Use Cases

AWS Scanning Compliance

As a best practice, Fugue recommends scanning your entire AWS account for compliance across all regions in a single environment. Additionally, Fugue recommends starting with the recommended resource types (AWS, AWS GovCloud). We’ve chosen these resources because of their high impact on security, and they include security groups, IAM roles, S3 buckets, and more. Refer to Setup - AWS & AWS GovCloud for more information.

AWS Scanning Compliance - Existing Environments

If you have multiple existing environments in the same AWS account with one region selected for each, you should consider creating a new environment for compliance scanning with all regions/resource types selected. Once you create an environment, you cannot remove or add regions through the UI, but you can update the regions via the API. For more information about using Fugue refer to Setup - AWS & AWS GovCloud and Environment Configuration.

If you have drift detection and optionally enforcement enabled for an environment, you should keep that environment rather than create a new environment that scans multiple regions.

Drift

Fugue recommends creating a new environment for the resources in which you want to enable drift detection. In Fugue, you must establish a baseline to enable drift detection. We recommend creating a new environment for this subset, so it is easier to monitor and be notified if any of these resources drifted. Fugue only needs read permissions to detect drift within your environment. For more information on enabling drift detection within your environment, refer to Setting or Updating a Baseline.

Enforcement

Fugue recommends creating a new environment for the resources in which you want to enable drift detection and enforcement. Enforcement is an action taken without human intervention by Fugue to revert any configuration drift back to the established baseline without the need for external remediation scripts or “bots.” As a best practice, you should not enable enforcement for the same set of resources across multiple environments, as enabling enforcement in the same region multiple times can introduce enforcement conflicts.

To enable enforcement in Fugue, you need to:

  1. Create a new environment with the resources in which you want to enable enforcement. As a best practice, Fugue recommends you enable enforcement on business-critical resources, such as S3 buckets or security groups. For more information, refer to Recommended AWS Resource Types to Enforce (AWS, AWS GovCloud).

  2. You need to update your IAM role policy to include read and write permissions for the resources you want to enable enforcement. Fugue needs the write permissions to automatically revert any configuration drift back to the established baseline. Refer to How To: Update the Fugue IAM Role and AWS IAM Policy Permissions for more information.

  3. Establish a baseline, which acts as a “contract” between you and your various stakeholders on the known good state of the selected resources. Refer to Setting or Updating a Baseline for more information.

  4. Enable enforcement in your environment. Once enforcement is enabled, Fugue automatically reverts any configuration drift back to the established baseline without the need for external remediation scripts or “bots.” Refer to Enabling Enforcement for more information.