Visualizer

The Fugue visualizer creates detailed interactive diagrams of the infrastructure in an AWS, AWS GovCloud, Azure, Azure Government, Google, or repository environment. The diagrams are automatically generated and updated, allowing users to easily visualize resource configurations, relationships, and compliance state for current or previous scans. The visualization can be exported as a PNG or SVG.

_images/search_viz_pods.gif

Users can access the visualizer from the environment dashboard by selecting the “Visualizer” link in the header near the top of the page:

_images/viz-link-1.png

By default, the diagram is zoomed out to show all resources in the graph, with networks and regions collapsed (except the largest region). You can zoom in or view in full screen to more closely inspect the resources. Select a resource to view its attributes.

_images/viz_pods_nocompliance.png

Compliance state visualization is enabled by default and noncompliant resources are shown in red. For more information about compliance visualization, see Visualizing Resource Compliance State.

_images/viz_zoomed_pods.png

Environment resources from the latest scan are displayed by default and the diagram is automatically updated after future scans. If you change the resource types that Fugue scans, the visualizer will reflect the updated types after the next scan. You can visualize previous scans by using the date picker.

For a list of the resources shown in the visualizer, see Which Resources are Visualized? Note that the details panel shows references and compliance state for all the resources Fugue supports.

Visualization Components

The visualizer is composed of many different elements, which are labeled below. Click here to see the diagram in full size.

_images/viz-annotaed-fugue-5.png

1. Each circular node represents a single resource

_images/viz-single-resource.png

2. …Or grouped resources bounded by a thin gray box, with the number of nodes in the bottom right corner:

_images/viz-group-collapsed.png

3. Expanding grouped resources allows you to view each individual resource:

_images/viz-group-expanded.png

4. A collection is a square containing zero or more nodes, and the number of nodes appears in the bottom right. A collection represents a resource that contains other resource types, such as an Amazon ECS service containing tasks:

_images/viz-collection.png

5. Collections can be expanded to show the nodes inside of them:

_images/viz-expanded-collection-pods.png

6. Collections may also be grouped together

_images/viz-grouped-collection.png

…and therefore a group of collections can be expanded or collapsed:

_images/viz-expanded-grouped-collection.png

7. A collection that doesn’t contain any resources is shown with a gray slash through it (see note here):

_images/viz-empty-collection.png

8. Lines between resources represent resource connections. There are four types:

  • Security group connections between resources

  • Connections to the internet from internet gateways and S3 buckets with website configurations

  • Connections from S3 buckets to log buckets (shown below)

  • VPC peering connections

_images/viz-connected-resources.png

9. A network (such as an Azure VNET, below) is depicted as a set of brackets [ ]. Resources in the network are depicted as nodes inside the brackets:

_images/viz-virtual-network-pod.png

Networks are collapsed by default, and if they contain resources that can be rendered in the visualizer, they display three dots:

_images/viz-collapsed-network-with-dots-1.png

A network without any resources in it is shown with a slash through it:

_images/viz-empty-network-pod.png

10. The internet is depicted as an I-beam symbol. A resource connected to this symbol is connected to the internet:

_images/viz-internet-icon.png

11. Unconnected resources appear on the right side of the visualization:

_images/viz-unconnected-resources-pod.png

12. Labels and configuration information, such as the name super-store below, are shown when you zoom in closely and are hidden when you zoom farther out:

_images/VizLabel-Pods.png

13. Noncompliant resources appear in red. Below, the Lambda instance is compliant, and the noncompliant RDS and VPC are shown in red. For more details, see Visualizing Resource Compliance State:

_images/VizNoncomplianceSmall-pod.png

14. When an environment contains more than one region, horizontal brackets labeled by region separate the infrastructure. Global resources, such as the Amazon CloudFront distributions below, are labeled global:

_images/viz-region.png

In multi-region AWS environments, all regions are collapsed by default except the largest:

_images/viz-most-regions-collapsed1.png

Regions that are collapsed and contain resources that can be rendered in the visualizer display three dots:

_images/viz-one-region-collapsed.png

This example environment includes all supported regions:

_images/multiregion-viz-2.gif

15. When a node resource has references, they are listed as pods above it. Click on a pod to view details for a single resource or a list of resources when a pod contains multiple resources. See Pods for more information.

_images/viz-selected-pods.png

Security Group Connections Between Resources

A security group connection between resources occurs when one resource has a security group that accepts traffic from resources in a second security group. The connection is represented as a line between the resource nodes.

For example, the diagram below shows multiple AWS Lambda resources that forward traffic to the same Security Group:

_images/securitygroups-pods.png
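The derivation described above, as an added example that is not Fugue's code: given constructed security groups (with the source groups their ingress rules accept) and constructed resources (with the groups attached to them), it computes the resource-to-resource edges the visualizer would draw, plus the fan-in per target so you can see which resource is reachable from the most others. Identifiers such as `sg-lambda` and `fn-a` are made up for the example.

```python
"""Derive visualizer-style security group connections from SG rules.

Added example, not Fugue code: it models the rule that a connection exists
when one resource's security group accepts traffic from resources in a
second security group, over constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityGroup:
    """A security group and the SG ids its ingress rules accept traffic from."""
    sg_id: str
    ingress_source_sgs: frozenset = frozenset()


@dataclass(frozen=True)
class Resource:
    """A visualized resource (node) and the security groups attached to it."""
    resource_id: str
    resource_type: str
    security_groups: frozenset


def security_group_connections(resources, groups):
    """Return the set of (source_id, target_id) edges drawn between resource nodes.

    An edge source -> target exists when a security group on ``target`` has an
    ingress rule whose source is a security group attached to ``source``.
    Self-loops are dropped: a self-referencing rule connects the members of the
    group to each other, not a resource to itself.
    """
    by_id = {g.sg_id: g for g in groups}
    # Index: security group id -> ids of the resources that have it attached
    members = defaultdict(set)
    for r in resources:
        for sg in r.security_groups:
            members[sg].add(r.resource_id)

    edges = set()
    for target in resources:
        for sg_id in target.security_groups:
            group = by_id.get(sg_id)
            if group is None:
                continue  # group not present in the scan; nothing to draw
            for source_sg in group.ingress_source_sgs:
                for source_id in members.get(source_sg, ()):
                    if source_id != target.resource_id:
                        edges.add((source_id, target.resource_id))
    return edges


def fan_in(resources, groups):
    """Count how many distinct resources may reach each target via SG rules."""
    counts = defaultdict(int)
    for _, target in security_group_connections(resources, groups):
        counts[target] += 1
    return dict(counts)


# Constructed sample data: three Lambda functions in sg-lambda, an RDS instance
# whose group sg-db accepts traffic only from sg-lambda (as in the diagram
# above), and two EC2 instances in a self-referencing group sg-web.
SAMPLE_GROUPS = [
    SecurityGroup("sg-lambda"),
    SecurityGroup("sg-db", frozenset({"sg-lambda"})),
    SecurityGroup("sg-web", frozenset({"sg-web"})),
]
SAMPLE_RESOURCES = [
    Resource("fn-a", "AWS.Lambda.Function", frozenset({"sg-lambda"})),
    Resource("fn-b", "AWS.Lambda.Function", frozenset({"sg-lambda"})),
    Resource("fn-c", "AWS.Lambda.Function", frozenset({"sg-lambda"})),
    Resource("db-1", "AWS.RDS.Instance", frozenset({"sg-db"})),
    Resource("web-1", "AWS.EC2.Instance", frozenset({"sg-web"})),
    Resource("web-2", "AWS.EC2.Instance", frozenset({"sg-web"})),
]

if __name__ == "__main__":
    for src, dst in sorted(security_group_connections(SAMPLE_RESOURCES, SAMPLE_GROUPS)):
        print(f"{src} -> {dst}")
    print(fan_in(SAMPLE_RESOURCES, SAMPLE_GROUPS))
```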

Working with Pods

Pods are small circles in the visualizer that show other resources referenced by the node resource. For example, a security group referenced by a VPC instance displays as a pod above it. Click on the pod to view resource details about the security group.

_images/viz-single-sg-example.png

If multiple instances reference this security group, a pod representing it will appear above each instance. Pods appear as small shaded circles above Nodes and Clusters, and to the right of Networks. If a resource references multiple resources of the same type, they will display as a “stack” of pods. Click on the stack of pods to view the list of resources.

_images/viz-multiple-sg-example.png

If the pod resource is noncompliant, it is red.

_images/viz-noncompliant-pods.png

Visualizing Resource Compliance State

Compliance state visualization is enabled by default, and can be toggled off or on through the “Show Compliance Errors” checkbox on the View Options panel (accessible via the cog icon in the bottom left of the diagram).

Noncompliant resource nodes, networks, and collections are red. If a resource type supports compliance visualization, and it is not red, it is compliant. Waived rule results are ignored and don’t impact how a resource is visualized.

See the full list of AWS and AWS GovCloud and Azure resources that support compliance state visualization. Note that all resource types Fugue supports report compliance state in the details panel.

Below, the LB nodes are noncompliant and shown in red. The other resources, such as RDS, Lambdas, and LB nodes are compliant.

_images/VizNoncompliance-pod.png

If you click on the red warning symbol next to the noncompliant resource, the resource details panel opens, and at the bottom it lists the failed compliance controls and why they failed. In the animation below, you can see that the DDB table named example-ddb-table is noncompliant with a number of controls:

_images/viz-compliance-details.gif

Grouped resources, collections, networks, and regions show compliance a little differently. For details, see How collapsed groupings show compliance.

Viewing Groupings

Grouped resources

Similar resources of the same type are grouped together. Grouped resources in the visualizer are depicted as a stack of nodes surrounded by a light gray border, and the number of resources is shown in the bottom right corner:

_images/viz-single-resource-group.png

Grouped resources may be expanded or collapsed to view individual nodes.

Collections

A collection represents a resource that contains other resource types. For example, AWS auto scaling groups containing EC2 instances, and ECS services containing tasks, are rendered as collections. A collection is depicted as a square with a thick border containing zero or more nodes:

_images/viz-single-collection.png

Collections may also be expanded or collapsed to view individual nodes:

_images/expand_collapse_viz.gif

A collection that doesn’t contain any resources is shown with a gray slash through it.

Note

There are a variety of reasons why a collection might not contain any resources: the resources may not be currently running, they may not be enabled for scans, or you may be looking at an old scan from before Fugue added support for the resources.

_images/viz-empty-collection.png

Networks

Networks are collapsed by default. You can expand them to view the resources inside.

_images/viz-vpc-collapsed-pods.png

Networks that are collapsed and contain resources that can be rendered in the visualizer display three dots. The number in the bottom right shows the number of renderable resources in the network. This number includes nodes inside grouped resources and collections as well as resources connecting a network to the internet, such as an AWS internet gateway.

Networks that are collapsed and do not contain any renderable resources are shown with a slash through the middle:

_images/noresources-viz-pods.png

Regions

All regions except the largest are collapsed by default. As with other groupings, you can expand them to view the resources inside.

Regions that are collapsed and contain resources that can be rendered in the visualizer display three dots. As with networks, the number in the bottom right shows the number of renderable resources in the region:

_images/collapsed-expanded-regions-pods.png

How to expand and collapse groupings

You can select the outward-arrow icon in the upper right to expand the grouping and view the individual resources:

_images/VizGroup1.png

Select the inward-arrow icon to contract the grouping:

_images/VizContractGroup1.png

The animated image below shows expansion/contraction in action:

_images/expand_collapse_viz_pods1.gif

You can expand or collapse all grouped resources, collections, networks, and regions at once by accessing the View Options panel via the square cog icon in the bottom left of the diagram and then selecting Expand All Groupings or Condense All Groupings:

_images/expand_condensed_cog_pods.gif

Nested groups/collections

Collections can be grouped together. For example, in the image below, two ECS nodes are grouped together:

_images/nested_groups_collections.png

If you drill down into it, the group of collections can be expanded, in this case revealing collections containing multiple resources:

_images/ECS_TASK_collapse.png

Going one step further, you can expand individual collections – such as Prod ECS, which contains two resources:

_images/task_expanded.png

How collapsed groupings show compliance

Collapsed grouped resources, collections, groups of collections, networks, and regions show compliance state a little differently:

Nodes inside grouped resources and collections

  1. All compliant: All nodes are normal (bordered in black)

  2. All noncompliant: All nodes are red

  3. Mixed compliance:

    1. One red node if one resource is noncompliant

    2. Two red nodes, one black node if 2+ nodes (but not all) are noncompliant

When any resource in a collapsed group is noncompliant, the top node is shown as noncompliant.

Below is a group of resources containing nodes of mixed compliance:

_images/viz-resource-group-compliance.png

Single collection

A noncompliant single collection has a red background, like so:

_images/viz-noncompliant-single-collection.png

Grouped collections

  1. All compliant: All collections are normal

  2. All noncompliant: All collections are red

  3. Mixed compliance:

    1. One red collection, one black collection if one collection is noncompliant

    2. Two red collections, one black collection if 2+ collections (but not all) are noncompliant

When any collection in a collapsed group is noncompliant, the top collection is shown as noncompliant.

Below is a group of collections with mixed compliance:

_images/viz-mixed-compliance-grouped-collections.png

Below is a depiction of grouped resources with all compliant resources, no compliant resources, and mixed compliance:

_images/viz-collapsed-stacks.png

Networks and regions

  1. All contained resources are compliant: All three dots are gray

  2. All contained resources are noncompliant: All three dots are red

  3. Mixed compliance:

    1. One red dot, two gray dots if one resource is noncompliant

    2. Two red dots, one gray dot if 2+ (but not all) resources are noncompliant

Below is a depiction of regions with all compliant resources, no compliant resources, and mixed compliance:

_images/viz-mixed-compliance-regions.png

To see the compliance state for each individual resource in any grouping, expand it.
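The rules above (all compliant, all noncompliant, exactly one noncompliant, 2+ but not all) and the rule that waived results do not affect how a resource is visualized, as an added example that is not Fugue's code. It computes the three markers a collapsed grouping shows from each member's rule results and also returns the underlying count, because the indicator alone cannot distinguish 2 of 5 from 4 of 5 noncompliant members. The `PASS`/`FAIL`/`WAIVED` statuses and the resource ids are constructed for the example.

```python
"""Compute the indicator a collapsed grouping shows for its members' compliance.

Added example, not Fugue code. Marker names are illustrative: NORMAL stands
for a gray dot (networks, regions) or a black-bordered node/collection
(grouped resources, grouped collections); RED is the noncompliant color.
"""

RED = "red"
NORMAL = "normal"


def resource_is_compliant(rule_results):
    """A resource is compliant when none of its rule results is FAIL.

    WAIVED results are ignored, so a resource whose only failures are waived
    is drawn as compliant.
    """
    return not any(status == "FAIL" for status in rule_results)


def collapsed_indicator(member_results):
    """Return (markers, noncompliant_count, total) for one collapsed grouping.

    ``member_results`` maps resource id -> list of rule result statuses
    ("PASS", "FAIL" or "WAIVED"). ``markers`` is the triple the grouping
    shows, top marker first.
    """
    states = {rid: resource_is_compliant(results)
              for rid, results in member_results.items()}
    total = len(states)
    noncompliant = sum(1 for ok in states.values() if not ok)

    if noncompliant == 0:
        markers = (NORMAL, NORMAL, NORMAL)   # all compliant (or empty grouping)
    elif noncompliant == total:
        markers = (RED, RED, RED)            # all noncompliant
    elif noncompliant == 1:
        markers = (RED, NORMAL, NORMAL)      # exactly one noncompliant
    else:
        markers = (RED, RED, NORMAL)         # 2+ but not all noncompliant
    return markers, noncompliant, total


# Constructed sample: a collapsed region with five resources. db-2's only
# failing result is waived, so it counts as compliant and adds no red marker.
SAMPLE_REGION = {
    "fn-a": ["PASS", "PASS"],
    "db-1": ["FAIL", "PASS"],
    "db-2": ["WAIVED", "PASS"],
    "s3-1": ["FAIL"],
    "s3-2": ["PASS"],
}

if __name__ == "__main__":
    markers, bad, total = collapsed_indicator(SAMPLE_REGION)
    print(f"{bad}/{total} noncompliant -> dots: {markers}")
```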

For more about visualizing compliance state, see Visualizing Resource Compliance State.

Viewing the Visualizer for Repository Environments

After you kick off a scan for your repository environment, the diagram is automatically generated to include your resources from the Terraform HCL and CloudFormation YAML files in your repository. By default, the diagram is zoomed out to show all resources in the graph, with the CloudFormation or Terraform files collapsed (except the largest file). You can zoom in or view in full screen to more closely inspect the resources. Select a resource to view its attributes.

_images/IaC-repo-viz.gif

Viewing Resource Details

The visualizer allows you to view resource attributes and references via the resource details panel. To access the panel, click on a resource, and the panel appears on the left side of the screen.

The Attributes section lists configuration details for the selected resource. For example, you’d see cidr_block for an Amazon VPC. Nested attributes can be expanded or collapsed by clicking on them.

The References section lists other resources related to the selected resource. For example, you’d see a list of security groups for a VPC. You can click on a resource listed in the References section and it redirects you to that resource, as shown below.

_images/viewing_resource_details-pods.gif

The Compliance section lists any failed rules and associated compliance controls for the selected resource. For example, you might see that a noncompliant VPC failed the rule “VPC flow logging must be enabled” and the controls PCI DSS v3.2.1 1.3.4 and 1.3.5.

Because waived rule results are ignored, they are not listed in the Compliance section.

Additionally, you can copy an attribute for a resource by selecting the “Copy to Clipboard” icon.

You can close the details panel by clicking on the X on the lower right side of the panel, or by deselecting the resource.

Searching

The visualizer supports searching on resource ID, resource type, and resource name. These capabilities make it easier to find specific resources and drill down on resource details.

To search within the visualizer:

  1. Enter a resource ID, resource type, or resource name.

  2. Select the resource from the suggested list or hit enter to get a list of resources that match your search criteria. Resources that match your search criteria are highlighted blue, as shown below.

_images/searching_viz_pods.gif

  3. The visualizer zooms into the selected resource and highlights it, as shown below.

_images/search_zoom_selected_viz_pods.gif

Filtering

The visualizer supports filtering by region, tags, services, compliance state, severity, rules, or families. Filtered views can be exported. Once filters are applied, you can share them via URL.

Note

Visualizer supports filtering by resource tag for AWS and Azure.

To filter within the visualizer:

  1. Select the filter icon.

  2. Expand the filters and select the desired criteria. Only resources that match your filter criteria display, as shown below.

_images/viz-filtering-searching.png

  3. Optionally, select settings > Export as .PNG to export a filtered view of your visualization.

  4. Optionally, once the filters are applied, bookmark or share the URL.

Panning, Zooming, and Viewing in Full Screen

You can navigate the visualizer by panning and zooming. You can also reset zoom so all resources are shown, enable/disable full screen mode, and enable/disable compliance visualization. The visualizer supports keyboard shortcuts.

To pan, click inside the diagram and drag it around:

_images/panning_zooming_viz.gif

You can also use the arrow keys on your keyboard.

To zoom in:

  • Click the plus sign + in bottom right of graph

  • Or, scroll down with mouse

  • Or, pinch closed with trackpad

  • Or, press the plus + (equals =) key on your keyboard

To zoom out:

  • Click the minus sign - in bottom right of graph

  • Or, scroll up with mouse

  • Or, pinch open with trackpad

  • Or, press the minus - (underscore _) key on your keyboard

To reset zoom and show all resources:

  • Click the “center” icon in bottom right of graph

  • Or, refresh the page

  • Or, double-tap the spacebar on your keyboard

To view in full screen mode:

  • Click the full-screen toggle icon in bottom right of graph

To exit full screen mode:

  • Click the full-screen toggle icon in bottom right of graph

To view the compliance state of your resources (enabled by default):

  1. Access the View Options panel by selecting the square cog icon in the bottom left of the diagram or by pressing the period . key on your keyboard

  2. Check “Show Compliance Errors”

To disable compliance state visualization:

  1. Access the View Options panel by selecting the square cog icon in the bottom left of the diagram or by pressing the period . key on your keyboard

  2. Uncheck “Show Compliance Errors”

You can also close the View Options panel by pressing the period . key.

Here’s an example of full screen mode:

_images/viz_full_screen_pods.png

Here’s an example of the compliance view:

_images/compliance_viz_highlight_pods.gif

Which Resources Are Visualized?

For a list of AWS and AWS GovCloud resources that the visualizer can display, see AWS & AWS GovCloud.

For Azure and Azure Government resources, see Azure.

For Google resources, see Google.

Note that the details panel shows references and compliance state for all the resources Fugue supports.

Supported AWS & AWS GovCloud Resources

The resource details panel shows references and compliance state for all the AWS & AWS GovCloud resources Fugue supports.

The following resources are also displayed in the interactive diagram. Each abbreviation shows how the resource is labeled:

  • AWS.AccessAnalyzer.Analyzer (ANALYZ) [Displays as a Node]

  • AWS.ACM.Certificate (CERT) [Displays as a Node]

  • AWS.ApiGateway.Authorizer (AUTH) [Displays as a Pod]

  • AWS.ApiGateway.ClientCertificate (CERT) [Displays as a Pod]

  • AWS.ApiGateway.Deployment (DEPOLY) [Displays as a Pod]

  • AWS.ApiGateway.GatewayResponse (RESPONSE) [Displays as a Pod]

  • AWS.ApiGateway.Model (MODEL) [Displays as a Pod]

  • AWS.ApiGateway.RequestValidator (VALIDTR) [Displays as a Pod]

  • AWS.ApiGateway.Resource (RESOURCE) [Displays as a Pod]

  • AWS.ApiGateway.RestApi (API) [Displays as a Node]

  • AWS.ApiGateway.Stage (STAGE) [Displays as a Pod]

  • AWS.ApiGateway.UsagePlan (PLAN) [Displays as a Pod]

  • AWS.ApiGatewayV2.Api (API) [Displays as a Node]

  • AWS.ApiGatewayV2.ApiMapping (MAPPING) [Displays as a Pod]

  • AWS.ApiGatewayV2.Authorizer (AUTHORIZR) [Displays as a Pod]

  • AWS.ApiGatewayV2.Deployment (DEPLOY) [Displays as a Pod]

  • AWS.ApiGatewayV2.DomainName (DOMAIN) [Displays as a Pod]

  • AWS.ApiGatewayV2.Integration (INTEG) [Displays as a Pod]

  • AWS.ApiGatewayV2.IntegrationResponse (RESPONSE) [Displays as a Pod]

  • AWS.ApiGatewayV2.Model (MODEL) [Displays as a Pod]

  • AWS.ApiGatewayV2.Route (ROUTE) [Displays as a Pod]

  • AWS.ApiGatewayV2.RouteResponse (RESPONSE) [Displays as a Pod]

  • AWS.ApiGatewayV2.Stage (STAGE) [Displays as a Pod]

  • AWS.ApiGatewayV2.VpcLink (GTW LNK) [Displays as a Node Border]

  • AWS.Athena.Workgroup (ATHENA) [Displays as a Node]

  • AWS.AutoScaling.AutoScalingGroup (ASG) [Displays as a Cluster]

  • AWS.AutoScaling.LaunchConfiguration (LAUNCH CFG) [Displays as a Pod]

  • AWS.CloudFormation.Stack (STACK) [Displays as a Node]

  • AWS.CloudFormation.StackSet (STACKSET) [Displays as a Node]

  • AWS.CloudFront.Distribution (CF) [Displays as a Node]

  • AWS.CloudTrail.Trail (TRAIL) [Displays as a Node]

  • AWS.DirectoryService.ConditionalForwarder (DIRCF) [Displays as a Pod]

  • AWS.DirectoryService.Directory (DIR) [Displays as a Node]

  • AWS.DocDB.Cluster (DOC DB) [Displays as a Cluster]

  • AWS.DocDB.ClusterInstance (DB INST) [Displays as a Node]

  • AWS.DocDB.ClusterSnapshot (SNAPSHOT) [Displays as a Pod]

  • AWS.DynamoDB.Table (DDB) [Displays as a Node]

  • AWS.EC2.Image (AMI) [Displays as a Node]

  • AWS.EC2.Instance (EC2) [Displays as a Node]

  • AWS.EC2.InternetGateway (IGW) [Displays as a Node Border]

  • AWS.EC2.RouteTable (ROUTE TBL) [Displays as a Pod]

  • AWS.EC2.SecurityGroup (SG) [Displays as a Pod]

  • AWS.EC2.Snapshot (SNAPSHOT) [Displays as a Pod]

  • AWS.EC2.Subnet (SUBN) [Displays as a Pod]

  • AWS.EC2.Volume (VOLUME) [Displays as a Pod]

  • AWS.EC2.Vpc (VPC) [Displays as a Network]

  • AWS.EC2.VpcEndpoint (ENDPT) (gateway endpoints only) [Displays as a Pod]

  • AWS.EC2.VpcPeeringConnection (PEER) [Displays as a Pod]

  • AWS.ECR.LifecyclePolicy (LIFECYCLE) [Displays as a Pod]

  • AWS.ECR.Repository (ECR) [Displays as a Node]

  • AWS.ECR.RepositoryPolicy (POLICY) [Displays as a Pod]

  • AWS.ECS.Cluster (CLSTR) [Displays as a Pod]

  • AWS.ECS.Service (ECS) [Displays as a Cluster]

  • AWS.ECS.Task (TASK) [Displays as a Node]

  • AWS.ECS.TaskDefinition (DEF) [Displays as a Pod]

  • AWS.EFS.FileSystem (EFS) [Displays as a Node]

  • AWS.EFS.MountTarget (MOUNT) [Displays as a Pod]

  • AWS.EKS.Cluster (EKS) [Displays as a Node]

  • AWS.Elasticsearch.Domain (ESEARCH) [Displays as a Node]

  • AWS.ELB.LoadBalancer (ELB) [Displays as a Node]

  • AWS.ELBv2.LoadBalancer (LB) [Displays as a Node]

  • AWS.Glue.CatalogDatabase (GLUE DB) [Displays as a Cluster]

  • AWS.Glue.CatalogTable (TABLE) [Displays as a Node]

  • AWS.Glue.Connection (CONNECTION) [Displays as a Pod]

  • AWS.Glue.Crawler (CRAWLER) [Displays as a Node]

  • AWS.Glue.Database (GLUE DB) [Displays as a Cluster]

  • AWS.Glue.Job (GLUE JOB) [Displays as a Node]

  • AWS.Glue.SecurityConfiguration (SEC CFG) [Displays as a Pod]

  • AWS.Glue.Table (TABLE) [Displays as a Node]

  • AWS.Glue.Trigger (TRIGGER) [Displays as a Pod]

  • AWS.Glue.Workflow (WORKFLOW) [Displays as a Pod]

  • AWS.IAM.Group (IAMGRP) [Displays as a Node]

  • AWS.IAM.InstanceProfile (IAM) [Displays as a Pod]

  • AWS.IAM.ManagedPolicy (POLICY) [Displays as a Node]

  • AWS.IAM.Role (ROLE) [Displays as a Pod]

  • AWS.IAM.ServerCertificate (IAMSRV) [Displays as a Node]

  • AWS.IAM.User (USER) [Displays as a Node]

  • AWS.Kinesis.Stream (KNSIS) [Displays as a Node]

  • AWS.KinesisFirehose.DeliveryStream (HOSE) [Displays as a Pod]

  • AWS.KMS.Key (KEY) [Displays as a Node]

  • AWS.Lambda.EventSourceMapping (EVENT) [Displays as a Pod]

  • AWS.Lambda.Function (λ) [Displays as a Node]

  • AWS.Lambda.Permission (PERM) [Displays as a Pod]

  • AWS.Neptune.Cluster (NEPTUNE) [Displays as a Cluster]

  • AWS.Neptune.ClusterInstance (NPT INST) [Displays as a Node]

  • AWS.Neptune.ClusterSnapshot (SNAPSHOT) [Displays as a Pod]

  • AWS.RAM.PrincipalAssociation (PRINCIPAL) [Displays as a Pod]

  • AWS.RAM.ResourceAssociation (RESOURCE) [Displays as a Pod]

  • AWS.RAM.ResourceShare (RAM) [Displays as a Node]

  • AWS.RDS.Cluster (RDS) [Displays as a Node]

  • AWS.RDS.ClusterInstance (RDS) [Displays as a Node]

  • AWS.RDS.Instance (RDS) [Displays as a Node]

  • AWS.RDS.Snapshot (SNAPSHOT) [Displays as a Pod]

  • AWS.RDS.SubnetGroup (SUBNT GRP) [Displays as a Label]

  • AWS.Redshift.Cluster (REDSH) [Displays as a Node]

  • AWS.Redshift.ParameterGroup (PARAM GRP) [Displays as a Pod]

  • AWS.Redshift.SubnetGroup (SUBNT GRP) [Displays as a Pod]

  • AWS.S3.AccountPublicAccessBlock (PUB ACCESS) [Displays as a Pod]

  • AWS.S3.Bucket (S3) [Displays as a Node]

  • AWS.S3.Bucket.Inventory (INVENTORY) [Displays as a Pod]

  • AWS.S3.Bucket.Metric (METRIC) [Displays as a Pod]

  • AWS.S3.Bucket.Notification (NOTIFY) (Also generates connections from the S3 Bucket to a Lambda, SNS, or SQS) [Displays as a Pod]

  • AWS.S3.Bucket.Policy (POLICY) [Displays as a Pod]

  • aws_s3_bucket_server_side_encryption_configuration (SSE CONFIG) [Displays as a Pod] (Note this resource type is only supported for Repository environments)

  • AWS.Sagemaker.Endpoint (SAGE ENDPT) [Displays as a Node]

  • AWS.Sagemaker.EndpointConfiguration (CONFIG) [Displays as a Pod]

  • AWS.Sagemaker.Model (SAGE MDL) [Displays as a Node]

  • AWS.Sagemaker.NotebookInstance (SAGE NOTE) [Displays as a Node]

  • AWS.Sagemaker.NotebookInstanceLifecycleConfiguration (LIFECYCLE) [Displays as a Pod]

  • AWS.SecretsManager.Secret (SECRET) [Displays as a Node]

  • AWS.SNS.Subscription (SUBSCR) [Displays as a Pod]

  • AWS.SNS.Topic (SNS) [Displays as a Node]

  • AWS.SQS.Queue (SQS) [Displays as a Node]

  • AWS.WAF.WebACL (WAF) [Displays as a Pod]

  • AWS.WAFv2.WebACL (WAFv2) [Displays as a Node]

  • AWS.WAFv2.WebACLAssociation (ASSOC) [Displays as a Pod]

  • AWS.Workspaces.Directory (WORK DIR) [Displays as a Cluster]

  • AWS.Workspaces.IPGroup (IP GROUP) [Displays as a Pod]

  • AWS.Workspaces.Workspace (WORKSP) [Displays as a Node]

Note

If you are interested in gaining access to beta resources, please send an email to support@fugue.co.

VPC Attributes

Attributes shown for each VPC:

  • CIDR block

  • VPC ID

  • Region

  • Number of security groups

  • Number of subnets

  • Peering connections

  • Route Tables

Attributes shown for each subnet:

  • Name, if subnet is named

  • CIDR block, if unnamed

  • Unique label corresponding to resources inside the subnet (purple badge, bottom)

Attributes shown for each security group:

  • Name

  • Unique label corresponding to resources inside the security group

Below, Example EC2 instance is in 4 subnets (labels A-D). Security Groups and Route Tables are listed as labels in the Other References section. At the top, Security Groups are listed as pods.

_images/vpc-example-pods.png

You can click on a label on the right to view either:

  • Resource details for a single resource

_images/viz-subnet.png

  • List of resources when there is more than one

_images/viz-other-ref-sg.png

You can click on a pod on the top to view resource details for a single resource or a list of resources when there is more than one. Refer to pods for more information.

_images/viz-vpc-pods-select.png

VPC peering connections (PEER) are shown as a line between two VPCs. Each VPC is labeled with the name of the peering connection. In the example below, there is one peering connection:

  • VPC-1 connects peer-vpc and VPC-2

_images/viz-perring-pods-2.png

peer-vpc is an external VPC, and though it is rendered, it does not list any information apart from the VPC ID.

_images/vpc-peering.png

VPC gateway endpoints (ENDPT) are shown as a line between a VPC and all S3 buckets or all DDB tables in the same region. In the example below, Example VPC Endpoint connects a VPC and S3 buckets:

_images/viz-vpc-peering-pods.png

Implicit Resources

Sometimes infrastructure in your environment may refer to a resource that Fugue doesn’t have access to. For example, if you have a VPC peering connection with an external account, Fugue does not have access to anything inside the external VPC.

In situations like this, the unknown resource is displayed as an implicit resource. When you select the resource details panel, you see the message “This resource was not found in your scan, so it is displayed as an implicit resource.” In the external VPC vpc-3ba7f15f below, you can see that no information is displayed.

_images/viz-implicit-resources.png

Reasons a resource might be considered implicit:

  • Resource type isn’t selected for scanning

  • Resource is in a region that is not part of the environment

  • Resource is in another cloud provider account

  • Fugue’s IAM role doesn’t have the necessary permissions to survey it

Supported Azure & Azure Government Resources

The details panel shows references and compliance state for all the Azure and Azure Government resources Fugue supports.

The following resources are also displayed in the interactive diagram. Each abbreviation shows how the resource is labeled:

  • Azure.ActiveDirectory.Application (APP) [Displays as a Node]

  • Azure.ActiveDirectory.Group (AD GRP) [Displays as a Node]

  • Azure.ActiveDirectory.ServicePrincipal (PRINCPL) [Displays as a Node]

  • Azure.ActiveDirectory.User (AD USER) [Displays as a Node]

  • Azure.Authorization.PolicyAssignment (PLCY ASSIGN) [Displays as a Node]

  • Azure.Authorization.RoleAssignment (ROLE ASSIGN) [Displays as a Node]

  • Azure.Authorization.RoleDefinition (ROLE DEF) [Displays as a Node]

  • Azure.Automation.Account (AUTO) [Displays as a Node]

  • Azure.Automation.Credential (CRED) [Displays as a Pod]

  • Azure.Automation.Schedule (SCHED) [Displays as a Pod]

  • Azure.Cdn.Profile (CDN) [Displays as a Node]

  • Azure.Compute.AvailabilitySet (AVSET) [Displays as a Pod]

  • Azure.Compute.Image (IMAGE) [Displays as a Pod]

  • Azure.Compute.ManagedDisk (DISK) [Displays as a Pod]

  • Azure.Compute.SharedImageGallery (GALRY) [Displays as a Node]

  • Azure.Compute.Snapshot (SNAPSH) [Displays as a Pod]

  • Azure.Compute.VirtualMachine (VM) [Displays as a Node]

  • Azure.Compute.VirtualMachineScaleSet (SCALE SET) [Displays as a Node]

  • Azure.Container.Group (GROUP) [Displays as a Node]

  • Azure.Container.Registry (RGST) [Displays as a Node]

  • Azure.CosmosDB.Account (COSDB) [Displays as a Node]

  • Azure.Databricks.Workspace (BRICK) [Displays as a Node]

  • Azure.DataLakeStore.Account (DLAKE) [Displays as a Node]

  • Azure.DataLakeStore.FirewallRule (FWRULE) [Displays as a Pod]

  • Azure.KeyVault.AccessPolicy (POLICY) [Displays as a Pod]

  • Azure.KeyVault.Certificate (CERT) [Displays as a Pod]

  • Azure.KeyVault.Key (KEY) [Displays as a Pod]

  • Azure.KeyVault.Secret (SECRET) [Displays as a Pod]

  • Azure.KeyVault.Vault (VAULT) [Displays as a Node]

  • Azure.Kubernetes.Cluster (KUBER) [Displays as a Node]

  • Azure.ManagedIdentity.Identity (MNGED ID) [Displays as a Node]

  • Azure.Monitor.ActionGroup (MONTR) [Displays as a Pod]

  • Azure.Monitor.ActivityLogAlert (ALERT) [Displays as a Pod]

  • Azure.Monitor.DiagnosticSetting (METRIC) [Displays as a Pod]

  • Azure.Monitor.LogProfile (LOG) [Displays as a Node]

  • Azure.Monitor.MetricAlert (METRIC) [Displays as a Pod]

  • Azure.MySQL.Configuration (CONFIG) [Displays as a Pod]

  • Azure.MySQL.ConfigurationSet (CONFIG SET) [Displays as a Pod]

  • Azure.MySQL.Database (DB) [Displays as a Node]

  • Azure.MySQL.FirewallRule (FWRULE) [Displays as a Pod]

  • Azure.MySQL.Server (MYSQL) [Displays as a Cluster] [Displays as a Pod]

  • Azure.MySQL.VirtualNetworkRule (MYSQL) [Displays as a Node Border]

  • Azure.Network.ApplicationGateway (AGW) [Displays as a Node]

  • Azure.Network.ApplicationSecurityGroup (APP SG) [Displays as a Pod]

  • Azure.Network.DDoSProtectionPlan (DDOS) [Displays as a Node]

  • Azure.Network.DNSZone (DNS) [Displays as a Node]

  • Azure.Network.Firewall (FW) [Displays as a Node]

  • Azure.Network.LoadBalancer (LB) [Displays as a Node]

  • Azure.Network.NetworkInterface (NETINT) [Displays as a Pod]

  • Azure.Network.NetworkSecurityGroup (SG) [Displays as a Pod]

  • Azure.Network.NetworkWatcher (WATCH) [Displays as a Cluster]

  • Azure.Network.NetworkWatcherFlowLog (FLWLG) [Displays as a Node]

  • Azure.Network.PublicIPAddress (IP) [Displays as a Pod]

  • Azure.Network.RouteTable (ROUTE TBL) [Displays as a Pod]

  • Azure.Network.Subnet (SUBN) [Displays as a Label]

  • Azure.Network.VirtualNetwork (VNET) [Displays as a Network]

  • Azure.Network.VirtualNetworkGateway (GW) [Displays as a Pod]

  • Azure.Network.VirtualNetworkGatewayConnection (CONN) [Displays as a Pod]

  • Azure.PostgreSQL.Configuration (CONFIG) [Displays as a Pod]

  • Azure.PostgreSQL.ConfigurationSet (CONFIG SET) [Displays as a Pod]

  • Azure.PostgreSQL.Database (DB) [Displays as a Node]

  • Azure.PostgreSQL.FirewallRule (FWRULE) [Displays as a Pod]

  • Azure.PostgreSQL.Server (PGSQL) [Displays as a Cluster]

  • Azure.PostgreSQL.VirtualNetworkRule (PGSQL) [Displays as a Node Border]

  • Azure.Redis.Cache (REDIS) [Displays as a Node]

  • Azure.SecurityCenter.Contact (CONTACT) [Displays as a Node]

  • Azure.SecurityCenter.SubscriptionPricing (PRICING) [Displays as a Node]

  • Azure.SQL.Database (DB) [Displays as a Node]

  • Azure.SQL.ElasticPool (POOL) [Displays as a Node]

  • Azure.SQL.FirewallRule (FWRULE) [Displays as a Pod]

  • Azure.SQL.Server (SQL) [Displays as a Cluster]

  • Azure.SQL.VirtualNetworkRule (SQL) [Displays as a Node Border]

  • Azure.Storage.Account (STRAC) [Displays as a Node]

  • Azure.Storage.Container (CONTAINER) [Displays as a Pod]

  • Azure.Web.AppService (APP) [Displays as a Node]

  • Azure.Web.AppServicePlan (APP) [Displays as a Pod]

  • Azure.Web.FunctionApp (FN APP) [Displays as a Pod]

Note

If you are interested in gaining access to beta resources, please send an email to support@fugue.co.

VNet Attributes

Attributes shown for each Azure Virtual Network:

  • Name

  • Region

  • Number of security groups

  • Number of subnets

Attributes shown for each subnet:

  • Name

  • Unique label corresponding to resources inside the subnet (purple badge, bottom)

Attributes shown for each security group:

  • Name

  • Unique label corresponding to resources inside the security group

Each resource inside the VNet shows a label corresponding to its subnet and security group. The purple subnet label appears above the security group label on the left.

You can click on a label on the right to view either:

  • Resource details for a single resource

  • List of resources when there is more than one

_images/viz-azure_selected.png

You can click on a pod on the top to view resource details for a single resource or a list of resources when there is more than one. Refer to pods for more information.

_images/viz-pods-azure.png

Supported Google Resources

The details panel shows references and compliance state for all the Google resources Fugue supports.

The following resources are also displayed in the interactive diagram. Each abbreviation shows how the resource is labeled:

  • Google.BigQuery.Dataset (BIG Q) [Displays as a Cluster]

  • Google.BigQuery.DatasetIAMPolicy (IAM) [Displays as a Pod]

  • Google.BigQuery.DataTransferConfig (DATA) [Displays as a Pod]

  • Google.BigQuery.Table (TABLE) [Displays as a Node]

  • Google.Compute.AutoScaler (AUTO) [Displays as a Pod]

  • Google.Compute.BackendBucket (BACKBK) [Displays as a Node]

  • Google.Compute.BackendService (BACKSRV) [Displays as a Node]

  • Google.Compute.Disk (DISK) [Displays as a Pod]

  • Google.Compute.Firewall (FW) [Displays as a Node Border]

  • Google.Compute.GlobalAddress (ADDR) [Displays as a Pod]

  • Google.Compute.GlobalForwardingRule (RULE) [Displays as a Pod]

  • Google.Compute.HealthCheck (HEALTH) [Displays as a Pod]

  • Google.Compute.Instance (INST) [Displays as a Node]

  • Google.Compute.InstanceGroup (GROUP) [Displays as a Cluster]

  • Google.Compute.InstanceGroupManager (MGR) [Displays as a Pod]

  • Google.Compute.InstanceIAMPolicy (IAM) [Displays as a Pod]

  • Google.Compute.InstanceTemplate (TEMP) [Displays as a Pod]

  • Google.Compute.Network (NETWORK) [Displays as a Network]

  • Google.Compute.NetworkPeering (PEER) [Displays as a Pod]

  • Google.Compute.ProjectMetadata (META) [Displays as a Pod]

  • Google.Compute.SecurityPolicy (IAM) [Displays as a Pod]

  • Google.Compute.Snapshot (SNAP) [Displays as a Pod]

  • Google.Compute.SSLCertificate (CERT) [Displays as a Pod]

  • Google.Compute.SSLPolicy (POLICY) [Displays as a Pod]

  • Google.Compute.SubNetwork (SBN) [Displays as a Pod]

  • Google.Compute.TargetHTTPProxy (PROXY) [Displays as a Node]

  • Google.Compute.TargetHTTPSProxy (PROXY) [Displays as a Node]

  • Google.Compute.TargetPool (POOL) [Displays as a Pod]

  • Google.Compute.TargetSSLProxy (PROXY) [Displays as a Pod]

  • Google.Compute.TargetTCPProxy (PROXY) [Displays as a Pod]

  • Google.Compute.URLMap (UMAP) [Displays as a Pod]

  • Google.Container.Cluster (KUBER) [Displays as a Node]

  • Google.Container.NodePool (POOL) [Displays as a Pod]

  • Google.DNS.ManagedZone (ZONE) [Displays as a Node]

  • Google.IAM.ServiceAccount (SRVACT) [Displays as a Node]

  • Google.IAM.ServiceAccountIAMPolicy (IAM) [Displays as a Pod]

  • Google.IAM.ServiceAccountKey (KEY) [Displays as a Pod]

  • Google.KMS.CryptoKey (KEY) [Displays as a Node]

  • Google.KMS.CryptoKeyIAMPolicy (IAM) [Displays as a Pod]

  • Google.KMS.KeyRing (KEYRING) [Displays as a Cluster]

  • Google.Logging.Metric (METRIC) [Displays as a Pod]

  • Google.Logging.ProjectBucketConfig (LOG BUCKET) [Displays as a Pod]

  • Google.Logging.ProjectSink (LOG SINK) [Displays as a Pod]

  • Google.Monitoring.AlertPolicy (IAM) [Displays as a Pod]

  • Google.Monitoring.MetricDescriptor (METRIC)

  • Google.Redis.Instance (REDIS) [Displays as a Node]

  • Google.ResourceManager.Project (PROJECT) [Displays as a Pod]

  • Google.ResourceManager.ProjectDefaultServiceAccounts (ACCOUNT) [Displays as a Pod]

  • Google.ResourceManager.ProjectIAMAuditConfig (AUDIT) [Displays as a Pod]

  • Google.ResourceManager.ProjectIAMPolicy (POLICY) [Displays as a Pod]

  • Google.SQL.Database (DB) [Displays as a Node]

  • Google.SQL.DatabaseInstance (SQL) [Displays as a Cluster]

  • Google.SQL.SSLCert (CERT) [Displays as a Pod]

  • Google.SQL.User (USER) [Displays as a Pod]

  • Google.Storage.Bucket (BUCKET) [Displays as a Node]

  • Google.Storage.BucketACL (ACL) [Displays as a Pod]

  • Google.Storage.BucketIAMPolicy (POLICY) [Displays as a Pod]

  • Google.Storage.Notification (NOTIF) [Displays as a Pod]

Supported Fugue IaC Kubernetes Resources (limited beta)

The details panel shows references and compliance state for all the Kubernetes resources Fugue supports.

Note

Kubernetes is only supported for Fugue’s Infrastructure as Code (IaC) offering, which is in limited beta. If you are interested in gaining access, please send an email to support@fugue.co. For more information, refer to Setup - Repository (limited beta).

The following resources are also displayed in the interactive diagram. Each abbreviation shows how the resource is labeled:

  • ClusterRole (ROLE) [Displays as a Pod]

  • ConfigMap (CFG MAP) [Displays as a Pod]

  • CronJob (CRON) [Displays as a Node]

  • DaemonSet (DAEMON) [Displays as a Cluster]

  • DefaultServiceAccount (ACCOUNT) [Displays as a Node]

  • Deployment (DEPLOY) [Displays as a Cluster]

  • HorizontalPodAutoscaler (AUTOSCALER) [Displays as a Node]

  • Ingress (INGRESS) [Displays as a Node Border]

  • Job (JOB) [Displays as a Cluster]

  • PersistentVolume (VOLUME) [Displays as a Node]

  • PersistentVolumeClaim (CLAIM) [Displays as a Pod]

  • Pod (POD) [Displays as a Node]

  • PodDisruptionBudget (BUDGET) [Displays as a Node]

  • PodSecurityPolicy (SEC POLICY) [Displays as a Node]

  • ReplicaSet (REPLICA) [Displays as a Cluster]

  • Role (ROLE) [Displays as a Pod]

  • Secret (SECRET) [Displays as a Pod]

  • Service (SERVICE) [Displays as a Node]

  • ServiceAccount (ACCOUNT) [Displays as a Node]

  • StatefulSet (STATE SET) [Displays as a Cluster]

Note

If you are interested in gaining access to beta resources, please send an email to support@fugue.co.

Visualizing Previous Scans

To visualize resources from a previous scan, select a scan date and time from the date picker on the visualizer page:

_images/date-picker-select-date.png

The page will automatically refresh with an updated visualization. You can continue to select other scans from the date picker to visualize resources from past scans as desired. To reset to the most recent scan, simply refresh the page. If you leave the page, the diagram will be reset to the most recent scan when you return.

You may export the visualization from a past scan.

View Options

The View Options sidebar allows you to:

You can access the View Options sidebar by selecting the square cog icon in the bottom left of the diagram.

Exporting a Diagram

To save the visualization for a particular scan, use the visualizer’s export image feature:

  1. Access the View Options sidebar by selecting the square cog icon in the bottom left of the diagram.

  2. Optionally enable/disable compliance state visualization or expand/contract groupings.

  3. Optionally, use filters to select your desired criteria. Only your filtered options are exported.

  4. Select either the “Export as .PNG” or the “Export as .SVG” button to download a PNG or SVG of your environment visualization.

Here’s an example:

_images/fugue-exported-pods.png

The exported image is the same as what appears in the visualizer on your screen, but it displays the entire environment at once and does not include the background grid or zoom controls. If you’ve selected “Show Compliance Errors,” the PNG will show compliance errors. If you expand some groupings and keep others condensed, the PNG will reflect that, too.

The exported image also includes the following environment information in the bottom left corner:

  • Environment name

  • Cloud provider

  • Account number (AWS) or subscription number (Azure)

  • Region(s) (AWS)

  • Date and time of the selected scan

To export the visualization of a historic scan, see Visualizing Previous Scans.

Note

For environments with a large number of resources, the visualizer exports the biggest image with the highest resolution that the browser can handle. The image export process may freeze the browser UI for a second or even a few seconds on very large environments. Filtered views can be exported. See Filtering.

Supported Browsers

The visualizer is supported in the following browsers:

  • Chrome

  • Firefox

  • Microsoft Edge

  • Opera

  • Safari

Note

The Fugue API does not support visualization.

WebGL is Required

Hardware acceleration must be enabled in your browser to use WebGL.

Chrome and Opera:

  • Preferences > Advanced > System > Use hardware acceleration when available

Firefox:

  • Preferences > Performance > Use recommended performance settings > Use hardware acceleration when available