Rule Waivers

What is a Rule Waiver?

Fugue enables you to waive an out-of-the-box or custom rule for a specific resource in an environment. When a rule is waived for a resource, the result – PASS or FAIL – is effectively ignored in compliance calculations for that environment. Instead, Fugue shows the rule result as WAIVED on the Compliance by Resource page. A failed rule doesn’t count against a resource when compliance is calculated.

For example, say you have an S3 bucket that is public because it hosts a static website. It fails the rule “S3 buckets should have all block public access options enabled,” which corresponds to the Fugue Best Practices control FBP R002.

However, you can waive that failed rule for that bucket, and it won’t affect the bucket’s resource evaluation. If the bucket fails any other rule, the resource is still noncompliant overall. But if all other underlying rules pass, then the resource is considered compliant.

Waived rule results don’t count against corresponding control evaluations, either. In this example, if there are no other buckets that violate the rule “S3 buckets should have all block public access options enabled,” and no other corresponding rules with violations, the control FBP R002 is considered compliant.
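The evaluation behavior described above can be modeled in a few lines. This is an added example, not Fugue's code: a simplified sketch in which the resource IDs, the second rule (example-rule-b), and the second control (EXAMPLE-CTRL-1) are hypothetical and the scan results are constructed.

```python
# Added illustration of the waiver semantics described above; a simplified
# model, not Fugue's implementation.

PUBLIC_ACCESS_RULE = "S3 buckets should have all block public access options enabled"
OTHER_RULE = "example-rule-b"      # hypothetical second rule
OTHER_CONTROL = "EXAMPLE-CTRL-1"   # hypothetical control

# Constructed scan results: (resource_id, rule, control, result).
# Resource IDs are made up for this example.
SCAN = [
    ("website-bucket", PUBLIC_ACCESS_RULE, "FBP R002", "FAIL"),
    ("website-bucket", OTHER_RULE, OTHER_CONTROL, "PASS"),
    ("logs-bucket", PUBLIC_ACCESS_RULE, "FBP R002", "PASS"),
    ("logs-bucket", OTHER_RULE, OTHER_CONTROL, "FAIL"),
]

# A waiver targets one rule on one resource.
WAIVERS = {("website-bucket", PUBLIC_ACCESS_RULE)}


def apply_waivers(results, waivers):
    """Mark a result WAIVED when its (resource, rule) pair has a waiver."""
    return [
        (res, rule, ctrl, "WAIVED" if (res, rule) in waivers else outcome)
        for res, rule, ctrl, outcome in results
    ]


def evaluate(results, column):
    """Group by column (0 = resource, 2 = control). A group is NONCOMPLIANT
    if any non-waived result in it is FAIL; WAIVED results are ignored."""
    verdicts = {}
    for row in results:
        key = row[column]
        verdicts.setdefault(key, "COMPLIANT")
        if row[3] == "FAIL":
            verdicts[key] = "NONCOMPLIANT"
    return verdicts


if __name__ == "__main__":
    for label, rows in (("no waiver", SCAN),
                        ("waiver applied", apply_waivers(SCAN, WAIVERS))):
        print(label)
        print("  resources:", evaluate(rows, 0))
        print("  controls: ", evaluate(rows, 2))
```

The waiver flips website-bucket and FBP R002 to compliant, while logs-bucket stays noncompliant because its failure is on a different rule that has no waiver.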

A waiver can be applied to any rule, whether it’s custom or out-of-the-box.

Tip

You can see all of the rules that were applied to a resource, and all of the controls that correspond to each rule, by selecting the resource on the Compliance by Resource page.

Note

Waivers are not retroactive and cannot be applied to past scans.

How Rule Waivers Appear in the UI

Here’s how rule waivers are calculated and shown in Fugue:

  • All Environments page and environment summary: The total numbers of compliant controls and resources ignore waived rule results.

  • Compliance by Control page: Control evaluations ignore waived rule results. If you create waivers for all the failed rule results corresponding to a control, the control evaluation is shown as compliant.

  • Compliance by Resource Type: N/A.

  • Compliance by Resource: Resource evaluations ignore waived rule results. If you create waivers for all the failed rules for a resource, the resource evaluation is shown as compliant. Individual rule results that are waived for that resource are listed as Waived.

How to Waive a Rule

Note

For a more detailed walkthrough, see How To: Waive a Rule.

To waive a rule, follow the steps below:

1. Navigate to the Compliance by Resource page in the target environment.

2. Select the desired resource to view its rule results.

3. Select the Waive button next to the rule result you’d like to waive.

4. Under Waiver Information, enter a name and comment for the waiver.

5. Select Create Rule Waiver. You’ll see a message like this at the bottom of the window: “Successfully created your rule waiver. {name of waiver} will be applied on your next scan.” You’ll also see a tooltip next to the rule result you waived. If you hover over the i, you’ll see the message “This rule has an associated rule waiver that will be applied on the next scan. Compliance results will be updated once the waiver is applied.”

6. Optional: Manually kick off a scan by selecting the Actions button at the top of the page and Start New Scan.

When the scan is complete, you’ll see that the new rule result is Waived instead of Passed or Failed.

You can view, edit, and delete your rule waiver from the Waivers page, accessible from the Rules link at the top of the UI.

Note

If the resource evaluation has changed to Compliant as a result of the applied waiver, and you’ve enabled compliance notifications for the environment, you’ll receive notice that a compliance event occurred and the resource is newly compliant. This can occur if all of the failed rule results for a resource are waived in that environment.

How to View All Waivers

To view the list of active rule waivers, navigate to the Waivers page from the Rules link at the top of the UI.

The Waivers page displays Name, Comments, Environment, Resource, Edited By, and Edited On for all waivers in an organization:

  • Name: Name of the waiver

  • Comments: Comments about the waiver

  • Environment: Environment the waiver applies to

  • Resource: Resource ID the waiver applies to

  • Edited By: The user who most recently created or edited the waiver

  • Edited On: The date when the waiver was most recently created or edited

How to Edit a Rule Waiver

You can modify a rule waiver from the Compliance by Resource page or the Waivers page by following the steps below:

  1. Select the ... menu next to the waived rule.

  2. Select Edit Rule Waiver. Currently, you may edit the name or comment.

  3. Select Update Rule Waiver.

You’ll see a confirmation message like “Successfully updated your rule waiver ‘Prod website bucket’” at the bottom of the window.

How to Delete a Rule Waiver

You can delete a rule waiver from the Compliance by Resource page or the Waivers page by following the steps below:

  1. Select the ... button next to the waived rule.

  2. Select Delete Rule Waiver.

  3. On the confirmation modal, select Delete Rule Waiver.

You’ll see a confirmation message like “Successfully deleted rule waiver ‘Prod website bucket’. Compliance results will be updated on your next scan.” at the bottom of the window.

Note

If you delete a waiver that had caused a resource to become compliant, and you’ve enabled compliance notifications for the environment, after the next scan you’ll receive notice that a compliance event occurred and the resource is newly noncompliant.

When Do Rule Waivers Go Into Effect?

Waivers go into effect after the next scan. To manually kick off a scan, see Triggering a Scan.

When you delete a waiver, the rule result goes back into effect after the next scan.

Further Reading

  • Compliance Concepts: what rules, controls, resource evaluations, etc. are and how they work

  • Compliance: general information about how Fugue checks the compliance of your cloud infrastructure configuration

  • Custom Rules: how to define your own compliance rules