How To: Create a Fugue IAM Role

This quick tutorial shows how to create the Fugue IAM role to scan an AWS or AWS GovCloud environment by launching a CloudFormation stack in your AWS account.


See a list of all possible IAM permissions here.

If you’d prefer to create the role manually, see Create Role Manually.

What’s Going to Happen?

When you launch a stack to create an IAM role in your account, Fugue creates the role with permissions according to the resource types you selected. It attaches two policies to the role:

  1. The AWS-managed SecurityAudit read-only policy

  2. An inline policy granting any required permissions not covered by SecurityAudit, if needed

If you’d like to see the permissions tailored to your selected resource types, follow the instructions here. For a list of all possible permissions Fugue might need, see Setup.

Let’s Go!

From the Create New Environment workflow, proceed to step 2 (Resources) and select the region and resource types to be scanned, then scroll down to Connect to AWS Resources:


Launch CloudFormation Stack



  1. Select Launch Stack in AWS Console.

  2. Select Next on the next three pages, keeping defaults.

  3. Check the box to acknowledge that CloudFormation may create IAM resources with custom names.

  4. Select Create Stack.

  5. On the created stack page, select the Outputs tab.

  6. Copy the IAM role ARN from the Value column after it appears (this may take a few seconds and require refreshing).

  7. Paste the IAM role ARN in the AWS IAM Role ARN field in Fugue.

That’s it – you’re done! You just created an IAM role for Fugue.


How do I see the role permissions before creating the role?

You can inspect the exact permissions Fugue will grant the role by viewing the stack template in the AWS console without actually creating the role. Simply exit the AWS console workflow at any time before selecting Create Stack in step 4 above. Follow the instructions below:



  1. In Fugue, the Create New AWS IAM Role tab is selected by default, so select the Launch Stack in AWS Console button underneath it to access the CloudFormation Stack Designer.

  2. In the AWS console, select View In Designer.

  3. The Template tab at the bottom of the page is selected by default, so scroll down to see the exact list of permissions that will be assigned to the role.

  4. Because Fugue also attaches the AWS-managed SecurityAudit read-only policy, see the list of SecurityAudit permissions here.
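If you copy the template out of the Template tab, the same review can be scripted. The following is an added example, not Fugue's own code: it assumes the template is in JSON form, and the sample template, the resource and policy names in it, and the list of "read-only" action prefixes are all constructed for illustration.

```python
import json

# Assumption of this example: action names with these prefixes are read-only.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "BatchGet", "Lookup")

# Constructed sample, not Fugue's template; paste the JSON from the Template tab instead.
SAMPLE_TEMPLATE = json.loads("""
{"Resources": {"ScanRole": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "ManagedPolicyArns": ["arn:aws:iam::aws:policy/SecurityAudit"],
    "Policies": [{
      "PolicyName": "ExtraScanPermissions",
      "PolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["sns:GetTopicAttributes", "s3:PutObject"], "Resource": "*"},
        {"Effect": "Allow", "Action": "kms:*", "Resource": "*"}
      ]}
    }]
}}}}
""")

def as_list(value):
    """IAM accepts a single item or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]

def review_template(template):
    """Summarise each AWS::IAM::Role: SecurityAudit attached, inline actions, actions to review."""
    report = {}
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        props = res.get("Properties", {})
        actions = []
        for policy in props.get("Policies", []):
            for stmt in as_list(policy["PolicyDocument"].get("Statement", [])):
                if stmt.get("Effect") == "Allow":
                    actions += as_list(stmt.get("Action", []))
        report[name] = {
            # Serialising each entry also matches ARNs wrapped in Fn::Sub, in any partition.
            "security_audit": any('iam::aws:policy/SecurityAudit"' in json.dumps(arn)
                                  for arn in props.get("ManagedPolicyArns", [])),
            "inline_actions": sorted(actions),
            # Anything that is not a plain read verb (writes, "svc:*", "*") needs a human look.
            "needs_review": sorted(a for a in actions
                                   if not a.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES)),
        }
    return report

if __name__ == "__main__":
    print(json.dumps(review_template(SAMPLE_TEMPLATE), indent=2))
```

An empty needs_review list means every inline action matched the read-only prefixes; it does not cover the SecurityAudit policy itself, which is reviewed separately as described in step 4.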

What’s Next?

Check out our Hello World AWS tutorial to continue getting started with Fugue. You can also jump ahead to one of our other examples.

Or, if you’d prefer, learn how to: