Setup - AWS & AWS GovCloud


Looking for Azure setup instructions? To get started with Fugue on Microsoft Azure, see Setup - Azure.

Fugue setup is simple. First, sign up here. Once you’ve registered, you’ll be able to set up your first AWS environment and start scanning for compliance state, drift detection, and baseline enforcement (auto-remediation) of resources. (For Azure setup, see Setup - Azure.)

Step 1: Define your AWS environment

One of the first actions you’ll take in Fugue will be to define your environment. An environment represents cloud infrastructure in a provider account and includes resource configuration, compliance state, and more. After you log in, select the “Define Your Environment” button (which appears by default for new users) and you’ll be prompted to provide an environment name and select a cloud service provider – in this case, Amazon Web Services:


Step 2: Set Region, Resource Types, IAM Role

Next, select a region, choose resources to be scanned or enforced, and specify an IAM role ARN with the appropriate permissions:



Providing your AWS IAM role ARN and region will configure Fugue to scan the infrastructure in the account associated with that role and region.

Step 2a: Select Region

Select the desired region from the drop-down menu. You’ll see a list of supported AWS standard and GovCloud regions:

  • US East (N. Virginia) - us-east-1

  • US East (Ohio) - us-east-2

  • US West (N. California) - us-west-1

  • US West (Oregon) - us-west-2

  • Asia Pacific (Mumbai) - ap-south-1

  • Asia Pacific (Seoul) - ap-northeast-2

  • Asia Pacific (Singapore) - ap-southeast-1

  • Asia Pacific (Sydney) - ap-southeast-2

  • Asia Pacific (Tokyo) - ap-northeast-1

  • Canada (Central) - ca-central-1

  • EU (Frankfurt) - eu-central-1

  • EU (Ireland) - eu-west-1

  • EU (London) - eu-west-2

  • EU (Paris) - eu-west-3

  • South America (São Paulo) - sa-east-1

  • AWS GovCloud (US-East) - us-gov-east-1

  • AWS GovCloud (US) - us-gov-west-1

Step 2b: Select resources

Next, specify the cloud resources you want Fugue to scan and enforce in the “Resources to Include” section:


In the “Scan Access” or “Enforce Access” column, check the box next to the name of the resource you want included in scans or enforcement.

To select or deselect all resources for scan or enforce access, check the box next to the “Scan Access” or “Enforce Access” heading. To select or deselect all resources for a service, check the box next to the service heading (e.g., S3).

An asterisk * indicates that a resource has a dependency that will automatically be included when selecting the resource. This means both resources will be included in the IAM role policy.

Enforcement access (write permission) requires scan access (read permission). If you select enforcement access for a resource, scan access will automatically be selected.

To expand the list and display all resources, select “Expand Resources” below the list. Then, to shorten the list, select “Contract Resources.”


If you change resource types or permissions later, you must also update Fugue’s IAM role or scans will fail. For instructions, see Update IAM Role.

AWS GovCloud Resources

If you’ve selected a GovCloud region, the list of available resources shows only the resources that are supported in GovCloud. To view the list of resources Fugue supports in AWS standard regions vs. in AWS GovCloud, see Service Coverage.

For more details on the differences between the standard AWS regions and AWS GovCloud regions, refer to Amazon’s documentation about service-specific differences and general differences.


Fugue scans and enforces AWS GovCloud environments but is itself hosted in an AWS standard region. It uses a cross-account role that exists in a Fugue-owned GovCloud account.

Step 2c: Specify IAM Role

Before you can run Fugue, you will need to create an AWS IAM role with the appropriate permissions in an inline policy. (Read more about IAM roles here.)

Create IAM Role Via CloudFormation Stack


If you’re setting up your first environment in an account, keep reading. However, if you are setting up a new environment to scan/enforce different resources in the same AWS account, you need to create the IAM role manually.

