How To: Manually Create a Fugue IAM Role

When setting up an AWS or AWS GovCloud environment, you can create the AWS Identity & Access Management (IAM) role and policy for Fugue manually. For example, you might want to select more fine-grained read-only permissions than the AWS-managed SecurityAudit policy provides. See a list of all possible Fugue permissions here.


Looking for an easier method of creating a role? You can launch a CloudFormation stack (default) or run an AWS CLI command.

Create a New Role

During environment setup, you’re given the option to create an IAM role and policy by launching a CloudFormation stack (default) or running an AWS CLI command. To create the role manually, you instead copy the CloudFormation template, modify it as desired, and then launch a stack to create the resources.

1. Click the view template link:


You’ll see a modal containing the CloudFormation template Fugue generated for you based on the resource types you selected for scanning. The template includes the AWS-managed read-only SecurityAudit policy and a tightly-scoped supplemental policy to cover any additional permissions.

2. Copy the template:


3. Navigate to CloudFormation in the AWS Management Console and select Create stack.

4. In the dropdown, select With new resources (standard).


5. Select the Create template in Designer radio button.

6. Click the Create template in designer button that appears beneath the radio button.


7. Select the Template tab in the bottom left of the Designer.

8. Paste the CloudFormation template you copied into the text box.

9. Modify the template as desired.

10. Click the cloud-shaped Create stack icon in the upper left to return to the Create Stack workflow.



If you remove the SecurityAudit policy, be sure to add the necessary permissions for the resource types you’ve selected. For reference, see the list of all possible read-only (scan) permissions and write (enforce) permissions when the policy is created manually. See also the SecurityAudit permissions.

11. Click the Next button and enter a stack name.

12. Select Next on the next two steps of the workflow.

13. On the third page, check the box to acknowledge that CloudFormation may create IAM resources with custom names.

14. Select Create stack.

15. Once the stack is created, click on the Outputs tab and copy the role ARN.


16. Paste the ARN into the ARN of created IAM role field on the Fugue environment setup page.
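For step 9 and the note about removing SecurityAudit, the edited template can be reviewed before the stack is launched. The following is an added example, not Fugue's own code: it assumes the template is JSON, runs on a constructed sample with placeholder names and account ID, and uses a hypothetical read-only verb-prefix list as a heuristic for which actions to compare against the permission lists referenced above.

```python
import json

AUDIT_SUFFIX = ":policy/SecurityAudit"  # suffix match covers aws and aws-us-gov partitions
READ_VERBS = ("Get", "List", "Describe", "BatchGet", "Lookup")  # heuristic, not Fugue's list

# Constructed sample: a template edited to drop SecurityAudit. Names and account ID are placeholders.
SAMPLE_TEMPLATE = """
{"Resources": {"ScanRole": {"Type": "AWS::IAM::Role", "Properties": {
  "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}]},
  "ManagedPolicyArns": [],
  "Policies": [{"PolicyName": "SupplementalScan", "PolicyDocument": {"Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["s3:GetBucketPolicy", "ec2:Describe*", "s3:PutBucketPolicy", "iam:*"]}]}}]}}}}
"""


def _as_list(value):
    """IAM and CloudFormation allow a single item where a list is expected."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _policy_documents(resource):
    """Yield policy documents from a role's inline policies or a standalone policy resource."""
    props = resource.get("Properties", {})
    if resource.get("Type") == "AWS::IAM::Role":
        for inline in _as_list(props.get("Policies")):
            yield inline.get("PolicyDocument", {})
    elif resource.get("Type") in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
        yield props.get("PolicyDocument", {})


def review_template(template_text):
    """Return (security_audit_attached, [(resource_name, action), ...] needing review)."""
    resources = json.loads(template_text).get("Resources", {})
    audit_attached, to_review = False, []
    for name, resource in resources.items():
        arns = _as_list(resource.get("Properties", {}).get("ManagedPolicyArns"))
        audit_attached |= any(AUDIT_SUFFIX in json.dumps(arn) for arn in arns)
        for document in _policy_documents(resource):
            for statement in _as_list(document.get("Statement")):
                allow = statement.get("Effect") == "Allow"
                for action in map(str, _as_list(statement.get("Action")) if allow else []):
                    # "s3:*" and "*" leave no read-only verb, so they are flagged too
                    if not action.split(":", 1)[-1].startswith(READ_VERBS):
                        to_review.append((name, action))
    return audit_attached, to_review
```

A flagged action is not necessarily wrong: write (enforce) permissions will appear in the list, so the output is a prompt to confirm each one is intended. If the first value is `False`, every scan permission the selected resource types need must come from the remaining policies.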


All done! You’ve manually created an IAM role for Fugue. Now, you can move on to the next step of setting up your environment: selecting compliance standards.


If you create or edit a CloudFormation stack through CloudFormation Designer or by uploading a CloudFormation template through the AWS Console or CLI, AWS stores the template files in an S3 bucket created for the purpose of holding all templates in a given region.