How To: Update the Fugue IAM Role


See a list of all possible Fugue permissions here.

Fugue only scans or enforces the resource types you select. If you select different resources, you must update the AWS Identity & Access Management (IAM) role so Fugue can access the resource configuration properly. You do this by copying a tightly scoped policy Fugue generates for you and updating the role policy in AWS.

  1. Access Environment Settings by selecting cog Edit Environment from the Actions drop-down in the top right of the page:


2. Select the resources you want to update for scan/enforce access.

3. Scroll down to Connect to AWS Resources and select the Edit Existing AWS IAM Role tab. Below it, Fugue generates a policy based on the resources you chose.


When you add new resources, if all required permissions are already part of the SecurityAudit policy automatically attached to new roles, the generated JSON policy will be empty.

If that’s the case, you’re done – there’s no need to update your role!

4. Hover over the policy to reveal a “Copy to Clipboard” icon, and copy the policy.

5. Select Edit IAM Role In AWS Console to head to the IAM Management Console:


6. Select the role for the given environment.

7. Click the > arrow to expand the Fugue inline policy and select Edit policy.


8. Select the JSON tab.

9. Paste the policy you copied from Fugue and select Review policy.

10. Select Save changes and exit the AWS Console.

11. Return to Fugue and select Save changes.

That’s it – you’re done! You just updated the Fugue IAM role.

Update Role to Enable Enforcement

When you first created the IAM role, you gave Fugue read-only permission to scan the configuration of selected resources. To allow Fugue to automatically revert configuration drift, you must give it write permission to enforce resource configuration. This requires updating the IAM role with a tightly scoped policy that grants Fugue just the permissions it needs to modify the resources you choose. See a list of all possible Fugue permissions here.

The process for adding/updating enforce permissions is the same as for scan permissions, so follow the steps in the previous section.


Don’t forget – this is just step 2 of enabling enforcement. See Enabling Enforcement for the full process.

Update IAM Role Trust Policy


This section is only required if Fugue has instructed you to update the Fugue IAM role trust policy.

In response to a security event, Fugue may direct you to change the trusted entity that can assume the Fugue IAM role. To do so, head to the IAM Management Console and follow these steps:

  1. Select the Fugue IAM role for the given environment.

  2. Select the “Trust relationships” tab.


3. Select “Edit trust relationship.”


4. In the following line of the JSON policy, replace the account number in the role ARN with the trust policy account number Fugue provided you:

"AWS": "arn:aws:iam::TRUST_POLICY_ACCOUNT:role/generate-credentials"

5. Select “Update Trust Policy.”

That’s it – you’re done! You just updated the Fugue IAM role trust policy.