In order to scan or enforce your resources, Fugue needs to create an IAM role in your account. In the “AWS IAM Role” section of the environment setup page, select the “Create New AWS IAM Role” button and then the “Launch Stack in AWS Console” button. You’ll be brought to the CloudFormation “Create stack” page.


Follow the prompts (default settings are fine) by clicking “Next” until you reach a page requesting acknowledgment for the creation of the required IAM resources.


Clicking “Create” will take you to the CloudFormation stacks page and display the stack creation status. (This process typically takes less than a minute.)

Once the stack is created, if you click on the “Outputs” tab, you will see the ARN that you need to copy and paste into the AWS IAM Role ARN field on the Fugue environment setup page.


The next step is to choose compliance standards, so jump ahead to continue setup. Later, you can come back and update your IAM role or trust policy if needed.

Create IAM Role Manually


This section is not part of initial setup and only applies when creating an additional environment in the same AWS account.

If you are setting up a new environment to scan/enforce different resources in the same AWS account, you need to manually create a new IAM role. This is due to the fact that AWS does not allow duplicate CloudFormation stack names or IAM role names in the same account.

Create a New Role

When you set up your new environment, select the desired resources to scan or enforce and select “Edit Existing AWS IAM Role.” We’re actually going to create a new role, but we need Fugue to generate the JSON policy so we can add it to the role later.


For now, just select the “Edit IAM Role in AWS Console” button below the generated policy to navigate to the IAM Management Console. Once you’re in the console, select “Roles” from the list of links on the left, then select the “Create role” button. Choose “Another AWS Account” as the type of trusted entity and paste the Fugue account number corresponding to your cloud provider or region in the Account ID field:

AWS Standard Regions


AWS GovCloud Regions


Here’s an example in an AWS standard region:


Specifying the Fugue account number enables Fugue to scan and enforce resources in your account. Leave the options below the field unchecked for now. Then, select the “Next: Permissions” button.

You’ll add the inline policy after you create the role, so no need to add permissions now – just skip ahead to the “Next: Tags” button. Here, you may optionally add tags to the role. When you’re done, select “Next: Review.”

Enter a role name that is different from the original Fugue IAM role created by the CloudFormation stack you launched for your first Fugue environment. Add a description, too. In the example below, we named the role FugueRiskManager2:


Select the “Create role” button. You’ll see a message that your new role has been created. Now, you can add an inline policy to it.

Add an Inline Policy

Select the new role name and you’ll see the “Summary” page. In the “Permissions policies” section, select the “Add inline policy” link near the right side of the screen:


Now it’s time to grab the IAM policy Fugue generated for you, so return to Fugue’s Settings page and select the “Edit Existing AWS IAM Role” button if you haven’t already. Then, copy the JSON policy by selecting the “Copy to Clipboard” icon:


Back in the AWS Console, on the “Create policy” screen, select the JSON tab:


In the text box, paste the JSON policy you just copied and select the “Review policy” button. Then, enter a policy name, like this:


Select the “Create policy” button. You’ll be returned to the role summary.

Add Trust Policy

There’s just one more thing to do before you can enter the role in the Fugue environment setup: add the trust policy to allow only a specific role within the Fugue account to scan and enforce your resources. The policy allows just one role to be specified. This upholds the security principle of least privilege by preventing the entire Fugue account from accessing your resources.

In the list of IAM roles, select the original role created by the CloudFormation stack you launched for your first Fugue environment. Then, select the “Trust relationships” tab:


Next, select “Edit trust relationship.”


Your new IAM role should use the same trust policy as the original role, so on the “Edit Trust Relationship” screen, copy the entire JSON IAM policy shown. This is important because the trust policy includes your unique external ID, which adds another layer of security by preventing anyone from assuming the role unless they also have your ID.

Below is an example of a trust policy. Note that Fugue’s role ARN has a different account number depending on whether your environment is in an AWS standard region or AWS GovCloud.


After you copy the policy, select “Cancel” at the bottom of the screen to exit.

