (beta) (G) (R)
AWS.ApiGatewayV2.Deployment (aws_apigatewayv2_deployment) (beta) (G) (R)
AWS.ApiGatewayV2.DomainName (aws_apigatewayv2_domain_name) (beta) (G) (R)
AWS.ApiGatewayV2.Integration (aws_apigatewayv2_integration) (beta) (G) (R)
AWS.ApiGatewayV2.IntegrationResponse (aws_apigatewayv2_integration_response) (beta) (G) (R)
AWS.ApiGatewayV2.Model (aws_apigatewayv2_model) (beta) (G) (R)
AWS.ApiGatewayV2.Route (aws_apigatewayv2_route) (beta) (G) (R)
AWS.ApiGatewayV2.RouteResponse (aws_apigatewayv2_route_response) (beta) (G) (R)
AWS.ApiGatewayV2.Stage (aws_apigatewayv2_stage) (beta) (G) (R)
AWS.ApiGatewayV2.VpcLink (aws_apigatewayv2_vpc_link) (beta) (G) (R)
Auto Scaling
CloudFormation (beta)
CloudWatch
AWS.CloudWatch.MetricAlarm (aws_cloudwatch_metric_alarm) (G) (R)
AWS.CloudWatchEvents.Rule (aws_cloudwatch_event_rule) (G) (R)
AWS.CloudWatchEvents.Target (aws_cloudwatch_event_target) (G) (R)
AWS.CloudWatchLogs.Destination (aws_cloudwatch_log_destination) (G) (R)
AWS.CloudWatchLogs.DestinationPolicy (aws_cloudwatch_log_destination_policy) (G) (R)
AWS.CloudWatchLogs.LogGroup (aws_cloudwatch_log_group) (G) (R)
AWS.CloudWatchLogs.MetricFilter (aws_cloudwatch_log_metric_filter) (G) (R)
AWS.CloudWatchLogs.ResourcePolicy (aws_cloudwatch_log_resource_policy) (G) (R)
AWS.CloudWatchLogs.SubscriptionFilter (aws_cloudwatch_log_subscription_filter) (G) (R)
Cognito
AWS.Cognito.IdentityProvider (aws_cognito_identity_provider) (R)
AWS.Cognito.ResourceServer (aws_cognito_resource_server) (R)
AWS.Cognito.UserGroup (aws_cognito_user_group) (R)
AWS.Cognito.UserPool (aws_cognito_user_pool) (R)
AWS.Cognito.UserPoolClient (aws_cognito_user_pool_client) (R)
AWS.Cognito.UserPoolDomain (aws_cognito_user_pool_domain) (R)
Config
AWS.Config.AggregationAuthorization (aws_config_aggregate_authorization) (G) (R)
AWS.Config.ConfigurationAggregator (aws_config_configuration_aggregator) (G) (R)
AWS.Config.ConfigurationRecorder (aws_config_configuration_recorder) (G) (R)
AWS.Config.ConfigurationRecorderStatus (aws_config_configuration_recorder_status) (G) (R)
AWS.Config.DeliveryChannel (aws_config_delivery_channel) (G) (R)
Directory Service
DocumentDB (beta)
EC2
Note
Fugue does not support the legacy EC2-Classic platform.
AWS.EC2.DhcpOptionsAssociation (aws_vpc_dhcp_options_association) (G) (R)
AWS.EC2.EgressOnlyInternetGateway (aws_egress_only_internet_gateway) (G) (R)
AWS.EC2.NetworkInterface (aws_network_interface) (G)
AWS.EC2.RouteTableAssociation (aws_route_table_association) (G) (R)
AWS.EC2.VpcEndpointConnectionNotification (aws_vpc_endpoint_connection_notification) (G) (R)
AWS.EC2.VpcEndpointService (aws_vpc_endpoint_service) (G) (R)
AWS.EC2.VpcIpv4CidrBlockAssociation (aws_vpc_ipv4_cidr_block_association) (G) (R)
AWS.EC2.VpcPeeringConnection (aws_vpc_peering_connection) (G) (R)
AWS.EC2.VpnConnectionRoute (aws_vpn_connection_route) (G) (R)
ECR
ECS
EFS
ELB (Elastic Load Balancing)
ELBv2 (Elastic Load Balancing v2)
ElastiCache
Note
When ElastiCache.Cluster resources belong to an ElastiCache.ReplicationGroup, the clusters themselves are not scanned but the replication group is. The replication group manages the clusters and contains all of the relevant settings, so there is no need to scan the clusters individually. In contrast, ElastiCache clusters that do not belong to a replication group are scanned individually.
