Rule Waivers¶
Note
To disable a rule, see Enabling and Disabling Rules. Not sure whether to waive or disable a rule? See Waivers vs. Disabling Rules.
What is a Rule Waiver?¶
When a rule is waived for a resource in an environment, the result – PASS or FAIL – is effectively ignored in compliance calculations for that environment. Instead, Fugue shows the rule result as WAIVED on the Compliance by Resource page. A waived failure doesn’t count against the resource when compliance is calculated.
Fugue enables you to waive a rule for one or more applicable resources (including resources added in the future) either in one environment or all environments in a tenant. You can view all waivers on the Waivers page.
For example, say you have an environment with an Amazon S3 bucket that is public because it hosts a static website. The bucket fails the rule “S3 buckets should have all block public access options enabled,” which corresponds to the Fugue Best Practices control FBP R002.
However, you can waive that failed rule for that bucket, and it won’t affect the bucket’s resource evaluation. If the bucket fails any other rule, the resource is still noncompliant overall. But if all other underlying rules pass, then the resource is considered compliant.
Waived rule results don’t count against corresponding control evaluations, either. In this example, if the environment has no other buckets that violate the rule “S3 buckets should have all block public access options enabled,” and there are no other corresponding rules with violations, the control FBP R002 is considered compliant.
A waiver can be applied to any rule, whether it’s custom or out-of-the-box. In addition to waiving rules for existing resources, you can waive rules for missing resources. For example, if a rule has failed because no AWS password policy exists, you can waive the rule for that missing resource type.
Tip
You can see all of the rules that were applied to a resource, and all of the controls that correspond to each rule, by selecting the resource on the Compliance by Resource page.
Note
Waivers are not retroactive and cannot be applied to past scans.
Waiver Expiration¶
Waivers can be set to expire after 30 days, 90 days, a specific date/time, or never. You can edit a waiver’s expiration, even if the waiver has already expired.
Be aware that you cannot add an expiration date to waivers created before expiration was introduced (March 17, 2022).
Waiver Permissions¶
Only users with an Admin, Contributor, or Manager RBAC policy can waive rules. Only Admin users can apply a waiver to all environments.
Waiver Syncing for Repository Environments¶
Note
To sync waivers from the SaaS for repository environments, you must use Regula v2.6.0 or later to scan your repository.
When you scan a repository environment by executing regula run --sync --upload, Fugue applies any relevant waivers created in the SaaS for that environment.
This is a one-way sync; locally created Regula waivers are not synced to the SaaS.
Note that for repository environments, the resource provider parameter defaults to “Root directory (.)” and the provider will be listed as . on the Waivers page.
You can also sync waivers from the SaaS without uploading the results to your Fugue repository environment by executing the following:
regula run --sync
Working with Waiver Scope¶
Waivers can be scoped to one or more resources, within one environment or all environments.
Waiver scope cannot be edited after the waiver is created. To change which resources and environments are affected by a waiver, create a new waiver and optionally delete the old one. However, note that when you waive a rule for all resources matching a custom pattern, the waiver will automatically apply to future resources matching that pattern.
Environment scope¶
When you create a waiver, you can choose to apply it to the current environment (default), or to all environments in the tenant. Currently, you cannot apply it to a specific subset of environments.
Resource scope¶
Within the selected environment(s), you can scope the waiver to one or more resources, based on four resource parameters:
Resource provider
Resource type
Resource tag
Resource ID
A single resource: By default, when you click the Waive button in the UI, each resource parameter is set so that the waiver applies to only the selected resource. For instance, you might waive the rule “Virtual Network security group flow log retention period should be set to 90 days or greater” for a single Azure.Network.NetworkSecurityGroup resource in the selected environment(s).
All affected resources: If you set all resource parameters to *, the waiver applies to all relevant resource types. Some rules affect multiple resource types. For example, if you waive the rule “IAM policies should not be attached to users” for all affected resources, it is waived for all AWS.IAM.Policy, AWS.IAM.User, and AWS.IAM.UserPolicy resources in the selected environment(s).
A custom set of resources: You can configure each of the four resource parameters individually to apply the waiver to a custom set of resources. See Waiving a Custom Set of Resources.
Waiving a Custom Set of Resources¶
Each resource parameter has a drop-down menu with several options that affect the waiver’s scope:
Resource provider:
The selected resource’s provider (default) (called “Root directory (.)” in repository environments)
Any provider (*)
Note that when resource ID is set to “Missing resources,” the resource provider is set to “Any provider (*)” and cannot be changed.
Resource type:
The selected resource’s type (default)
Any resource type (*)
Any resource type within the selected provider and service (e.g., Azure.Network.*)
Resource tag:
Any resource tag (*) (default)
A custom pattern for the resource tag parameter matches both the tag key and value, separated by a : character. So to match all resources where the tag key is Environment and the tag value is Production, set the resource tag to Environment:Production. To match resources where the tag key is Environment and the tag value can be anything, specify Environment:*.
If a tag key or value itself contains *, ?, or :, you can escape a single character with a backslash (\) or an entire string with backticks (`) so that it is matched literally rather than treated as a wildcard or as the key/value separator.
Resource ID:
The selected resource’s ID (default)
Any resource ID (*)
Missing resources
Custom Pattern Examples¶
All resource parameters support custom patterns and globbing, where * matches any run of characters and ? matches exactly one character. Matching is case sensitive.
To waive a rule for all AWS S3 buckets matching the provider aws.us-??st-? (where a bucket in us-west-1 and us-east-2 would match but ap-southeast-1 would not):
Resource provider: aws.us-??st-?
Resource type: AWS.S3.Bucket
Resource tag: Any resource tag (*)
Resource ID: Any resource ID (*)
To waive a rule for all Azure virtual machines that match the resource ID pattern /subscriptions/12345678-abcd-1234-abcd-1234abcd5678/resourceGroups/*/providers/Microsoft.Compute/virtualMachines/examplevm (where a VM named examplevm in any resource group would match):
Resource provider: azure
Resource type: Azure.Compute.VirtualMachine
Resource tag: Any resource tag (*)
Resource ID: /subscriptions/12345678-abcd-1234-abcd-1234abcd5678/resourceGroups/*/providers/Microsoft.Compute/virtualMachines/examplevm
To waive a rule for all Google compute resources (where Google.Compute.Subnetwork and Google.Compute.Network would match, but Google.Storage.Bucket would not):
Resource provider: google.*
Resource type: Google.Compute.*
Resource tag: Any resource tag (*)
Resource ID: Any resource ID (*)
To waive a rule for missing AWS Config configuration recorder resources:
Resource provider: Any provider (*)
Resource type: AWS.Config.ConfigurationRecorder
Resource tag: Any resource tag (*)
Resource ID: Missing resources
To waive a rule for all resources of any resource type that match the resource tag pattern code:000? (where code:0001 would match, but code:1000 and code:00001 would not):
Resource provider: Any provider (*)
Resource type: Any resource type (*)
Resource tag: code:000?
Resource ID: Any resource ID (*)
Note that tags are case sensitive. A pattern of environment:* will not match Environment:*.
How Rule Waivers Appear in the UI¶
Here’s how rule waivers are calculated and shown in Fugue:
All Environments page and environment summary: The total number of compliant controls and resources ignore waived rule results.
Compliance by Control page: Control evaluations ignore waived rule results. If you create waivers for all the failed rule results corresponding to a control, the control evaluation is shown as compliant.
Compliance by Resource Type: N/A.
Compliance by Resource: Resource evaluations ignore waived rule results. If you create waivers for all the failed rules for a resource, the resource evaluation is shown as compliant. Individual rule results that are waived for that resource are listed as Waived.
How to Search for a Waived Rule¶
To search for a waived rule on the Waivers page, use the Enter key to search by a keyword. You can enter multiple queries by using Tab after each one.
The Waiver search also supports key:value syntax for the following search terms:
rule_id: Rule ID (e.g., FG_R00010)
resource_provider: Cloud provider; aws (for AWS and AWS GovCloud), azure (for Azure and Azure Government), google, repository
resource_type: Affected resource type(s)
name: Waiver name
id: Waiver ID
resource_id: Resource ID
environment_name: Environment Name
For example, you can search by the following terms:
resource_provider:aws shows only waivers for AWS rule results.
rule_id:FG_R00068 shows only waivers for that rule ID. (Enter Tab between the terms.)

Once search terms are entered, you can share them via URL. Additionally, search state is saved.
How to Waive a Rule¶
Note
For a more detailed walkthrough, see our tutorial How To: Waive a Rule.
To waive a rule, follow the steps below:
1. Navigate to the Compliance by Resource page in the target environment.
2. Select the desired resource to view its rule results.
3. Select the Waive button next to the rule result you’d like to waive.
4. Enter a name for the waiver.
5. Enter a comment for the waiver.
6. Set an expiration date or interval (defaults to Does not expire).
7. Set the environment(s) the waiver should apply to (defaults to the current environment). Note that only the Admin role can select Any environment (*). Currently, selecting a subset of environments is not supported.
8. Enter the following:
Resource provider(s)
Resource type(s)
Resource tag(s)
Resource ID(s)
See Waiving a Custom Set of Resources for detailed information about each parameter.
9. Select Create Rule Waiver. You’ll see a message like this at the bottom of the window: “Successfully created your rule waiver. {name of waiver} will be applied on your next scan.” You’ll also see a tooltip next to the rule result you waived. If you hover over the i, you’ll see the message “This rule has an associated rule waiver that will be applied on the next scan. Compliance results will be updated once the waiver is applied.”

10. Optional: Manually kick off a scan by selecting the Actions button at the top of the page and Start New Scan.
When the scan is complete, you’ll see that the new rule result is Waived instead of Passed or Failed.
You can view, edit, and delete your rule waiver from the Waivers page, accessible from the Rules link at the top of the UI.
Note
If the resource evaluation has changed to Compliant as a result of the applied waiver, and you’ve enabled compliance notifications for the environment, you’ll receive notice that a compliance event occurred and the resource is newly compliant. This can occur if all of the failed rule results for a resource are waived in that environment.
How to View All Waivers¶
To view the list of active rule waivers, navigate to the Waivers page from the Rules link at the top of the UI.
The Waivers page displays Name, Comments, Rule ID, Environment(s), Resource(s), Edited By, and Status for all waivers in an organization:

Name: Name of the waiver
Comments: Comments about the waiver
Rule ID: The rule ID the waiver applies to
Environment: Environment the waiver applies to
Resource: Resource ID, resource name, resource type, resource tag (when applicable), and region (when applicable) the waiver applies to
Edited By: The user, date, and time when the waiver was most recently created or edited
Status: Whether the waiver is active or expired (and when it expired)
You can sort the waivers by name. The default is alphabetical order. Select the arrow next to the Name header to reverse the direction:

If you have more than 10 waivers, you’ll see a dropdown menu below the table. You can choose to show 10, 20, 50, or 100 rows per page:

How to Edit a Rule Waiver¶
Note
Once a rule has been waived, its scope cannot be changed. To change which environments and resources are affected by a waiver, create a new waiver and optionally delete the old one.
You can modify a rule waiver from the Compliance by Resource page or the Waivers page by following the steps below:
Select the ... menu next to the waived rule.
Select Edit Rule Waiver. Currently, you may edit the name, comment, or expiration.
Select Update Rule Waiver.
You’ll see a confirmation message like “Successfully updated your rule waiver ‘Prod website bucket’” at the bottom of the window.

How to Delete a Rule Waiver¶
You can delete a rule waiver from the Compliance by Resource page or the Waivers page by following the steps below:
Select the ... button next to the waived rule.
Select Delete Rule Waiver.
On the confirmation modal, select Delete Rule Waiver.
You’ll see a confirmation message like “Successfully deleted rule waiver ‘Prod website bucket’. Compliance results will be updated on your next scan.” at the bottom of the window.

Note
If you delete a waiver that had caused a resource to become compliant, and you’ve enabled compliance notifications for the environment, after the next scan you’ll receive notice that a compliance event occurred and the resource is newly noncompliant.
When Do Rule Waivers Go Into Effect?¶
Waivers go into effect after the next scan. To manually kick off a scan, see Triggering a Scan.
When you delete a waiver, the rule result goes back into effect after the next scan.
Waivers vs. Disabling Rules¶
What’s the difference between waiving and disabling a rule?
Waivers are applied after rule results are generated. When a rule result is waived, the PASS or FAIL value is replaced with WAIVED. You can find the original value by viewing the Rule Result column in the Current Rule Results report, where you’ll see the values PASS_WAIVED, FAIL_WAIVED, or UNKNOWN_WAIVED.
Disabled rules do not run at all in any environment and no rule results are calculated.
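The following Python, an added example rather than Fugue’s own code, walks through the accounting described in this section and in What is a Rule Waiver above: a waiver replaces a stored PASS/FAIL/UNKNOWN with PASS_WAIVED/FAIL_WAIVED/UNKNOWN_WAIVED (so the original value stays recoverable for auditing), the Compliance by Resource page shows the result as WAIVED, and resource and control evaluations ignore waived results. The rule IDs, the second control, and the rule-to-control mapping are constructed for the example; the page only states that the block-public-access rule corresponds to FBP R002. Waivers are given as already-resolved (rule, resource) pairs, since matching a waiver’s scope to resources is a separate step. Counting only FAIL (and not UNKNOWN) against a resource or control is an assumption of this model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RuleResult:
    resource_id: str
    rule_id: str
    result: str        # stored value: PASS, FAIL, UNKNOWN, or one of the *_WAIVED values


# Constructed sample: two rules, two S3 buckets, the control FBP R002 from the page and a
# hypothetical second control. The rule IDs are placeholders, not Fugue rule IDs.
RULE_CONTROLS = {
    "rule-s3-block-public-access": ["FBP R002"],
    "rule-s3-versioning": ["CTRL-HYPOTHETICAL-1"],
}
SCAN = [
    RuleResult("website-bucket", "rule-s3-block-public-access", "FAIL"),  # static website, intentionally public
    RuleResult("website-bucket", "rule-s3-versioning", "PASS"),
    RuleResult("logs-bucket", "rule-s3-block-public-access", "FAIL"),
    RuleResult("logs-bucket", "rule-s3-versioning", "PASS"),
]


def apply_waivers(results, waived_pairs):
    """Replace the stored result with PASS_WAIVED / FAIL_WAIVED / UNKNOWN_WAIVED for every
    (rule_id, resource_id) pair covered by a waiver. Already-waived results are left alone."""
    out = []
    for r in results:
        if (r.rule_id, r.resource_id) in waived_pairs and not r.result.endswith("_WAIVED"):
            out.append(RuleResult(r.resource_id, r.rule_id, r.result + "_WAIVED"))
        else:
            out.append(r)
    return out


def displayed(result):
    """What the Compliance by Resource page shows: WAIVED hides the original value."""
    return "WAIVED" if result.endswith("_WAIVED") else result


def original(result):
    """What the Current Rule Results report still lets you recover (FAIL_WAIVED -> FAIL)."""
    return result[:-len("_WAIVED")] if result.endswith("_WAIVED") else result


def resource_compliance(results):
    """A resource is COMPLIANT unless it has an unwaived FAIL (assumption: UNKNOWN does not count)."""
    status = {}
    for r in results:
        status.setdefault(r.resource_id, "COMPLIANT")
        if r.result == "FAIL":
            status[r.resource_id] = "NONCOMPLIANT"
    return status


def control_compliance(results, rule_controls):
    """A control is NONCOMPLIANT if any rule mapped to it has an unwaived FAIL on any resource."""
    status = {c: "COMPLIANT" for controls in rule_controls.values() for c in controls}
    for r in results:
        if r.result == "FAIL":
            for c in rule_controls.get(r.rule_id, []):
                status[c] = "NONCOMPLIANT"
    return status


def newly_compliant(before, after):
    """Resources whose evaluation flipped to COMPLIANT between two scans; with compliance
    notifications enabled, these are the resources a compliance event would be raised for."""
    return sorted(rid for rid, s in after.items() if s == "COMPLIANT" and before.get(rid) != "COMPLIANT")


if __name__ == "__main__":
    before = resource_compliance(SCAN)
    waived = apply_waivers(SCAN, {("rule-s3-block-public-access", "website-bucket")})
    for r in waived:
        print(f"{r.resource_id:15} {r.rule_id:28} stored={r.result:12} shown={displayed(r.result)}")
    after = resource_compliance(waived)
    print("resources:", after)                                    # website-bucket COMPLIANT, logs-bucket NONCOMPLIANT
    print("controls:", control_compliance(waived, RULE_CONTROLS))  # FBP R002 still NONCOMPLIANT because of logs-bucket
    print("newly compliant:", newly_compliant(before, after))     # ['website-bucket']
```

Running the script shows the point made above: the website bucket becomes compliant once its only failure is waived, but FBP R002 stays noncompliant until the logs bucket’s failure is fixed or waived too, and the stored FAIL_WAIVED value still records that the rule did fail.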
Use waivers when:
You need to record the original pass/fail value of a rule result, such as for auditing purposes
Or, you need the rule to apply only to a custom set of resources, based on one or more of the following properties:
Resource provider
Resource type
Resource tag
Resource ID
Disable rules when:
You need to prevent the rule from being applied to any resource in any environment
Further Reading¶
Compliance Concepts: what rules, controls, resource evaluations, etc. are and how they work
Compliance: general information about how Fugue checks the compliance of your cloud infrastructure configuration
Writing Custom Rules: how to define your own compliance rules