Back in the list of IAM roles, select your new IAM role and select the “Trust relationships” tab, then the “Edit trust relationship” button. Paste the JSON policy into the text box, and this time select the “Update Trust Policy” button at the bottom of the screen. When you return to the IAM role details, the “Trusted entities” should list the Fugue role arn:aws:iam::TRUST_POLICY_ACCOUNT:role/generate-credentials, where TRUST_POLICY_ACCOUNT is one of the following:

AWS Standard Regions


AWS GovCloud Regions


Here’s an example in an AWS standard region:


Select the “Update Trust Policy” button to return to the summary page for your new role. You can now copy the role’s ARN near the top of the page and enter it into the “AWS IAM Role ARN” field in the Fugue environment setup.

All done! You’ve manually created an IAM role for Fugue. Now, you can jump ahead to select compliance standards for your environment.

Update IAM Role


This section is not part of initial setup and is only necessary if you change the resources Fugue scans or enforces.

To update an IAM role’s scan and/or enforce access permissions, select “Edit Existing AWS IAM Role.” The IAM policy generated for the permissions chosen in “Resources to Include” is displayed. Hover over the policy to reveal a “Copy to Clipboard” icon. To display all of the JSON, you can select “Expand JSON.” Then, to shorten the JSON, select “Contract JSON.”

Once you’ve copied the policy to your clipboard, select “Edit IAM Role In AWS Console” to head to the IAM Management Console and follow these steps:

  1. Navigate to “Roles” in the left sidebar and look for FugueRiskManager, then select the role.

  2. Expand the RiskManager inline policy.

  3. Select “Edit policy.”


4. Select the JSON tab.

5. Replace the existing policy with the updated policy and select “Review policy.”

6. Select “Save changes.”

7. Back in Fugue, select “Continue.”

Update IAM Role Trust Policy


This section is not part of initial setup and is only required if Fugue has instructed you to update the Fugue IAM role trust policy.

In response to a security event, Fugue may direct you to change the trusted entity that can assume the Fugue IAM role. To do so, head to the IAM Management Console and follow these steps:

  1. Navigate to “Roles” in the left sidebar and look for FugueRiskManager, then select the role.

  2. Select the “Trust relationships” tab.


3. Select “Edit trust relationship.”


4. In the following line of the JSON policy, replace the account number in the role ARN with the trust policy account number Fugue provided you:

"AWS": "arn:aws:iam::TRUST_POLICY_ACCOUNT:role/generate-credentials"

5. Select “Update Trust Policy.”

Step 3: Select Compliance Libraries

To assess your cloud environment for compliance, select one or more of these standard compliance libraries:

You may also select none and instead add them at a later date via the environment settings.


AWS GovCloud Compliance Standards

AWS and AWS GovCloud environments offer the same list of compliance standards. However, AWS GovCloud regions only support a subset of the services available in standard regions, so GovCloud regions support a subset of available compliance controls. For rules that require service coverage that is not supported in GovCloud, the compliance state is listed as Unknown. To view the list of resources Fugue supports in AWS GovCloud, see Service Coverage.

Step 4: Review Environment Details

Finally, you may review the details for your environment, including environment name, region, AWS IAM role ARN, the selected compliance standards, and the selected resource types to scan and enforce:


Note that if anything needs to be changed, you can revisit the appropriate step by selecting the step number near the upper right of your screen:



You can revisit previous steps at any point in the setup process – not just during the final step.

If the review looks good, select the “Approve and Begin Initial Scan” button. Fugue will create your environment and start to scan your infrastructure.

What is supported?


Supported browsers include the latest versions of Chrome, Safari, Edge, Firefox, and Opera.


Internet Explorer is not supported.

Cloud Providers

Fugue currently supports AWS standard and GovCloud regions in addition to Microsoft Azure. If there’s a cloud provider you’d like Fugue to support, we’d love to hear from you. Reach out to us at

Supported AWS Services

For a list of currently supported AWS and AWS GovCloud services and resources, see Service Coverage. If you have questions about specific services or resources, reach out to us at