Glue (beta)
GuardDuty
IAM (Identity & Access Management)
AWS.IAM.AccountPasswordPolicy (aws_iam_account_password_policy) (G) (R)
AWS.IAM.CredentialReport (aws_iam_credential_report) (G) (R)
AWS.IAM.GroupPolicyAttachment (aws_iam_group_policy_attachment) (G) (R)
AWS.IAM.OpenIDConnectProvider (aws_iam_openid_connect_provider) (G) (R)
AWS.IAM.RolePolicyAttachment (aws_iam_role_policy_attachment) (G) (R)
AWS.IAM.ServerCertificate (aws_iam_server_certificate) (beta) (G) (R)
AWS.IAM.UserPolicyAttachment (aws_iam_user_policy_attachment) (G) (R)
IAM Access Analyzer (beta)
Inspector
KMS (Key Management Service)
Kinesis
Lambda
MediaStore (Elemental MediaStore)
Neptune (beta)
Organizations
Resource Access Manager (RAM) (beta)
RDS
Redshift
Route 53
AWS.Route53.DelegationSet (aws_route53_delegation_set)
AWS.Route53.HealthCheck (aws_route53_health_check)
AWS.Route53.QueryLog (aws_route53_query_log)
AWS.Route53.Record (aws_route53_record)
AWS.Route53.Zone (aws_route53_zone)
AWS.Route53.ZoneAssociation (aws_route53_zone_association)
S3
SageMaker (beta)
SNS
Systems Manager (SSM)
AWS.SSM.Activation (aws_ssm_activation) (G)
AWS.SSM.Association (aws_ssm_association) (G)
AWS.SSM.Document (aws_ssm_document) (G)
AWS.SSM.MaintenanceWindow (aws_ssm_maintenance_window) (G)
AWS.SSM.MaintenanceWindowTarget (aws_ssm_maintenance_window_target) (G)
AWS.SSM.MaintenanceWindowTask (aws_ssm_maintenance_window_task) (G)
AWS.SSM.Parameter (aws_ssm_parameter) (G)
AWS.SSM.PatchBaseline (aws_ssm_patch_baseline) (G)
AWS.SSM.PatchGroup (aws_ssm_patch_group) (G)
AWS.SSM.ResourceDataSync (aws_ssm_resource_data_sync) (G)
WAF
AWS.WAF.ByteMatchSet (aws_waf_byte_match_set) (R)
AWS.WAF.GeoMatchSet (aws_waf_geo_match_set) (R)
AWS.WAF.RateBasedRule (aws_waf_rate_based_rule) (R)
AWS.WAF.RegexMatchSet (aws_waf_regex_match_set) (R)
AWS.WAF.RegexPatternSet (aws_waf_regex_pattern_set) (R)
AWS.WAF.Rule (aws_waf_rule) (R)
AWS.WAF.RuleGroup (aws_waf_rule_group) (R)
AWS.WAF.SQLInjectionMatchSet (aws_waf_sql_injection_match_set) (R)
AWS.WAF.SizeConstraintSet (aws_waf_size_constraint_set) (R)
AWS.WAF.WebACL (aws_waf_web_acl) (R)
AWS.WAF.XSSMatchSet (aws_waf_xss_match_set) (R)
WAFRegional
AWS.WAFRegional.ByteMatchSet (aws_wafregional_byte_match_set) (G) (R)
AWS.WAFRegional.GeoMatchSet (aws_wafregional_geo_match_set) (G) (R)
AWS.WAFRegional.RateBasedRule (aws_wafregional_rate_based_rule) (G) (R)
AWS.WAFRegional.RegexMatchSet (aws_wafregional_regex_match_set) (G) (R)
AWS.WAFRegional.RegexPatternSet (aws_wafregional_regex_pattern_set) (G) (R)
AWS.WAFRegional.RuleGroup (aws_wafregional_rule_group) (G) (R)
AWS.WAFRegional.SQLInjectionMatchSet (aws_wafregional_sql_injection_match_set) (G) (R)
AWS.WAFRegional.SizeConstraintSet (aws_wafregional_size_constraint_set) (G) (R)
AWS.WAFRegional.XSSMatchSet (aws_wafregional_xss_match_set) (G) (R)