Rule Waivers

Note

Fugue’s infrastructure as code (IaC) security features for repository environments are now available in closed beta. Fugue IaC security integrates with Regula to scan code files locally and in CI/CD pipelines. Repository environments currently utilize compliance settings that are configured locally with Regula. In a subsequent release, users will be able to manage rule waivers with the Fugue SaaS UI, API, and CLI.

Note

Waivers are applied to one or more resources at the environment level. To disable a rule across all relevant resources and all environments with associated compliance families, see Enabling and Disabling Rules.

What is a Rule Waiver?

Fugue enables you to waive a Fugue rule or custom rule in an environment for one resource at a time or all applicable resources (including resources added in the future). When a rule is waived for a resource, the result – PASS or FAIL – is effectively ignored in compliance calculations for that environment. Instead, Fugue shows the rule result as WAIVED on the Compliance by Resource page. A failed rule doesn’t count against a resource when compliance is calculated.

For example, say you have an Amazon S3 bucket that is public because it hosts a static website. It fails the rule “S3 buckets should have all block public access options enabled,” which corresponds to the Fugue Best Practices control FBP R002.

However, you can waive that failed rule for that bucket, and it won’t affect the bucket’s resource evaluation. If the bucket fails any other rule, the resource is still noncompliant overall. But if all other underlying rules pass, then the resource is considered compliant.

Waived rule results don’t count against corresponding control evaluations, either. In this example, if there are no other buckets that violate the rule “S3 buckets should have all block public access options enabled,” and no other corresponding rules with violations, the control FBP R002 is considered compliant.

A waiver can be applied to any rule, whether it’s custom or out-of-the-box. In addition to waiving rules for existing resources, you can waive rules for missing resources. For example, if a rule has failed because no AWS password policy exists, you can waive the rule for that missing resource type.

Only users with an Admin, Contributor, or Manager RBAC policy can waive rules.

Tip

You can see all of the rules that were applied to a resource, and all of the controls that correspond to each rule, by selecting the resource on the Compliance by Resource page.

Note

Waivers are not retroactive and cannot be applied to past scans.

Working with Waiver Scope

Fugue provides multiple options for setting a waiver’s scope:

  • A single resource: The waiver applies to one resource at a time. It is also possible to create waivers for individual resources multiple times, such as waiving the rule “VPC flow logging should be enabled” first for VPC A then for VPC B.

  • All affected resources: The waiver applies to all resources of a given type. For example, waiving the rule “VPC flow logging should be enabled” would apply to ALL resources of type AWS.EC2.Vpc in the current environment. If the rule applies to multiple resource types then all of those types are affected. For example, if you waive the rule “IAM policies should not be attached to users” for all resources, it is waived for all AWS.IAM.Policy, AWS.IAM.User, and AWS.IAM.UserPolicy resource types.

  • A custom set of resources: You can customize which resources a waiver applies to. Specifying a tag parameter applies the waiver to all resources in the current environment with a particular tag. When specifying a custom waiver scope, both the resource ID and resource tag parameters support * and ? wildcard characters.

Tip

The resource tag parameter matches both the tag key and value, separated by a ‘:’ character. So to match all resources where the tag key is “Environment” and the tag value is “Production”, set the resource tag to “Environment:Production”. To match resources where the tag key is “Environment” and the tag value can be anything, specify “Environment:*”.

Note

Within resource ID and tag parameters, ‘*’ matches multiple characters and ‘?’ matches a single character. If your resource ID or tag contains ‘*’, ‘?’, or ‘:’, then you can escape a single character with a backslash (‘\’) or escape an entire string with backticks (`).

Once a waiver has been created, its scope cannot be changed. This means a rule waived for a single resource cannot be edited to apply to all resources, and vice versa. To change which resources are affected by a waiver, create a new waiver and optionally delete the old one. However, note that when you waive a rule for all resources of a given type or matching a tag pattern, it will automatically apply to resources of that type or with that tag pattern added in the future.

If you waive a rule for one resource, then waive the same rule for all resources, the first waiver is still in effect. That means if you delete the waiver applying to all resources, the single-resource waiver still stands.
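The scope rules above can be checked offline. The following is an added example, not Fugue's own code: it models the custom-scope parameters (resource type, resource ID, resource provider, resource tag) with the documented wildcard and escape semantics, then lists which resources of a constructed inventory a waiver would cover. Two details the page does not spell out are assumptions here: that a tag pattern is split into key and value at the first unescaped ':', and that '*' may also match an empty run of characters.

```python
"""Scope matching for custom rule waivers (added example, not Fugue's code).

Models the documented parameter semantics: '*' matches a run of characters,
'?' matches exactly one, a backslash escapes the next character, and a pair of
backticks makes the text between them literal. How the tag parameter is split
into key and value, and that '*' may match an empty run, are assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def compile_pattern(pattern: str) -> re.Pattern:
    """Translate one resource ID / tag key / tag value pattern into a regex."""
    parts: List[str] = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):      # backslash: next char is literal
            parts.append(re.escape(pattern[i + 1]))
            i += 2
        elif c == "`":                               # backticks: whole run is literal
            end = pattern.find("`", i + 1)
            if end == -1:
                raise ValueError("unterminated backtick escape in %r" % pattern)
            parts.append(re.escape(pattern[i + 1:end]))
            i = end + 1
        else:
            parts.append(".*" if c == "*" else "." if c == "?" else re.escape(c))
            i += 1
    return re.compile("".join(parts), re.DOTALL)


def split_tag_pattern(tag_pattern: str) -> Tuple[str, str]:
    """Split 'key:value' at the first ':' that is neither backslash-escaped
    nor inside backticks (assumed to be how the tag parameter is parsed)."""
    in_backticks = False
    i = 0
    while i < len(tag_pattern):
        c = tag_pattern[i]
        if in_backticks:
            in_backticks = c != "`"
        elif c == "\\":
            i += 1                                   # skip the escaped character
        elif c == "`":
            in_backticks = True
        elif c == ":":
            return tag_pattern[:i], tag_pattern[i + 1:]
        i += 1
    raise ValueError("tag pattern must have the form key:value")


@dataclass
class Resource:
    resource_id: str
    resource_type: str
    provider: str
    tags: Dict[str, str] = field(default_factory=dict)


@dataclass
class CustomScope:
    """The four fields of the 'Custom set of resources' waiver scope."""
    resource_type: str = "*"
    resource_id: str = "*"
    resource_provider: str = "*"
    resource_tag: Optional[str] = None

    def matches(self, r: Resource) -> bool:
        if not compile_pattern(self.resource_type).fullmatch(r.resource_type):
            return False
        if not compile_pattern(self.resource_id).fullmatch(r.resource_id):
            return False
        if not compile_pattern(self.resource_provider).fullmatch(r.provider):
            return False
        if self.resource_tag is None:
            return True
        key_pat, value_pat = split_tag_pattern(self.resource_tag)
        key_re, value_re = compile_pattern(key_pat), compile_pattern(value_pat)
        # A resource matches if any one of its tags satisfies both halves.
        return any(key_re.fullmatch(k) and value_re.fullmatch(v) for k, v in r.tags.items())


# Constructed sample inventory for one environment (not real resources).
SAMPLE_RESOURCES = [
    Resource("arn:aws:s3:::prod-website-bucket", "AWS.S3.Bucket", "aws",
             {"Environment": "Production"}),
    Resource("arn:aws:s3:::dev-scratch-bucket", "AWS.S3.Bucket", "aws",
             {"Environment": "Development"}),
    Resource("vpc-0a1b2c3d", "AWS.EC2.Vpc", "aws",
             {"Environment": "Production", "team": "net:ops"}),
]


def matching_resources(scope: CustomScope, resources=SAMPLE_RESOURCES) -> List[str]:
    """IDs of the resources the waiver would apply to, in inventory order."""
    return [r.resource_id for r in resources if scope.matches(r)]


if __name__ == "__main__":
    for tag in ("Environment:Production", "Environment:*", r"team:net\:ops", "*:*"):
        print(tag, "->", matching_resources(CustomScope(resource_tag=tag)))
    print("*prod* buckets ->", matching_resources(
        CustomScope(resource_type="AWS.S3.Bucket", resource_id="*prod*")))
```

Running the block shows why the escape rules matter: the tag value net:ops can only be matched by writing team:net\:ops, because an unescaped ':' is taken as the key/value separator, and a bucket whose name contains a literal '*' or '?' needs the backslash or backtick form to avoid matching unrelated resources. Run this against the inventory before creating an all-resources or tag-pattern waiver to see exactly what it would silence, remembering that such a waiver also covers matching resources added later.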

How Rule Waivers Appear in the UI

Here’s how rule waivers are calculated and shown in Fugue:

  • All Environments page and environment summary: The totals of compliant controls and resources ignore waived rule results.

  • Compliance by Control page: Control evaluations ignore waived rule results. If you create waivers for all the failed rule results corresponding to a control, the control evaluation is shown as compliant.

  • Compliance by Resource Type: N/A.

  • Compliance by Resource: Resource evaluations ignore waived rule results. If you create waivers for all the failed rules for a resource, the resource evaluation is shown as compliant. Individual rule results that are waived for that resource are listed as Waived.
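The roll-up described on this page, and in the S3 example under "What is a Rule Waiver?", can be reproduced with a few lines. This is an added example rather than Fugue's implementation: it models one environment's scan as PASS/FAIL rule results, marks every result covered by a waiver as WAIVED, and then computes resource evaluations, control evaluations and the summary totals with waived results ignored. It also shows the overlapping-waiver behaviour from "Working with Waiver Scope" (deleting an all-resources waiver leaves a single-resource waiver in force). The rule and control IDs are constructed placeholders, not Fugue's real identifiers.

```python
"""Compliance roll-up with rule waivers (added example, not Fugue's code).

Models one environment: a waived rule result is reported as WAIVED and ignored
when resource and control evaluations are computed. Rule and control IDs below
are constructed placeholders, not Fugue's real identifiers."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

PASS, FAIL, WAIVED = "PASS", "FAIL", "WAIVED"
COMPLIANT, NONCOMPLIANT = "COMPLIANT", "NONCOMPLIANT"


@dataclass(frozen=True)
class RuleResult:
    rule_id: str
    resource_id: str
    result: str            # PASS or FAIL, as produced by the scan


@dataclass(frozen=True)
class Waiver:
    name: str
    rule_id: str
    # None = "all affected resources" scope; a resource ID = "single resource" scope.
    resource_id: Optional[str] = None

    def covers(self, rr: RuleResult) -> bool:
        return self.rule_id == rr.rule_id and self.resource_id in (None, rr.resource_id)


def apply_waivers(results: List[RuleResult], waivers: List[Waiver]) -> List[RuleResult]:
    """Rewrite every PASS/FAIL covered by at least one waiver to WAIVED.
    Waivers are independent, so deleting one leaves any overlapping waiver in force."""
    return [replace(rr, result=WAIVED) if any(w.covers(rr) for w in waivers) else rr
            for rr in results]


def resource_evaluations(results, waivers) -> Dict[str, str]:
    """A resource is noncompliant only if a non-waived FAIL remains."""
    evals: Dict[str, str] = {}
    for rr in apply_waivers(results, waivers):
        evals.setdefault(rr.resource_id, COMPLIANT)
        if rr.result == FAIL:
            evals[rr.resource_id] = NONCOMPLIANT
    return evals


def control_evaluations(results, waivers, rule_to_controls) -> Dict[str, str]:
    """A control is noncompliant only if one of its rules has a non-waived FAIL."""
    failing_rules = {rr.rule_id for rr in apply_waivers(results, waivers) if rr.result == FAIL}
    evals: Dict[str, str] = {}
    for rule_id, controls in rule_to_controls.items():
        for control in controls:
            evals.setdefault(control, COMPLIANT)
            if rule_id in failing_rules:
                evals[control] = NONCOMPLIANT
    return evals


def compliant_counts(results, waivers, rule_to_controls) -> Tuple[int, int]:
    """(compliant resources, compliant controls), as an environment summary would total them."""
    res = resource_evaluations(results, waivers)
    ctl = control_evaluations(results, waivers, rule_to_controls)
    return (sum(v == COMPLIANT for v in res.values()), sum(v == COMPLIANT for v in ctl.values()))


# Constructed sample scan of one environment (placeholder rule/control IDs).
RULE_TO_CONTROLS = {
    "RULE_S3_BLOCK_PUBLIC": ["CTRL_S3_PUBLIC_ACCESS"],
    "RULE_S3_VERSIONING": ["CTRL_S3_DATA_PROTECTION"],
    "RULE_VPC_FLOW_LOGS": ["CTRL_LOGGING"],
}
SCAN = [
    RuleResult("RULE_S3_BLOCK_PUBLIC", "prod-website-bucket", FAIL),  # public static site
    RuleResult("RULE_S3_VERSIONING", "prod-website-bucket", FAIL),
    RuleResult("RULE_S3_BLOCK_PUBLIC", "logs-bucket", PASS),
    RuleResult("RULE_S3_VERSIONING", "logs-bucket", PASS),
    RuleResult("RULE_VPC_FLOW_LOGS", "vpc-a", FAIL),
    RuleResult("RULE_VPC_FLOW_LOGS", "vpc-b", FAIL),
]

if __name__ == "__main__":
    website = Waiver("Prod website bucket", "RULE_S3_BLOCK_PUBLIC", "prod-website-bucket")
    all_vpcs = Waiver("All VPC flow logs", "RULE_VPC_FLOW_LOGS")
    vpc_a = Waiver("vpc-a flow logs", "RULE_VPC_FLOW_LOGS", "vpc-a")
    for label, ws in [("no waivers", []), ("website waiver only", [website]),
                      ("both VPC waivers", [all_vpcs, vpc_a]), ("all-VPC waiver deleted", [vpc_a])]:
        print(label, resource_evaluations(SCAN, ws),
              control_evaluations(SCAN, ws, RULE_TO_CONTROLS))
```

Two things are worth seeing in the output: waiving only the block-public rule for the website bucket makes its control compliant (no other bucket violates it) but leaves the bucket itself noncompliant because its versioning result still fails, and after the all-VPC waiver is removed vpc-a stays compliant through its own single-resource waiver while vpc-b reverts to noncompliant.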

How to Search for a Waived Rule

Use the Enter key to search by a keyword. You can enter multiple queries by using Tab after each one.

The Waiver search also supports key:value syntax for the following search terms:

  • rule_id: Rule ID (e.g., FG_R00010)

  • resource_provider: Cloud provider, one of aws (for AWS and AWS GovCloud), azure (for Azure and Azure Government), or google

  • resource_type: Affected resource type(s)

  • name: Waiver name

  • id: Waiver ID

  • resource_id: Resource ID

  • environment_name: Environment name

For example, you can search by the following terms:

  • resource_provider:aws shows only AWS rules that are waived.

  • rule_id:FG_R00068 shows only waived resources with that rule ID. (Press Tab between terms to combine them.)

[Screenshot: waiver search]

Once search terms are entered, you can share them via URL. Additionally, search state is saved.

How to Waive a Rule

Note

For a more detailed walkthrough, see How To: Waive a Rule.

To waive a rule, follow the steps below:

1. Navigate to the Compliance by Resource page in the target environment.

2. Select the desired resource to view its rule results.

3. Select the Waive button next to the rule result you’d like to waive.

4. Under Waiver Information, enter a name and comment for the waiver.

5. Under Waiver Scope, select whether you want to waive the rule for:

  • All affected resources

  • A single resource

  • Custom set of resources. If you selected this option, enter the following information:

    • Resource type: Enter the resource type or enter * if you want to match on all.

    • Resource ID: Enter the resource ID or enter * if you want to match on all.

    • Resource provider: Enter the resource provider or enter * if you want to match on all.

    • (Optional) Resource tag: Enter key:value, key:*, *:value, or *:*.

6. Select Create Rule Waiver. You’ll see a message like this at the bottom of the window: “Successfully created your rule waiver. {name of waiver} will be applied on your next scan.” You’ll also see a tooltip next to the rule result you waived. If you hover over the i icon, you’ll see the message “This rule has an associated rule waiver that will be applied on the next scan. Compliance results will be updated once the waiver is applied.”

[Screenshot: pending waiver tooltip]

7. Optional: Manually kick off a scan by selecting the Actions button at the top of the page and Start New Scan.

When the scan is complete, you’ll see that the new rule result is Waived instead of Passed or Failed.

You can view, edit, and delete your rule waiver from the Waivers page, accessible from the Rules link at the top of the UI.

Note

If the resource evaluation has changed to Compliant as a result of the applied waiver, and you’ve enabled compliance notifications for the environment, you’ll receive notice that a compliance event occurred and the resource is newly compliant. This can occur if all of the failed rule results for a resource are waived in that environment.

How to View All Waivers

To view the list of active rule waivers, navigate to the Waivers page from the Rules link at the top of the UI.

The Waivers page displays Name, Comments, Rule ID, Environment, Resources, and Edited By/On for all waivers in an organization:

[Screenshot: waivers table]

  • Name: Name of the waiver

  • Comments: Comments about the waiver

  • Rule ID: The rule ID the waiver applies to

  • Environment: Environment the waiver applies to

  • Resource: Resource ID, resource name, resource type, resource tag (when applicable), and region (when applicable) the waiver applies to

  • Edited By/On: The user, date, and time when the waiver was most recently created or edited

You can sort the waivers by name. Default is alphabetical order. Select the arrow next to the Name header to reverse direction:

[Screenshot: sorting waivers by name]

If you have more than 10 waivers, you’ll see a dropdown menu below the table of waivers. You can choose to show 10, 20, 50, or 100 rows per page:

[Screenshot: rows-per-page dropdown]

How to Edit a Rule Waiver

Note

Once a rule has been waived, its scope cannot be changed. This means a rule waived for a single resource cannot be edited to apply to all resources, and vice versa. To change which resources are affected by a waiver, create a new waiver and optionally delete the old one.

You can modify a rule waiver from the Compliance by Resource page or the Waivers page by following the steps below:

  1. Select the ... menu next to the waived rule.

  2. Select Edit Rule Waiver. Currently, you may edit the name or comment.

  3. Select Update Rule Waiver.

You’ll see a confirmation message like “Successfully updated your rule waiver ‘Prod website bucket’” at the bottom of the window.

[Screenshot: edit waiver]

How to Delete a Rule Waiver

You can delete a rule waiver from the Compliance by Resource page or the Waivers page by following the steps below:

  1. Select the ... button next to the waived rule.

  2. Select Delete Rule Waiver.

  3. On the confirmation modal, select Delete Rule Waiver.

You’ll see a confirmation message like “Successfully deleted rule waiver ‘Prod website bucket’. Compliance results will be updated on your next scan.” at the bottom of the window.

[Screenshot: delete waiver]

Note

If you delete a waiver that had caused a resource to become compliant, and you’ve enabled compliance notifications for the environment, after the next scan you’ll receive notice that a compliance event occurred and the resource is newly noncompliant.

When Do Rule Waivers Go Into Effect?

Waivers go into effect after the next scan. To manually kick off a scan, see Triggering a Scan.

When you delete a waiver, the rule result goes back into effect after the next scan.

Further Reading

  • Compliance Concepts: what rules, controls, resource evaluations, etc. are and how they work

  • Compliance: general information about how Fugue checks the compliance of your cloud infrastructure configuration

  • Writing Custom Rules: how to define your own compliance rules