Visualizer

The Fugue visualizer creates detailed interactive diagrams of the cloud infrastructure in an AWS, AWS GovCloud, or Azure environment. The diagrams are automatically generated and updated, allowing users to easily visualize resource configurations, relationships, and compliance state for current or previous scans.

_images/VizDashboard1.png

Users can access the visualizer from the environment dashboard by selecting the “Visualizer” link in the header near the top of the page:

_images/viz-link.png

By default, the diagram is zoomed out to show all resources in the graph. You can zoom in or view in full screen to more closely inspect the resources:

_images/VizZoomed.png

Compliance state visualization is enabled by default and noncompliant resources are shown in red. For more information about compliance visualization, see Visualizing Resource Compliance State.

_images/viz-compliance-state-example.png

Environment resources from the latest scan are displayed by default and the diagram is automatically updated after future scans. If you change the resource types that Fugue scans, the visualizer will reflect the updated types after the next scan. You can visualize previous scans by using the date picker.

For a list of the resources the visualizer supports, see Which Resources are Visualized? For a list of resources that also support compliance visualization, see Resources Supporting Compliance State Visualization.

Visualization Components

The visualizer is composed of many different elements, which are labeled below:

_images/VizAnnotatedNumbers.png
  1. Each circular node represents a single resource,

  2. or a resource group, bounded by a box.

  3. Expanded resource groups allow you to view each individual resource.

  4. Lines between resources represent resource connections. There are three types:

    1. Security group connections between resources

    2. Connections to the internet from internet gateways (IGWs) and S3 buckets with website configurations

    3. Connections from S3 buckets to log buckets

  5. A network (such as a VPC, above) is depicted as a set of brackets [ ]. Resources in the network are depicted as nodes inside the brackets.

  6. The internet is depicted as an I-beam symbol. A resource connected to this symbol is connected to the internet.

  7. Unconnected resources appear on the right side of the visualization.

  8. Labels and configuration information, such as the name Example EC2 Instance below, are shown when you zoom in closely and are hidden when you zoom farther out.

_images/VizLabel.png

Noncompliant resources appear in red. Below, the EC2 instance is compliant, and the noncompliant ELB and example-sg security group are shown in red. For more details, see Visualizing Resource Compliance State.

_images/VizNoncomplianceSmall1.png

For a list of resources that can currently be visualized, see Which Resources are Visualized? For a list of resources that support compliance visualization, see Resources Supporting Compliance State Visualization.

Security Group Connections Between Resources

A security group connection between resources occurs when one resource has a security group that accepts traffic from resources in a second security group. The connection is represented as a line between the resource nodes.

For example, the diagram below shows two resources, Example LB and Example AutoScalingGroup:

  • security-group-1 is associated with Example LB.

  • security-group-2 is associated with Example AutoScalingGroup.

As you can see from the direction of the arrow, security-group-2 allows traffic from security-group-1, so a line is drawn from Example LB to Example AutoScalingGroup.

_images/VizSGConnection.png

Visualizing Resource Compliance State

Compliance state visualization is enabled by default, and can be toggled off or on with the v symbol at the bottom right of the graph. Noncompliant resource nodes are red. If a resource type supports compliance visualization, and it is not red, it is compliant. For a list of resources that support compliance visualization, see Compliance State Visualization.

Below, the ELB node, CloudFront distribution node, example-sg security group, and three of the four DDB nodes are noncompliant and shown in red. The EC2 node and the DDB node named Example DDB Table are both compliant.

_images/VizNoncompliance1.png

If you click on the red warning symbol next to a noncompliant node, you’ll see a list of failed compliance rules and why they failed. This modal is the same one you’d see under the Compliance by Resource tab in the environment dashboard. In the animation below, you can see that the DDB table named dev-database is noncompliant with a number of compliance controls:

_images/VizNoncomplianceModal1.gif

All circles in a collapsed resource group are black when all resources are compliant and all circles are red when all resources are noncompliant. Groups with both compliant and noncompliant resources are shown in both black and red. When any resource in a resource group is noncompliant, the top node in the collapsed group is shown as noncompliant. To see the compliance state for each individual resource, expand the group.

For a list of resources that support compliance visualization, see Compliance State Visualization.

Panning, Zooming, and Viewing in Full Screen

You can navigate the visualizer by panning and zooming. You can also reset zoom so all resources are shown, enable/disable full screen mode, and enable/disable compliance visualization.

To pan, click inside the diagram and drag it around:

_images/VizPan.gif

To zoom in:

  • Click the plus sign + in the bottom right of the graph

  • Or, scroll down with the mouse

  • Or, pinch closed on the trackpad

To zoom out:

  • Click the minus sign - in the bottom right of the graph

  • Or, scroll up with the mouse

  • Or, pinch open on the trackpad

To reset zoom and show all resources:

  • Click the c in the bottom right of the graph

  • Or, refresh the page

To view in full screen mode:

  • Click the f in the bottom right of the graph

To exit full screen mode:

  • Click the f symbol again

  • Or, press the Esc key on your keyboard

To view the compliance state of your resources (enabled by default):

  • Click the v in the bottom right of the graph

To disable compliance state visualization:

  • Click the v symbol again

  • Or, refresh the page

Here’s an example of zooming:

_images/VizZoomDemo.gif

Here’s an example of full screen mode:

_images/VizFullScreen.png

Here’s an example of the compliance view:

_images/VizNoncomplianceToggle1.gif

Viewing Grouped Nodes

Similar resources of the same type are grouped together. The resource group is depicted as a stack of nodes surrounded by a light gray border, and the number of grouped resources is shown in the bottom right corner. Select the outward-arrow icon in the upper right to expand the group and view the individual resources:

_images/VizGroup1.png

Select the inward-arrow icon to contract the group:

_images/VizContractGroup1.png

The animated image below shows expansion/contraction in action:

_images/VizExpandGroup1.gif

Collapsed resource groups are shown as a stack of circles. All circles are black when all resources are compliant and all circles are red when all resources are noncompliant. Groups with both compliant and noncompliant resources are shown in both black and red.

When any resource in a resource group is noncompliant, the top node in the collapsed group is shown as noncompliant. To see the compliance state for each individual resource, expand the group.

_images/viz-collapsed-stacks.png

Which Resources Are Visualized?

For a list of supported AWS and AWS GovCloud resources, see AWS & AWS GovCloud.

For Azure resources, see Azure.

Supported AWS & AWS GovCloud Resources

The visualizer currently supports the following AWS or AWS GovCloud resources. Each abbreviation shows how the resource is labeled in the diagram:

  • ApiGateway.RestApi (API)

  • AutoScaling.AutoScalingGroup (ASG)

  • AutoScaling.LaunchConfiguration (not shown, only used to render ASGs)

  • CloudFront.Distribution (CF)

  • DynamoDB.Table (DDB)

  • EC2.Instance (EC2)

  • EC2.InternetGateway (IGW)

  • EC2.RouteTable (routes shown as connections)

  • EC2.SecurityGroup (only shown as label)

  • EC2.Subnet (only shown as label)

  • EC2.Vpc (VPC)

  • ECR.Repository (ECR)

  • ECS.Service (ECS)

  • EKS.Cluster (EKS)

  • ELB.LoadBalancer (ELB)

  • ELBv2.LoadBalancer (LB)

  • Lambda.Function (λ)

  • RDS.Cluster (RDS)

  • RDS.Instance (RDS)

  • S3.Bucket (S3)

VPC Attributes

Attributes shown for each VPC:

  • CIDR block

  • VPC ID

  • Region

  • Number of security groups

  • Number of subnets

Attributes shown for each subnet:

  • Name, if subnet is named

  • CIDR block, if unnamed

  • Unique label corresponding to resources inside the subnet (purple badge, top)

Attributes shown for each security group:

  • Name

  • Unique label corresponding to resources inside the security group (blue badge, bottom)

Each resource inside the VPC shows a label corresponding to its subnet and security group. The purple subnet label appears above the blue security group label. (If the subnet or security group is noncompliant, the label is red instead.)

Below, Example EC2 Instance is in subnet new-subnet-2 (label B) and the default security group (label C):

_images/VizSubnets1.png

You can click on a label to show all resources in that security group or subnet, and the rest of the visualization is dimmed. For example, the subnet risk-manager-subnet with the label C is highlighted, and you can see that the LB and ASG are both in the subnet:

_images/viz-highlight-subnet.png

AWS & AWS GovCloud Resources Supporting Compliance State Visualization

The visualizer also shows compliance state for the following resources:

  • ApiGateway.RestApi (API)

  • AutoScaling.AutoScalingGroup (ASG)

  • CloudFront.Distribution (CF)

  • DynamoDB.Table (DDB)

  • EC2.Instance (EC2)

  • EC2.SecurityGroup (label)

  • EC2.Subnet (label)

  • EC2.Vpc (VPC)

  • ECR.Repository (ECR)

  • ECS.Service (ECS)

  • EKS.Cluster (EKS)

  • ELB.LoadBalancer (ELB)

  • ELBv2.LoadBalancer (LB)

  • Lambda.Function (λ)

  • RDS.Cluster (RDS)

  • RDS.Instance (RDS)

  • S3.Bucket (S3)

Implicit Resources

Sometimes infrastructure in your environment may refer to a security group or subnet that Fugue doesn’t have access to. For example, if you have a VPC peering connection with an external account, Fugue does not have access to anything inside the external VPC.

In situations like this, the unknown security group and/or subnet is labeled Implicit {RESOURCE}:

_images/VizImplicit.png
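The two rules described above (a line is drawn from a resource in a security group to any resource whose security group accepts traffic from it, and a security group Fugue cannot see is labeled Implicit) are illustrated below with a small edge-building function. This is an added example, not Fugue’s own code; the security groups, resource names and the `ingress_from` field are constructed sample data, and `sg-peer-unknown` stands in for a group in a peered account Fugue has no access to.

```python
# Constructed sample data (not from Fugue's API). Each security group lists
# the other security groups whose members it accepts traffic from.
SECURITY_GROUPS = {
    "security-group-1": {"ingress_from": []},
    "security-group-2": {"ingress_from": ["security-group-1"]},
    # sg-db accepts traffic from security-group-2 and from a group that lives
    # in a peered account Fugue cannot scan (hypothetical id).
    "sg-db": {"ingress_from": ["security-group-2", "sg-peer-unknown"]},
}

# Which security groups each visualized resource is associated with.
RESOURCES = {
    "Example LB": ["security-group-1"],
    "Example AutoScalingGroup": ["security-group-2"],
    "Example RDS": ["sg-db"],
}


def implicit_label(sg_id):
    """Label used for a security group Fugue has no visibility into."""
    return f"Implicit {sg_id}"


def security_group_edges(resources, security_groups):
    """Return sorted (source, target) pairs, one per line in the diagram.

    An edge runs from a resource in the allowed source group to the
    resource whose group accepts that traffic. A source group that is not
    in the scanned inventory becomes an Implicit node instead.
    """
    # Invert the resource -> groups mapping so we can find group members.
    members = {}
    for resource, groups in resources.items():
        for group in groups:
            members.setdefault(group, []).append(resource)

    edges = set()
    for target, groups in resources.items():
        for group in groups:
            for source_group in security_groups[group]["ingress_from"]:
                if source_group not in security_groups:
                    # Unknown group: draw the line from an Implicit node.
                    edges.add((implicit_label(source_group), target))
                    continue
                for source in members.get(source_group, []):
                    if source != target:  # skip self-loops
                        edges.add((source, target))
    return sorted(edges)


if __name__ == "__main__":
    for source, target in security_group_edges(RESOURCES, SECURITY_GROUPS):
        print(f"{source} -> {target}")
```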

AWS & AWS GovCloud Resources Not Shown in Visualization

The visualizer does not currently support the following resources.

Note

If you see a resource below that you would like to be supported, contact support@fugue.co.

  • ACM.Certificate

  • ApiGateway.Authorizer

  • ApiGateway.ClientCertificate

  • ApiGateway.Deployment

  • ApiGateway.DomainName

  • ApiGateway.RequestValidator

  • ApiGateway.Resource

  • ApiGateway.Stage

  • ApiGateway.UsagePlan

  • ApiGateway.VpcLink

  • AutoScaling.LaunchTemplate

  • AutoScaling.LifecycleHook

  • AutoScaling.Policy

  • AutoScaling.Schedule

  • CloudTrail.Trail

  • CloudWatch.Dashboard

  • CloudWatch.MetricAlarm

  • CloudWatchEvents.Rule

  • CloudWatchEvents.Target

  • CloudWatchLogs.Destination

  • CloudWatchLogs.DestinationPolicy

  • CloudWatchLogs.LogGroup

  • CloudWatchLogs.MetricFilter

  • CloudWatchLogs.ResourcePolicy

  • CloudWatchLogs.SubscriptionFilter

  • Cognito.IdentityProvider

  • Cognito.ResourceServer

  • Cognito.UserGroup

  • Cognito.UserPool

  • Cognito.UserPoolClient

  • Cognito.UserPoolDomain

  • Config.AggregationAuthorization

  • Config.ConfigurationAggregator

  • Config.ConfigurationRecorder

  • Config.ConfigurationRecorderStatus

  • Config.DeliveryChannel

  • Config.Rule

  • EC2.CustomerGateway

  • EC2.DhcpOptions

  • EC2.DhcpOptionsAssociation

  • EC2.ElasticIP

  • EC2.FlowLog

  • EC2.KeyPair

  • EC2.NATGateway

  • EC2.NetworkACL

  • EC2.NetworkInterface

  • EC2.PlacementGroup

  • EC2.RouteTableAssociation

  • EC2.SpotFleetRequest

  • EC2.Volume

  • EC2.VpcEndpoint

  • EC2.VpcEndpointConnectionNotification

  • EC2.VpcEndpointService

  • EC2.VpcIpv4CidrBlockAssociation

  • EC2.VpcPeeringConnection

  • EC2.VpnConnection

  • EC2.VpnConnectionRoute

  • EC2.VpnGateway

  • ECS.Cluster

  • ECS.TaskDefinition

  • ELB.BackendServerPolicy

  • ELB.ListenerPolicy

  • ELB.Policy

  • ELBv2.Listener

  • ELBv2.ListenerRule

  • ELBv2.TargetGroup

  • ElastiCache.Cluster

  • ElastiCache.ParameterGroup

  • ElastiCache.ReplicationGroup

  • GuardDuty.Detector

  • GuardDuty.Member

  • IAM.AccessKey

  • IAM.AccountPasswordPolicy

  • IAM.CredentialReport

  • IAM.Group

  • IAM.GroupMembership

  • IAM.GroupPolicy

  • IAM.GroupPolicyAttachment

  • IAM.InstanceProfile

  • IAM.OpenIDConnectProvider

  • IAM.Policy

  • IAM.RolePolicy

  • IAM.RolePolicyAttachment

  • IAM.SAMLProvider

  • IAM.User

  • IAM.UserPolicy

  • IAM.UserPolicyAttachment

  • KMS.Alias

  • KMS.Grant

  • KMS.Key

  • Lambda.Alias

  • Lambda.EventSourceMapping

  • Macie.MemberAccountAssociation

  • Macie.S3BucketAssociation

  • MediaStore.Container

  • MediaStore.ContainerPolicy

  • RDS.ClusterParameterGroup

  • RDS.EventSubscription

  • RDS.OptionGroup

  • RDS.ParameterGroup

  • RDS.SubnetGroup

  • Redshift.Cluster

  • Redshift.ParameterGroup

  • Redshift.SubnetGroup

  • Route53.DelegationSet

  • Route53.HealthCheck

  • Route53.QueryLog

  • Route53.Record

  • Route53.Zone

  • S3.BucketInventory

  • S3.BucketMetric

  • S3.BucketNotification

  • S3.BucketPolicy

  • S3.BucketPublicAccessBlock

  • SecretsManager.Secret

  • SFN.StateMachine

  • SNS.Subscription

  • SNS.Topic

  • SQS.Queue

  • WAF.WebACL

Supported Azure Resources

The visualizer currently supports the following Azure resources. Each abbreviation shows how the resource is labeled in the diagram:

  • Azure.Compute.VirtualMachine (VM)

  • Azure.Network.NetworkInterface (not shown, used to link VMs with Subnets and Security Groups)

  • Azure.Network.NetworkSecurityGroup (only shown as label)

  • Azure.Network.Subnet (only shown as label)

  • Azure.Network.VirtualNetwork (VNET)

  • Azure.SQL.Server (SQL)

  • Azure.Storage.Account (STOR)

VNet Attributes

Attributes shown for each Azure Virtual Network:

  • Name

  • Region

  • Number of security groups

  • Number of subnets

Attributes shown for each subnet:

  • Name

  • Unique label corresponding to resources inside the subnet (purple badge, top)

Attributes shown for each security group:

  • Name

  • Unique label corresponding to resources inside the security group (blue badge, bottom)

Each resource inside the VNet shows a label corresponding to its subnet and security group. The purple subnet label appears above the blue security group label.

Below, virtual machine dev-east-vm is in subnet default (label A, top) and security group dev-east-vm-nsg (label A, bottom):

_images/VNetSubnets.png

Azure Resources Supporting Compliance State Visualization

The visualizer also shows compliance state for the following resources:

  • Azure.Compute.VirtualMachine (VM)

  • Azure.SQL.Server (SQL)

  • Azure.Storage.Account (STOR)

Azure Resources Not Shown in Visualization

The visualizer does not currently support the following resources.

Note

If you see a resource below that you would like to be supported, contact support@fugue.co.

  • Azure.Compute.ManagedDisk

  • Azure.Network.LocalNetworkGateway

  • Azure.Network.NetworkSecurityRule

  • Azure.Network.NetworkWatcher

  • Azure.Network.PublicIPAddress

  • Azure.Network.VirtualNetworkGateway

  • Azure.Network.VirtualNetworkGatewayConnection

  • Azure.SQL.FirewallRule

Visualizing Previous Scans

To visualize resources from a previous scan, select a scan date and time from the date picker on the visualizer page:

_images/VizHistoricScan.png

The page will automatically refresh with an updated visualization. You can continue to select other scans from the date picker to visualize resources from past scans as desired. To reset to the most recent scan, simply refresh the page. If you leave the page, the diagram will be reset to the most recent scan when you return.

Warning

Do not select the Establish Baseline button unless you intend to set the baseline to the selected scan.

Saving a Diagram

To save the visualization for a particular scan, simply take a screenshot of the diagram. To save the visualization of a historic scan, see Visualizing Previous Scans.

Supported Browsers

The visualizer is supported in the following browsers:

  • Chrome

  • Firefox

  • Opera

  • Safari

The visualizer is not currently supported in Microsoft Edge.

Note

The Fugue API does not support visualization.

WebGL is Required

Hardware acceleration must be enabled in your browser to use WebGL.

Chrome and Opera:

  • Preferences > Advanced > System > Use hardware acceleration when available

Firefox:

  • Preferences > Performance > Use recommended performance settings > Use hardware acceleration when available